
CISCO Router Network address Translation (NAT)

2025-01-29 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Lab name: Cisco Router Network address Translation (NAT)

Experimental purpose: let all intranet hosts reach the Internet through a small number of public IP addresses.

Introduction to the experiment:

With NAT, when a packet from a private intranet address reaches the router, its private source address is rewritten to a legitimate public IP address, so a large number of intranet computers can communicate with the Internet through a small number of public addresses. NAT not only eases IP address exhaustion but also hides the internal addressing from the outside, which improves the security of the intranet.

Experimental topology

Lab configuration steps

I. Set the computer IP addresses

1. Set the IP address of PC1

2. Set the IP address of PC2

3. Set the IP address of PC3

II. Configure the routers

1. Configure R1

Router#conf t
Router(config)# hostname R1
R1(config)# int f0/0
R1(config-if)# ip add 192.168.75.30 255.255.255.0
R1(config-if)# ip nat inside
R1(config-if)# no shutdown
R1(config-if)# exi
R1(config)# int f1/0
R1(config-if)# ip add 202.96.0.1 255.255.255.248
R1(config-if)# ip nat outside
R1(config-if)# no shutdown
R1(config-if)# exi
R1(config)# ip route 0.0.0.0 0.0.0.0 fastEthernet 1/0

2. Configure R2

Router#conf t
Router(config)# hostname R2
R2(config)# int f0/0
R2(config-if)# ip add 192.168.0.1 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# exi
R2(config)# int f1/0
R2(config-if)# ip add 202.96.0.2 255.255.255.248
R2(config-if)# no shutdown
R2(config-if)# exi

III. Configure static NAT

1. On R1, map PC1 (192.168.75.2) to 202.96.0.1 and PC2 (192.168.75.3) to 202.96.0.3

R1(config)# ip nat inside source static 192.168.75.2 202.96.0.1
R1(config)# ip nat inside source static 192.168.75.3 202.96.0.3

2. Ping PC3 from PC1

PC> ping 192.168.0.2

Pinging 192.168.0.2 with 32 bytes of data:

Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=9ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126

Ping statistics for 192.168.0.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 9ms, Average = 2ms

3. Ping PC3 from PC2

PC> ping 192.168.0.2

Pinging 192.168.0.2 with 32 bytes of data:

Reply from 192.168.0.2: bytes=32 time=1ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126

Ping statistics for 192.168.0.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

4. View the translation table on router R1

Before any traffic, only the two static entries exist:

R1#sh ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
---  202.96.0.1         192.168.75.2       ---                ---
---  202.96.0.3         192.168.75.3       ---                ---

After the pings, one extended ICMP entry per echo request appears alongside the static entries:

R1#sh ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 202.96.0.1:73     192.168.75.2:73    192.168.0.2:73     192.168.0.2:73
icmp 202.96.0.1:74     192.168.75.2:74    192.168.0.2:74     192.168.0.2:74
icmp 202.96.0.1:75     192.168.75.2:75    192.168.0.2:75     192.168.0.2:75
icmp 202.96.0.1:76     192.168.75.2:76    192.168.0.2:76     192.168.0.2:76
icmp 202.96.0.3:45     192.168.75.3:45    192.168.0.2:45     192.168.0.2:45
icmp 202.96.0.3:46     192.168.75.3:46    192.168.0.2:46     192.168.0.2:46
icmp 202.96.0.3:47     192.168.75.3:47    192.168.0.2:47     192.168.0.2:47
icmp 202.96.0.3:48     192.168.75.3:48    192.168.0.2:48     192.168.0.2:48
---  202.96.0.1         192.168.75.2       ---                ---
---  202.96.0.3         192.168.75.3       ---                ---

Summary

Each intranet computer is mapped one-to-one to a public IP address. This method can be used to reach a specific intranet device from the external network, but it consumes one public address per host and exposes that host permanently, so its security is poor and its practical value is low.

IV. Configure dynamic NAT

1. Remove the two static mappings from router R1

R1(config)# no ip nat inside source static 192.168.75.2 202.96.0.1
R1(config)# no ip nat inside source static 192.168.75.3 202.96.0.3

2. On router R1, configure an ACL that matches all intranet addresses

R1(config)# access-list 1 permit 192.168.75.0 0.0.0.255

3. Configure the pool of legitimate public IP addresses

R1(config)# ip nat pool abc 202.96.0.1 202.96.0.6 netmask 255.255.255.248

4. Associate the ACL with the address pool

R1(config)# ip nat inside source list 1 pool abc

5. Ping PC3 from PC1

PC> ping 192.168.0.2

Pinging 192.168.0.2 with 32 bytes of data:

Request timed out.
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=2ms TTL=126

Ping statistics for 192.168.0.2:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss)
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 2ms, Average = 0ms

6. Ping PC3 from PC2

PC> ping 192.168.0.2

Pinging 192.168.0.2 with 32 bytes of data:

Request timed out.
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126
Reply from 192.168.0.2: bytes=32 time=0ms TTL=126

Ping statistics for 192.168.0.2:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss)
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

7. View the translation table on router R1

R1#sh ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 202.96.0.5:81     192.168.75.2:81    192.168.0.2:81     192.168.0.2:81
icmp 202.96.0.5:82     192.168.75.2:82    192.168.0.2:82     192.168.0.2:82
icmp 202.96.0.5:83     192.168.75.2:83    192.168.0.2:83     192.168.0.2:83
icmp 202.96.0.5:84     192.168.75.2:84    192.168.0.2:84     192.168.0.2:84
icmp 202.96.0.4:5      192.168.75.3:5     192.168.0.2:5      192.168.0.2:5
icmp 202.96.0.4:6      192.168.75.3:6     192.168.0.2:6      192.168.0.2:6
icmp 202.96.0.4:7      192.168.75.3:7     192.168.0.2:7      192.168.0.2:7
icmp 202.96.0.4:8      192.168.75.3:8     192.168.0.2:8      192.168.0.2:8

Summary

The public address each host receives is chosen dynamically from the pool, and the number of hosts that can be translated at the same time is capped by the number of public addresses in the pool, so dynamic NAT alone cannot meet day-to-day needs.

V. Port multiplexing (PAT)

1. Add the keyword overload to the command that associates the ACL with the address pool

R1(config)# ip nat inside source list 1 pool abc overload

2. Ping PC3 from PC1 and PC2, then view the translation table on router R1

R1#sh ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 202.96.0.5:85     192.168.75.2:85    192.168.0.2:85     192.168.0.2:85
icmp 202.96.0.5:86     192.168.75.2:86    192.168.0.2:86     192.168.0.2:86
icmp 202.96.0.5:87     192.168.75.2:87    192.168.0.2:87     192.168.0.2:87
icmp 202.96.0.5:88     192.168.75.2:88    192.168.0.2:88     192.168.0.2:88
icmp 202.96.0.5:10     192.168.75.3:10    192.168.0.2:10     192.168.0.2:10
icmp 202.96.0.5:11     192.168.75.3:11    192.168.0.2:11     192.168.0.2:11
icmp 202.96.0.5:12     192.168.75.3:12    192.168.0.2:12     192.168.0.2:12
icmp 202.96.0.5:9      192.168.75.3:9     192.168.0.2:9      192.168.0.2:9

Summary

Traffic from every intranet computer is mapped to the same legitimate public IP address, with individual flows told apart by port number (for ICMP, the echo identifier shown in the port column). All intranet computers can access the Internet by sharing one public address, which makes PAT the most practical of the three methods.
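To make the three summaries (static one-to-one mapping, a dynamic pool that runs out, and PAT sharing one address by port) concrete, here is a small added Python model of R1's translation table built on the lab's own addresses. It is example code written for this page, not IOS code or output from the lab; the ACL check, the pool allocation order and the port-collision handling are simplified assumptions.

```python
# Added example: a simplified model of R1's NAT translation table for the
# three modes in the lab (static, dynamic pool, PAT/overload). Pool order and
# port picking are assumptions, not exact IOS behaviour.

def acl_1_permits(ip):
    """access-list 1 permit 192.168.75.0 0.0.0.255"""
    return ip.startswith("192.168.75.")

class Nat:
    def __init__(self, mode, pool=(), static=None):
        self.mode = mode                  # "static", "dynamic" or "pat"
        self.pool = list(pool)            # inside global addresses (ip nat pool abc)
        self.static = dict(static or {})  # inside local -> inside global
        self.dynamic = {}                 # inside local -> inside global (pool lease)
        self.table = {}                   # (inside local, port) -> (inside global, port)
        self.used_ports = {}              # inside global -> ports in use (PAT only)

    def translate(self, local_ip, port):
        """Return (inside global, port) for an outbound packet, or None when no
        translation can be made (unmatched host or exhausted pool)."""
        key = (local_ip, port)
        if key in self.table:             # existing translation is reused
            return self.table[key]
        if self.mode == "static":
            if local_ip not in self.static:
                return None
            entry = (self.static[local_ip], port)
        elif not acl_1_permits(local_ip):
            return None                   # dynamic and PAT only translate ACL matches
        elif self.mode == "dynamic":
            if local_ip not in self.dynamic:
                free = [g for g in self.pool if g not in self.dynamic.values()]
                if not free:
                    return None           # pool exhausted: one address per host
                self.dynamic[local_ip] = free[0]
            entry = (self.dynamic[local_ip], port)
        else:                             # "pat": every host shares one address
            gip = self.pool[0]
            used = self.used_ports.setdefault(gip, set())
            gport = port
            while gport in used:          # keep the source port if free, else shift
                gport += 1
            used.add(gport)
            entry = (gip, gport)
        self.table[key] = entry
        return entry

    def show(self):
        """Rows shaped like the Inside global / Inside local columns of
        'show ip nat translations'."""
        return [f"{gi}:{gp}  {li}:{lp}" for (li, lp), (gi, gp) in self.table.items()]
```

Running seven intranet hosts through a six-address pool in "dynamic" mode returns None for the seventh, while "pat" mode keeps translating them all behind one address.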

VI. Extended knowledge

1. Enterprises often need to publish one port of a specific intranet computer on the public network. How is this configured on a Cisco router?

R1(config)# ip nat inside source static tcp 192.168.75.2 80 202.96.0.2 80 extendable
(maps port 80 to publish a website)

R1(config)# ip nat inside source static tcp 192.168.75.2 3080 202.96.0.2 3389 extendable
(maps port 3389 for remote desktop connections)

R1(config)# ip nat inside source static tcp 192.168.75.2 3090 202.96.0.2 3090 extendable
(maps a special port for software distribution)

R1(config)# ip nat inside source static tcp 192.168.75.2 22 202.96.0.2 22 extendable
(maps port 22 for SSH remote connections)

2. How do we overload if there is only one public address and it is already assigned to the f1/0 interface of R1?

R1(config)# ip nat inside source list 10 interface f1/0 overload
(no address pool is configured on R1: there is only one public address, so the address of the f1/0 interface itself is overloaded)

Or:

R1(config)# ip nat pool abc 202.96.0.1 202.96.0.1 netmask 255.255.255.248

3. How to calculate the number of router NAT translation entries?

Each NAT translation entry takes up about 160 bytes of memory, so the number of translations a router can hold is limited by its memory.
