1-1 NAT和PAT

©2007CiscoSystems,Inc.Allrightsreserved.ICND2v1.0—7-1AddressSpaceManagementScalingtheNetworkwithNATandPAT©2007CiscoSystems,Inc.Allrightsreserved.ICND2v1.0—7-2NetworkAddressTranslationAnIPaddressiseitherlocalorglobal.LocalIPv4addressesareseenintheinsidenetwork.GlobalIPv4addressesareseenintheoutsidenetwork.©2007CiscoSystems,Inc.Allrightsreserved.ICND2v1.0—7-3PortAddressTranslation©2007CiscoSystems,Inc.Allrightsreserved.ICND2v1.0—7-4TranslatingInsideSourceAddresses©2007CiscoSystems,Inc.Allrightsreserved.ICND2v1.0—7-5EstablishesstatictranslationbetweenaninsidelocaladdressandaninsideglobaladdressRouterX(config)#ipnatinsidesourcestaticlocal-ipglobal-ipMarkstheinterfaceasconnectedtotheinsideRouterX(config-if)#ipnatinsideMarkstheinterfaceasconnectedtotheoutsideRouterX(config-if)#ipnatoutsideDisplaysactivetranslationsRouterX#showipnattranslationsConfiguringandVerifyingStaticTranslation©2007CiscoSystems,Inc.Allrightsreserved.ICND2v1.0—7-6EnablingStaticNATAddressMappingExampleRouterX#showipnattranslationsProInsideglobalInsidelocalOutsidelocalOutsideglobal---192.168.1.210.1.1.2------interfaces0ipaddress192.168.1.1255.255.255.0ipnatoutside!interfacee0ipaddress10.1.1.1255.255.255.0ipnatinside!ipnatinsidesourcestatic10.1.1.2192.168.1.2©2007CiscoSystems,Inc.Allrightsreserved.ICND2v1.0—7-7Establishesdynamicsourcetranslation,specifyingtheACLthatwasdefinedinthepreviousstepRouterX(config)#ipnatinsidesourcelistaccess-list-numberpoolnameDefinesapoolofglobaladdressestobeallocatedasneededRouterX(config)#ipnatpoolnamestart-ipend-ip{netmasknetmask|prefix-lengthprefix-length}DefinesastandardIPACLpermittingthoseinsidelocaladdressesthataretobetranslatedRouterX(config)#access-listaccess-list-numberpermitsource[source-wildcard]DisplaysactivetranslationsRouterX#showipnattranslationsConfiguringandVerifyingDynamicTranslation©2007CiscoSystems,Inc.Allrightsreserved.ICND2v1.0—7-8DynamicAddressTranslationExampleRouterX#showipnattranslationsProInsideglobalInsidelocalOutsidelocalOutsideglobal---171.69.233.209192.168.1.100---------171.69.233.210192.168.1.101------©2007CiscoSystems,Inc.Allrightsreserved.ICND2v1.0—7-9OverloadinganInsideGlobalAddress©2007CiscoSystems,Inc.Allrightsreserved.ICND2v1.0—7-10ConfiguringOverloadingEstablishesdynamicsourcetranslation,specifyingtheACLthatwasdefinedinthepreviousstepRouterX(config)#ipnatinsidesourcelistaccess-list-numberinterfaceinterfaceoverloadDefinesastandardIPACLthatwillpermittheinsidelocaladdressesthataretobetranslatedRouterX(config)#access-listaccess-list-numberpermitsourcesource-wildcardDisplaysactivetranslationsRouterX#showipnattranslations©2007CiscoSystems,Inc.Allrightsreserved.ICND2v1.0—7-11OverloadinganInsideGlobalAddressExampleRouterX#showipnattranslationsProInsideglobalInsidelocalOutsidelocalOutsideglobalTCP172.17.38.1:1050192.168.3.7:105010.1.1.1:2310.1.1.1:23TCP172.17.38.1:1776192.168.4.12:177610.2.2.2:2510.2.2.2:25hostnameRouterX!interfaceEthernet0ipaddress192.168.3.1255.255.255.0ipnatinside!interfaceEthernet1ipaddress192.168.4.1255.255.255.0ipnatinside!interfaceSerial0descriptionToISPipaddress172.17.38.1255.255.255.0ipnatoutside!ipnatinsidesourcelist1interfaceSerial0overload!iproute0.0.0.00.0.0.0Serial0!access-list1permit192.168.3.00.0.0.255access-list1permit192.168.4.00.0.0.255!©2007CiscoSystems,Inc.Allrightsreserved.ICND2v1.0—7-12ClearsasimpledynamictranslationentrythatcontainsaninsidetranslationorbothaninsideandoutsidetranslationRouterX#clearipnattranslationinsideglobal-iplocal-ip[outsidelocal-ipglobal-ip]ClearsalldynamicaddresstranslationentriesRouterX#clearipnattranslation*ClearsasimpledynamictranslationentrythatcontainsanoutsidetranslationRouterX#clearipnattranslationoutsidelocal-ipglobal-ipClearsanextendeddynamictranslationentry(PATentry)RouterX#clearipnattranslationprotocolinsideglobal-ipglobal-portlocal-iplocal-port[outsidelocal-iplocal-portglobal-ipglobal-port]ClearingtheNATTranslationTable©2007CiscoSystems,Inc.Allrightsreserved.ICND2v1.0—7-13TranslationNotOccurring:TranslationNotInstalledintheTableVerifythat:TherearenoinboundACLsthataredenyingthepacketsentrytotheNATrouterTheACLreferencedbytheNATcommandispermittingallnecessarynetworksThereareenoughaddressesintheNATpoolTherouterinterfacesareappropriatelydefinedasNATinsideorNAToutside©2007CiscoSystems,Inc.Allrightsreserved.ICND2v1.0—7-14RouterX#showipnatstatisticsTotalactivetranslations:1(1static,0dynamic;0extended)Outsideinterfaces:Ethernet0,Serial2Insideinterfaces:Ethernet1Hits:5Misses:0…DisplayingInformationwithshowanddebugCommandsRouterX#debugipnatNAT:s=192.168.1.95-172.31.233.209,d=172.31.2.132[6825]NAT:s=172.31.2.132,d=172.31.233.209-192.168.1.95[21852]NAT:s=192.168.1.95-172.31.233.209,d=172.31.1.161[6826]NAT*:s=172.31.1.161,d=172.31.233.209-192.168.1.95[23311]NAT*:s=192.168.1.95-172.31.233.209,d=172.31.1.161[6827]NAT*:s=192.168.1.95-172.31.233.209,d=172.31.1.161[6828]NAT*:s=172.31.1.161,d=172.31.233.209-192.168.1.95[23312]NAT*:s=172.31.1.161,d=172.31.233.209-192.168.1.95[23313]©2007CiscoSystems,Inc.A