Experiment Name: Cisco router network address translation (NAT)
Experimental purpose: Allow all intranet IP addresses to reach the Internet through a small number of public IP addresses
Experiment Introduction:
With NAT, when a host with a private intranet address sends packets to the router, the private address is translated to a legitimate public IP address. This lets a large number of intranet computers communicate with the Internet through a small number of public IP addresses. NAT addresses the problem of IP address exhaustion and also improves the security of the intranet.
Experimental topology
[Figure: experiment topology (1.png)]
Experiment Configuration steps
I. Set the computer IP addresses
1. Set the IP address on PC1
[Screenshot: PC1 IP address settings (2.jpg)]
2. Set the IP address on PC2
[Screenshot: PC2 IP address settings (3.jpg)]
3. Set the IP address on PC3
[Screenshot: PC3 IP address settings (4.jpg)]
II. Configure the routers
1. Configure R1
Router#conf t
R1(config)#hostname R1
R1(config)#int f0/0
R1(config-if)#ip add 192.168.75.30 255.255.255.0
R1(config-if)#ip nat inside
R1(config-if)#no shutdown
R1(config-if)#exi
R1(config)#int f1/0
R1(config-if)#ip add 202.96.0.1 255.255.255.248
R1(config-if)#ip nat outside
R1(config-if)#no shutdown
R1(config-if)#exi
R1(config)#ip route 0.0.0.0 0.0.0.0 fastethernet 1/0
2. Configure R2
R2#conf t
R2(config)#hostname R2
R2(config)#int f0/0
R2(config-if)#ip add 192.168.0.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exi
R2(config)#int f1/0
R2(config-if)#ip add 202.96.0.2 255.255.255.248
R2(config-if)#no shutdown
R2(config-if)#exi
III. Configure static NAT
1. On R1, map PC1 192.168.75.2 to 202.96.0.1
and map PC2 192.168.75.3 to 202.96.0.3
R1(config)#ip nat inside source static 192.168.75.2 202.96.0.1
R1(config)#ip nat inside source static 192.168.75.3 202.96.0.3
2. Ping PC3 from PC1 to test
PC>ping 192.168.0.2
Pinging 192.168.0.2 with 32 bytes of data:
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=9ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Ping statistics for 192.168.0.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 9ms, Average = 2ms
3. Ping PC3 from PC2 to test
PC>ping 192.168.0.2
Pinging 192.168.0.2 with 32 bytes of data:
Reply from 192.168.0.2: bytes=32 time=1ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Ping statistics for 192.168.0.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms
4. View the translations on router R1
R1#sh ip nat translations
Pro  Inside global     Inside local      Outside local     Outside global
---  202.96.0.1        192.168.75.2      ---               ---
---  202.96.0.3        192.168.75.3      ---               ---
R1#sh ip nat translations
Pro  Inside global     Inside local      Outside local     Outside global
icmp 202.96.0.1:73     192.168.75.2:73   192.168.0.2:73    192.168.0.2:73
icmp 202.96.0.1:74     192.168.75.2:74   192.168.0.2:74    192.168.0.2:74
icmp 202.96.0.1:75     192.168.75.2:75   192.168.0.2:75    192.168.0.2:75
icmp 202.96.0.1:76     192.168.75.2:76   192.168.0.2:76    192.168.0.2:76
icmp 202.96.0.3:45     192.168.75.3:45   192.168.0.2:45    192.168.0.2:45
icmp 202.96.0.3:46     192.168.75.3:46   192.168.0.2:46    192.168.0.2:46
icmp 202.96.0.3:47     192.168.75.3:47   192.168.0.2:47    192.168.0.2:47
icmp 202.96.0.3:48     192.168.75.3:48   192.168.0.2:48    192.168.0.2:48
---  202.96.0.1        192.168.75.2      ---               ---
---  202.96.0.3        192.168.75.3      ---               ---
Summary
Each intranet computer is mapped one-to-one to a public IP address. This method can be used to reach specific network devices on the intranet, but its security is poor and its practical value is low.
IV. Configure dynamic NAT
1. Remove the two static IP mappings on router R1
R1(config)#no ip nat inside source static 192.168.75.2 202.96.0.1
R1(config)#no ip nat inside source static 192.168.75.3 202.96.0.3
2. Configure an ACL on router R1 that contains all IP addresses on the intranet
R1(config)#access-list 1 permit 192.168.75.0 0.0.0.255
3. Configure a pool of legitimate IP addresses
R1(config)#ip nat pool ABC 202.96.0.1 202.96.0.6 netmask 255.255.255.248
4. Associate the ACL with the IP address pool
R1(config)#ip nat inside source list 1 pool ABC
5. Ping PC3 from PC1 to test
PC>ping 192.168.0.2
Pinging 192.168.0.2 with 32 bytes of data:
Request timed out.
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=2ms TTL=126
Ping statistics for 192.168.0.2:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 2ms, Average = 0ms
6. Ping PC3 from PC2 to test
PC>ping 192.168.0.2
Pinging 192.168.0.2 with 32 bytes of data:
Request timed out.
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Ping statistics for 192.168.0.2:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
7. View the translations on router R1
R1#sh ip nat translations
Pro  Inside global     Inside local      Outside local     Outside global
icmp 202.96.0.5:81     192.168.75.2:81   192.168.0.2:81    192.168.0.2:81
icmp 202.96.0.5:82     192.168.75.2:82   192.168.0.2:82    192.168.0.2:82
icmp 202.96.0.5:83     192.168.75.2:83   192.168.0.2:83    192.168.0.2:83
icmp 202.96.0.5:84     192.168.75.2:84   192.168.0.2:84    192.168.0.2:84
icmp 202.96.0.4:5      192.168.75.3:5    192.168.0.2:5     192.168.0.2:5
icmp 202.96.0.4:6      192.168.75.3:6    192.168.0.2:6     192.168.0.2:6
icmp 202.96.0.4:7      192.168.75.3:7    192.168.0.2:7     192.168.0.2:7
icmp 202.96.0.4:8      192.168.75.3:8    192.168.0.2:8     192.168.0.2:8
Summary
The mapping is assigned randomly, and the maximum number of mappings equals the number of legitimate public IP addresses configured, so in practice this still cannot meet everyday needs.
V. Port multiplexing (PAT)
1. Add the keyword overload after the command that associates the ACL with the IP address pool
R1(config)#ip nat inside source list 1 pool ABC overload
2. After pinging PC3 from PC1 and PC2, view the translations on router R1
R1#sh ip nat translations
Pro  Inside global     Inside local      Outside local     Outside global
icmp 202.96.0.5:85     192.168.75.2:85   192.168.0.2:85    192.168.0.2:85
icmp 202.96.0.5:86     192.168.75.2:86   192.168.0.2:86    192.168.0.2:86
icmp 202.96.0.5:87     192.168.75.2:87   192.168.0.2:87    192.168.0.2:87
icmp 202.96.0.5:88     192.168.75.2:88   192.168.0.2:88    192.168.0.2:88
icmp 202.96.0.5:10     192.168.75.3:10   192.168.0.2:10    192.168.0.2:10
icmp 202.96.0.5:11     192.168.75.3:11   192.168.0.2:11    192.168.0.2:11
icmp 202.96.0.5:12     192.168.75.3:12   192.168.0.2:12    192.168.0.2:12
icmp 202.96.0.5:9      192.168.75.3:9    192.168.0.2:9     192.168.0.2:9
Summary
All intranet computers accessing the Internet are mapped to the same legitimate public IP address, so they can share a single public IP address to get online. This is the most practical of the three techniques.
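Why dynamic NAT stops at the pool size while PAT does not, as an added Python sketch (not part of the original article and not Cisco's implementation). The class and function names are hypothetical, the address the model shares under overload is the model's own choice, and the id-collision handling goes beyond what the tables above happen to show.

```python
import ipaddress


class NatModel:
    """Toy model of 'ip nat inside source list 1 pool ABC [overload]'."""

    def __init__(self, first, last, overload=False):
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.free = [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]
        self.overload = overload
        self.shared = self.free[0]  # PAT: address every host shares (model's choice)
        self.by_host = {}           # dynamic NAT: inside local IP -> inside global IP
        self.by_flow = {}           # PAT: (global IP, global id) -> (inside IP, inside id)

    def translate(self, inside_ip, ident):
        """Return (inside global IP, id) for a flow, or None when the pool is used up."""
        if not self.overload:
            if inside_ip not in self.by_host:
                if not self.free:
                    return None                    # every pool address is bound to a host
                self.by_host[inside_ip] = self.free.pop(0)
            return self.by_host[inside_ip], ident  # the id/port is left untouched
        gid = ident
        # Keep the original id when possible; choose another only on a collision.
        while self.by_flow.get((self.shared, gid), (inside_ip, ident)) != (inside_ip, ident):
            gid = gid % 65535 + 1
        self.by_flow[(self.shared, gid)] = (inside_ip, ident)
        return self.shared, gid

    def reverse(self, global_ip, gid):
        """Map a reply arriving on the outside back to the inside flow (PAT only)."""
        return self.by_flow.get((global_ip, gid))


def hosts_served(model, host_count):
    """Count how many inside hosts (192.168.75.2, .3, ...) obtain a translation."""
    hosts = [f"192.168.75.{n}" for n in range(2, 2 + host_count)]
    return sum(model.translate(h, 1) is not None for h in hosts)


if __name__ == "__main__":
    # Pool from the article: 202.96.0.1 - 202.96.0.6, ten inside hosts (constructed).
    print(hosts_served(NatModel("202.96.0.1", "202.96.0.6"), 10))                 # dynamic NAT
    print(hosts_served(NatModel("202.96.0.1", "202.96.0.6", overload=True), 10))  # PAT
```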
Expand your knowledge
1. Enterprises often need to map a particular port of a specific intranet computer to the public network. How is this configured on a Cisco router?
ip nat inside source static tcp 192.168.75.2 80 202.96.0.2 80 extendable // map port 80 for publishing a web site
ip nat inside source static tcp 192.168.75.2 3080 202.96.0.2 3389 extendable // map port 3389 for Remote Desktop Connection
ip nat inside source static tcp 192.168.75.2 3090 202.96.0.2 3090 extendable // map a special port for software publishing
ip nat inside source static tcp 192.168.75.2 22 202.96.0.2 22 extendable // map port 22 for SSH remote connection
2. If we have only one public address and it has already been assigned to the f1/0 port of R1, how can we reuse or overload it?
R1(config)#ip nat inside source list 1 interface f1/0 overload // No address pool is configured on R1 because there is only one public address; only the address of the f1/0 interface is overloaded
Or
R1(config)#ip nat pool ABC 202.96.0.1 202.96.0.1 netmask 255.255.255.248
3. How do I calculate the number of NAT translation entries a router can hold?
A NAT translation entry consumes 160 bytes of memory, so the number of NAT translations is limited by the memory of the router.
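A check a reviewer could run over an R1 configuration to list what the static mappings from section III and question 1 make reachable from the outside, as an added Python example (not from the original article). The function name, the watch list of remote-administration ports and the sample configuration are assumptions; the sample is constructed from the article's commands.

```python
import re

# The two static forms used in the article:
#   ip nat inside source static <local> <global>
#   ip nat inside source static tcp|udp <local> <lport> <global> <gport> [extendable]
STATIC_RE = re.compile(
    r"^\s*ip nat inside source static\s+"
    r"(?:(?P<proto>tcp|udp)\s+(?P<lip>[\d.]+)\s+(?P<lport>\d+)\s+(?P<gip>[\d.]+)\s+(?P<gport>\d+)"
    r"|(?P<hlip>[\d.]+)\s+(?P<hgip>[\d.]+))",
    re.IGNORECASE,
)
ADMIN_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP"}  # assumption: reviewer's own watch list


def audit_static_nat(config_text):
    """Return (level, outside endpoint, inside endpoint, note) per static NAT line."""
    findings = []
    for line in config_text.splitlines():
        m = STATIC_RE.match(line)
        if not m:
            continue  # not a static mapping (for example the pool/overload rule)
        if m["proto"] is None:
            findings.append(("review", m["hgip"], m["hlip"],
                             "one-to-one mapping: every port of the inside host is reachable"))
            continue
        lport, gport = int(m["lport"]), int(m["gport"])
        service = ADMIN_PORTS.get(gport) or ADMIN_PORTS.get(lport)
        level = "review" if service else "info"
        note = f"{service} published to the outside" if service else "single published port"
        findings.append((level, f"{m['gip']}:{gport}/{m['proto'].lower()}",
                         f"{m['lip']}:{lport}", note))
    return findings


# Constructed sample built from the commands shown in the article.
SAMPLE_CONFIG = """\
ip nat inside source static 192.168.75.3 202.96.0.3
ip nat inside source static tcp 192.168.75.2 80 202.96.0.2 80 extendable
ip nat inside source static tcp 192.168.75.2 3080 202.96.0.2 3389 extendable
ip nat inside source static tcp 192.168.75.2 22 202.96.0.2 22 extendable
ip nat inside source list 1 pool ABC overload
"""

if __name__ == "__main__":
    for finding in audit_static_nat(SAMPLE_CONFIG):
        print(*finding, sep="  ")
```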
This article is from the "Day Up" blog; please be sure to keep this source: http://615sky.blog.51cto.com/2974242/1617929