NAT inside destination not working

Network Engineering | nat
2021-07-24 17:07:36

This lab is done on Dynamips, with the following setup: an ip nat inside destination setup. There are two identical servers (192.168.48.74 and .75) inside the NAT, and the servers share a single public IP, 200.200.17.34/29. R1 is the NAT router, and SW3 is the L3 switch holding the servers.

As far as I know, I can do this with the "ip nat inside destination" command. [2] It doesn't let me initiate sessions from the servers, but I only need outsiders to be able to reach the servers.

So I set up a local address pool RETAIL-WEB-LOCAL, which holds the server addresses, and an access list RETAIL-WEB-GLOBAL, which holds the servers' public address. Then I tied them together with the "ip nat inside destination list RETAIL-WEB-GLOBAL pool RETAIL-WEB-LOCAL" command.

The R1 configuration is as follows:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SeoulR1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
interface Loopback0
 ip address 10.10.11.1 255.255.255.248
!
interface Loopback1
 ip address 192.168.48.2 255.255.255.224 secondary
 ip address 192.168.48.3 255.255.255.224 secondary
 ip address 192.168.48.4 255.255.255.224 secondary
 ip address 192.168.48.5 255.255.255.224 secondary
 ip address 192.168.48.6 255.255.255.224 secondary
 ip address 192.168.48.7 255.255.255.224 secondary
 ip address 192.168.48.8 255.255.255.224 secondary
 ip address 192.168.48.9 255.255.255.224 secondary
 ip address 192.168.48.10 255.255.255.224 secondary
 ip address 192.168.48.11 255.255.255.224 secondary
 ip address 192.168.48.12 255.255.255.224 secondary
 ip address 192.168.48.13 255.255.255.224 secondary
 ip address 192.168.48.14 255.255.255.224 secondary
 ip address 192.168.48.15 255.255.255.224 secondary
 ip address 192.168.48.16 255.255.255.224 secondary
 ip address 192.168.48.17 255.255.255.224 secondary
 ip address 192.168.48.18 255.255.255.224 secondary
 ip address 192.168.48.19 255.255.255.224 secondary
 ip address 192.168.48.20 255.255.255.224 secondary
 ip address 192.168.48.21 255.255.255.224 secondary
 ip address 192.168.48.22 255.255.255.224 secondary
 ip address 192.168.48.23 255.255.255.224 secondary
 ip address 192.168.48.1 255.255.255.224
 ip ospf network point-to-point
!
interface Loopback2
 ip address 192.168.48.34 255.255.255.224 secondary
 ip address 192.168.48.35 255.255.255.224 secondary
 ip address 192.168.48.36 255.255.255.224 secondary
 ip address 192.168.48.37 255.255.255.224 secondary
 ip address 192.168.48.38 255.255.255.224 secondary
 ip address 192.168.48.39 255.255.255.224 secondary
 ip address 192.168.48.33 255.255.255.224
 ip ospf network point-to-point
!
interface Loopback3
 ip address 192.168.64.2 255.255.255.224 secondary
 ip address 192.168.64.3 255.255.255.224 secondary
 ip address 192.168.64.4 255.255.255.224 secondary
 ip address 192.168.64.5 255.255.255.224 secondary
 ip address 192.168.64.6 255.255.255.224 secondary
 ip address 192.168.64.7 255.255.255.224 secondary
 ip address 192.168.64.1 255.255.255.224
 ip ospf network point-to-point
!
interface Loopback4
 ip address 192.168.64.34 255.255.255.224 secondary
 ip address 192.168.64.35 255.255.255.224 secondary
 ip address 192.168.64.36 255.255.255.224 secondary
 ip address 192.168.64.37 255.255.255.224 secondary
 ip address 192.168.64.38 255.255.255.224 secondary
 ip address 192.168.64.39 255.255.255.224 secondary
 ip address 192.168.64.33 255.255.255.224
 ip ospf network point-to-point
!
interface Loopback5
 ip address 192.168.80.98 255.255.255.224 secondary
 ip address 192.168.80.99 255.255.255.224 secondary
 ip address 192.168.80.97 255.255.255.224
 ip ospf network point-to-point
!
interface Loopback6
 ip address 192.168.80.194 255.255.255.224 secondary
 ip address 192.168.80.195 255.255.255.224 secondary
 ip address 192.168.80.193 255.255.255.224
 ip ospf network point-to-point
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
!
interface Serial0/0.13 multipoint
 ip address 200.200.17.5 255.255.255.252
 ip ospf network point-to-point
 frame-relay map ip 200.200.17.6 103 broadcast
!
interface Serial0/1
 ip address 200.200.17.13 255.255.255.252
 serial restart-delay 0
!
interface Serial0/2
 no ip address
 serial restart-delay 0
!
interface Serial0/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Ethernet1/0
 ip address 200.200.17.18 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 full-duplex
!
interface Ethernet1/1
 no ip address
 full-duplex
!
interface Ethernet1/1.15
 encapsulation dot1Q 600
 ip address 166.15.13.1 255.255.255.252
!
interface Ethernet1/1.17
 encapsulation dot1Q 107
 ip address 192.168.32.1 255.255.255.240
 ip nat inside
 ip virtual-reassembly
!
interface Ethernet1/1.18
 encapsulation dot1Q 108
 ip address 192.168.32.17 255.255.255.240
 ip nat inside
 ip virtual-reassembly
!
interface Ethernet1/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/3
 no ip address
 shutdown
 half-duplex
!
router ospf 1
 router-id 10.10.11.1
 log-adjacency-changes
 area 0 authentication message-digest
 area 192 virtual-link 10.10.13.3 message-digest-key 53 md5 sj79aqj2dn0js
 passive-interface default
 no passive-interface Serial0/0.13
 no passive-interface Serial0/1
 no passive-interface Ethernet1/1.17
 no passive-interface Ethernet1/1.18
 network 192.168.32.1 0.0.0.0 area 1003
 network 192.168.32.17 0.0.0.0 area 1003
 network 192.168.48.0 0.0.0.63 area 1003
 network 192.168.64.0 0.0.0.63 area 1003
 network 192.168.80.96 0.0.0.31 area 1003
 network 192.168.80.192 0.0.0.31 area 1003
 network 200.200.17.5 0.0.0.0 area 192
 network 200.200.17.13 0.0.0.0 area 192
 default-information originate always
!
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 200.200.17.17
!
!
ip nat pool RETAIL-WEB-LOCAL 192.168.48.74 192.168.48.75 prefix-length 29 type rotary
ip nat inside source list NAT-GRP interface Ethernet1/0 overload
ip nat inside destination list RETAIL-WEB-GLOBAL pool RETAIL-WEB-LOCAL
!
!
ip access-list standard NAT-GRP
 permit 192.168.48.0 0.0.0.63
 permit 192.168.64.0 0.0.16.255
ip access-list standard RETAIL-WEB-GLOBAL
 permit 200.200.17.34
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
end

The SW3 configuration is as follows:

no service password-encryption
!
hostname SW3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
!
interface Loopback1
 ip address 192.168.48.66 255.255.255.248 secondary
 ip address 192.168.48.67 255.255.255.248 secondary
 ip address 192.168.48.68 255.255.255.248 secondary
 ip address 192.168.48.69 255.255.255.248 secondary
 ip address 192.168.48.70 255.255.255.248 secondary
 ip address 192.168.48.65 255.255.255.248
 ip ospf network point-to-point
!
interface Loopback2
 ip address 192.168.48.74 255.255.255.248 secondary
 ip address 192.168.48.75 255.255.255.248 secondary
 ip address 192.168.48.76 255.255.255.248 secondary
 ip address 192.168.48.77 255.255.255.248 secondary
 ip address 192.168.48.73 255.255.255.248
 ip ospf network point-to-point
!
interface Loopback3
 ip address 192.168.48.82 255.255.255.248 secondary
 ip address 192.168.48.83 255.255.255.248 secondary
 ip address 192.168.48.84 255.255.255.248 secondary
 ip address 192.168.48.85 255.255.255.248 secondary
 ip address 192.168.48.81 255.255.255.248
 ip ospf network point-to-point
!
interface Loopback4
 ip address 192.168.80.2 255.255.255.224 secondary
 ip address 192.168.80.3 255.255.255.224 secondary
 ip address 192.168.80.4 255.255.255.224 secondary
 ip address 192.168.80.5 255.255.255.224 secondary
 ip address 192.168.80.6 255.255.255.224 secondary
 ip address 192.168.80.7 255.255.255.224 secondary
 ip address 192.168.80.1 255.255.255.224
 ip ospf network point-to-point
!
interface Loopback5
 ip address 192.168.80.34 255.255.255.224 secondary
 ip address 192.168.80.35 255.255.255.224 secondary
 ip address 192.168.80.36 255.255.255.224 secondary
 ip address 192.168.80.37 255.255.255.224 secondary
 ip address 192.168.80.38 255.255.255.224 secondary
 ip address 192.168.80.39 255.255.255.224 secondary
 ip address 192.168.80.33 255.255.255.224
 ip ospf network point-to-point
!
interface Loopback6
 description Human Resources - Intranet/Web Service
 ip address 192.168.48.138 255.255.255.248 secondary
 ip address 192.168.48.139 255.255.255.248 secondary
 ip address 192.168.48.137 255.255.255.248
 ip ospf network point-to-point
!
interface Port-channel1
 switchport mode trunk
!
interface Port-channel2
 switchport mode trunk
!
interface Port-channel3
 switchport mode trunk
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
 switchport access vlan 210
!
!
interface FastEthernet1/9
 switchport mode trunk
 channel-group 2 mode on
!
interface FastEthernet1/10
 switchport mode trunk
 channel-group 2 mode on
!
interface FastEthernet1/11
 switchport mode trunk
 channel-group 3 mode on
!
interface FastEthernet1/12
 switchport mode trunk
 channel-group 3 mode on
!
interface FastEthernet1/13
 switchport mode trunk
 channel-group 1 mode on
!
interface FastEthernet1/14
 switchport mode trunk
 channel-group 1 mode on
!
interface FastEthernet1/15
!
interface Vlan1
 no ip address
!
interface Vlan108
 ip address 192.168.32.18 255.255.255.240
 ip access-group CTRL-RETAIL-TELLER in
!
interface Vlan708
 ip address 192.168.32.34 255.255.255.240
 ip access-group CTRL-RETAIL-TELLER in
!
router ospf 1
 router-id 10.10.11.3
 log-adjacency-changes
 passive-interface default
 no passive-interface Vlan108
 no passive-interface Vlan708
 network 192.168.32.18 0.0.0.0 area 1003
 network 192.168.32.34 0.0.0.0 area 1003
 network 192.168.48.64 0.0.0.31 area 1003
 network 192.168.80.0 0.0.0.7 area 1003
 network 192.168.80.32 0.0.0.7 area 1003
!
ip http server
no ip http secure-server
!
ip access-list extended CTRL-RETAIL-TELLER
 permit ip 192.168.48.0 0.0.0.15 192.168.48.68 0.0.0.1
 permit ip 192.168.48.32 0.0.0.7 192.168.48.68 0.0.0.1
 deny   ip any 192.168.48.64 0.0.0.7
 permit ip any any
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
end

The ip nat statistics on R1 show the following:

R1#sh ip nat stat
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
  Ethernet1/0
Inside interfaces:
  Ethernet1/1.17, Ethernet1/1.18
Hits: 0  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list NAT-GRP interface Ethernet1/0 refcount 0
-- Inside Destination
[Id: 2] access-list RETAIL-WEB-GLOBAL pool RETAIL-WEB-LOCAL refcount 0
 pool RETAIL-WEB-LOCAL: netmask 255.255.255.248
        start 192.168.48.74 end 192.168.48.75
        type rotary, total addresses 2, allocated 0 (0%), misses 0
Queued Packets: 0

Problem: when I try to ping 200.200.17.34 from the ISP, it fails. It doesn't even create any ip nat translation entries. It tries to route the address without going through NAT at all. (The ISP has a route for 200.200.17.34, and when I debug ip packets, the packets arrive at R1. I also added a route for 200.200.17.34 on R1, because before I added that route R1 tried to route first and failed. So I thought it does routing first and then translation. But even with the route added, it still doesn't translate.) What am I doing wrong?

I'm not sure whether it makes any difference, but there is an L2 switch between R1 and SW3.
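As an added illustration, not code from the question or the answer, here is a small Python model of what R1's "ip nat inside destination ... type rotary" mapping does with a packet arriving on the outside interface: it parses the pool, the standard ACL and the mapping from the question's config, hands out pool addresses round-robin, and, following Cisco's documentation of rotary pools as TCP load distribution, treats only TCP as eligible for translation. The embedded config text is a constructed excerpt of the R1 config above; the TCP-only rule is taken from Cisco's documentation, not from this page.

```python
import ipaddress
from itertools import cycle
# Constructed excerpt of the R1 NAT configuration quoted in the question.
R1_NAT_CONFIG = """
ip nat pool RETAIL-WEB-LOCAL 192.168.48.74 192.168.48.75 prefix-length 29 type rotary
ip nat inside destination list RETAIL-WEB-GLOBAL pool RETAIL-WEB-LOCAL
ip access-list standard RETAIL-WEB-GLOBAL
 permit 200.200.17.34
"""

def parse_nat_config(text):
    # Extract pools, standard ACLs and inside-destination mappings from IOS config text.
    pools, acls, mappings, current_acl = {}, {}, [], None
    for p in filter(None, (line.split() for line in text.splitlines())):
        if p[:3] == ["ip", "nat", "pool"]:
            start, end = int(ipaddress.ip_address(p[4])), int(ipaddress.ip_address(p[5]))
            addrs = [str(ipaddress.ip_address(a)) for a in range(start, end + 1)]
            pools[p[3]] = {"addresses": addrs, "rotary": "rotary" in p}
        elif p[:4] == ["ip", "nat", "inside", "destination"]:
            mappings.append({"acl": p[5], "pool": p[7]})
        elif p[:3] == ["ip", "access-list", "standard"]:
            current_acl = acls.setdefault(p[3], [])
        elif p[0] == "permit" and current_acl is not None:
            current_acl.append((p[1], p[2] if len(p) > 2 else "0.0.0.0"))  # no wildcard = host
    return pools, acls, mappings

def acl_matches(acl, addr):
    # Standard ACL semantics: compare only the bits the wildcard mask does not cover.
    a = int(ipaddress.ip_address(addr))
    for host, wildcard in acl:
        keep = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if a & keep == int(ipaddress.ip_address(host)) & keep:
            return True
    return False

class RotaryDestinationNat:
    # Inside-destination rotary mapping: round-robin over the pool, new TCP sessions only.
    def __init__(self, config_text):
        self.pools, self.acls, self.mappings = parse_nat_config(config_text)
        self._rr = {n: cycle(pl["addresses"]) for n, pl in self.pools.items() if pl["rotary"]}

    def translate(self, proto, dst_ip):
        # Rotary pools do TCP load distribution (per Cisco NAT docs): non-TCP traffic such as
        # an ICMP echo to the global address is not translated, so no entry ever appears.
        if proto.lower() != "tcp":
            return None
        for m in self.mappings:
            if acl_matches(self.acls[m["acl"]], dst_ip) and m["pool"] in self._rr:
                return next(self._rr[m["pool"]])
        return None
```

Feeding the model an ICMP echo to 200.200.17.34 returns no translation, while successive TCP connections to the same address alternate between 192.168.48.74 and .75.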

1 Answer

Change ip nat inside destination list RETAIL-WEB-GLOBAL pool RETAIL-WEB-LOCAL to: ip nat outside destination list RETAIL-WEB-GLOBAL pool RETAIL-WEB-LOCAL