Internal users reaching the Internet - PNAT

Switch configuration

Interface IP
interface GigabitEthernet1/0
no switchport
ip address 1.1.1.1 255.255.255.0

VLAN configuration
vlan 10
vlan 20
vlan 30
vlan 40

VLAN interface (SVI) configuration
interface Vlan10
ip address 10.1.1.1 255.255.255.0
!
interface Vlan20
ip address 20.1.1.1 255.255.255.0
!
interface Vlan30
ip address 30.1.1.1 255.255.255.0
!
interface Vlan40
ip address 40.1.1.1 255.255.255.0


User-facing port configuration
interface GigabitEthernet0/0
switchport access vlan 10
!
interface GigabitEthernet0/1
switchport access vlan 20
!
interface GigabitEthernet0/2
switchport access vlan 30
!
interface GigabitEthernet0/3
switchport access vlan 40

Route configuration
ip route 0.0.0.0 0.0.0.0 1.1.1.2

ISP router configuration

This simulates the ISP's public-network device; only an interface IP needs to be configured.
interface GigabitEthernet0/0
ip address 2.2.2.1 255.255.255.0

Router configuration

interface GigabitEthernet0/0
ip address 1.1.1.2 255.255.255.0
ip nat inside //defines the interface's NAT role; understood the same way as the ASA configuration

interface GigabitEthernet0/1
ip address 2.2.2.2 255.255.255.0
ip nat outside

Route configuration
ip route 0.0.0.0 0.0.0.0 2.2.2.1 //toward the ISP
ip route 10.1.1.0 255.255.255.0 1.1.1.1 //toward the internal network
ip route 20.1.1.0 255.255.255.0 1.1.1.1 //toward the internal network
ip route 30.1.1.0 255.255.255.0 1.1.1.1 //toward the internal network
ip route 40.1.1.0 255.255.255.0 1.1.1.1 //toward the internal network
!

NAT configuration
access-list 10 permit 10.1.1.0 0.0.0.255 log //the ACL defines which internal subnets are allowed to reach the Internet
ip nat inside source list 10 interface GigabitEthernet0/1 overload //user traffic to the Internet is translated to the interface's IP address

If there are multiple public IP addresses, define them as an address pool instead:

ip nat pool overload-pool 2.2.2.10 2.2.2.20 prefix-length 24
ip nat inside source list 10 pool overload-pool overload

One-to-one static NAT

ip nat inside source static 20.1.1.8 2.2.2.10

Effect:
20.1.1.8 is translated to 2.2.2.10 on the way out
Accessing 2.2.2.10 from outside actually reaches 20.1.1.8

Debug output for 20.1.1.8 going out

Debug output for outside access to 2.2.2.10

Port translation

ip nat inside source static tcp 30.1.1.8 23 2.2.2.11 10023 

Notes:
30.1.1.8 //internal address
23 //internal port
2.2.2.11 //public address
10023 //public port

Effect:
Maps port 23 of 30.1.1.8 to port 10023 of the public address 2.2.2.11
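The three NAT forms on this page (overload to the interface address gated by access-list 10, one-to-one static NAT, and static port translation) behave differently for traffic that starts from outside, which is the part a defender needs to track. The following is an added Python model, not configuration or code from the page, that reproduces the router's translation decisions for the addresses used above. It is a simplified model of Cisco IOS semantics: the access-list wildcard match, overload port allocation that keeps the original source port when free, and the rule that overload entries only admit replies to flows an inside host started, while static entries are reachable from outside at any time. The `PatRouter` class, `acl_permits` and `exposed_services` are hypothetical names introduced here; the address pool variant works the same way with a range of public addresses instead of the single interface IP.

```python
import ipaddress

# Constructed model of the router config on this page (simplified Cisco IOS PAT/static NAT semantics).
PUBLIC_IF_IP = "2.2.2.2"                       # GigabitEthernet0/1, used by "interface ... overload"
ACL_10 = [("10.1.1.0", "0.0.0.255")]           # access-list 10 permit 10.1.1.0 0.0.0.255
STATIC_HOSTS = {"20.1.1.8": "2.2.2.10"}        # ip nat inside source static 20.1.1.8 2.2.2.10
STATIC_PORTS = {                               # ip nat inside source static tcp 30.1.1.8 23 2.2.2.11 10023
    ("tcp", "2.2.2.11", 10023): ("30.1.1.8", 23),
}


def acl_permits(ip, acl):
    """Standard-ACL match: wildcard bit 0 = must match, 1 = don't care; implicit deny at the end."""
    addr = int(ipaddress.IPv4Address(ip))
    for network, wildcard in acl:
        net = int(ipaddress.IPv4Address(network))
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if addr & care == net & care:
            return True
    return False


class PatRouter:
    """Translation table of one NAT router: static entries are permanent, overload entries are learned."""

    def __init__(self, public_ip=PUBLIC_IF_IP):
        self.public_ip = public_ip
        self.dynamic = {}          # (proto, public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.used_ports = set()

    def _allocate_port(self, wanted):
        # IOS keeps the original source port when it is free; on a collision it picks another one.
        port = wanted if wanted not in self.used_ports else next(
            p for p in range(1024, 65536) if p not in self.used_ports)
        self.used_ports.add(port)
        return port

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Packet entering on 'ip nat inside'. Returns the (public_ip, public_port) it leaves with, or None."""
        if src_ip in STATIC_HOSTS:                           # one-to-one: every port, every protocol
            return STATIC_HOSTS[src_ip], src_port
        for (p, pub_ip, pub_port), inside in STATIC_PORTS.items():
            if p == proto and inside == (src_ip, src_port):  # the static port entry also applies outbound
                return pub_ip, pub_port
        if not acl_permits(src_ip, ACL_10):                  # not permitted by list 10: no overload translation
            return None
        for key, inside in self.dynamic.items():             # an existing flow reuses its entry
            if inside == (src_ip, src_port) and key[0] == proto and key[2:] == (dst_ip, dst_port):
                return self.public_ip, key[1]
        pub_port = self._allocate_port(src_port)
        self.dynamic[(proto, pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return self.public_ip, pub_port

    def inbound(self, proto, remote_ip, remote_port, dst_ip, dst_port):
        """Packet entering on 'ip nat outside'. Returns the (inside_ip, inside_port) it is delivered to, or None."""
        if (proto, dst_ip, dst_port) in STATIC_PORTS:
            return STATIC_PORTS[(proto, dst_ip, dst_port)]
        for inside_ip, pub_ip in STATIC_HOSTS.items():
            if pub_ip == dst_ip:
                return inside_ip, dst_port
        if dst_ip == self.public_ip:                         # overload: only replies to learned flows get in
            return self.dynamic.get((proto, dst_port, remote_ip, remote_port))
        return None


def exposed_services():
    """Defender's inventory: everything an outside host can reach without an inside host starting the flow."""
    hosts = sorted(f"{pub} -> {inside} (all ports)" for inside, pub in STATIC_HOSTS.items())
    ports = sorted(f"{p}/{pub}:{pp} -> {ip}:{ipp}" for (p, pub, pp), (ip, ipp) in STATIC_PORTS.items())
    return hosts + ports


if __name__ == "__main__":
    r = PatRouter()
    print(r.outbound("tcp", "10.1.1.5", 40000, "8.8.8.8", 80))   # translated to the interface address
    print(r.outbound("tcp", "40.1.1.7", 40000, "8.8.8.8", 80))   # VLAN 40 is not in access-list 10
    print(r.inbound("tcp", "8.8.8.8", 80, "2.2.2.2", 40000))     # reply to the learned flow
    print(exposed_services())
```

Running the model shows that only VLAN 10 hosts get overload translation, because access-list 10 permits just 10.1.1.0/24; a host in VLAN 40 leaves with its private address untranslated. It also makes the exposure of each static form explicit: the one-to-one entry makes every port of 20.1.1.8 reachable from outside, while the port entry exposes only TCP 10023 on 2.2.2.11, which is the inventory `exposed_services` returns.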