2024-09-02 12:01:41 +08:00

# NAPT

![image-20240902111523228](https://picgo-noriu.oss-cn-beijing.aliyuncs.com/Images/image-20240902111523228.png)

### 1. IP & Routing

- **PC, Client, Server**

- **AR1**

```
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip add 192.168.1.254 24
[AR1-GigabitEthernet0/0/0]int g0/0/1
[AR1-GigabitEthernet0/0/1]ip add 100.1.1.1 29
[AR1-GigabitEthernet0/0/1]quit
[AR1]ip route-static 0.0.0.0 0 100.1.1.2 // default route towards the ISP
```

- **ISP-dx**

```
[ISP-dx]int g0/0/0
[ISP-dx-GigabitEthernet0/0/0]ip add 100.1.1.2 29
[ISP-dx-GigabitEthernet0/0/0]int g0/0/1
[ISP-dx-GigabitEthernet0/0/1]ip add 200.1.1.254 24
```

### 2. ACL + NAPT (single public address)

- **AR1**

```
[AR1]acl 2000
[AR1-acl-basic-2000]rule 10 permit source 192.168.1.0 0.0.0.255
[AR1-acl-basic-2000]quit
[AR1]nat address-group 1 100.1.1.3 100.1.1.3 // single public address
[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]nat outbound 2000 address-group 1
```

*Analysis:*

> See `0902_动态NAT.md`

### 3. Test: NAPT (single public address)

- **PC pings Server**

```
PC>ping 200.1.1.1

Ping 200.1.1.1: 32 data bytes, Press Ctrl_C to break
From 200.1.1.1: bytes=32 seq=1 ttl=253 time=63 ms
From 200.1.1.1: bytes=32 seq=2 ttl=253 time=78 ms
From 200.1.1.1: bytes=32 seq=3 ttl=253 time=62 ms
From 200.1.1.1: bytes=32 seq=4 ttl=253 time=47 ms
From 200.1.1.1: bytes=32 seq=5 ttl=253 time=63 ms

--- 200.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 47/62/78 ms
```

- **Client** *[success]*

![image-20240902113419644](https://picgo-noriu.oss-cn-beijing.aliyuncs.com/Images/image-20240902113419644.png)

> Access the HTTP service a few more times.

- **AR1**

> [AR1]dis nat session all // display the NAT session table

```
<AR1>dis nat session all
NAT Session Table Information:

 Protocol : TCP(6)
 SrcAddr Port Vpn : 192.168.1.3 520
 DestAddr Port Vpn : 200.1.1.1 20480
 NAT-Info
 New SrcAddr : 100.1.1.3
 New SrcPort : 10241
 New DestAddr : ----
 New DestPort : ----

 Protocol : TCP(6)
 SrcAddr Port Vpn : 192.168.1.3 1032
 DestAddr Port Vpn : 200.1.1.1 20480
 NAT-Info
 New SrcAddr : 100.1.1.3
 New SrcPort : 10243
 New DestAddr : ----
 New DestPort : ----

 Protocol : TCP(6)
 SrcAddr Port Vpn : 192.168.1.3 776
 DestAddr Port Vpn : 200.1.1.1 20480
 NAT-Info
```

***Analysis (using the first entry as an example):***

- The NAT session table lists every currently active NAT session. The fields in the output mean the following:

- **Protocol**: Transmission Control Protocol (TCP), protocol number 6.

- **SrcAddr Port Vpn**: the source address, source port and VPN instance. Here the source address is 192.168.1.3 and the source port is 520.

- **DestAddr Port Vpn**: the destination address, destination port and VPN instance. Here the destination address is 200.1.1.1 and the destination port is 20480.

The **NAT-Info** section shows the values after translation:

- **New SrcAddr**: the translated source address, here 100.1.1.3, which is the public IP address configured in address group 1.
- **New SrcPort**: the translated source port, here 10241. This shows that the source port is translated as well; that is normal in NAPT and is referred to as port mapping (Port Mapping) or port forwarding (Port Forwarding).
- **New DestAddr** and **New DestPort**: the destination address and destination port are normally left unchanged by NAT, so they are shown as "----".

> This means that a packet from source address 192.168.1.3, source port 520, leaves AR1 after NAT with the new source address 100.1.1.3 and new source port 10241, destined for 200.1.1.1 port 20480. This translation lets hosts on the internal network reach external networks through a public IP address.
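The session table is also the only record that ties an externally observed public (address, port) back to an internal host, which is exactly what an incident responder needs when a complaint names 100.1.1.3 as the source. The following added Python example (not part of the original note) parses the `display nat session all` layout shown above, performs that reverse lookup, and flags any translated address outside the configured address group; `SAMPLE` is constructed from the entries above.

```python
# Added example, not from the original note: parse "display nat session all"
# output and answer "which internal host was behind public addr:port?".
# SAMPLE is constructed from the session entries shown above.
SAMPLE = """NAT Session Table Information:
 Protocol : TCP(6)
 SrcAddr Port Vpn : 192.168.1.3 520
 DestAddr Port Vpn : 200.1.1.1 20480
 NAT-Info
 New SrcAddr : 100.1.1.3
 New SrcPort : 10241
 New DestAddr : ----
 New DestPort : ----

 Protocol : TCP(6)
 SrcAddr Port Vpn : 192.168.1.3 1032
 DestAddr Port Vpn : 200.1.1.1 20480
 NAT-Info
 New SrcAddr : 100.1.1.3
 New SrcPort : 10243
"""

def parse_sessions(text):
    # Each "Protocol" line starts a new entry; "----" fields are left out.
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Protocol"):
            cur = {"proto": line.split(":", 1)[1].strip()}
            sessions.append(cur)
        elif cur is not None and ":" in line:
            key, val = (s.strip() for s in line.split(":", 1))
            parts = val.split()
            if key.startswith("SrcAddr"):
                cur["src"], cur["sport"] = parts[0], int(parts[1])
            elif key.startswith("DestAddr"):   # port kept as printed (20480)
                cur["dst"], cur["dport"] = parts[0], int(parts[1])
            elif key == "New SrcAddr":
                cur["new_src"] = val
            elif key == "New SrcPort":
                cur["new_sport"] = int(val)
    return sessions

def find_internal_host(sessions, public_addr, public_port):
    """Map an externally observed (public addr, port) back to (src, sport)."""
    for s in sessions:
        if s.get("new_src") == public_addr and s.get("new_sport") == public_port:
            return s["src"], s["sport"]
    return None  # no live session: nothing is behind that public addr:port

def outside_pool(sessions, pool):
    # Translated addresses that are not in the configured address group.
    return [s for s in sessions if "new_src" in s and s["new_src"] not in pool]
```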
### 4. ACL + NAPT (multiple public addresses)

- **AR1**

> Remove the previous configuration first.

```
[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]undo nat outbound 2000 address-group 1
[AR1-GigabitEthernet0/0/1]quit
[AR1]undo acl 2000
[AR1]undo nat address-group 1
```

- **AR1**

```
[AR1]acl 2000
[AR1-acl-basic-2000]rule 10 permit source 192.168.1.0 0.0.0.255
[AR1-acl-basic-2000]quit
[AR1]nat address-group 1 100.1.1.3 100.1.1.5 // multiple public addresses
[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]nat outbound 2000 address-group 1
```

*Analysis:*

- `[AR1]nat address-group 1 100.1.1.3 100.1.1.5`: creates (or modifies) NAT address group 1 so that it contains the public IP addresses 100.1.1.3 through 100.1.1.5.

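To show what the `nat outbound 2000 address-group 1` configuration of sections 2 and 4 does to a flow, here is an added Python model (not the note's own code and not how VRP implements it): the ACL decides which sources are translated, the address group supplies the public addresses, and a session entry records the rewritten (address, port) so that return traffic can be mapped back while unsolicited inbound packets find no entry. Round-robin selection over the pool and the starting port 10240 are assumptions of the model; the real device chooses its own.

```python
import ipaddress
from itertools import count

# Added example, not from the original note: a model of AR1's outbound NAPT.
# ACL 2000 corresponds to "rule 10 permit source 192.168.1.0 0.0.0.255".
ACL_2000 = [ipaddress.ip_network("192.168.1.0/24")]

class Napt:
    """Outbound NAPT: rewrite (src, sport) of permitted flows, keep a session table."""

    def __init__(self, pool_start, pool_end, acl=ACL_2000, first_port=10240):
        lo, hi = int(ipaddress.ip_address(pool_start)), int(ipaddress.ip_address(pool_end))
        self.pool = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
        self.acl = acl
        self.ports = count(first_port)   # assumption: sequential port allocation
        self.rr = 0                      # assumption: round-robin over the pool
        self.sessions = {}  # (proto, src, sport, dst, dport) -> (new_src, new_sport)
        self.reverse = {}   # (proto, new_src, new_sport, dst, dport) -> (src, sport)

    def permitted(self, src):
        return any(ipaddress.ip_address(src) in net for net in self.acl)

    def outbound(self, proto, src, sport, dst, dport):
        """Packet leaving g0/0/1: return the (src, sport) it carries after NAT."""
        key = (proto, src, sport, dst, dport)
        if not self.permitted(src):
            return src, sport            # ACL miss: forwarded untranslated
        if key not in self.sessions:     # first packet of the flow: allocate
            new_src = self.pool[self.rr % len(self.pool)]
            self.rr += 1
            new_sport = next(self.ports)
            self.sessions[key] = (new_src, new_sport)
            self.reverse[(proto, new_src, new_sport, dst, dport)] = (src, sport)
        return self.sessions[key]

    def inbound(self, proto, pub_dst, pub_dport, src, sport):
        """Packet arriving on g0/0/1 for a pool address: the internal (src, sport)
        it is delivered to, or None when no session exists (unsolicited: dropped)."""
        return self.reverse.get((proto, pub_dst, pub_dport, src, sport))
```

With a single-address group every internal host shares 100.1.1.3 and is told apart only by the translated port; with the 100.1.1.3 to 100.1.1.5 group the hosts are spread across the pool.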
### 5. Test: NAPT (multiple public addresses)

- **AR1**

```
<AR1>dis nat session all
NAT Session Table Information:

 Protocol : TCP(6)
 SrcAddr Port Vpn : 192.168.1.5 264
 DestAddr Port Vpn : 200.1.1.1 20480
 NAT-Info
 New SrcAddr : 100.1.1.3
 New SrcPort : 10240
 New DestAddr : ----
 New DestPort : ----

 Protocol : TCP(6)
 SrcAddr Port Vpn : 192.168.1.4 264
 DestAddr Port Vpn : 200.1.1.1 20480
 NAT-Info
 New SrcAddr : 100.1.1.5
 New SrcPort : 10250
 New DestAddr : ----
 New DestPort : ----

 Protocol : TCP(6)
 SrcAddr Port Vpn : 192.168.1.3 2568
 DestAddr Port Vpn : 200.1.1.1 20480
 NAT-Info
 New SrcAddr : 100.1.1.4
 New SrcPort : 10244
 New DestAddr : ----
 New DestPort : ----
```