Network Address Translation NAT-PAT.ppt

Uploader: xt****7  Document ID: 16173661  Upload date: 2020-09-21  Format: PPT  Pages: 28  Size: 505.50 KB
Chapter 14: Scaling IP Addresses with NAT and PAT

Objectives

Upon completion of this chapter, you will be able to perform the following tasks:
- Identify how NAT and PAT solve the limited IP address problem and describe how they operate
- Configure NAT and PAT
- Verify NAT and PAT

Chapter Activities

[Figure: network diagram with a Windows 95 PC and modem, a branch office, a small office and a central site connected over ISDN/analog, Frame Relay, PRI, BRI and async links, with an AAA server. A packet with SA 10.1.1.1 leaves with SA 192.168.2.2; the NAT table maps inside local IP address 10.1.1.1 to inside global IP address 192.168.2.2. Label: PAT.]

Why Use NAT?

Use NAT if:
- You need to connect to the Internet and your hosts do not have globally unique IP addresses
- You change over to a new ISP that requires you to renumber your network
- Two intranets with duplicate addresses merge
- You want to support basic load sharing

NAT Implementation Considerations

Advantages
- Conserves legally registered addresses
- Reduces address overlap occurrence
- Increases flexibility when connecting to Internet
- Eliminates address renumbering as network changes

Disadvantages
- Translation introduces switching path delays
- Loss of end-to-end IP traceability
- Certain applications will not function with NAT enabled

NAT Overview and Terminology

[Figure: inside hosts 10.1.1.1 and 10.1.1.2 reach Host B (172.20.7.3) on the Internet through the NAT router. Outbound: SA 10.1.1.1 becomes SA 192.168.2.2. Inbound: DA 192.168.2.2 becomes DA 10.1.1.1. Address labels A, B, C, D.]

Simple NAT table:

    Inside Local IP Address    Inside Global IP Address
    10.1.1.2                   192.168.2.3
    10.1.1.1                   192.168.2.2

NAT Operation

NAT table:

    Inside Local IP Address    Inside Global IP Address
    10.1.1.1                   192.168.2.2
    10.1.1.2                   192.168.2.3

NAT functions:
- Translating inside local addresses
- Overloading inside global addresses
- TCP load distribution
- Handling overlapping networks

Translating Inside Local Addresses

[Figure: inside hosts 10.1.1.1, 10.1.1.2 and 10.1.1.3 reach Host B (172.20.7.3) on the Internet, steps 1 to 5. Outbound: SA 10.1.1.1 becomes SA 192.168.2.2. Inbound: DA 192.168.2.2 becomes DA 10.1.1.1.]

NAT table:

    Inside Local IP Address    Inside Global IP Address
    10.1.1.3                   192.168.2.4
    10.1.1.2                   192.168.2.3
    10.1.1.1                   192.168.2.2

Overloading Inside Global Addresses

[Figure: inside hosts 10.1.1.1, 10.1.1.2 and 10.1.1.3 reach Host B (172.20.7.3) and Host C (172.21.7.3) on the Internet, steps 1 to 5. Outbound: SA 10.1.1.1 becomes SA 192.168.2.2. Inbound: DA 192.168.2.2 becomes DA 10.1.1.1.]

NAT table:

    Protocol  Inside Local IP Address:Port  Inside Global IP Address:Port  Outside Global IP Address:Port
    TCP       10.1.1.3:1723                 192.168.2.2:1492               172.21.7.3:23
    TCP       10.1.1.2:1723                 192.168.2.2:1723               172.21.7.3:23
    TCP       10.1.1.1:1024                 192.168.2.2:1024               172.20.7.3:23

TCP Load Distribution

[Figure: Host B (172.20.7.3) and Host C (172.21.7.3) on the Internet connect to virtual host 10.1.1.127, which is served by real hosts 10.1.1.1, 10.1.1.2 and 10.1.1.3, steps 1 to 5. Inbound: DA 10.1.1.127 becomes DA 10.1.1.1. Outbound: SA 10.1.1.1 becomes SA 10.1.1.127.]

NAT table:

    Protocol  Inside Local IP Address:Port  Inside Global IP Address:Port  Outside Global IP Address:Port
    TCP       10.1.1.1:80                   10.1.1.127:80                  172.20.7.3:3058
    TCP       10.1.1.2:80                   10.1.1.127:80                  172.21.7.3:4371
    TCP       10.1.1.3:80                   10.1.1.127:80                  172.20.7.3:3062

Handling Overlapping Networks

[Figure: inside host 10.1.1.1 reaches DNS server x.x.x.x and Host C (10.1.1.3) across the Internet.]

NAT table:

    Inside Local IP Address    Inside Global IP Address    Outside Global IP Address    Outside Local IP Address
    10.1.1.1                   192.2.2.2                   10.1.1.3                     193.3.3.3

Message flow:
- DNS request for host C address. Inside: SA=10.1.1.1 DA=x.x.x.x. Outside: SA=192.2.2.2 DA=x.x.x.x.
- DNS response from x.x.x.x. Outside: SA=x.x.x.x DA=192.2.2.2 C=10.1.1.3. Inside: SA=x.x.x.x DA=10.1.1.1 C=193.3.3.3.
- 10.1.1.1 message to host C. Inside: SA=10.1.1.1 DA=193.3.3.3. Outside: SA=192.2.2.2 DA=10.1.1.3.

Static NAT Configuration Example

    ip nat inside source static 10.1.1.1 192.168.2.2
    !
    interface Ethernet0
     ip address 10.1.1.10 255.255.255.0
     ip nat inside
    !
    interface Serial0
     ip address 172.16.2.1 255.255.255.0
     ip nat outside
    !

- ip nat inside source static: Maps the inside local address to the inside global address.
- ip nat inside: This interface connected to the inside network.
- ip nat outside: This interface connected to the outside world.

Dynamic NAT Configuration

    ip nat pool dyn-nat 192.168.2.1 192.168.2.254 netmask 255.255.255.0
    ip nat inside source list 1 pool dyn-nat
    !
    interface Ethernet0
     ip address 10.1.1.10 255.255.255.0
     ip nat inside
    !
    interface Serial0
     ip address 172.16.2.1 255.255.255.0
     ip nat outside
    !
    access-list 1 permit 10.1.1.0 0.0.0.255
    !

- ip nat pool / ip nat inside source list: Translate between inside hosts addressed from 10.1.1.0/24 to the globally unique 192.168.2.0/24 network.
- ip nat inside: This interface connected to the inside network.
- ip nat outside: This interface connected to the outside world.

Configuring Inside Global Address Overloading

    ip nat pool ovrld-nat 192.168.2.1 192.168.2.2 netmask 255.255.255.0
    ip nat inside source list 1 pool ovrld-nat overload
    !
    interface Ethernet0/0
     ip address 10.1.1.10 255.255.255.0
     ip nat inside
    !
    interface Serial0/0
     ip address 172.16.2.1 255.255.255.0
     ip nat outside
    !
    access-list 1 permit 10.1.1.0 0.0.0.255

Configuring TCP Load Distribution

    ip nat pool real-hosts 10.1.1.1 10.1.1.126 prefix-length 24 type rotary
    ip nat inside destination list 2 pool real-hosts
    !
    interface serial0
     ip address 192.168.1.129 255.255.255.224
     ip nat outside
    !
    interface ethernet0
     ip address 10.1.1.254 255.255.255.0
     ip nat inside
    !
    access-list 2 permit 10.1.1.127

Configuring NAT to Translate Overlapping Addresses

    ip nat pool net-2 192.2.2.1 192.2.2.254 prefix-length 24
    ip nat pool net-10 10.0.1.1 10.0.1.254 prefix-length 24
    ip nat outside source list 1 pool net-2
    ip nat inside source list 1 pool net-10
    !
    interface Serial0
     ip address 171.69.232.182 255.255.255.240
     ip nat outside
    !
    interface Ethernet0
     ip address 10.1.1.254 255.255.255.0
     ip nat inside
    !
    access-list 1 permit 10.1.1.0 0.0.0.255

Verifying NAT

Basic IP address translation:

    Router#show ip nat trans
    Pro Inside global      Inside local       Outside local      Outside global
    -   192.2.2.1          10.1.1.1           -                  -
    -   192.2.2.2          10.1.1.2           -                  -

IP address translation with overloading:

    Router#sh ip nat trans
    Pro Inside global      Inside local       Outside local      Outside global
    tcp 192.168.2.1:11003  10.1.1.1:11003     172.16.2.2:23      172.16.2.2:23
    tcp 192.168.2.1:1067   10.1.1.1:1067      172.16.2.3:23      172.16.2.3:23

- A translation for a Telnet is still active.
- Two different inside hosts appear on the outside with a single IP address.
- Unique TCP port numbers are used to distinguish between hosts.

Troubleshooting NAT

    Router#debug ip nat
    NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [0]
    NAT: s=172.16.2.2, d=192.168.2.1->10.1.1.1 [0]
    NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [1]
    NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [2]
    NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [3]
    NAT*: s=172.16.2.2, d=192.168.2.1->10.1.1.1 [1]
    NAT: s=172.16.2.2, d=192.168.2.1->10.1.1.1 [1]
    NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [4]
    NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [5]
    NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [6]
    NAT*: s=172.16.2.2, d=192.168.2.1->10.1.1.1 [2]

- An example address translation inside-to-outside.
- A reply to the packet sent.
- An example TCP conversation, inside-to-outside.
- * Indicates translation was in the fast path.

Clearing NAT Translation Entries

All entries are cleared:

    Router#sh ip nat trans
    Pro Inside global      Inside local       Outside local      Outside global
    tcp 192.168.2.1:11003  10.1.1.1:11003     172.16.2.2:23      172.16.2.2:23
    tcp 192.168.2.1:1067   10.1.1.1:1067      172.16.2.3:23      172.16.2.3:23
    router#clear ip nat trans *
    router#
    router#show ip nat trans

192.168.2.2 is cleared:

    router#show ip nat trans
    Pro Inside global      Inside local       Outside local      Outside global
    udp 192.168.2.2:1220   10.1.1.2:1120      171.69.2.132:53    171.69.2.132:53
    tcp 192.168.2.1:11003  10.1.1.1:11003     172.16.2.2:23      172.16.2.2:23
    tcp 192.168.2.1:1067   10.1.1.1:1067      172.16.2.3:23      172.16.2.3:23
    router#clear ip nat trans udp inside 192.168.2.2 1220 10.1.1.2 1120 171.69.2.132 53 171.69.2.132 53
    router#show ip nat trans
    Pro Inside global      Inside local       Outside local      Outside global
    tcp 192.168.2.1:11003  10.1.1.1:11003     172.16.2.2:23      172.16.2.2:23
    tcp 192.168.2.1:1067   10.1.1.1:1067      172.16.2.3:23      172.16.2.3:23

PAT Overview

[Figure: two topologies, each with inside hosts 10.1.1.1 and 10.1.1.2 reaching the Internet through the router's outside interface, one through a Cisco IOS router and one through a 700 router. Labels: PAT, NAT / PAT.]

PAT Overview (cont.)

- Enables hosts on private networks to communicate over public networks
- Conserves IP addresses

[Figure: private network hosts 10.1.1.1 and 10.1.1.2 reach the Internet as 192.168.2.2.]

PAT Porthandler Operation

Only packets destined for the server (by type) are allowed through.

[Figure: incoming FTP passes from the access router through the telephone company to the Cisco 700, which forwards it to the FTP server at 10.0.0.108.]

Configuring PAT

[Figure: router Cisco1 (inside 10.0.0.1, outside 192.168.2.1) connects over ISDN to 192.168.2.2. The inside network holds the FTP server 10.0.0.108, the NT server mydomain, a DHCP server and DHCP client 10.0.0.2.]

    > SEt SYStem 7xx
    7XX> SEt USer Cisco1
    7xx:Cisco1> SEt IP PAT ON
    7xx:Cisco1> cd
    7xx> SEt IP PAT POrt FTP 10.0.0.108

Monitoring PAT

    7xx:Cisco1> show ip pat
    Dropped - icmp 0, udp 0, tcp 0, map 0, frag 0
    Timeout - udp 5 minutes, tcp 30 minutes
    Port handlers no default:
    Port   Handler      Service
    -
    21     10.0.0.108   FTP
    23     Router       TELNET
    67     Router       DHCP Server
    68     Router       DHCP Client
    69     Router       TFTP
    80     Router       HTTP
    161    Router       SNMP
    162    Router       SNMP-TRAP
    520    Router       RIP

Laboratory Exercise: Visual Objective

[Figure: branch office Cisco 1600 (S0) connected over Frame Relay to the central site Cisco 3640 (S3/1); NAT with SA 192.1.1.1.]

Summary

After completing this chapter, you should be able to perform the following tasks:
- Identify how NAT and PAT solve the limited IP address problem and describe how they operate
- Configure NAT and PAT
- Verify NAT and PAT

Review Questions

- What is the difference between a simple translation entry and an extended translation entry? State how each is used.
- Give one or more examples when NAT could be used.
- Your networks are addressed using 10.1.1.0/24 subnets. Your ISP provides you a globally unique address of 192.1.1.0/24. What commands do you use to translate from 10.1.1.0/24 to 192.1.1.0/24?
- When viewing the output of the show ip nat translations command, how can you determine when an inside global address is being used for overloading inside global addresses?
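
Added example (not part of the original slides): a Python parser for output in the show ip nat translations layout shown under Verifying NAT. It separates simple entries from extended ones, reports inside global addresses shared by several inside hosts, and maps an externally observed address and port back to the inside host, which is how the end-to-end traceability lost to overloading is recovered from the table. The sample rows are constructed from the addresses in the Overloading Inside Global Addresses table, the function names are illustrative, and empty columns are accepted as either "-" or "---".

```python
from collections import defaultdict

# Constructed sample in the `show ip nat translations` layout, using the
# addresses from the "Overloading Inside Global Addresses" NAT table.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 192.168.2.2:1723   10.1.1.2:1723      172.21.7.3:23      172.21.7.3:23
tcp 192.168.2.2:1024   10.1.1.1:1024      172.20.7.3:23      172.20.7.3:23
tcp 192.168.2.2:1492   10.1.1.3:1723      172.21.7.3:23      172.21.7.3:23
--- 192.2.2.1          10.1.1.1           ---                ---
"""
COLUMNS = ("inside_global", "inside_local", "outside_local", "outside_global")

def _endpoint(field):
    """'192.168.2.2:1492' -> ('192.168.2.2', 1492); bare IP -> (ip, None); dashes -> (None, None)."""
    if not field.strip("-"):
        return (None, None)
    ip, _, port = field.partition(":")
    return (ip, int(port) if port else None)

def parse_translations(text):
    """Return one dict per translation row; the header (nine tokens) is skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        entry = dict(zip(COLUMNS, map(_endpoint, parts[1:])))
        entry["proto"] = parts[0] if parts[0].strip("-") else None
        entries.append(entry)
    return entries

def is_extended(entry):
    """Extended entries carry a protocol and ports; simple entries map address to address."""
    return entry["proto"] is not None and entry["inside_global"][1] is not None

def overloaded_globals(entries):
    """Inside global IPs shared by more than one inside local host (overloading in use)."""
    hosts = defaultdict(set)
    for e in filter(is_extended, entries):
        hosts[e["inside_global"][0]].add(e["inside_local"][0])
    return {g: sorted(h) for g, h in hosts.items() if len(h) > 1}

def attribute(entries, proto, global_ip, global_port):
    """Map an externally observed proto/address/port back to (inside IP, inside port)."""
    for e in filter(is_extended, entries):
        if e["proto"] == proto and e["inside_global"] == (global_ip, global_port):
            return e["inside_local"]
    return None
```

Translation entries expire (the Monitoring PAT output above shows timeouts of udp 5 minutes and tcp 30 minutes), so attribution after the fact needs a table capture or translation log taken at the time of the event.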