Internet access (source NAT) configuration

Configure basic interface settings
interface GigabitEthernet 0/0
ip address 88.1.1.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet 0/1
ip address 99.1.1.1 255.255.255.0
ip nat outside

Default route configuration
ip route 0.0.0.0 0.0.0.0 99.1.1.2

NAT pool configuration (the pool addresses may or may not be the outside interface's address; the only requirement is that the remote side has a return route so the pool addresses are reachable)
ip nat pool snatpool prefix-length 1
address 90.1.1.1 90.1.1.3 match interface GigabitEthernet 0/1
// multiple entries of the same type can be added, for example
address 90.2.2.1 90.2.2.3 match interface GigabitEthernet 0/2

Configure the ACL (specifies the internal source addresses allowed to access the Internet)
ip access-list standard 10
10 permit 10.1.1.0 0.0.0.255

Internet access NAT configuration, referencing the NAT pool
ip nat inside source list 10 pool snatpool overload



Port mapping (destination NAT) configuration

Port mapping configuration (maps port 22 of 10.1.1.1 to port 10022 of the public address 90.1.1.10)
ip nat inside source static tcp 10.1.1.1 22 90.1.1.10 10022 permit-inside


Extension: fine-grained control with an ACL

Configure the ACL
ip access-list extended outacl
10 permit icmp any any
20 permit tcp host 101.1.1.1 host 90.1.1.10 eq 10022
# an implicit deny follows the last entry

Apply the ACL on the outside interface, direction in
interface GigabitEthernet 0/1
ip access-group outacl in
ip address 99.1.1.1 255.255.255.0
ip nat outside
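Because outacl is applied inbound on the outside interface, it is evaluated against the public (pre-translation) destination 90.1.1.10:10022, not the inside address 10.1.1.1:22, and anything not explicitly permitted hits the implicit deny. The small evaluator below is an added example, not part of the original notes: it parses the two ACL entries above and checks sample flows, including a constructed unauthorized source (203.0.113.5) and an attempt to reach the inside port 22 directly.

```python
import ipaddress

# Constructed copy of the extended ACL from the notes above (outacl).
OUTACL = """
10 permit icmp any any
20 permit tcp host 101.1.1.1 host 90.1.1.10 eq 10022
"""


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'.

    Returns (network, remaining_tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # Cisco/Ruijie wildcard masks are hostmasks, which ipaddress accepts directly.
    net = ipaddress.ip_network((tokens[0], tokens[1]), strict=False)
    return net, tokens[2:]


def parse_acl(text):
    """Parse '<seq> permit|deny <proto> <src> <dst> [eq <port>]' lines into rules."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        seq, action, proto = int(t[0]), t[1], t[2]
        src, rest = _parse_addr(t[3:])
        dst, rest = _parse_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append((seq, action, proto, src, dst, port))
    return sorted(rules)  # entries are evaluated in sequence-number order


def evaluate(rules, proto, src, dst, dport=None):
    """Return (action, seq) of the first matching entry; implicit deny otherwise."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, action, rproto, rsrc, rdst, rport in rules:
        if rproto not in (proto, "ip"):
            continue
        if s in rsrc and d in rdst and (rport is None or rport == dport):
            return action, seq
    return "deny", None  # the implicit deny at the end of every ACL


if __name__ == "__main__":
    acl = parse_acl(OUTACL)
    # The admin host reaches the mapped public port; a stranger and the raw inside port are denied.
    print(evaluate(acl, "tcp", "101.1.1.1", "90.1.1.10", 10022))  # ('permit', 20)
    print(evaluate(acl, "tcp", "203.0.113.5", "90.1.1.10", 10022))  # ('deny', None)
    print(evaluate(acl, "tcp", "101.1.1.1", "90.1.1.10", 22))  # ('deny', None)
```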

View NAT sessions

Router#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 101.1.1.1:50102 101.1.1.1:50102 90.1.1.10:10022 10.1.1.1:22