Cisco router network address translation (NAT)

Source: Internet
Author: User

Experiment Name: Cisco router network address translation (NAT)

Experimental purpose: Allow all intranet hosts to connect to the Internet using a small number of public IP addresses.

Experiment Introduction:

With NAT, when a host with a private intranet address sends packets to the router, the private address is translated to a legitimate public IP address. This lets a large number of intranet computers communicate with the Internet through a small number of public IP addresses. NAT addresses the problem of IP address exhaustion and also improves the security of the intranet.

Experimental topology

[Figure: experimental topology]

Experiment Configuration steps

I. Setting the computer IP address

1. Set the IP address of PC1

[Screenshot: PC1 IP address settings]

2. Set the IP address of PC2

[Screenshot: PC2 IP address settings]

3. Set the IP address of PC3

[Screenshot: PC3 IP address settings]

II. Configure the routers

1. Configure R1

Router#conf t

Router(config)#hostname R1

R1(config)#int f0/0

R1(config-if)#ip add 192.168.75.30 255.255.255.0

R1(config-if)#ip nat inside

R1(config-if)#no shutdown

R1(config-if)#exit

R1(config)#int f1/0

R1(config-if)#ip add 202.96.0.1 255.255.255.248

R1(config-if)#ip nat outside

R1(config-if)#no shutdown

R1(config-if)#exit

R1(config)#ip route 0.0.0.0 0.0.0.0 fastethernet 1/0

2. Configure R2

R2#conf t

R2(config)#hostname R2

R2(config)#int f0/0

R2(config-if)#ip add 192.168.0.1 255.255.255.0

R2(config-if)#no shutdown

R2(config-if)#exit

R2(config)#int f1/0

R2(config-if)#ip add 202.96.0.2 255.255.255.248

R2(config-if)#no shutdown

R2(config-if)#exit

III. Configure static NAT

1. On R1, map PC1 (192.168.75.2) to 202.96.0.1 and PC2 (192.168.75.3) to 202.96.0.3

R1(config)#ip nat inside source static 192.168.75.2 202.96.0.1

R1(config)#ip nat inside source static 192.168.75.3 202.96.0.3

2. Ping PC3 from PC1 to test

PC>ping 192.168.0.2

Pinging 192.168.0.2 with 32 bytes of data:

Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=9ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126

Ping statistics for 192.168.0.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 9ms, Average = 2ms

3. Ping PC3 from PC2 to test

PC>ping 192.168.0.2

Pinging 192.168.0.2 with 32 bytes of data:

Reply from 192.168.0.2: bytes=32 time=1ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126

Ping statistics for 192.168.0.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

4. View the translations on router R1

R1#sh ip nat translations
Pro  Inside global     Inside local      Outside local     Outside global
---  202.96.0.1        192.168.75.2      ---               ---
---  202.96.0.3        192.168.75.3      ---               ---

R1#sh ip nat translations
Pro  Inside global     Inside local      Outside local     Outside global
icmp 202.96.0.1:73     192.168.75.2:73   192.168.0.2:73    192.168.0.2:73
icmp 202.96.0.1:74     192.168.75.2:74   192.168.0.2:74    192.168.0.2:74
icmp 202.96.0.1:75     192.168.75.2:75   192.168.0.2:75    192.168.0.2:75
icmp 202.96.0.1:76     192.168.75.2:76   192.168.0.2:76    192.168.0.2:76
icmp 202.96.0.3:45     192.168.75.3:45   192.168.0.2:45    192.168.0.2:45
icmp 202.96.0.3:46     192.168.75.3:46   192.168.0.2:46    192.168.0.2:46
icmp 202.96.0.3:47     192.168.75.3:47   192.168.0.2:47    192.168.0.2:47
icmp 202.96.0.3:48     192.168.75.3:48   192.168.0.2:48    192.168.0.2:48
---  202.96.0.1        192.168.75.2      ---               ---
---  202.96.0.3        192.168.75.3      ---               ---

Summary

Each intranet computer is mapped one-to-one to a public IP address. This method can be used to access specific intranet network equipment, but its security is poor and its practical value is low.


IV. Configure dynamic NAT

1. Remove the two static IP mappings on router R1

R1(config)#no ip nat inside source static 192.168.75.2 202.96.0.1
R1(config)#no ip nat inside source static 192.168.75.3 202.96.0.3

2. Configure an ACL on router R1 that contains all IP addresses on the intranet

R1(config)#access-list 1 permit 192.168.75.0 0.0.0.255

3. Configure a pool of legitimate IP addresses

R1(config)#ip nat pool ABC 202.96.0.1 202.96.0.6 netmask 255.255.255.248

4. Associate the ACL with the IP address pool

R1(config)#ip nat inside source list 1 pool ABC

5. Ping PC3 from PC1 to test

PC>ping 192.168.0.2

Pinging 192.168.0.2 with 32 bytes of data:

Request timed out.
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=2ms TTL=126

Ping statistics for 192.168.0.2:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 2ms, Average = 0ms

6. Ping PC3 from PC2 to test

PC>ping 192.168.0.2

Pinging 192.168.0.2 with 32 bytes of data:

Request timed out.
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126

Ping statistics for 192.168.0.2:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

7. View the translations on router R1

R1#sh ip nat translations

Pro  Inside global     Inside local      Outside local     Outside global
icmp 202.96.0.5:81     192.168.75.2:81   192.168.0.2:81    192.168.0.2:81
icmp 202.96.0.5:82     192.168.75.2:82   192.168.0.2:82    192.168.0.2:82
icmp 202.96.0.5:83     192.168.75.2:83   192.168.0.2:83    192.168.0.2:83
icmp 202.96.0.5:84     192.168.75.2:84   192.168.0.2:84    192.168.0.2:84
icmp 202.96.0.4:5      192.168.75.3:5    192.168.0.2:5     192.168.0.2:5
icmp 202.96.0.4:6      192.168.75.3:6    192.168.0.2:6     192.168.0.2:6
icmp 202.96.0.4:7      192.168.75.3:7    192.168.0.2:7     192.168.0.2:7
icmp 202.96.0.4:8      192.168.75.3:8    192.168.0.2:8     192.168.0.2:8

Summary

The mapping relationship is random, and the maximum number of mappings equals the number of legitimate public IP addresses configured, so in practice this still cannot meet daily needs.


V. Port multiplexing (PAT)

1. Add the keyword overload to the command that associates the ACL with the IP address pool

R1(config)#ip nat inside source list 1 pool ABC overload

2. After pinging PC3 from PC1 and PC2, view the translations on router R1

R1#sh ip nat translations

Pro  Inside global     Inside local      Outside local     Outside global
icmp 202.96.0.5:85     192.168.75.2:85   192.168.0.2:85    192.168.0.2:85
icmp 202.96.0.5:86     192.168.75.2:86   192.168.0.2:86    192.168.0.2:86
icmp 202.96.0.5:87     192.168.75.2:87   192.168.0.2:87    192.168.0.2:87
icmp 202.96.0.5:88     192.168.75.2:88   192.168.0.2:88    192.168.0.2:88
icmp 202.96.0.5:10     192.168.75.3:10   192.168.0.2:10    192.168.0.2:10
icmp 202.96.0.5:11     192.168.75.3:11   192.168.0.2:11    192.168.0.2:11
icmp 202.96.0.5:12     192.168.75.3:12   192.168.0.2:12    192.168.0.2:12
icmp 202.96.0.5:9      192.168.75.3:9    192.168.0.2:9     192.168.0.2:9

Summary

All intranet computers accessing the Internet are mapped to the same legitimate public IP address; the intranet computers share one public IP address to reach the Internet. This is the most practical technique.
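How one public address can serve several inside hosts, as an added example that is not part of the original article: a simplified Python model of an overload table using the addresses from this lab. The class name PatTable and its port-selection rule (keep the source port if free, otherwise take the next free one) are assumptions for illustration, not the IOS allocator.

```python
class PatTable:
    """Simplified model of overload (PAT) on one inside global address.

    Assumption: keep the source port when it is free, otherwise take the
    next free one. Real IOS port selection differs in detail.
    """

    def __init__(self, global_ip):
        self.global_ip = global_ip
        self.out = {}    # (proto, inside_ip, inside_port) -> global_port
        self.back = {}   # (proto, global_port) -> (inside_ip, inside_port)

    def outbound(self, proto, inside_ip, inside_port):
        """Translate a packet leaving the inside network."""
        key = (proto, inside_ip, inside_port)
        if key not in self.out:
            port = inside_port
            for _ in range(65535):
                if (proto, port) not in self.back:
                    break
                port = port % 65535 + 1          # collision: try next port
            else:
                raise RuntimeError("no free port on " + self.global_ip)
            self.out[key] = port
            self.back[(proto, port)] = (inside_ip, inside_port)
        return self.global_ip, self.out[key]

    def inbound(self, proto, global_port):
        """Translate a packet arriving from outside; None = no entry, drop."""
        return self.back.get((proto, global_port))


def demo():
    """PC1 and PC2 (addresses from this page) both use source port 1025."""
    pat = PatTable("202.96.0.5")
    return [
        pat.outbound("tcp", "192.168.75.2", 1025),   # port kept
        pat.outbound("tcp", "192.168.75.3", 1025),   # port rewritten
        pat.inbound("tcp", 1026),                    # reply reaches PC2
        pat.inbound("tcp", 3389),                    # unsolicited: dropped
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The last call shows the property the introduction refers to as improved intranet security: a packet from outside that matches no existing entry has no inside destination.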


Expand your knowledge

1. Enterprises often need to map a particular port of a specific intranet computer to the public network. How is this set up on a Cisco router?

ip nat inside source static tcp 192.168.75.2 80 202.96.0.2 80 extendable   // map port 80 for publishing a web site
ip nat inside source static tcp 192.168.75.2 3080 202.96.0.2 3389 extendable   // map port 3389 for Remote Desktop Connection
ip nat inside source static tcp 192.168.75.2 3090 202.96.0.2 3090 extendable   // map a special port for software publishing
ip nat inside source static tcp 192.168.75.2 22 202.96.0.2 22 extendable   // map port 22 for SSH remote connection


2. If we have only one public address and it has already been assigned to the f1/0 port of R1, how can we reuse or overload it?

R1(config)#ip nat inside source list 1 interface f1/0 overload   // No address pool is configured on R1 because there is only one public address; only the address of the f1/0 interface is overloaded

Or

R1(config)#ip nat pool ABC 202.96.0.1 202.96.0.1 netmask 255.255.255.248



3. How do I calculate the number of NAT translation entries for routers?

A NAT translation entry consumes 160 bytes of memory, so the number of NAT translations is limited by the router's memory.
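One way to review a translation table offline, as an added example that is not part of the original article: a Python script that parses text in the layout of `show ip nat translations`, estimates memory from the 160-byte figure above, reports public addresses shared by several inside hosts (overload), and lists entries with no outside peer, which accept inbound traffic from any source. The sample table is constructed, and the function names are assumptions.

```python
import ipaddress
from collections import defaultdict

ENTRY_BYTES = 160  # per-entry memory figure quoted in the text

# Constructed sample in the column layout of `show ip nat translations`.
SAMPLE = """\
Pro  Inside global    Inside local       Outside local   Outside global
icmp 202.96.0.5:85    192.168.75.2:85    192.168.0.2:85  192.168.0.2:85
icmp 202.96.0.5:10    192.168.75.3:10    192.168.0.2:10  192.168.0.2:10
tcp  202.96.0.2:3389  192.168.75.2:3389  ---             ---
---  202.96.0.3       192.168.75.3       ---             ---
"""

def split_addr(field):
    """'202.96.0.5:85' -> ('202.96.0.5', 85); '---' -> None."""
    if field == "---":
        return None
    ip, _, port = field.partition(":")
    ipaddress.ip_address(ip)          # raises ValueError on junk
    return ip, (int(port) if port else None)

def parse(text):
    """Return one dict per translation row, skipping header and junk lines."""
    rows = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5:
            continue
        try:
            glob, local, outside = (split_addr(c) for c in (cols[1], cols[2], cols[4]))
        except ValueError:
            continue
        if glob and local:
            rows.append({"proto": cols[0].lower(), "global": glob,
                         "local": local, "outside": outside})
    return rows

def audit(text):
    rows = parse(text)
    sharing = defaultdict(set)
    for r in rows:
        sharing[r["global"][0]].add(r["local"][0])
    return {
        "entries": len(rows),
        "memory_bytes": len(rows) * ENTRY_BYTES,
        # one public address used by several inside hosts => overload (PAT)
        "overloaded": {g: sorted(h) for g, h in sharing.items() if len(h) > 1},
        # rows with no outside peer accept inbound traffic from any source
        "open_inbound": [(r["proto"], r["global"], r["local"])
                         for r in rows if r["outside"] is None],
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(key, value)
```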







This article is from the "Day Up" blog; please be sure to keep this source: http://615sky.blog.51cto.com/2974242/1617929
