动、静态NAT及NAT端口映射和PAT转换

动、静态NAT及NAT端口映射和PAT转换
（一）静态NAT将一个私有地址，转换成一个共有地址，（一对一的），如下图：及将私有地址 192.168.10.10 转换成公有地址188.88.88.88R1(config-if)#ip nat inside 将nat运用在接口inside方向R1(config-if)#ip nat outside 将nat运用在接口outside方向R1(config)#ip nat inside source static 192.168.10.0 188.88.88.88 配置静态nat转换R1#clear ip nat translation * 清除所有nat转换条目，静态绑定的不会清除R1#show run | s nat 查看nat配置信息R1#show ip nat translations 查看nat转换条目










（二）动态NAT
动态pat也是将一个私有地址“配对”一个公有地址（一对一），不同的是，需要到公有池拿地址，当公有池地址拿尽，私有地址将无法上网，如下图：及将私有地址 192.168.20.10 转换成公有地址188.88.88.1R1(config)#ip nat pool dtnat 188.88.88.1 188.88.88.8 netmask 255.255.0.0 创建公有地址池名，及地址池段R1(config)#ip access-list extended dtnat 创建acl列表R1(config-ext-nacl)#permit ip 192.168.20.0 0.0.0.255 any 只允许192.168.20段拿地址R1(config)#ip nat inside source list dtnat pool dtnat 将acl运用在nat地址池








（三）NAT端口映射外网需要访问内网服务，可通过端口映射外网口实现1.通过nat端口映射（非23端口）2.R1(config)#ip nat inside source static tcp 192.168.1.1 23 202.106.1.1 2323 R2#telnet 202.106.1.1 2321 telnet时需加端口号





2通过nat端口映射（出口路由端口）R1(config)#ip nat inside source static tcp 192.168.1.2 23 interface FastEthernet0/0 23R2#telnet 202.106.1.1 直接telnet，无需加端口号


（四）PAT多个私有地址对一个公有地址1.复用路由器外部接口地址（出口路由端口）m1(config)#ip nat inside source list jkpat interface fastEthernet 0/0 overload 调用acl列表，并复用路由器外部接口地址 R1(config)#ip access-list extended jkpat 创建acl列表R1(config-ext-nacl)#permit ip 192.168.30.0 0.0.0.255 any 只允许192.168.30段拿地址








2.复用外部全局地址上公网(即：公网池地址)R1(config)#ip access-list extended wbpat 创建aclR1(config-ext-nacl)#permit ip 192.168.40.0 0.0.0.255 any 只允许192.168.40段拿地址R1(config)#ip nat pool wbpat 188.88.188.188 188.88.188.188 netmask 255.255.255.0 创建地址池，但起始地址和结束地址一样R1(config)#ip nat inside source list wbpat pool wbpat overload 将acl运用于地址池








例：


Sw1配置!enable secret 5 $1$JaRM$fGHpEp7K86hWT2tlu8rGN1enable password 123!interface FastEthernet1/1switchport access vlan 10!interface FastEthernet1/2switchport access vlan 20!interface FastEthernet1/3switchport access vlan 30!interface FastEthernet1/4switchport access vlan 40!interface FastEthernet1/15switchport mode trunk!interface Vlan1ip address 192.168.1.2 255.255.255.0!ip default-gateway 192.168.1.1!line vty 0 4password 123login!M1配置!enable secret 5 $1$It7v$xsKp.1aAthQFXIsMkC8CY.!interface FastEthernet1/0no switchportip address 192.168.100.1 255.255.255.0!interface FastEthernet1/15switchport mode trunk!interface Vlan1ip address 192.168.1.1 255.255.255.0!interface Vlan10ip address 192.168.10.1 255.255.255.0!interface Vlan20ip address 192.168.20.1 255.255.255.0!interface Vlan30ip address 192.168.30.1 255.255.255.0!interface Vlan40ip address 192.168.40.1 255.255.255.0!ip route 0.0.0.0 0.0.0.0 192.168.100.2!line vty 0 4password 123login!R1配置!interface FastEthernet0/0ip address 202.106.1.1 255.255.255.252ip nat outside!interface FastEthernet0/1ip address 192.168.100.2 255.255.255.0ip nat inside!!ip route 0.0.0.0 0.0.0.0 202.106.1.2ip route 192.168.1.0 255.255.255.0 192.168.100.1ip route 192.168.10.0 255.255.255.0 192.168.100.1ip route 192.168.20.0 255.255.255.0 192.168.100.1ip route 192.168.30.0 255.255.255.0 192.168.100.1ip route 192.168.40.0 255.255.255.0 192.168.100.1!ip nat pool dtnat 188.88.88.1 188.88.88.8 netmask 255.255.0.0ip nat pool wbpat 188.88.188.188 188.88.188.188 netmask 255.255.255.0ip nat inside source list dtnat pool dtnatip nat inside source list jkpat interface FastEthernet0/0 overloadip nat inside source list wbpat pool wbpat overloadip nat inside source static tcp 192.168.1.2 23 interface FastEthernet0/0 23ip nat inside source static 192.168.10.10 188.88.88.88ip nat inside source static tcp 192.168.10.1 23 202.106.1.1 2321 extendable!ip access-list extended dtnatpermit ip 192.168.20.0 0.0.0.255 anyip access-list extended jkpatpermit ip 192.168.30.0 0.0.0.255 anyip access-list extended wbpatpermit ip 192.168.40.0 0.0.0.255 any!R2配置!interface FastEthernet0/0ip address 202.106.1.2 255.255.255.252!ip route 188.88.0.0 255.255.0.0 202.106.1.1!