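Lab topology:
Note: the IP address of the ISP's external loopback0 interface is 220.220.200.1, not 220.220.220.1.
Requirements:
1. After static NAT translation, PC1 can ping 220.220.200.1.
2. After dynamic NAT translation, PC2 can ping 220.220.200.1.
GW switch configuration: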
```
! Configure the inside interfaces
GW#conf t
Enter configuration commands, one per line. End with CNTL/Z.
GW(config)#int f1/0
GW(config-if)#ip nat inside
GW(config-if)#int f2/0
GW(config-if)#ip nat inside
GW(config-if)#
! Configure the outside interface
GW(config-if)#int s0/0
GW(config-if)#ip nat outside
GW(config-if)#
! Configure static NAT for PC1
ip nat inside source static 192.168.1.2 10.1.1.100
! Configure dynamic NAT
access-list 10 permit 192.168.2.0 0.0.0.255
ip nat pool pc-to-web 10.1.1.3 10.1.1.10 netmask 255.255.255.0
ip nat inside source list 10 pool pc-to-web
! Add the default route toward the outside
ip route 0.0.0.0 0.0.0.0 10.1.1.2
```
PC1 verification:
```
PC1#ping 220.220.200.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 220.220.200.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/60/92 ms
PC1#
GW#show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 10.1.1.100:17      192.168.1.2:17     220.220.200.1:17   220.220.200.1:17
---  10.1.1.100         192.168.1.2        ---                ---
---  10.1.1.3           192.168.2.2        ---                ---
GW#
```
PC2 ping
```
PC2#ping 220.220.200.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 220.220.200.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/51/68 ms
PC2#
GW#show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 10.1.1.100:17      192.168.1.2:17     220.220.200.1:17   220.220.200.1:17
---  10.1.1.100         192.168.1.2        ---                ---
icmp 10.1.1.3:8         192.168.2.2:8      220.220.200.1:8    220.220.200.1:8
---  10.1.1.3           192.168.2.2        ---                ---
GW#
```
Viewing the packets on GW:
```
GW#debug ip nat
IP NAT debugging is on
GW#
GW#debug ip nat
IP NAT debugging is on
GW#
Mar 1 01:12:29.451: NAT: s=192.168.1.2->10.1.1.100, d=220.220.200.1 [90]
Mar 1 01:12:29.499: NAT: s=220.220.200.1, d=10.1.1.100->192.168.1.2 [90]
Mar 1 01:12:29.575: NAT: s=192.168.1.2->10.1.1.100, d=220.220.200.1 [91]
Mar 1 01:12:29.595: NAT: s=220.220.200.1, d=10.1.1.100->192.168.1.2 [91]
Mar 1 01:12:29.615: NAT: s=192.168.1.2->10.1.1.100, d=220.220.200.1 [92]
Mar 1 01:12:29.639: NAT: s=220.220.200.1, d=10.1.1.100->192.168.1.2 [92]
Mar 1 01:12:29.663: NAT: s=192.168.1.2->10.1.1.100, d=220.220.200.1 [93]
Mar 1 01:12:29.671: NAT: s=220.220.200.1, d=10.1.1.100->192.168.1.2 [93]
Mar 1 01:12:29.695: NAT: s=192.168.1.2->10.1.1.100, d=220.220.200.1 [94]
Mar 1 01:12:29.715: NAT: s=220.220.200.1, d=10.1.1.100->192.168.1.2 [94]
GW#
GW#
Mar 1 01:12:54.835: NAT: s=192.168.2.2->10.1.1.3, d=220.220.200.1 [45]
Mar 1 01:12:54.883: NAT: s=220.220.200.1, d=10.1.1.3->192.168.2.2 [45]
Mar 1 01:12:54.955: NAT: s=192.168.2.2->10.1.1.3, d=220.220.200.1 [46]
Mar 1 01:12:54.979: NAT: s=220.220.200.1, d=10.1.1.3->192.168.2.2 [46]
Mar 1 01:12:54.999: NAT: s=192.168.2.2->10.1.1.3, d=220.220.200.1 [47]
Mar 1 01:12:55.023: NAT: s=220.220.200.1, d=10.1.1.3->192.168.2.2 [47]
Mar 1 01:12:55.043: NAT: s=192.168.2.2->10.1.1.3, d=220.220.200.1 [48]
Mar 1 01:12:55.063: NAT: s=220.220.200.1, d=10.1.1.3->192.168.2.2 [48]
Mar 1 01:12:55.087: NAT: s=192.168.2.2->10.1.1.3, d=220.220.200.1 [49]
Mar 1 01:12:55.107: NAT: s=220.220.200.1, d=10.1.1.3->192.168.2.2 [49]
```
ISP reverse verification:
```
ISP#ping 10.1.1.3 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
Packet sent with a source address of 220.220.200.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/53/84 ms
ISP#
*Mar 1 01:13:55.463: NAT: expiring 10.1.1.3 (192.168.2.2) icmp 9 (9)
Mar 1 01:14:09.159: NAT: s=220.220.200.1, d=10.1.1.3->192.168.2.2 [25]
Mar 1 01:14:09.215: NAT: s=192.168.2.2->10.1.1.3, d=220.220.200.1 [25]
Mar 1 01:14:09.255: NAT: s=220.220.200.1, d=10.1.1.3->192.168.2.2 [26]
Mar 1 01:14:09.291: NAT: s=192.168.2.2->10.1.1.3, d=220.220.200.1 [26]
Mar 1 01:14:09.311: NAT: s=220.220.200.1, d=10.1.1.3->192.168.2.2 [27]
Mar 1 01:14:09.331: NAT: s=192.168.2.2->10.1.1.3, d=220.220.200.1 [27]
Mar 1 01:14:09.351: NAT: s=220.220.200.1, d=10.1.1.3->192.168.2.2 [28]
Mar 1 01:14:09.371: NAT: s=192.168.2.2->10.1.1.3, d=220.220.200.1 [28]
Mar 1 01:14:09.395: NAT: s=220.220.200.1, d=10.1.1.3->192.168.2.2 [29]
Mar 1 01:14:09.415: NAT: s=192.168.2.2->10.1.1.3, d=220.220.200.1 [29]
ISP#ping 10.1.1.100 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.100, timeout is 2 seconds:
Packet sent with a source address of 220.220.200.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/57/96 ms
ISP#
GW#
Mar 1 01:16:10.331: NAT: s=220.220.200.1, d=10.1.1.100->192.168.1.2 [40]
Mar 1 01:16:10.371: NAT: s=192.168.1.2->10.1.1.100, d=220.220.200.1 [40]
Mar 1 01:16:10.447: NAT: s=220.220.200.1, d=10.1.1.100->192.168.1.2 [41]
Mar 1 01:16:10.467: NAT: s=192.168.1.2->10.1.1.100, d=220.220.200.1 [41]
Mar 1 01:16:10.487: NAT: s=220.220.200.1, d=10.1.1.100->192.168.1.2 [42]
Mar 1 01:16:10.511: NAT: s=192.168.1.2->10.1.1.100, d=220.220.200.1 [42]
Mar 1 01:16:10.535: NAT: s=220.220.200.1, d=10.1.1.100->192.168.1.2 [43]
Mar 1 01:16:10.555: NAT: s=192.168.1.2->10.1.1.100, d=220.220.200.1 [43]
Mar 1 01:16:10.575: NAT: s=220.220.200.1, d=10.1.1.100->192.168.1.2 [44]
Mar 1 01:16:10.595: NAT: s=192.168.1.2->10.1.1.100, d=220.220.200.1 [44]
GW#
```
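The reverse verification above shows the ISP router opening a session to PC1 through the static entry and to PC2 through the still-live dynamic entry. The following added example (not part of the original post) parses `debug ip nat` lines like those on this page and reports exchanges whose first packet arrived from the outside; the 30-second idle gap and the function names are assumptions of the example.

```python
import re

# Constructed sample: a subset of the `debug ip nat` lines shown on this page.
SAMPLE = """\
Mar 1 01:12:29.451: NAT: s=192.168.1.2->10.1.1.100, d=220.220.200.1 [90]
Mar 1 01:12:29.499: NAT: s=220.220.200.1, d=10.1.1.100->192.168.1.2 [90]
Mar 1 01:12:54.835: NAT: s=192.168.2.2->10.1.1.3, d=220.220.200.1 [45]
Mar 1 01:12:54.883: NAT: s=220.220.200.1, d=10.1.1.3->192.168.2.2 [45]
*Mar 1 01:13:55.463: NAT: expiring 10.1.1.3 (192.168.2.2) icmp 9 (9)
Mar 1 01:14:09.159: NAT: s=220.220.200.1, d=10.1.1.3->192.168.2.2 [25]
Mar 1 01:14:09.215: NAT: s=192.168.2.2->10.1.1.3, d=220.220.200.1 [25]
Mar 1 01:16:10.331: NAT: s=220.220.200.1, d=10.1.1.100->192.168.1.2 [40]
Mar 1 01:16:10.371: NAT: s=192.168.1.2->10.1.1.100, d=220.220.200.1 [40]
"""

LINE = re.compile(
    r"^\*?\w{3}\s+(?P<day>\d+)\s+(?P<h>\d+):(?P<m>\d+):(?P<sec>[\d.]+): NAT\*?: "
    r"s=(?P<s>[\d.]+)(?:->(?P<s_new>[\d.]+))?, "
    r"d=(?P<d>[\d.]+)(?:->(?P<d_new>[\d.]+))? \[\d+\]")
IDLE_SECONDS = 30  # assumed quiet gap that separates two exchanges

def parse(line):
    """Return (seconds, direction, inside_local, inside_global, outside) or None.
    Seconds are counted from the day of month only; the month is ignored (assumption)."""
    m = LINE.match(line.strip())
    if not m or not (m["s_new"] or m["d_new"]):
        return None  # housekeeping lines such as "NAT: expiring ..."
    t = int(m["day"]) * 86400 + int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["sec"])
    if m["s_new"]:  # source rewritten: packet leaving the inside network
        return t, "outbound", m["s"], m["s_new"], m["d"]
    return t, "inbound", m["d_new"], m["d"], m["s"]  # destination rewritten

def sessions(log):
    """Group packets into exchanges; the first packet's direction names the initiator."""
    last_seen, found = {}, []
    for t, direction, local, glob, outside in filter(None, map(parse, log.splitlines())):
        key = (local, glob, outside)
        if key not in last_seen or t - last_seen[key] > IDLE_SECONDS:
            side = "inside" if direction == "outbound" else "outside"
            found.append({"initiator": side, "inside_local": local,
                          "inside_global": glob, "outside": outside})
        last_seen[key] = t
    return found

def outside_initiated(log):
    """Exchanges whose first packet arrived on the outside interface."""
    return [s for s in sessions(log) if s["initiator"] == "outside"]

if __name__ == "__main__":
    print(outside_initiated(SAMPLE))
```

On the sample, the two outside-initiated exchanges are the ISP pings to 10.1.1.3 and 10.1.1.100, matching the reverse verification on this page.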
From: https://www.cnblogs.com/vbear/p/17071552.html