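Testing bidirectional static NAT on two interfaces using two different NAT configurations

I. Test topology:

II. Test requirements

1. ServerA already has a static one-to-one address mapping configured so that it can be reached from the Internet

2. RouterA and RouterB are connected by a leased line

3. When ServerA accesses ServerB, its source address must be translated to 193.170.3.200

III. Test approach

1. Use NAT with route-maps to translate selectively as required

---In actual testing, this did not meet the requirement

2. Split NAT into two groups: one using the traditional ip nat inside / ip nat outside, the other using ip nat enable

IV. Basic configuration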

1. Server ServerA:

interface Ethernet0/0
     ip address 172.16.10.200 255.255.255.0
     no shut

ip route 0.0.0.0 0.0.0.0 172.16.10.254

2. Router RouterC:

interface Ethernet0/0
     ip address 172.16.10.254 255.255.255.0
     no shut
interface Ethernet0/1
     ip address 10.1.1.2 255.255.255.0
     no shut

ip route 0.0.0.0 0.0.0.0 10.1.1.1

3. Router RouterA:

interface Ethernet0/0
     ip address 202.100.1.1 255.255.255.0
     no shut  
interface Ethernet0/1
     ip address 192.169.2.105 255.255.255.0
     no shut  
interface Ethernet0/2
     ip address 10.1.1.1 255.255.255.0
     no shut

ip route 0.0.0.0 0.0.0.0 202.100.1.2

ip route 172.16.10.0 255.255.255.0 10.1.1.2
ip route 192.168.92.0 255.255.255.0 192.169.2.106

interface Ethernet0/0
     ip nat outside

interface Ethernet0/2
     ip nat inside

ip access-list extended PAT
     deny   ip host 172.16.10.200 192.168.92.0 0.0.0.255
     permit ip 172.16.10.0 0.0.0.255 any

ip nat inside source list PAT interface Ethernet0/0 overload

ip nat inside source static 172.16.10.200 202.100.1.200

---Verification:

ServerA#ping 202.100.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 60/75/108 ms

Internet#debug ip icmp 
ICMP packet debugging is on
Internet#
*Mar  1 06:28:08.946: ICMP: echo reply sent, src 202.100.1.2, dst 202.100.1.200
Internet#
*Mar  1 06:28:10.942: ICMP: echo reply sent, src 202.100.1.2, dst 202.100.1.200
*Mar  1 06:28:11.038: ICMP: echo reply sent, src 202.100.1.2, dst 202.100.1.200
*Mar  1 06:28:11.138: ICMP: echo reply sent, src 202.100.1.2, dst 202.100.1.200
*Mar  1 06:28:11.198: ICMP: echo reply sent, src 202.100.1.2, dst 202.100.1.200

4. Router Internet:

interface Ethernet0/0
     ip address 202.100.1.2 255.255.255.0
     no shut

5. Router RouterB:

interface Ethernet0/0
     ip address 192.169.2.106 255.255.255.0
     no shut

interface Ethernet0/1
     ip address 192.168.92.254 255.255.255.0
     no shut

ip route 172.16.10.0 255.255.255.0 192.169.2.105

V. NAT with route-map test

A. Router RouterA

1. Define the ACLs

ip access-list extended Inside
     permit ip host 172.16.10.200 host 192.168.92.64
ip access-list extended Outside
     permit ip host 172.16.10.200 any

2. Configure the route-maps

route-map Inside permit 10
     match ip address Inside
route-map Outside permit 10
     match ip address Outside

3. Remove the existing static NAT

no ip nat inside source static 172.16.10.200 202.100.1.200

no ip nat inside source list PAT interface Ethernet0/0 overload

4. Configure static NAT with route-maps

ip nat inside source static 172.16.10.200 202.100.1.200 route-map Outside

ip nat inside source static 172.16.10.200 193.170.3.200 route-map Inside

interface Ethernet0/1
     ip nat outside

B. Router RouterB

ip route 193.170.3.0 255.255.255.0 192.169.2.105

C. Test:

ServerA#ping 202.100.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
ServerA#

Internet#
*Mar  1 06:59:10.862: ICMP: echo reply sent, src 202.100.1.2, dst 172.16.10.200
Internet#
*Mar  1 06:59:12.870: ICMP: echo reply sent, src 202.100.1.2, dst 172.16.10.200
Internet#
*Mar  1 06:59:14.890: ICMP: echo reply sent, src 202.100.1.2, dst 172.16.10.200
Internet#
*Mar  1 06:59:16.846: ICMP: echo reply sent, src 202.100.1.2, dst 172.16.10.200
Internet#
*Mar  1 06:59:18.846: ICMP: echo reply sent, src 202.100.1.2, dst 172.16.10.200
Internet#

ServerA#ping 192.168.92.64

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.92.64, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 84/121/160 ms
ServerA#

ServerB#debug ip icmp 
ICMP packet debugging is on
ServerB#
*Mar  1 00:55:06.027: ICMP: echo reply sent, src 192.168.92.64, dst 172.16.10.200
*Mar  1 00:55:06.187: ICMP: echo reply sent, src 192.168.92.64, dst 172.16.10.200
*Mar  1 00:55:06.339: ICMP: echo reply sent, src 192.168.92.64, dst 172.16.10.200
*Mar  1 00:55:06.427: ICMP: echo reply sent, src 192.168.92.64, dst 172.16.10.200
*Mar  1 00:55:06.495: ICMP: echo reply sent, src 192.168.92.64, dst 172.16.10.200
ServerB#

-----No source address translation was performed on the way out

Internet#telnet 202.100.1.200
Trying 202.100.1.200 ... Open

User Access Verification

Password: 
ServerA>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:49   
*130 vty 0                idle                 00:00:00 202.100.1.2

Interface    User               Mode         Idle     Peer Address

ServerA>quit

ServerB#telnet 193.170.3.200
Trying 193.170.3.200 ... Open

User Access Verification

Password: 
ServerA>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:01:52   
*130 vty 0                idle                 00:00:00 192.168.92.64

Interface    User               Mode         Idle     Peer Address

ServerA>quit

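-----Destination address translation was performed for traffic coming in from outside

VI. Testing the two NAT types used together

A. On RouterA, remove the NAT configured above and restore the NAT configuration from the original setup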

no ip nat inside source static 172.16.10.200 202.100.1.200 route-map Outside

no ip nat inside source static 172.16.10.200 193.170.3.200 route-map Inside

interface Ethernet0/1
     no ip nat outside

no route-map Inside permit 10
no route-map Outside permit 10

no ip access-list extended Inside
no ip access-list extended Outside

ip nat inside source static 172.16.10.200 202.100.1.200

ip nat inside source list PAT interface Ethernet0/0 overload

B. Configure ip nat enable on RouterA

interface Ethernet0/2
     ip nat enable

interface Ethernet0/1
     ip nat enable

C. Configure static NAT:

ip nat source static 172.16.10.200 193.170.3.200

D. Test:

ServerA#ping 192.168.92.64

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.92.64, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
ServerA#

ServerB#
*Mar  1 01:18:22.823: ICMP: echo reply sent, src 192.168.92.64, dst 193.170.3.200
ServerB#
*Mar  1 01:18:24.807: ICMP: echo reply sent, src 192.168.92.64, dst 193.170.3.200
ServerB#
*Mar  1 01:18:26.819: ICMP: echo reply sent, src 192.168.92.64, dst 193.170.3.200
ServerB#
*Mar  1 01:18:28.779: ICMP: echo reply sent, src 192.168.92.64, dst 193.170.3.200
ServerB#
*Mar  1 01:18:30.779: ICMP: echo reply sent, src 192.168.92.64, dst 193.170.3.200
ServerB#

Internet#
*Mar  1 07:24:07.350: ICMP: dst (193.170.3.200) host unreachable sent to 192.168.92.64
Internet#
*Mar  1 07:24:09.342: ICMP: dst (193.170.3.200) host unreachable sent to 192.168.92.64
Internet#
*Mar  1 07:24:11.334: ICMP: dst (193.170.3.200) host unreachable sent to 192.168.92.64
Internet#
*Mar  1 07:24:13.286: ICMP: dst (193.170.3.200) host unreachable sent to 192.168.92.64
Internet#
*Mar  1 07:24:15.314: ICMP: dst (193.170.3.200) host unreachable sent to 192.168.92.64
Internet#

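----At this point RouterA performed no destination address translation on the return packets and handed them to the Internet router

E. Add a secondary address on RouterA and test:

interface Ethernet0/1
     ip address 193.170.3.1 255.255.255.0 secondary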

ServerA#ping 192.168.92.64

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.92.64, timeout is 2 seconds:
!.!.!
Success rate is 60 percent (3/5), round-trip min/avg/max = 128/153/168 ms

ServerB#
*Mar  1 01:31:28.219: ICMP: echo reply sent, src 192.168.92.64, dst 193.170.3.200
*Mar  1 01:31:28.399: ICMP: echo reply sent, src 192.168.92.64, dst 193.170.3.200
ServerB#
*Mar  1 01:31:30.379: ICMP: echo reply sent, src 192.168.92.64, dst 193.170.3.200
*Mar  1 01:31:30.531: ICMP: echo reply sent, src 192.168.92.64, dst 193.170.3.200
ServerB#
*Mar  1 01:31:32.515: ICMP: echo reply sent, src 192.168.92.64, dst 193.170.3.200
ServerB#

----Connectivity works, but packets are dropped in a very regular pattern, and the loss is fairly severe

ServerA#ping 192.168.92.64 repeat 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.92.64, timeout is 2 seconds:
!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.
!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.
Success rate is 50 percent (50/100), round-trip min/avg/max = 56/128/204 ms

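VII. Testing a loopback interface combined with the two NAT types

---After the configuration above there is 50% packet loss. Suspecting that this was because e0/2 had both NAT types configured at the same time, a loopback interface is added and the ip nat enable previously configured on e0/2 is removed

A. Add loopback0 on RouterA and configure ip nat enable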

interface Loopback0
     ip address 1.1.1.1 255.255.255.252
     ip nat enable

B. Configure a route-map on RouterA and apply it on interface e0/2

ip access-list extended ToServerB
     permit ip host 172.16.10.200 host 192.168.92.64

route-map ToServerB permit 10
     match ip address ToServerB
     set interface Loopback0

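interface Ethernet0/2
     no ip nat enable
     ip policy route-map ToServerB

C. After the above configuration there was still 50% packet loss, so the configuration was saved and RouterA was restarted; after that there was no packet loss

-----At this point the configuration from section VI also works normally, which suggests the problem was probably caused by the emulator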
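
The translation checks done by eye on the debug ip icmp output in the tests above can be scripted. The following Python is an added example, not part of the original article; the names audit_nat and summarize and the verdict labels are made up for illustration, and the sample lines are copied from the captures on this page.

```python
import ipaddress
import re

# The two "debug ip icmp" line shapes that appear in the captures on this page.
REPLY = re.compile(r"ICMP: echo reply sent, src (\S+), dst (\S+)")
UNREACH = re.compile(r"ICMP: dst \((\S+)\) host unreachable sent to (\S+)")

def audit_nat(debug_text, expected_global):
    """Classify far-side debug lines; expected_global is ServerA's NAT address on that path."""
    want = ipaddress.ip_address(expected_global)
    verdicts = []
    for line in debug_text.splitlines():
        m = REPLY.search(line)
        if m:
            dst = ipaddress.ip_address(m.group(2))
            if dst == want:
                verdicts.append(("translated", str(dst)))
            elif dst.is_private:
                # RFC 1918 address seen past the NAT boundary: source NAT did not happen.
                verdicts.append(("inside-address-leaked", str(dst)))
            else:
                verdicts.append(("unexpected-global", str(dst)))
            continue
        m = UNREACH.search(line)
        if m and ipaddress.ip_address(m.group(1)) == want:
            # Another router reported the NAT address unreachable: reply forwarded untranslated.
            verdicts.append(("return-path-misrouted", m.group(1)))
    return verdicts

def summarize(verdicts):
    counts = {}
    for verdict, _ in verdicts:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

# Lines copied from this page: route-map test (Internet router), ip nat enable test.
ROUTEMAP_TEST_INTERNET = """\
*Mar  1 06:59:10.862: ICMP: echo reply sent, src 202.100.1.2, dst 172.16.10.200
*Mar  1 06:59:12.870: ICMP: echo reply sent, src 202.100.1.2, dst 172.16.10.200
"""
NATENABLE_TEST_INTERNET = """\
*Mar  1 07:24:07.350: ICMP: dst (193.170.3.200) host unreachable sent to 192.168.92.64
"""
NATENABLE_TEST_SERVERB = """\
*Mar  1 01:18:22.823: ICMP: echo reply sent, src 192.168.92.64, dst 193.170.3.200
"""

if __name__ == "__main__":
    print(summarize(audit_nat(ROUTEMAP_TEST_INTERNET, "202.100.1.200")))
```
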

Time: 2025-02-01 08:03:15