組網技術實驗四acl nat

ACL、showipaccess-listsIPshowipinterface access-list定義ACLaccess-class在vty下應用ACLipaccess-list定義命名的ACLtime-rangetime定義時間范圍clearipnattranslation*NATshowipnattranslation查看NAT表showipnatstatisticsNATdebugipnat動態(tài)查看NAT轉換過程ipnatinsidesourcestaticNATipnatinside配置NAT內部接口ipnatoutsideNATipnatpool配置動態(tài)NAT地址池ipnatinsidesourcelistaccess-list-numberpoolname配置動態(tài)ipnatinsidesourcelistaccess-list-numberpoolnameoverload標準ACL實驗拓撲如圖1圖1ACL本實驗拒絕PC2R2,同時只允許主機PC3R2TELNET服務。整個網絡配置EIGRP保證IP的連通性。R1(config)#routereigrp1R1(config-router)#networkR1(config-router)#networkR1(config-router)#noauto-summaryR2(config)#routereigrp1R2(config-router)#networkR2(config-router)#networkR2(config-router)#noauto-summaryR2(config)#access-list1deny55ACLR2(config)#access-list1permitanyR2(config)#interfaceR2(config-if)#ipaccess-group1inACLR2(config)#access-list2permitR2(config-if)#linevty0R2(config-line)#access-class2invtyACLR2(config-line)#passwordciscoR3(config)#routereigrp1R3(config-router)#networkR3(config-router)#noauto-summary括在routemap中的match應用和在vty下用“access-class”命令調用，來控制telnet“access-class”命令只對標準ACL在PC1ping，應該通，在PC2ping，應該不通，在主機PC3上TELNET，應該成功。showipaccess-R2#showipaccess-listsStandardIPaccesslist110deny,wildcardbits55(1120permitany(405matches)StandardIPaccesslist210permit(2以上輸出表明路由器R2上定義的標準訪問控制列表為“1”和“2”，括號中的數(shù)字表示匹配條件的數(shù)據包的個數(shù)，可以用“clearaccess-listcounters”將訪問控制列表計數(shù)showipR2#showipinterfaces0/0/0Serial0/0/0isup,lineprotocolisupInternetaddressis/24Broadcastaddressis55AddressdeterminedbysetupcommandMTUis1500bytesHelperaddressisnotDirectedbroadcastforwardingisdisabledMulticastreservedgroupsjoined:0OutgoingaccesslistisnotsetInboundaccesslistis擴展ACL實驗拓撲如圖1本實驗要求只允許PC2所在網段的主機訪問路由器R2的WWW和TELNET服務，并拒絕PC3所在網段PING路由器R2。刪除實驗1中定義的ACL，保留EIGRP的配置。3.R1(config)#access-list100permittcp55hosteqR1(config)#access-list100permittcp55hosteqwwweqeqeqtelnetR1(config)#interfaceR1(config-if)#ipaccess-group100R2(config)#noaccess-list1ACLR2(config)#noaccess-list2R2(config)#iphttpserverWEBR2(config)#linevty04R3(config)#access-list101denyicmp55hostR3(config)#access-list101denyicmp55hostR3(config)#access-list101denyicmp55hostR3(config)#access-list101permitipanyanyR3(config)#interfaceg0/0R3(config-if)#ipaccess-group101分別在PC2R2TELNETWWWR1#showipaccess-listsExtendedIPaccesslist10010permittcp55hosteqwww(820permittcp55hosteq30permittcp55hosteq40permittcp55hosteqtelnet(2050permittcp55hosteqtelnet(460permittcp55hosteqtelnet(4在PC3pingR2,R3*Feb2517:35:46.383:%SEC-6-IPACCESSLOGDP:list101deniedicmp->(0/0),1*Feb2517:41:08.959:%SEC-6-IPACCESSLOGDP:list101deniedicmp->(0/0),4*Feb2517:42:46.919:%SEC-6-IPACCESSLOGDP:list101deniedicmp-(0/0),1*Feb2517:42:56.803:%SEC-6-IPACCESSLOGDP:list101deniedicmp-(0/0),1R3#showaccess-listsExtendedIPaccesslist10110denyicmp55hostlog(520denyicmp55hostlog(530denyicmp55hostlog(540permitipanyany(6任務3：靜態(tài)NAT靜態(tài)NAT實驗拓撲如圖2圖2NAT提供NATR1(config)#ipnatsourcestatic//配置靜態(tài)NAT映射R1(config)#ipnatinsidesourcestaticR1(config)#interfaceR1(config-if)#ipnat//配置NAT內部接口R1(config)#interfaces0/0/0R1(config-if)#ipnatoutside//配置NAT外部接口R1(config)#routerripR1(config-router)#noauto-summaryR2(config)#routerripR2(config-router)#noauto-summarydebugip在PC1PC2Ping（路由器R2），此時應該是通的，路由器R1R1#debugip*Mar402:02:12.779:NAT*:s=->,d=*Mar402:02:12.791:NAT*:s=,d=->*Mar402:02:25.563:NAT*:s=->,d=*Mar402:02:25.579:NAT*:s=,d=->以上輸出表明了NAT的轉換過程。首先把私有地址“”和“”showipnat該命令用來查看NATNATR1#showipnatProInsideglobalInsidelocalOutsidelocalOutside----------------（insidelocal）地址：在內部網絡使用的地址，往往是RFC1918（insideglobal）地址：用來代替一個或多個本地IP向NIC注冊過的地址；（outsidelocal）地址：一個外部主機相對于內部網絡所用的IP（outsideglobal）地址：外部網絡主機的合法IP動態(tài)NAT動態(tài)NAT實驗拓撲如圖2步驟1：配置路由器R1NATR1(config)#ipnatpoolNAT00netmaskR1(config)#ipnatinsidesourcelist1pool//配置動態(tài)NATR1(config)#access-list1permit//允許動態(tài)NAT轉換的內部地址范圍R1(config)#interfaceg0/0R1(config-if)#ipnatinsideR1(config-if)#interfaces0/0/0R1(config-if)#ipnatoutside4.在PC（路由器R2）的WWWPC2telnetdebugipR1#debugipIPNATdebuggingisR1#clearipnattranslation*//清除動態(tài)NAT*Mar401:34:23.075:NAT*:s=->,d=*Mar401:34:23.087:NAT*:s=,d=->*Mar401:28:49.867:NAT*:s=->,d=*Mar401:28:49.875:NAT*:s=,d=->NAT轉換失敗，并丟棄數(shù)據包。*Feb2209:02:59.075:NAT:translationfailed(A),droppingpackets=showipnatR1#showipnatProInsideglobalInsidelocalOutsidelocalOutsideglobaltcp:1721:1721:80--------icmp:3:3:3tcp:14347:14347:23--------以上信息表明當PC1和PC2第一次訪問“”地址的時候,NAT路由器R1為主機PC1PC2“”和“”，在NAT為60）。在動態(tài)映射沒有過期（過期時間為86400）之前，再有應用從相同主機發(fā)起showipnat該命令用來查看NATR1#showipnatTotalactivetranslations:5(0static,5dynamic;3Outsideinterfaces://NAT外部接口Inside//NAT內部接口Hits:54Misses:6CEFTranslatedpackets:60,CEFPuntedpackets:5Expiredtranslations:12//NAT表中過期的轉換Dynamicmappings://動態(tài)映射--Inside[Id:1]access-list1poolNATrefcountpoolNAT:netmaskstartend00//地址池范圍typegeneric,totaladdresses98,allocated2(2%),misses//共982QueuedPackets:0任務5：PATPAToverloadPAT實驗拓撲如圖2步驟1：配置路由器R1NATR1(config)#ipnatpoolNAT00netmaskR1(config)#ipnatinsidesourcelist1poolNAToverload//配置PATR1(config)#access-list1permit55R1(config)#interfaceg0/0R1(config-if)#ipnatinsideR1(config-if)#ipnatoutside在PC（路由器R2）的WWWPC2telnetping（路由器R2的環(huán)回接口），調試結果如下：debugip*Mar401:53:47.983:NAT*:s=->,d=*Mar401:53:47.995:NAT*:s=,d=->*Mar401:54:03.015:NAT*:s=->,d=*Mar401:54:03.219:NAT*:s=,d=->showipnatR1#showip