Network Design and Management Practice, Part 4: NAT (Network Address Translation)
Private addresses specified by [RFC 1918]
• 10.0.0.0 to 10.255.255.255
• 172.16.0.0 to 172.31.255.255
• 192.168.0.0 to 192.168.255.255
• These addresses may only be used for communication inside one organization, never for communication with hosts on the Internet.
• A private address is only a local address, never a global one: routers on the Internet do not forward any datagram whose destination is a private address.
The evolution of NAT
• Traditional NAT
• Basic NAT
• Network Address Port Translation (NAPT)
• Bi-directional NAT (or) Two-Way NAT
• Twice NAT
• Multihomed NAT
• Cone NAT and Symmetric NAT
• Full Cone, Restricted Cone, Port Restricted Cone
Interface Configuration
• ip nat { inside | outside }
• Marks the interface as inside or outside
Defining a pool
• ip nat pool <name> <start-ip> <end-ip> { netmask <netmask> | prefix-length <prefix-length> } [ type { rotary } ]
• Defines an address pool
Defining ACLs
• access-list 1 permit 192.168.1.0 0.0.0.255
• access-list 1 permit 192.168.2.0 0.0.0.255
Enabling translation of inside source addresses
• ip nat inside source list <acl> pool <name> [overload]
• ip nat inside source static <local-ip> <global-ip>
Enabling translation of inside destination addresses
• ip nat inside destination list <acl> pool <name>
• ip nat inside destination static <global-ip> <local-ip>
Enabling translation of outside source addresses
• ip nat outside source list <acl> pool <name>
• ip nat outside source static <global-ip> <local-ip>
Configuring translation timeouts
• ip nat translation timeout <seconds>
• ip nat translation udp-timeout <seconds>
• ip nat translation dns-timeout <seconds>
• ip nat translation tcp-timeout <seconds>
• ip nat translation finrst-timeout <seconds>
CONFIGURATION EXAMPLES
• Translates between inside hosts addressed from either the 192.168.1.0 or 192.168.2.0 nets to the globally-unique 171.69.233.208/28 network.
• Inside: 192.168.1.0 or 192.168.2.0
• Outside: 171.69.233.208/28
CONFIGURATION EXAMPLES
• ip nat pool net-20 171.69.233.208 171.69.233.223 netmask 255.255.255.240
• ip nat inside source list 1 pool net-20
• !
• interface Ethernet0
• ip address 171.69.232.182 255.255.255.240
• ip nat outside
• !
• interface Ethernet1
• ip address 192.168.1.94 255.255.255.0
• ip nat inside
• !
• access-list 1 permit 192.168.1.0 0.0.0.255
• access-list 1 permit 192.168.2.0 0.0.0.255
CONFIGURATION EXAMPLES
• Translates between inside hosts addressed from the 9.114.11.0 net to the globally unique 171.69.233.208/28 network.
• Packets from outside hosts addressed from the 9.114.11.0 net (the "true" 9.114.11.0 net) are translated to appear to be from net 10.0.1.0/24.
CONFIGURATION EXAMPLES
• ip nat pool net-20 171.69.233.208 171.69.233.223 netmask 255.255.255.240
• ip nat pool net-10 10.0.1.0 10.0.1.255 netmask 255.255.255.0
• ip nat inside source list 1 pool net-20
• ip nat outside source list 1 pool net-10
• !
• interface Ethernet0
• ip address 171.69.232.182 255.255.255.240
• ip nat outside
• !
• interface Ethernet1
• ip address 9.114.11.39 255.255.255.0
• ip nat inside
• !
• access-list 1 permit 9.114.11.0 0.0.0.255
More flexible pool configuration
• ip nat pool <name> { netmask <mask> | prefix-length <length> } [ type { rotary } ]
• Router(config)#ip nat pool fred prefix-length 24
• Router(config-ipnat-pool)#address 171.69.233.225 171.69.233.226
• Router(config-ipnat-pool)#address 171.69.233.228 171.69.233.238
Translating to interface's address
• ip nat inside source list <number> interface <interface> overload
• ip nat inside source list 1 interface Serial0 overload
Static translations with ports
• ip nat inside source static { tcp | udp } <localaddr> <localport> <globaladdr> <globalport>
• ip nat inside source static tcp 192.168.10.1 25 171.69.232.209 25
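As an added example that is not part of the course slides, the model below reproduces what the "overload" and "static ... tcp" commands above build in the router: a NAPT table keyed on the inside socket, ACL-gated, with the inside-to-outside and reverse lookups, plus the cone vs symmetric mapping difference from the NAT evolution slide. The addresses come from the slides; the class, the `symmetric` flag and the port allocator are assumptions of this example, not IOS behaviour.

```python
import ipaddress
from itertools import count

# RFC 1918 blocks from the slides: never forwarded as destinations on the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

class Napt:
    """Model of 'ip nat inside source list <acl> interface <if> overload' (assumed API)."""
    def __init__(self, interface_ip, inside_acl, symmetric=False, first_port=1024):
        self.global_ip = interface_ip                   # the outside interface address
        self.acl = [ipaddress.ip_network(n) for n in inside_acl]  # 'access-list 1 permit ...'
        self.symmetric = symmetric                      # cone vs symmetric mapping (assumed flag)
        self.ports = count(first_port)                  # constructed global-port allocator
        self.static = {}                                # (local_ip, lport) -> gport
        self.table = {}                                 # dynamic key -> gport

    def add_static(self, local_ip, lport, gport):
        """'ip nat inside source static tcp <local> <lport> <global> <gport>'."""
        self.static[(local_ip, lport)] = gport

    def outbound(self, src_ip, sport, dst_ip, dport):
        """Inside->outside packet: returns the (src_ip, sport) the Internet will see."""
        if is_private(dst_ip):
            raise ValueError("private destination: not forwardable across the Internet")
        if not any(ipaddress.ip_address(src_ip) in net for net in self.acl):
            return src_ip, sport                        # ACL miss: packet is not translated
        if (src_ip, sport) in self.static:
            return self.global_ip, self.static[(src_ip, sport)]
        # cone NAT: one mapping per inside socket; symmetric: one per (socket, destination)
        key = (src_ip, sport, dst_ip, dport) if self.symmetric else (src_ip, sport)
        if key not in self.table:
            self.table[key] = next(self.ports)
        return self.global_ip, self.table[key]

    def inbound(self, gport):
        """Reverse lookup: which inside socket(s) own a global port."""
        owners = [k[:2] for k, p in self.table.items() if p == gport]
        owners += [k for k, p in self.static.items() if p == gport]
        return sorted(set(owners))
```

With the cone setting, the same inside socket keeps one global port whatever destination it talks to; with `symmetric=True` every new destination gets a fresh port, which is why hole-punching across symmetric NATs fails.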