Cisco路由器静态内部源地址转换实验

实验网络拓扑：

实验目的：R2路由器配置了NAT，把源地址10.1.1.2/24（R1路由器F0/1 IP地址，在这里称为内部地址）转换为195.1.1.1/32（模拟公网IP地址，在这里称为外部地址），提供外网用户访问。R1和R4模拟PC。
路由器配置：
R2路由器：
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R2
!
memory-size iomem 15
ip subnet-zero
!
interface Ethernet1/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface Ethernet1/1
 ip address 195.1.1.4 255.255.255.0
 ip nat outside
!
ip nat inside source static 10.1.1.2 195.1.1.1
ip classless
ip route 152.1.1.2 255.255.255.255 Ethernet1/1
no ip http server
!
line con 0
 transport input none
line aux 0
line vty 0 4
!
no scheduler allocate
end
R3路由器：
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R3
!
memory-size iomem 15
ip subnet-zero
!
interface Ethernet1/0
 ip address 195.1.1.10 255.255.255.0
!        
interface Ethernet1/1
 ip address 152.1.1.1 255.255.255.0
!
no ip address
shutdown
!
ip classless
no ip http server
!
line con 0
 transport input none
line aux 0
line vty 0 4
!
no scheduler allocate
end
R1路由器：
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R1
!
memory-size iomem 15
ip subnet-zero
!
interface FastEthernet0/1
 ip address 10.1.1.2 255.255.255.0
duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.1
no ip http server
!
line con 0
 transport input none
line aux 0
line vty 0 4
!
no scheduler allocate
end
R4路由器：
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R4
!
memory-size iomem 15
ip subnet-zero
!
interface FastEthernet0/0
 ip address 152.1.1.2 255.255.255.0
duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 152.1.1.1
no ip http server
!
line con 0
 transport input none
line aux 0
line vty 0 4
!
no scheduler allocate
end
监测配置：
从R1路由器ping 152.1.1.2（R4路由器F0/0 IP地址），用debug ip packet命令分析到达R4的报文，命令执行结果如下：
R1#debug ip packetIP packet debugging is on
R1#ping 152.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 152.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/37/68 ms
R1#
00:21:28: IP: s=10.1.1.2 (local), d=152.1.1.2 (FastEthernet0/1), len 100, sending <-----ICMP ECHO00:21:28: IP: s=152.1.1.2 (FastEthernet0/1), d=10.1.1.2 (FastEthernet0/1), len 100, rcvd 3 <-----ICMP ECHO REPLY
在R2路由器上执行debug ip nat命令可以看到源IP地址（10.1.1.2）已经转换为195.1.1.1，这是个双向转换过程，而返回报文到195.1.1.1的目标地址也转回到10.1.1.2了，如下所示：
R2#debug ip nat
IP NAT debugging is on
00:21:27: NAT*: s=10.1.1.2->195.1.1.1, d=152.1.1.2 [30]
00:21:27: NAT*: s=152.1.1.2, d=195.1.1.1->10.1.1.2 [30]
以上也称为一对一的静态IP映射，相当于Juniper NetScreen产品中的MIP。