NAT (network address translation)
Converts private addresses to public addresses for Internet access.
It also hides the internal network, which helps protect it.
Private addresses are usually used on a company's internal network.
Static NAT: one-to-one translation, converting one private address to one public address
Dynamic NAT: many-to-many translation, converting a large number of private addresses to a small number of public addresses
PAT (port address translation): many-to-one translation, converting a large number of private addresses to one public address

Configuration of static NAT
Static NAT is generally used when publishing intranet servers.
1. First decide which router to configure NAT on
2. Configure NAT conversion:
R2(config)#ip nat inside source static 192.168.20.2 220.127.116.11
3. Specify the inside and outside ports
inside: the gateway interface of the internal network
outside: the outbound interface of the exit router
R2(config)#int f0/0
R2(config-if)#ip nat outside
R2(config)#int f0/1
R2(config-if)#ip nat inside
4. Debugging and verification commands:
debug ip nat
undebug ip nat //Turn off NAT debugging
undebug all //Turn off all debugging
show running-config
show ip nat ?
5. Configured this way, every service on the server at source address 192.168.20.100 is published to the Internet.
For security, publish only the services that need to be published.
For example, to publish only the web service to the public:
R3(config)#ip nat inside source static tcp 192.168.20.100 80 18.104.22.168 80
R3(config)#interface f0/1
R3(config-if)#ip nat inside
R3(config)#int f0/0
R3(config-if)#ip nat outside
//Port 53 (DNS) is published the same way, for both TCP and UDP
R3(config)#ip nat inside source static tcp 192.168.20.100 53 22.214.171.124 53
R3(config)#ip nat inside source static udp 192.168.20.100 53 126.96.36.199 53
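An added example (not part of the original page): a small Python check that reads the static NAT statements from an IOS configuration and separates whole-host mappings, which publish every service as described in step 5, from port-specific ones. The sample configuration and its 203.0.113.x public addresses are constructed placeholders, and the function name audit_static_nat is hypothetical.

```python
import re

# Constructed sample running-config excerpt (public addresses are
# documentation-range placeholders, not values from the page).
SAMPLE_CONFIG = """\
ip nat inside source static 192.168.20.2 203.0.113.2
ip nat inside source static tcp 192.168.20.100 80 203.0.113.10 80
ip nat inside source static tcp 192.168.20.100 53 203.0.113.10 53
ip nat inside source static udp 192.168.20.100 53 203.0.113.10 53
"""

# Port-specific form: static <tcp|udp> <local-ip> <local-port> <global-ip> <global-port>
PORT_RULE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)\b")
# Whole-host form: static <local-ip> <global-ip>
HOST_RULE = re.compile(
    r"^ip nat inside source static (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)\b")


def audit_static_nat(config_text):
    """Return (whole_host, published) from IOS static NAT statements.

    whole_host: list of (local_ip, global_ip) where every service is exposed.
    published:  dict local_ip -> sorted list of (proto, local_port, global_port).
    """
    whole_host, published = [], {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = PORT_RULE.match(line)
        if m:
            proto, local_ip, lport, _global_ip, gport = m.groups()
            published.setdefault(local_ip, []).append((proto, int(lport), int(gport)))
            continue
        m = HOST_RULE.match(line)
        if m:
            whole_host.append(m.groups())
    for rules in published.values():
        rules.sort()
    return whole_host, published


if __name__ == "__main__":
    hosts, ports = audit_static_nat(SAMPLE_CONFIG)
    for local_ip, global_ip in hosts:
        print(f"REVIEW: {local_ip} -> {global_ip} exposes every service")
    for local_ip, rules in ports.items():
        for proto, lport, gport in rules:
            print(f"ok: {local_ip}:{lport}/{proto} published on port {gport}")
```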
In essence, dynamic NAT works the same way as static NAT, except that a translation address pool is defined first. When a PC makes an outbound connection request, an IP address is taken from the pool. When the connection ends, that IP is put back into the pool for other PCs to use for outbound connections. Dynamic translation is very efficient, because one public IP can be reused many times by different hosts. This is more efficient than statically mapping a specific host. However, a specific internal address cannot be reached through a global address.
1. Configure address pool (public address pool):
R1(config)#ip nat pool zlt 188.8.131.52 184.108.40.206 netmask 255.255.255.0
2. Configure the allowed ACL
R1(config)#access-list 10 permit 192.168.10.0 0.0.0.255
3. Configure NAT conversion (translate the addresses matched by ACL 10 to pool zlt)
R1(config)#ip nat inside source list 10 pool zlt overload
4. Configure inside and outside ports
R1(config)#int f0/0
R1(config-if)#ip nat inside
R1(config)#int f0/1
R1(config-if)#ip nat outside
In many-to-one translation (PAT), a large number of private addresses are translated to one public address: multiple local addresses are mapped to the same global address, and the different local addresses are distinguished by port numbers. A typical use is sharing one Internet connection across a local area network.
R1(config)#ip nat pool zlt 220.127.116.11 18.104.22.168 netmask 255.255.255.0
R1(config)#access-list 10 permit 192.168.10.0 0.0.0.255
R1(config)#ip nat inside source list 10 pool zlt overload
//Or, translate to the address of the outside interface instead of a pool
R1(config)#access-list 10 permit 192.168.10.0 0.0.0.255
R1(config)#ip nat inside source list 10 interface f0/1 overload
R1(config)#int f0/0
R1(config-if)#ip nat inside
R1(config)#int f0/1
R1(config-if)#ip nat outside