View full version: A small discovery about dynamic NAT

作用权 2007-11-15 09:16

A small discovery about dynamic NAT

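After we configure dynamic NAT, once the IP addresses in the address pool are used up, if a user goes offline, it still takes some time before that user's IP address is released. As a result, one user going offline and another coming online cannot happen at the same time. To solve this problem, we can set the translation timeout so that the IP address is released in the shortest possible time. The configuration is: router(config)#ip nat translation timeout n, where n is in seconds.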

Inside Local (inside local address)
Configured IP address assigned to a host on the inside network. Address may be globally unique, allocated out of the private address space defined in RFC 1918, or might be officially allocated to another organization.
(An IP address assigned to a host on the inside network. The address can be globally unique, or it can be a private address defined in RFC 1918.)

Inside Global (inside global address)
The IP address of an inside host as it appears to the outside network, "Translated IP Address". Addresses can be allocated from a globally unique address space, typically provided by the ISP (if the enterprise is connected to the global Internet).
(A legitimate IP address assigned by a Regional Internet Registry (RIR) or a service provider. It can represent one or more inside local IP addresses.)

Outside Local (outside local address)
The IP address of an outside host as it appears to the inside network. These addresses can be allocated from the RFC 1918 space if desired.
(The IP address of an outside host as known to hosts on the inside network.)

Outside Global (outside global address)
The configured IP address assigned to a host in the outside network.
(The IP address assigned to a host on the outside network by that host's owner.)

CONFIGURATION EXAMPLES

The following sample configuration translates between inside hosts addressed from either the 192.168.1.0 or 192.168.2.0 nets to the globally-unique 171.69.233.208/28 network.

    ip nat pool net-20 171.69.233.208 171.69.233.223 netmask 255.255.255.240
    ip nat inside source list 1 pool net-20
    !
    interface Ethernet0
     ip address 171.69.232.182 255.255.255.240
     ip nat outside
    !
    interface Ethernet1
     ip address 192.168.1.94 255.255.255.0
     ip nat inside
    !
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 1 permit 192.168.2.0 0.0.0.255

The next sample configuration translates between inside hosts addressed from the 9.114.11.0 net to the globally unique 171.69.233.208/28 network. Packets from outside hosts addressed from 9.114.11.0 net (the "true" 9.114.11.0 net) are translated to appear to be from net 10.0.1.0/24.

    ip nat pool net-20 171.69.233.208 171.69.233.223 netmask 255.255.255.240
    ip nat pool net-10 10.0.1.0 10.0.1.255 netmask 255.255.255.0
    ip nat inside source list 1 pool net-20
    ip nat outside source list 1 pool net-10
    !
    interface Ethernet0
     ip address 171.69.232.182 255.255.255.240
     ip nat outside
    !
    interface Ethernet1
     ip address 9.114.11.39 255.255.255.0
     ip nat inside
    !
    access-list 1 permit 9.114.11.0 0.0.0.255

FEATURE ENHANCEMENTS (added features)

• More flexible pool configuration:
The pool configuration syntax has been extended to allow discontiguous ranges of addresses. The following syntax is now allowed:

    ip nat pool <name> { netmask <mask> | prefix-length <length> } [ type { rotary } ]

This command will put the user into IP NAT Pool configuration mode, where a sequence of address ranges can be configured. There is only one command in this mode:

    address <start> <end>

Example:

    Router(config)#ip nat pool fred prefix-length 24
    Router(config-ipnat-pool)#address 171.69.233.225 171.69.233.226
    Router(config-ipnat-pool)#address 171.69.233.228 171.69.233.238

This configuration creates a pool containing addresses 171.69.233.225-226 and 171.69.233.228-238 (171.69.233.227 has been omitted).

• Translating to interface's address:
As a convenience for users wishing to translate all inside addresses to the address assigned to an interface on the router, the NAT code allows one to simply name the interface when configuring the dynamic translation rule:

    ip nat inside source list <number> interface <interface> overload

If there is no address on the interface, or if the interface is not up, no translation will occur.

Example:

    ip nat inside source list 1 interface Serial0 overload

• Static translations with ports:
When translating addresses to an interface's address, outside-initiated connections to services on the inside network (like mail) will require additional configuration to send the connection to the correct inside host. This command allows the user to map certain services to certain inside hosts.

    ip nat inside source static { tcp | udp } <localaddr> <localport> <globaladdr> <globalport>

Example:

    ip nat inside source static tcp 192.168.10.1 25 171.69.232.209 25

In this example, outside-initiated connections to the SMTP port (25) will be sent to the inside host 192.168.10.1.

• Support for route maps:
The dynamic translation command can now specify a route-map to be processed instead of an access-list. A route-map allows the user to match any combination of access-list, next-hop IP address, and output interface to determine which pool to use:

    ip nat inside source route-map <name> pool <name>

Example:

    ip nat pool provider1-space 171.69.232.1 171.69.232.254 prefix-length 24
    ip nat pool provider2-space 131.108.43.1 131.108.43.254 prefix-length 24
    ip nat inside source route-map provider1-map pool provider1-space
    ip nat inside source route-map provider2-map pool provider2-space
    !
    interface Serial0/0
     ip nat outside
    !
    interface Serial0/1
     ip nat outside
    !
    interface Fddi1/0
     ip nat inside
    !
    route-map provider1-map permit 10
     match ip address 1
     match interface Serial0/0
    !
    route-map provider2-map permit 10
     match ip address 1
     match interface Serial0/1

• "Extendable" static translations:
The extendable keyword allows the user to configure several ambiguous static translations, where ambiguous translations are translations with the same local or global address.

    ip nat inside source static <localaddr> <globaladdr> extendable

Some customers want to use more than one service provider and translate into each provider's address space. You can use route-maps to base the selection of global address pool on output interface as well as an access-list match. Following is an example:

    ip nat pool provider1-space ...
    ip nat pool provider2-space ...
    ip nat inside source route-map provider1-map pool provider1-space
    ip nat inside source route-map provider2-map pool provider2-space
    !
    route-map provider1-map permit 10
     match ip address 1
     match interface Serial0/0
    !
    route-map provider2-map permit 10
     match ip address 1
     match interface Serial0/1
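
The pool-exhaustion behaviour described at the top of the post, as an added Python example that is not part of the original post or of Cisco's code: a simplified model of a dynamic (non-overload) NAT pool whose entries are released only after an idle timeout, built from `address <start> <end>` style ranges. The inside host addresses, the class and function names, and the 10-second polling step are assumptions made for illustration; 86400 seconds is the IOS default for this timer.

```python
import ipaddress

class DynamicNatPool:
    """Simplified model: one inside global address per inside local host."""
    def __init__(self, ranges, timeout):
        self.timeout = timeout              # seconds, as in `ip nat translation timeout n`
        self.free = []
        for start, end in ranges:           # discontiguous ranges, as in `address <start> <end>`
            lo = int(ipaddress.IPv4Address(start))
            hi = int(ipaddress.IPv4Address(end))
            self.free += [ipaddress.IPv4Address(i) for i in range(lo, hi + 1)]
        self.table = {}                     # inside local -> (inside global, last_used)

    def expire(self, now):
        # Release every translation that has been idle for at least `timeout`.
        for local, (glob, last) in list(self.table.items()):
            if now - last >= self.timeout:
                del self.table[local]
                self.free.append(glob)

    def translate(self, inside_local, now):
        """Return the inside global address, or None when the pool is exhausted."""
        self.expire(now)
        if inside_local in self.table:
            glob, _ = self.table[inside_local]   # existing entry, refresh its idle timer
        elif self.free:
            glob = self.free.pop(0)
        else:
            return None                          # no free address: the packet is not translated
        self.table[inside_local] = (glob, now)
        return str(glob)

def first_success_time(timeout, step=10, horizon=100000):
    """Two-address pool filled at t=0; when does a third host first get an address?"""
    pool = DynamicNatPool([("171.69.233.225", "171.69.233.226")], timeout)
    pool.translate("192.168.1.10", 0)       # constructed inside hosts; both go
    pool.translate("192.168.1.11", 0)       # offline (idle) right after t=0
    for t in range(0, horizon, step):
        if pool.translate("192.168.1.12", t):
            return t
    return None

if __name__ == "__main__":
    for n in (86400, 60):
        print(f"timeout {n}s: new host first translated at t={first_success_time(n)}s")
```

A shorter timeout frees addresses sooner, but a translation that expires while its host is only idle means the host may come back on a different inside global address, so NAT logs need timestamps to attribute an address to the right inside host.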