Below is some configuration for the NAT (address translation) function of a firewall. Could you explain it to me, ideally line by line? Thanks!

nat inside source list 22 pool pool100
nat inside destination static 10.106.1.16 172.1.1.15
nat inside destination static tcp 10.106.1.16 21 172.1.1.11 21
nat inside destination static tcp 10.106.1.16 80 172.1.1.12 80

Answer 1  2011-05-04
ip nat inside source list <access-list-number> pool <name-of-inside-global-address-pool>
ip nat inside destination static 10.106.1.16 172.1.1.15
Translates the outside local address into the outside global address
nat inside destination static tcp 10.106.1.16 21 172.1.1.11 21
Translates outside local port 21 into outside global port 21

It is easier to understand in the example; I suggest combining it with hands-on practice to really get it. The following was found online...

Understanding the specific NAT commands

1. Inside-to-outside translation: the NAT translation takes place at the router's inside interface

r1-2514(config)#ip nat inside ?
destination Destination address translation
source Source address translation

From the above you can see that on the inside side, either the source address or the destination address of a packet can be translated.

r1-2514(config)#ip nat inside source ?
list Specify access list describing local addresses
route-map Specify route-map
static Specify static local->global mapping

From the above, for source address translation you can use an ACL or a route-map to describe a local address, meaning every packet whose source address matches is translated. You can also use static to set up a static mapping from a local address to a global one.

r1-2514(config)#ip nat inside source list 1 ?
interface Specify interface for global address
pool Name pool of global addresses

The output above shows that the next thing to supply is a global address; the packet's source address will be replaced by this global address.

For static mappings, a protocol and port number can also be specified:
When translating addresses to an interface's address, outside-initiated connections to services on the inside network (like mail) will require additional configuration to send the connection to the correct inside host. This command allows the user to map certain services to certain inside hosts.

ip nat inside source static { tcp | udp } <localaddr> <localport> <globaladdr> <globalport>
Example:
ip nat inside source static tcp 192.168.10.1 25 171.69.232.209 25
In this example, outside-initiated connections to the SMTP port (25) will be sent to the inside host 192.168.10.1.
Translating the destination on the inside side:
r1-2514(config)#ip nat inside destination ?
list Specify access list describing global addresses
The output above shows that the router asks for an ACL describing global addresses
r1-2514(config)#ip nat inside destination list 1 ?
pool Name pool of local addresses
Next it asks for a pool of local addresses
So this is NAT for traffic in the outside-to-inside direction: every packet in that direction whose destination address matches the ACL is translated to a local address from the pool. This can be used for TCP load balancing: outside clients all request the same global address, and on the router's inside side the destination addresses of those requests are translated to addresses in the pool, cycling through the pool addresses in turn, which spreads the load. However, this method only works for TCP flows and is not suitable for load balancing web services. See here for the detailed explanation:

Destination Address Rotary Translation

A dynamic form of destination translation can be configured for some outside-to-inside traffic. Once a mapping is set up, a destination address matching one of those on an access list will be replaced with an address from a rotary pool. Allocation is done in a round-robin basis, performed only when a new connection is opened from the outside to the inside. All non-TCP traffic is passed untranslated (unless other translations are in effect).
This feature was designed to provide protocol translation load distribution. It is not designed nor intended to be used as a substitute technology for Cisco's LocalDirector product. Destination address rotary translation should not be used to provide web service load balancing because, like vanilla DNS, it knows nothing about service availability. As a result, if a web server were to become offline, the destination address rotary translation feature would continue to send requests to the downed server.
http://www.cisco.com/warp/public/732/Tech/ipservices/natalgs.pdf
2. Outside-to-inside: the behaviour on the OUTSIDE side:
r1-2514(config)#ip nat outside ?
source Source address translation
From the above you can see that on the OUTSIDE side only the packet's source address can be translated
r1-2514(config)#ip nat outside source ?
list Specify access list describing global addresses
route-map Specify route-map
static Specify static global->local mapping
From the above, the router next asks for a description of a global address, which can be an ACL, a route-map, or a static entry.
r1-2514(config)#ip nat outside source list 1 ?
pool Name pool of local addresses
From the above, the router then asks for a local address. This shows that the command replaces the source address field of packets going from outside to inside: it translates the outside global address into an inside address (inside local or inside global; inside local and inside global may be the same or different)
ip nat outside source { list <acl> pool <name> | static <global-ip> <local-ip> }
The first form (list..pool..) enables dynamic translation. Packets from addresses that match those on the simple access list are translated using local addresses allocated from the named pool.
The second form (static) of the command sets up a single static translation.
An example:
CONFIGURATION EXAMPLES
The following sample configuration translates between inside hosts addressed from either the 192.168.1.0 or 192.168.2.0 nets to the globally-unique 171.69.233.208/28 network.
ip nat pool net-20 171.69.233.208 171.69.233.223 netmask 255.255.255.240
ip nat inside source list 1 pool net-20
!
interface Ethernet0
ip address 171.69.232.182 255.255.255.240
ip nat outside
!
interface Ethernet1
ip address 192.168.1.94 255.255.255.0
ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
The next sample configuration translates between inside hosts addressed from the 9.114.11.0 net to the globally unique 171.69.233.208/28 network. Packets from outside hosts addressed from 9.114.11.0 net (the "true" 9.114.11.0 net) are translated to appear to be from net 10.0.1.0/24.
ip nat pool net-20 171.69.233.208 171.69.233.223 netmask 255.255.255.240
Defines an inside global address pool named net-20
ip nat pool net-10 10.0.1.0 10.0.1.255 netmask 255.255.255.0
Defines an outside local address pool named net-10
ip nat inside source list 1 pool net-20
ip nat outside source list 1 pool net-10
Note that both the inside and the outside commands use list 1. This means the source addresses on the two sides overlap: the inside source addresses are translated to net-20 addresses in order to communicate with the outside 9.114.11.0 network, and the outside source addresses are translated to net-10 addresses in order to communicate with the 9.114.11.0 network on the inside
!
interface Ethernet0
ip address 171.69.232.182 255.255.255.240
ip nat outside
!
interface Ethernet1
ip address 9.114.11.39 255.255.255.0
ip nat inside
!
access-list 1 permit 9.114.11.0 0.0.0.255
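To make the commands in this answer concrete, here is an added toy model of the three behaviours it describes: dynamic inside-source translation from a pool, static destination translation by TCP port, and destination rotary (round-robin) translation. It is example code written for this page, not code from the thread and not Cisco's implementation. The question does not show what access list 22 or pool100 contain, so the model assumes list 22 permits 10.106.1.0/24 and that pool100 is 172.1.1.100 to 172.1.1.103; the rotary servers 10.106.1.21/22 behind 172.1.1.50 are likewise constructed.

```python
import ipaddress
from itertools import cycle


def acl_permits(addr, entries):
    """Match an address against ACL entries given as (network, wildcard).
    In a Cisco wildcard mask a 1 bit means "don't care", so the entry
    ("10.1.6.0", "0.0.0.255") covers every host 10.1.6.1 to 10.1.6.254."""
    a = int(ipaddress.IPv4Address(addr))
    for network, wildcard in entries:
        n = int(ipaddress.IPv4Address(network))
        w = int(ipaddress.IPv4Address(wildcard))
        if (a | w) == (n | w):
            return True
    return False


def address_range(first, last):
    """Expand 'pool <name> <first> <last>' into the list of usable addresses."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]


class Nat:
    """Toy translation engine; one instance models one router."""

    def __init__(self):
        self.source_acl = []   # 'ip nat inside source list N pool P'
        self.source_pool = []  # free inside-global addresses of P
        self.dynamic = {}      # inside local -> inside global (active entries)
        self.static_dst = {}   # (proto, global ip, global port) -> (local ip, local port)
        self.rotary_acl = []   # 'ip nat inside destination list N pool P'
        self.rotary = None     # round-robin iterator over the local pool

    def inside_source_list_pool(self, acl_entries, pool_first, pool_last):
        self.source_acl = list(acl_entries)
        self.source_pool = address_range(pool_first, pool_last)

    def inside_destination_static(self, local_ip, global_ip,
                                  proto=None, local_port=None, global_port=None):
        # proto/ports of None model the address-only form that covers all protocols
        self.static_dst[(proto, global_ip, global_port)] = (local_ip, local_port)

    def inside_destination_list_pool(self, acl_entries, local_pool):
        self.rotary_acl = list(acl_entries)
        self.rotary = cycle(local_pool)

    def outbound(self, src_ip):
        """Inside -> outside: rewrite the source address if the ACL permits it.
        A host keeps its pool address while its translation entry exists."""
        if src_ip in self.dynamic:
            return self.dynamic[src_ip]
        if not acl_permits(src_ip, self.source_acl):
            return src_ip  # not described by the list: forwarded untranslated
        if not self.source_pool:
            # the operational failure mode worth monitoring: new hosts cannot get out
            raise RuntimeError("NAT pool exhausted")
        self.dynamic[src_ip] = self.source_pool.pop(0)
        return self.dynamic[src_ip]

    def inbound(self, proto, dst_ip, dst_port):
        """Outside -> inside: a static port mapping wins, then the address-only
        static mapping, then the rotary pool for new TCP connections.
        Anything else is left untranslated, as the quoted Cisco text says."""
        if (proto, dst_ip, dst_port) in self.static_dst:
            return self.static_dst[(proto, dst_ip, dst_port)]
        if (None, dst_ip, None) in self.static_dst:
            local_ip, _ = self.static_dst[(None, dst_ip, None)]
            return (local_ip, dst_port)
        if proto == "tcp" and self.rotary is not None and acl_permits(dst_ip, self.rotary_acl):
            return (next(self.rotary), dst_port)
        return (dst_ip, dst_port)


def build_from_question():
    """The four lines from the question. The post does not show what list 22
    or pool100 contain, so 10.106.1.0/24 and 172.1.1.100-103 are assumed."""
    nat = Nat()
    nat.inside_source_list_pool([("10.106.1.0", "0.0.0.255")],
                                "172.1.1.100", "172.1.1.103")
    nat.inside_destination_static("10.106.1.16", "172.1.1.15")
    nat.inside_destination_static("10.106.1.16", "172.1.1.11", "tcp", 21, 21)
    nat.inside_destination_static("10.106.1.16", "172.1.1.12", "tcp", 80, 80)
    return nat


def build_rotary():
    """Destination rotary translation: two constructed inside servers
    behind one global address, as in the load-distribution discussion."""
    nat = Nat()
    nat.inside_destination_list_pool([("172.1.1.50", "0.0.0.0")],
                                     ["10.106.1.21", "10.106.1.22"])
    return nat
```

Calling `build_from_question().outbound("10.106.1.16")` returns the first free pool address and returns the same address on every later call for that host, while a source outside the list passes through unchanged; `inbound("tcp", "172.1.1.11", 21)` lands on 10.106.1.16 port 21 exactly as the answer describes. The rotary model hands out 10.106.1.21, then .22, then .21 again for successive TCP connections to 172.1.1.50 and leaves UDP untouched, which is why the quoted Cisco text warns it cannot notice a server that has gone down.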
Answer 2  2011-05-04
Allows all hosts in the network 10.1.6.0/24, when accessing the external network, to have their IP address translated to any address in the pool 175.1.1.3-175.1.1.64

Addendum: 10.1.6.0 is a subnet, not a specific address; this subnet contains the assignable addresses 10.1.6.1-10.1.6.254.
Follow-up question

Why are the inside network host IPs 10.1.6.0 to 10.1.6.24 rather than 10.106.1.0/254? It seems only 10.106.1.16 is written there.
And why is the address pool the range 175.1.1.3-175.1.1.64? Above it seems only 3 addresses are mentioned. Actually, I still don't understand the destination and tcp parts. I'm a beginner, sorry for the trouble.
