网络地址翻译Network Address Translation

1、 2006, Shenzhen Polytechnic. All rights reserved.1网络地址翻译网络地址翻译Network Address Translation 深圳职业技术学院计算机系网络专业深圳职业技术学院计算机系网络专业 2006, Shenzhen Polytechnic. All rights reserved.2教学目标（教学目标（ Objectives ）1.私有地址（私有地址（Private Addressing ）2. NAT操作（操作（NAT Operation）3. NAT分类（分类（NAT Class）4. 配置配置NAT (Configuring N

2、AT) 5. NAT排错排错（Troubleshooting NAT Configuration） 2006, Shenzhen Polytechnic. All rights reserved.3IP Address Class and RangeClass A:Class B:Class C:1-126128-191192-223127 is lost, why? 2006, Shenzhen Polytechnic. All rights reserved.4公网地址和私有地址公网地址和私有地址（ Public Address and Private Address）1. 公网地址必须被

3、注册公网地址必须被注册 Public Internet addresses must be registered by a company with an Internet authority. 2. 私有地址被保留，并可以被任何人使用私有地址被保留，并可以被任何人使用 Private IP addresses are reserved and can be used by anyone. 2006, Shenzhen Polytechnic. All rights reserved.5私有地址范围（私有地址范围（Private Address Range） 2006, Shenzhen Po

4、lytechnic. All rights reserved.6Catalyst 4006Catalyst 6509教学楼教学楼工业中心工业中心信息大楼信息大楼行政大楼行政大楼图书馆图书馆Catalyst 6509Catalyst 2948GCatalyst 2948GCatalyst 2948GCatalyst 3548GCatalyst 3548Cisco 7206Internet163165CernetBackbone ChannelChannelLoadBalance上期已铺光纤本期待铺光纤Channel深职院二期网络核心拓扑图深职院二期网络核心拓扑图HSRP 2006, Shenzh

5、en Polytechnic. All rights reserved.7NAT操作（操作（NAT Operation） 2006, Shenzhen Polytechnic. All rights reserved.81. NAT典型工作存根网络的边缘典型工作存根网络的边缘A NAT enabled device typically operates at the border of a stub network. 2. 边界路由器执行边界路由器执行NAT功能，将内部私有地功能，将内部私有地址转换成公网可路由的地址。址转换成公网可路由的地址。The border gateway router

6、 performs the NAT process, translating the internal private address of a host to a public, external routable address. NAT操作（操作（NAT Operation） 2006, Shenzhen Polytechnic. All rights reserved.91. Inside local address 指定给内部主机使用的地址指定给内部主机使用的地址The IP address assigned to a host on the inside network. 2. I

7、nside global address 从从SP或或NIC注册的地址，即内部主注册的地址，即内部主机地址被机地址被NAT转换的外部地址转换的外部地址A legitimate IP address assigned by the NIC or service provider that represents one or more inside local IP addresses to the outside world. 3. Address Pool-NIC或或SP分配使用的多个地址分配使用的多个地址IP addresses assigned by the NIC or service

8、provider NAT术语（术语（NAT Terms） 2006, Shenzhen Polytechnic. All rights reserved.101.静态静态NAT 静态静态NAT的特征是内部主机地址被一对一映射到外的特征是内部主机地址被一对一映射到外部主机地址部主机地址 Static NAT is designed to allow one-to-one mapping of local and global addresses. NAT分类（分类（NAT Class）Pc1:10.1.1.1-200.200.200.1Pc2:10.1.1.2-200.200.200.2Pc3:

9、10.1.1.3-Pc4:10.1.1.4-200.200.200.2?X 2006, Shenzhen Polytechnic. All rights reserved.11NAT分类（分类（NAT Class）2. 动态动态NAT动态动态NAT的特征是内部主机使用地址池中的公网地址来的特征是内部主机使用地址池中的公网地址来映射映射Dynamic NAT is designed to map a private IP address to a public address. Any IP address from a pool of public IP addresses is assign

10、ed to a network host. Pc1:10.1.1.1-200.200.200.1Pc2:10.1.1.2-200.200.200.2Pc3:10.1.1.3-Pc4:10.1.1.4-200.200.200.2? 2006, Shenzhen Polytechnic. All rights reserved.123. 端口复用端口复用(PAT) 端口复用的特征是内部多个私有地址通过不同的端端口复用的特征是内部多个私有地址通过不同的端口被映射到一个公网地址，口被映射到一个公网地址，Overloading, or Port Address Translation (PAT), ma

11、ps multiple private IP addresses to a single public IP address. Multiple addresses can be mapped to a single address because each private address is tracked by a port number. 理想状况下，一个单一的理想状况下，一个单一的IP地址可以使用的端口数为地址可以使用的端口数为4000个。个。 Realistically, the number of ports that can be assigned a single IP ad

