Testing bidirectional static NAT on two interfaces using two different NAT configurations

I. Test topology:

Topology diagram: http://s3.51cto.com/wyfs02/M02/72/AB/wKiom1Xqu-fSJK1NAADmqScmYXY158.jpg

II. Test requirements

1. ServerA already has a static one-to-one address translation so that it can be reached from the Internet.

2. RouterA and RouterB are connected by a dedicated line.

3. When ServerA accesses ServerB, its source address must be translated to 193.170.3.200.

III. Test approach

1. Use NAT with a route-map so that translation is performed only where required.

--- In actual testing this could not meet the requirement.

2. Split NAT into two groups: one using the traditional ip nat inside / ip nat outside, the other using ip nat enable.

IV. Basic configuration

1. Server ServerA:

interface Ethernet0/0
     ip address 172.16.10.200 255.255.255.0
     no shut
ip route 0.0.0.0 0.0.0.0 172.16.10.254

2. Router RouterC:

     ip address 172.16.10.254 255.255.255.0
     no shut
interface Ethernet0/1
     ip address 10.1.1.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.1.1

3. Router RouterA:

     ip address 202.100.1.1 255.255.255.0
     no shut
     ip address 192.169.2.105 255.255.255.0
interface Ethernet0/2
     ip address 10.1.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 202.100.1.2
ip route 172.16.10.0 255.255.255.0 10.1.1.2
ip route 192.168.92.0 255.255.255.0 192.169.2.106
     ip nat outside
     ip nat inside
ip access-list extended PAT
     deny   ip host 172.16.10.200 192.168.92.0 0.0.0.255
     permit ip 172.16.10.0 0.0.0.255 any
ip nat inside source list PAT interface Ethernet0/0 overload
ip nat inside source static 172.16.10.200 202.100.1.200

--- Verification:

ServerA#ping 202.100.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 60/75/108 ms

Internet#debug ip icmp 
ICMP packet debugging is on
Internet#
*Mar  1 06:28:08.946: ICMP: echo reply sent, src 202.100.1.2, dst 202.100.1.200
*Mar  1 06:28:10.942: ICMP: echo reply sent, src 202.100.1.2, dst 202.100.1.200
*Mar  1 06:28:11.038: ICMP: echo reply sent, src 202.100.1.2, dst 202.100.1.200
*Mar  1 06:28:11.138: ICMP: echo reply sent, src 202.100.1.2, dst 202.100.1.200
*Mar  1 06:28:11.198: ICMP: echo reply sent, src 202.100.1.2, dst 202.100.1.200

4. Router Internet:

     ip address 202.100.1.2 255.255.255.0

5. Router RouterB:

     ip address 192.169.2.106 255.255.255.0
     ip address 192.168.92.254 255.255.255.0
ip route 172.16.10.0 255.255.255.0 192.169.2.105

V. NAT with route-map test

A. Router RouterA

1. Define the ACLs

ip access-list extended Inside
     permit ip host 172.16.10.200 host 192.168.92.64
ip access-list extended Outside
     permit ip host 172.16.10.200 any 

2. Configure the route-maps

route-map Inside permit 10
     match ip address Inside
route-map Outside permit 10
     match ip address Outside 

3. Remove the existing static NAT

no ip nat inside source static 172.16.10.200 202.100.1.200
no ip nat inside source list PAT interface Ethernet0/0 overload

4. Configure static NAT with route-maps

ip nat inside source static 172.16.10.200 202.100.1.200 route-map Outside
ip nat inside source static 172.16.10.200 193.170.3.200 route-map Inside 

B. Router RouterB

ip route 193.170.3.0 255.255.255.0 192.169.2.105

C. Test:

.....
Success rate is 0 percent (0/5)
ServerA#
*Mar  1 06:59:10.862: ICMP: echo reply sent, src 202.100.1.2, dst 172.16.10.200
*Mar  1 06:59:12.870: ICMP: echo reply sent, src 202.100.1.2, dst 172.16.10.200
*Mar  1 06:59:14.890: ICMP: echo reply sent, src 202.100.1.2, dst 172.16.10.200
*Mar  1 06:59:16.846: ICMP: echo reply sent, src 202.100.1.2, dst 172.16.10.200
*Mar  1 06:59:18.846: ICMP: echo reply sent, src 202.100.1.2, dst 172.16.10.200

ServerA#ping 192.168.92.64
Sending 5, 100-byte ICMP Echos to 192.168.92.64, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 84/121/160 ms

ServerB#debug ip icmp 
ServerB#
*Mar  1 00:55:06.027: ICMP: echo reply sent, src 192.168.92.64, dst 172.16.10.200
*Mar  1 00:55:06.187: ICMP: echo reply sent, src 192.168.92.64, dst 172.16.10.200
*Mar  1 00:55:06.339: ICMP: echo reply sent, src 192.168.92.64, dst 172.16.10.200
*Mar  1 00:55:06.427: ICMP: echo reply sent, src 192.168.92.64, dst 172.16.10.200
*Mar  1 00:55:06.495: ICMP: echo reply sent, src 192.168.92.64, dst 172.16.10.200

----- In the outbound direction the source address was not translated: the far-end hosts reply to the untranslated address 172.16.10.200.

Internet#telnet 202.100.1.200
Trying 202.100.1.200 ... Open
User Access Verification
Password: 
ServerA>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:49   
*130 vty 0                idle                 00:00:00 202.100.1.2
  Interface    User               Mode         Idle     Peer Address
ServerA>quit

ServerB#telnet 193.170.3.200
Trying 193.170.3.200 ... Open
   0 con 0                idle                 00:01:52   
*130 vty 0                idle                 00:00:00 192.168.92.64

----- In the inbound direction (from outside) the destination address was translated.

VI. Test of the two NAT types used together

A. On RouterA, remove the NAT configured in the previous section and restore the NAT configuration from the basic configuration

no ip nat inside source static 172.16.10.200 202.100.1.200 route-map Outside
no ip nat inside source static 172.16.10.200 193.170.3.200 route-map Inside 
     no ip nat outside
no route-map Inside permit 10
no route-map Outside permit 10
no ip access-list extended Inside
no ip access-list extended Outside

B. Configure ip nat enable on RouterA

     ip nat enable

C. Configure the static NAT:

ip nat source static 172.16.10.200 193.170.3.200

D. Test:

*Mar  1 01:18:22.823: ICMP: echo reply sent, src 192.168.92.64, dst 193.170.3.200
*Mar  1 01:18:24.807: ICMP: echo reply sent, src 192.168.92.64, dst 193.170.3.200
*Mar  1 01:18:26.819: ICMP: echo reply sent, src 192.168.92.64, dst 193.170.3.200
*Mar  1 01:18:28.779: ICMP: echo reply sent, src 192.168.92.64, dst 193.170.3.200
*Mar  1 01:18:30.779: ICMP: echo reply sent, src 192.168.92.64, dst 193.170.3.200

*Mar  1 07:24:07.350: ICMP: dst (193.170.3.200) host unreachable sent to 192.168.92.64
*Mar  1 07:24:09.342: ICMP: dst (193.170.3.200) host unreachable sent to 192.168.92.64
*Mar  1 07:24:11.334: ICMP: dst (193.170.3.200) host unreachable sent to 192.168.92.64
*Mar  1 07:24:13.286: ICMP: dst (193.170.3.200) host unreachable sent to 192.168.92.64
*Mar  1 07:24:15.314: ICMP: dst (193.170.3.200) host unreachable sent to 192.168.92.64

---- At this point RouterA did not translate the destination address of the return packets; it forwarded them to the Internet router instead, which answered with host unreachable.

E. Add a secondary address on RouterA and test:

ip address 193.170.3.1 255.255.255.0 secondary

!.!.!
Success rate is 60 percent (3/5), round-trip min/avg/max = 128/153/168 ms

*Mar  1 01:31:28.219: ICMP: echo reply sent, src 192.168.92.64, dst 193.170.3.200
*Mar  1 01:31:28.399: ICMP: echo reply sent, src 192.168.92.64, dst 193.170.3.200
*Mar  1 01:31:30.379: ICMP: echo reply sent, src 192.168.92.64, dst 193.170.3.200
*Mar  1 01:31:30.531: ICMP: echo reply sent, src 192.168.92.64, dst 193.170.3.200
*Mar  1 01:31:32.515: ICMP: echo reply sent, src 192.168.92.64, dst 193.170.3.200

---- It works now, but with regular and fairly heavy packet loss.

ServerA#ping 192.168.92.64 repeat 100
Sending 100, 100-byte ICMP Echos to 192.168.92.64, timeout is 2 seconds:
!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.
!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.
Success rate is 50 percent (50/100), round-trip min/avg/max = 56/128/204 ms
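Sections V and VI judge each NAT variant by reading the `debug ip icmp` lines on the far-end host and the `!`/`.` pattern printed by ping. The following Python script is an added example, not part of the original post: it automates those two checks. It classifies echo replies by the address they were sent to (the translated address, or the untranslated inside address, which in section V revealed that the outbound source translation had not happened) and it detects the strict every-other-packet loss seen in section VI. The sample debug lines are constructed in the format shown above, and the function names are my own.

```python
"""Sanity checks for NAT test results from Cisco `debug ip icmp` output and
the `!`/`.` result string printed by `ping`."""
import re

# Constructed sample in the format of `debug ip icmp` on the far-end host.
SAMPLE_DEBUG = """\
*Mar  1 01:18:22.823: ICMP: echo reply sent, src 192.168.92.64, dst 193.170.3.200
*Mar  1 01:18:24.807: ICMP: echo reply sent, src 192.168.92.64, dst 193.170.3.200
*Mar  1 00:55:06.027: ICMP: echo reply sent, src 192.168.92.64, dst 172.16.10.200
*Mar  1 07:24:07.350: ICMP: dst (193.170.3.200) host unreachable sent to 192.168.92.64
"""

REPLY_RE = re.compile(r"ICMP: echo reply sent, src (\S+), dst (\S+)")
UNREACH_RE = re.compile(r"ICMP: dst \((\S+)\) host unreachable sent to (\S+)")


def audit_replies(debug_text, expected_dst, inside_addr):
    """Classify the echo replies seen at the far end of the test.

    expected_dst: the translated address the far end should reply to
                  (193.170.3.200 in the post).
    inside_addr:  the untranslated inside address (172.16.10.200).
    A reply addressed to inside_addr means the outbound source translation
    was not applied and the private address left the router untranslated.
    """
    result = {"translated": 0, "leaked_inside": 0, "other_dst": 0, "unreachable": 0}
    for line in debug_text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            dst = m.group(2)
            if dst == expected_dst:
                result["translated"] += 1
            elif dst == inside_addr:
                result["leaked_inside"] += 1
            else:
                result["other_dst"] += 1
            continue
        if UNREACH_RE.search(line):
            # Router on the path answered "host unreachable": return traffic
            # to the translated address was routed instead of de-translated.
            result["unreachable"] += 1
    return result


def ping_stats(pattern_text):
    """Parse the `!`/`.` result of a Cisco ping, which may wrap over several
    lines, and return (sent, received, success_percent, every_other_lost).

    every_other_lost is True when success and loss strictly alternate, the
    symptom seen in section VI (50% loss with the "!.!.!" pattern).
    """
    marks = "".join(pattern_text.split())
    sent = len(marks)
    received = marks.count("!")
    percent = 100 * received // sent if sent else 0
    alternating = sent >= 4 and all(marks[i] != marks[i + 1] for i in range(sent - 1))
    return sent, received, percent, alternating


if __name__ == "__main__":
    print(audit_replies(SAMPLE_DEBUG, "193.170.3.200", "172.16.10.200"))
    print(ping_stats("!.!.!"))
    print(ping_stats("!." * 35 + "\n" + "!." * 15))
```

Run it against a pasted `debug ip icmp` capture and the ping result string: a non-zero `leaked_inside` count is the section V failure (source not translated on the way out), `unreachable` counts point at the section VI problem (return packets routed rather than de-translated), and `every_other_lost` flags the periodic loss that remained after the secondary address was added.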

VII. Test using a loopback interface together with the two NAT types

--- After the configuration above there was 50% packet loss. Suspecting that this was because both NAT types were configured on e0/2 at the same time, a loopback interface was added and ip nat enable was removed from e0/2.

A. Add Loopback0 on RouterA and configure ip nat enable on it

interface Loopback0
     ip address 1.1.1.1 255.255.255.252

B. Configure a route-map on RouterA and apply it to the e0/2 interface

ip access-list extended ToServerB
route-map ToServerB permit 10
     match ip address ToServerB
     set interface Loopback0
     no  ip nat enable
     ip policy route-map ToServerB

C. After this configuration there was still 50% packet loss, so the configuration was saved and RouterA was reloaded; after the reload there was no packet loss.

----- At that point the configuration from section VI also worked normally, which suggests the problem was probably caused by the emulator.

This article is reposted from the 51CTO blog of 碧雲天; original link: http://blog.51cto.com/333234/1691596. Contact the original author for reprint permission.