实验九 NAT配置(2)

老化时间可以通过display nat aging-time查看路由器的NAT默认老化时间。

[jiance2]display nat aging-time NAT aging-time value information:

tcp ---- aging-time value is 86400 (seconds) udp ---- aging-time value is 300 (seconds) icmp ---- aging-time value is 60 (seconds) pptp ---- aging-time value is 86400 (seconds) dns ---- aging-time value is 60 (seconds) tcp-fin ---- aging-time value is 60 (seconds) tcp-syn ---- aging-time value is 60 (seconds) ftp-ctrl ---- aging-time value is 7200 (seconds) ftp-data ---- aging-time value is 300 (seconds) 通过命令display address-group查看地址池信息 [jiance2]display nat address-group NAT address-group information:

1 : from 200.1.1.11 to 200.1.1.11 可以看到地址池的范围是：200.1.1.11~200.1.1.11

步骤七：清除Basic NAT相关配置

删除NAT地址池

[jiance2]undo nat address-group 1 Address-group is being used!

结果表明地址池的地址正在被使用，因此必须先删除NAT绑定 在接口下删除NAT绑定

[jiance2]interface Ethernet 1/0

[jiance2-Ethernet1/0]undo nat outbound 2000 address-group 1 no-pat 删除NAT地址池

[jiance2]undo nat address-group 1 再用display查看地址池

[jiance2]display nat address-group NAT address-group information:

No address-groups have been configured 发现地址池已经成功被删除了

实验任务二：NAPT配置

私网PC_A,PC_B需要访问公网服务器，但由于公网地址有限，可以通过配置NAPT动 态的为PC_A,PC_B分配公网地址和协议端口。 步骤一：搭建实验环境及基本配置

如同实验任务一中步骤一、二

步骤二：检查连通性

分别在PC_A，PC_B上ping服务器（IP地址为：220.1.1.1）。显示如下： 在PC_A上ping服务器:

C:\\Documents and Settings\\jiance_pca>ping 220.1.1.1 Pinging 220.1.1.1 with 32 bytes of data: Request timed out. Request timed out. Request timed out. Request timed out.

Ping statistics for 220.1.1.1:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), 在PC_B上ping服务器:

C:\\Documents and Settings\\jiance_pcb>ping 220.1.1.1 Pinging 220.1.1.1 with 32 bytes of data: Request timed out. Request timed out. Request timed out. Request timed out.

Ping statistics for 220.1.1.1:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), 结果显示，从PC_A，PC_B上无法ping通服务器。

步骤三：配置NAPT

在JIANCE2上配置NAPT：

用ACL定义一条源地址属于192.168..0.0/16网段的流 [jiance2]acl number 2000

[jiance2-acl-basic-2000]rule permit source 192.168.0.0 0.0.0.255.255 [jiance2-acl-basic-2000]rule deny source any 配置NAT地址池1，地址池中只有一个地址200.1.1.11 [jiance2]nat address-group 1 200.1.1.11 200.1.1.11

进入接口视图将NAT地址池1与ACL 2000绑定，接口方向为出方向 [jiance2]interface Ethernet 0/0

[jiance2-Ethernet0/0]nat outbound 2000 address-group 1 此时命令中未携带no-pat关键字，表示NAT要对数据包进行端口转换

步骤四：测试连通性

从PC_A，PC_B上ping公网服务器 PC_A测试：

C:\\Documents and Settings\\jiance_pca>ping 220.1.1.1 Pinging 200.1.1.1 with 32 bytes of data:

Reply from 220.1.1.1: bytes=32 time=21ms TTL=253 Reply from 220.1.1.1: bytes=32 time=21ms TTL=253 Reply from 220.1.1.1: bytes=32 time=21ms TTL=253 Reply from 220.1.1.1: bytes=32 time=21ms TTL=253

Ping statistics for 220.1.1.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% looss) Approximate round trip times in milli-seconds: Minimum = 21ms, Maximum = 23ms, Average = 21ms

PC_B上测试:

C:\\Documents and Settings\\jiance_pcb>ping 220.1.1.1

Pinging 200.1.1.1 with 32 bytes of data:

Reply from 220.1.1.1: bytes=32 time=22ms TTL=253 Reply from 220.1.1.1: bytes=32 time=21ms TTL=253 Reply from 220.1.1.1: bytes=32 time=21ms TTL=253 Reply from 220.1.1.1: bytes=32 time=21ms TTL=253

Ping statistics for 220.1.1.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% looss) Approximate round trip times in milli-seconds: Minimum = 21ms, Maximum = 23ms, Average = 21ms 发现PC_A，PC_B都能ping通服务器。

步骤五：检查NAT表项

ping通后立即在JIANCE2上查看NAT表项：

[jiance2]display nat session

There are currently 2 NAT sessions:

Protocol GlobalAddr Port InsideAddr Port DestAddr Port

1 200.1.1.11 12289 192.168.2.100 43984 220.1.1.1 43984 VPN: 0, status: 11, TTL: 00:01:00, Left: 00:00:51

1 200.1.1.11 12288 192.168.1.100 768 220.1.1.1 768 VPN: 0, status: 11, TTL: 00:01:00, Left: 00:00:52 从表项中可以看出源地址192.168.1.100，192.168.2.100转换成同一个公网地址200.1.1.11，但端口号是不同的，192.168.1.100转换的端口号为768，而192.168.2.100转换的端口号位43984，通过不同的端口号来分辨数据是发给192.168.1.100还是192.168.2.100，NAPT靠这种方式对数据包的IP层和传输层信息同时进行转换，从而显著的提高IP地址的利用率。

步骤六：恢复配置

在jiance2上删除NAPT相关配置 [jiance2]interface Ethernet 0/0

[jiance2-Ethernet0/0]undo nat outbound 2000 address-group 1 [jiance2-Ethernet0/0]quit

[jiance2]undo nat address-group 1

实验任务三：Easy IP的配置

要实现私网里的主机需要访问服务器，但出口路由器JIANCE2上的出接口地 址动态获取的，因此我们需要在JIANCE2上配置Easy IP。 步骤一：搭建实验环境及基本配置

如同实验任务一中步骤一、二

步骤二：检查连通性

分别在PC_A，PC_B上ping服务器（IP地址为：220.1.1.1）。结果是从PC_A，PC_B 上无法ping通服务器。

步骤三：在jiance2上配置Easy IP

通过ACL定义一条源地址为192.168.0.0/24网段的流 [jiance2]acl number 2000

[jiance2-acl-basic-2000]rule permit source 192.168.0.0 0.0.0.255.255 [jiance2-acl-basic-2000]rule deny source any 在接口视图下将ACL 2000与其关联，方向为出方向 [jiance2]interface Ethernet 0/0

[jiance2-Ethernet0/0]nat outbound 2000

步骤四：检查连通性

从PC_A，PC_B上ping服务器，都能够ping通