关于双NAT实验请各位帮我看下

wangqimars · 发表于 2014-5-31 22:01:40

做了半天实在不通，请各位帮看看是哪里有问题：

基本拓扑如图：

请无视那个T0

R6、R7（C7200）为两个NAT服务器，算公网接入吧，R8、R9本来该是主机暂用路由代替（C2600），路由上配置了Rip，NAT，Loopback（测试用），以R8为例，测试结果如图：

即R8--R6通，R8-R6 loopback通，R8-R9通，但就是R8到R9的inside不通了，抓包数据请看下图：

这是从R7的F1/1口上抓的，应该是从85号开始。

各设备start conf如下：

R6：
!

!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R6
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
ip source-route
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
memory-size iomem 0
archive
log config
hidekeys
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface FastEthernet1/0
ip address 218.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1/1
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
router rip
version 2
network 1.0.0.0
network 10.0.0.0
network 218.1.1.0
no auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat pool NAT 218.1.1.3 218.1.1.4 netmask 255.255.255.0
ip nat inside source list 1 pool NAT overload
!
access-list 1 permit 10.1.1.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
!
mgcp fax t38 ecm
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
end

R7：
!

!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R7
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
ip source-route
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
memory-size iomem 0
archive
log config
hidekeys
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface FastEthernet1/0
ip address 218.1.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1/1
ip address 20.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
router rip
version 2
network 2.0.0.0
network 20.0.0.0
network 218.1.1.0
no auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat pool NAT 218.1.1.5 218.1.1.6 netmask 255.255.255.0
ip nat inside source list 1 pool NAT overload
!
access-list 1 permit 20.1.1.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
!
mgcp fax t38 ecm
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
end

R8：
!

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R8
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip routing
no ip icmp rate-limit unreachable
no ip cef
ip tcp synwait-time 5
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
no ip route-cache
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.1.1.2 255.255.255.0
no ip route-cache
duplex auto
speed auto
!
ip default-gateway 10.1.1.1
!
!
no ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end

R9：
!

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R9
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip routing
no ip icmp rate-limit unreachable
no ip cef
ip tcp synwait-time 5
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
no ip route-cache
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 20.1.1.2 255.255.255.0
no ip route-cache
duplex auto
speed auto
!
ip default-gateway 20.1.1.1
!
!
no ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end

求教，可追分

吴绪城 · 发表于 2014-5-31 22:01:41

新建文本文档 (2).txt (3.39 KB, 下载次数: 2)

不知道你想的和我做的是否一樣

qq985760924 · 发表于 2014-5-31 22:23:08

看来你还是没有理解NAT，你两个路由器都做NAT了，你都做NAT了你怎么Ping通人家的内网。NAT是为了解决IPv4的地址不够用而研发的，NAT是为了去公网，把私有地址转换为共有的地址。

q0066421 · 发表于 2014-5-31 23:36:48

这样，假设你告诉我你的ip地址是192.168.1.101，我告诉你我的是192.168.15.3。
提问：我ping192.168.1.101能通吗？
静态nat才可以的。

Rockyw · 发表于 2014-6-1 10:44:14

路过了解一下

z247386032 · 发表于 2014-6-1 10:54:58

wangqimars · 发表于 2014-6-1 21:17:04

吴绪城发表于 2014-6-1 11:14
不知道你想的和我做的是否一樣

感谢您的解答，根据您的配置我搭了两个直连路由，用各自的loopback去ping对方的loopback结果是通的
但是当我在其中一个路由上再接出一个终端，并配置了默认路由（ping网关可通），再去跨网关ping另一个路由的时候，就不通了
已经在该路由上添了acl 1 permit any，求解

吴绪城 · 发表于 2014-6-2 00:27:06

..具體的配置沒看不好說。

账号		自动登录	找回密码
密码			论坛注册

[求助] 关于双NAT实验请各位帮我看下

最佳答案

浏览过的版块

客服中心

投诉建议