单接口NAT配置实例

单接口NAT配置实例

拓扑示意：

说明:一台路由器只有一个接口时，如何实现NAT/PAT的操作。如图所示：

192.168.1.1/16 192.168.1.100/16

R5相关配置：

方法一(较复杂，影响速度)：

r5:

en

conf t

host r5

no ip domain-lookup

defa int e0/0

defa int s0/0

defa int s0/1

defa int s0/2

defa int s0/3

no int loop0

line con 0

exec-time 0 0

logg sy

exit

int loop0

ip add 172.16.1.1 255.255.255.255

ip nat inside

int e0/0

ip add 192.168.1.254 255.255.0.0 secondary

ip add 218.87.18.20 255.255.255.192

ip nat outside

no shutdown

ip policy route-map no-route

exit

ip nat inside source list 10 int e0/0 overload

ip route 0.0.0.0 0.0.0.0 218.87.18.1

access-list 10 permit 192.168.0.0 0.0.255.255

access-list 110 permit ip 192.168.0.0 0.0.255.255 any

route-map kxy-nat permit 10

match ip add 110

set ip next-hop 218.87.18.1

route-map no-route permit 10

match ip add 110

set int loop0

end

主要语句相关解释(注意顺序)：

int loop0

ip add 172.16.1.1 255.255.255.255

ip nat inside -----------------------------------------------------------------------5、inside接口收到包

ip policy route-map kxy-nat ----------------------------------------------------6、匹配策略路由

int e0/0

ip add 192.168.1.254 255.255.0.0 secondary ------------------------------1、内网数据包到达该网关接口

ip add 218.87.18.20 255.255.255.192 --------------------------------------9、包到达该接口

ip nat outside ---------------------------------------------------------------------10、匹配NA T并转换

ip policy route-map no-route ---------------------------------------------------2、匹配策略路由

exit

ip nat inside source list 10 pool pool1 overload

ip nat pool pool1 218.87.18.20 218.87.18.20 netmask 255.255.255.192

ip route 0.0.0.0 0.0.0.0 218.87.18.1 (ip route 0.0.0.0 0.0.0.0 loop0 ?)------12、查路由表

access-list 10 permit 192.168.0.0 0.0.255.255 -------------------------------11、匹配NA T流量

access-list 110 permit ip 192.168.0.0 0.0.255.255 any -------------------3、匹配流量

route-map kxy-nat permit 10

match ip add 110 ------------------------------------------------------------------7、匹配流量

set ip next-hop 218.87.18.1-------------------------------------------------------8、基于策略，包送到e0/0口route-map no-route permit 10

match ip add 110

set int loop0 -------------------------------------------------------------------4、基于策略，包转交到loop0口end

注：如果此时no 掉ip route 0.0.0.0 0.0.0.0 loop0，则能够转换，可以拼通ISP地址218.87.18.1，但拼不通外网其它地址，且此时不能进行地址转换。

方法二(较简单，推荐)：

r5:

en

conf t

host r5

no ip domain-lookup

defa int e0/0

defa int s0/0

defa int s0/1

defa int s0/2

defa int s0/3

no int loop0

line con 0

exec-time 0 0

logg sy

exit

int loop0

ip add 172.16.1.1 255.255.255.255

ip nat inside

ip policy route-map kxy-nat

int e0/0

ip add 192.168.1.254 255.255.0.0 secondary

ip add 218.87.18.20 255.255.255.192

ip nat outside

no sh

exit

ip nat inside source list 10 int e0/0 overload

ip route 0.0.0.0 0.0.0.0 loop0

access-list 10 permit 192.168.0.0 0.0.255.255

access-list 110 permit ip 192.168.0.0 0.0.255.255 any route-map kxy-nat permit 10

match ip add 110

set ip next-hop 218.87.18.1

end

主要语句相关解释(注意顺序)：

int loop0

ip add 172.16.1.1 255.255.255.255

ip nat inside

ip policy route-map kxy-nat ---------------------------------------------------3、匹配策略路由

int e0/0

ip add 192.168.1.254 255.255.0.0 secondary------------------------------1、内网数据包到达该网关接口

ip add 218.87.18.20 255.255.255.192 --------------------------------------8、匹配策略路由，把包送出

ip nat outside ---------------------------------------------------------------------7、NA T转换

no sh

exit

ip nat inside source list 10 int e0/0 overload

ip route 0.0.0.0 0.0.0.0 loop0 -------------------------------------------------2、查路由表，包转到loop0 access-list 10 permit 192.168.0.0 0.0.255.255 --------------------------------6、匹配NA T流量

access-list 110 permit ip 192.168.0.0 0.0.255.255 any --------------------4、流量匹配

route-map kxy-nat permit 10

match ip add 110

set ip next-hop 218.87.18.1 -----------------------------------------------------5、策略路由

end

注：该方法简便，内网能拼通外网，但内网拼不通ISP的218.87.18.1地址(因为内网的包到达e0/0时，查路由表，有路由，包直接发出，没有经过NA T，但内网私有地址的包到达ISP后无法回包)

测试：

C:\>ping 202.101.224.68

Pinging 202.101.224.68 with 32 bytes of data:

Reply from 202.101.224.68: bytes=32 time=5ms TTL=58

Reply from 202.101.224.68: bytes=32 time=4ms TTL=58

Reply from 202.101.224.68: bytes=32 time=5ms TTL=58

Reply from 202.101.224.68: bytes=32 time=5ms TTL=58

Ping statistics for 202.101.224.68:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 4ms, Maximum = 5ms, A verage = 4ms

说明：该文经江西省计算机培训学院(https://www.360docs.net/doc/3016919778.html,)付金如老师测试通过，同时也欢迎沟通交流。转载请注明出处，谢谢!