12、dress is around 4000. NAT分类（分类（NAT Class） 2006, Shenzhen Polytechnic. All rights reserved.13PAT特征（特征（PAT Features） 2006, Shenzhen Polytechnic. All rights reserved.14配置配置NAT (Configuring NAT) 2006, Shenzhen Polytechnic. All rights reserved.15静态静态NAT配置实例配置实例 (Static NAT Example) 2006, Shenzhen Polytec

13、hnic. All rights reserved.16静态静态NAT配置实例配置实例 (Static NAT Example)r1(config)#ip nat inside source static 10.1.1.2 200.200.200.3r1(config)#ip nat inside source static 10.1.1.3 200.200.200.4r1(config)#interface f0/0r1(config-if)#ip nat inside r1(config)#int s0/0r1(config-if)#ip nat outside 2006, Shenzhe

14、n Polytechnic. All rights reserved.17静态静态NAT配置实例配置实例 (Static NAT Example)r1# debug ip nat IP NAT debugging is on00:11:09: NAT: s=10.1.1.2-200.200.200.3, d=2.2.2.2 4093600:11:09: NAT*: s=2.2.2.2, d=200.200.200.3-10.1.1.2 4093600:11:10: NAT*: s=10.1.1.2-200.200.200.3, d=2.2.2.2 40938r1# sh ip nat tran

15、slations Pro Inside global Inside local Outside local Outside global- 200.200.200.3 10.1.1.2 - - 200.200.200.4 10.1.1.3 - - 2006, Shenzhen Polytechnic. All rights reserved.18动态动态NAT配置实例配置实例 (Dynamic NAT Example) 2006, Shenzhen Polytechnic. All rights reserved.19动态动态NAT配置实例配置实例 (Dynamic NAT Example)r

16、1(config)#ip nat pool NAT 200.200.200.3 200.200.200.50 netmask 255.255.255.0r1(config)#access-list 1 permit 10.1.1.0 0.0.0.255r1(config)#ip nat inside source list 1 pool NATr1(config)#interface f0/0r1(config-if)#ip nat inside r1(config)#int s0/0r1(config-if)#ip nat outside 2006, Shenzhen Polytechnic

17、. All rights reserved.20动态动态NAT配置实例配置实例 (Dynamic NAT Example)r1# debug ip nat 00:45:40: NAT: s=10.1.1.2-200.200.200.3, d=2.2.2.2 3893000:45:40: NAT*: s=2.2.2.2, d=200.200.200.3-10.1.1.2 3893000:46:03: NAT: s=10.1.1.3-200.200.200.4, d=2.2.2.2 3896100:46:03: NAT*: s=2.2.2.2, d=200.200.200.4-10.1.1.3 3

18、896100:46:27: NAT: s=10.1.1.4-200.200.200.5, d=2.2.2.2 3899300:46:27: NAT*: s=2.2.2.2, d=200.200.200.5-10.1.1.4 38993 2006, Shenzhen Polytechnic. All rights reserved.21动态动态NAT配置实例配置实例 (Dynamic NAT Example)r1#sh ip nat translations Pro Inside global Inside local Outside local Outside global- 200.200.

19、200.3 10.1.1.2 - - 200.200.200.4 10.1.1.3 - - 200.200.200.5 10.1.1.4 - -r1#clear ip nat translation *r1#sh ip nat translations 2006, Shenzhen Polytechnic. All rights reserved.22 动态动态NAT深入研究（深入研究（Dynamic NAT Further Study）如果我们已经用完地址池中的地址，将发生如果我们已经用完地址池中的地址，将发生什么事情？什么事情？ If we have used all available

20、public address in pool, what will happen in next translation? 2006, Shenzhen Polytechnic. All rights reserved.23动态动态NAT深入研究（深入研究（Dynamic NAT Further Study）01:07:36: NAT: translation failed (A), dropping packet s=10.1.1.3 d=2.2.2.2r1#01:07:37: NAT: translation failed (A), dropping packet s=10.1.1.3 d

21、=2.2.2.2以上结果表明以上结果表明NAT转换失败，并将丢包转换失败，并将丢包 2006, Shenzhen Polytechnic. All rights reserved.24PAT配置实例配置实例 (PAT Example) 2006, Shenzhen Polytechnic. All rights reserved.25PAT配置实例配置实例 (PAT Example)r1(config)#ip nat pool NAT 200.200.200.3 200.200.200.50 netmask 255.255.255.0r1(config)#access-list 1 permit 10.1.1.0 0.0.0.255r1(config)#ip nat inside source list 1 pool NAT overloadr1(config)#interface f0/0r1(config-if)#ip nat inside r1(config)#int s0/0r1(config-if)#ip nat outside r1(config)#ip route 0.0.0.0 0.0.0.0 200