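Four Types of Network Address Translation (NAT) and Applying ACL Access Control Policies
NAT lab summary:
When configuring static NAT, dynamic NAT or NAPT, the mapped external address must not be the external interface's own address; otherwise an IP address conflict occurs.
Network setup and configuration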
[LSW1]
interface Vlanif1
 ip address 192.168.1.1 255.255.255.0
#
interface Vlanif2
 ip address 192.168.2.1 255.255.255.0
#
interface Vlanif3
 ip address 172.16.1.1 255.255.255.0
#
interface Vlanif4
 ip address 172.16.2.1 255.255.255.0
#
interface Ethernet0/0/2
 port link-type access
 port default vlan 2
#
interface Ethernet0/0/3
 port link-type access
 port default vlan 3
#
interface Ethernet0/0/4
 port link-type access
 port default vlan 4
#
ip route-static 0.0.0.0 0.0.0.0 192.168.1.254
#
[AR1]
#
interface GigabitEthernet0/0/0
 ip address 192.168.1.254 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 10.0.0.1 255.0.0.0
#
rip 1
 version 2
 network 10.0.0.0
#
ip route-static 172.16.0.0 255.255.0.0 192.168.1.1
ip route-static 192.168.0.0 255.255.0.0 192.168.1.1
#
[AR2]
#
interface GigabitEthernet0/0/0
 ip address 10.0.0.2 255.0.0.0
#
interface GigabitEthernet0/0/1
 ip address 20.0.0.1 255.0.0.0
#
rip 1
 version 2
 network 20.0.0.0
 network 10.0.0.0
#
[AR3]
#
interface GigabitEthernet0/0/0
 ip address 20.0.0.2 255.0.0.0
#
interface GigabitEthernet0/0/1
 ip address 180.1.1.1 255.255.255.0
#
rip 1
 version 2
 network 20.0.0.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.0.1
#
ACL access control policies
Basic ACL
[LSW1]
#
acl number 2000
 rule 1 deny source 172.16.1.2 0
#
interface Ethernet0/0/5
 traffic-filter outbound acl 2000
#
Advanced ACL
[LSW1]
#
acl number 3000
 rule 1 deny ip source 192.168.2.0 0.0.0.255 destination 20.0.0.1 0
#
interface Ethernet0/0/5
 traffic-filter outbound acl 3000
#
Static NAT
[AR1]
#
interface GigabitEthernet0/0/1
 nat static global 10.0.0.3 inside 192.168.1.2 netmask 255.255.255.255
 nat static enable
#
Verifying static NAT
A packet capture shows that the statically mapped host uses the IP address 10.0.0.3 when it accesses AR3.
Dynamic NAT
[AR1]
#
nat address-group 1 10.0.0.4 10.0.0.5
#
acl number 2000
 rule 1 permit source 192.168.2.0 0.0.0.255
#
interface GigabitEthernet0/0/1
 nat outbound 2000 address-group 1
#
Verification
NAPT (port mapping)
[AR3]
#
interface GigabitEthernet0/0/0
 nat server protocol tcp global 20.0.0.3 8080 inside 180.1.1.2 www
#
Access was verified with the HTTP client behind AR1 and succeeded.
Easy IP
[AR1]
#
acl number 2001
 rule 1 permit source 172.16.0.0 0.0.255.255
#
interface GigabitEthernet0/0/1
 nat outbound 2001
#
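The rule from the lab summary (a static NAT, dynamic NAT or NAPT global address must not be the external interface's own address) can be checked before a configuration is applied. The following Python check is an added example, not part of the original document; it assumes configuration text in the spaced command form shown on this page, and its function names and the deliberately conflicting mapping for 192.168.1.3 are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: AR1's NAT lines from this page plus one deliberately bad
# static mapping whose global address (10.0.0.1) is the interface's own address.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/1
 ip address 10.0.0.1 255.0.0.0
 nat static global 10.0.0.3 inside 192.168.1.2 netmask 255.255.255.255
 nat static global 10.0.0.1 inside 192.168.1.3 netmask 255.255.255.255
 nat outbound 2000 address-group 1
 nat outbound 2001
#
nat address-group 1 10.0.0.4 10.0.0.5
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"

def nat_globals(config):
    """Yield (kind, address) for every global address a NAT rule claims."""
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(rf"nat static global {IP} inside", line):
            yield "static", ipaddress.ip_address(m.group(1))
        elif m := re.match(rf"nat server protocol \w+ global {IP} ", line):
            yield "server", ipaddress.ip_address(m.group(1))
        elif m := re.match(rf"nat address-group \d+ {IP} {IP}$", line):
            lo, hi = (int(ipaddress.ip_address(g)) for g in m.groups())
            for n in range(lo, hi + 1):  # expand the pool's start..end range
                yield "pool", ipaddress.ip_address(n)
        # "nat outbound <acl>" with no address-group is Easy IP: it uses the
        # interface address by design, so it is intentionally not reported.

def interface_addresses(config):
    """Return the set of addresses configured with 'ip address' lines."""
    found = re.findall(rf"^\s*ip address {IP} {IP}\s*$", config, re.M)
    return {ipaddress.ip_address(addr) for addr, _mask in found}

def find_conflicts(config):
    """Return (kind, address) pairs whose NAT global is an interface address."""
    own = interface_addresses(config)
    return sorted((k, str(a)) for k, a in nat_globals(config) if a in own)

if __name__ == "__main__":
    for kind, addr in find_conflicts(SAMPLE_CONFIG):
        print(f"conflict: {kind} NAT global {addr} is an interface address")
```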