This experiment builds on Task 3. Because the NAT setup used in Task 3 has a fatal weakness, this experiment switches to NAT driven by a route-map. With a route-map the router's NAT table entries no longer hold only the inside local and inside global addresses; they also record the protocol and TCP/UDP port (or equivalent) information, so every session can be identified uniquely. The only thing that differs from Task 3 is the configuration of P1R1; everything else is unchanged.
P1R1 configuration (the parts in red are what differs from Task 3; the NAT commands from Task 3 must be deleted):
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r1-2514
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.0.0.0
!
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface Ethernet1
 no ip address
 shutdown
!
interface Serial0
 ip address 172.31.1.1 255.255.255.0
 ip nat outside
 encapsulation frame-relay
 no arp frame-relay
 frame-relay map ip 172.31.1.2 102 broadcast
 frame-relay map ip 172.31.1.5 105 broadcast
 no frame-relay inverse-arp
!
interface Serial1
 ip address 10.1.0.1 255.255.255.0
 ip nat outside
 clock rate 125000
!
ip nat pool bbr 192.168.1.1 192.168.1.254 prefix-length 24
ip nat pool pod 10.1.0.64 10.1.0.95 netmask 255.255.255.0
ip nat inside source route-map to-bbr pool bbr
ip nat inside source route-map to-pod pool pod
ip http server
ip classless
ip route 10.0.0.0 255.0.0.0 172.31.1.5
!
!
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.254.0.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
!
route-map to-bbr permit 10
 match ip address 100
!
route-map to-pod permit 10
 match ip address 101
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
end
Result analysis:
r3-2514#ping 10.254.0.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.254.0.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/52/60 ms
Debug output on R1 at this point:
*Mar 1 01:04:02.475: NAT: s=10.1.1.3->192.168.1.1, d=10.254.0.5 [35]
*Mar 1 01:04:02.519: NAT*: s=10.254.0.5, d=192.168.1.1->10.1.1.3 [35]
*Mar 1 01:04:02.527: NAT*: s=10.1.1.3->192.168.1.1, d=10.254.0.5 [36]
*Mar 1 01:04:02.571: NAT*: s=10.254.0.5, d=192.168.1.1->10.1.1.3 [36]
*Mar 1 01:04:02.579: NAT*: s=10.1.1.3->192.168.1.1, d=10.254.0.5 [37]
*Mar 1 01:04:02.623: NAT*: s=10.254.0.5, d=192.168.1.1->10.1.1.3 [37]
*Mar 1 01:04:02.631: NAT*: s=10.1.1.3->192.168.1.1, d=10.254.0.5 [38]
*Mar 1 01:04:02.671: NAT*: s=10.254.0.5, d=192.168.1.1->10.1.1.3 [38]
*Mar 1 01:04:02.683: NAT*: s=10.1.1.3->192.168.1.1, d=10.254.0.5 [39]
r1-2514(config)#do show ip nat trans
Pro Inside global Inside local Outside local Outside global
icmp 192.168.1.1:7 10.1.1.3:7 10.254.0.5:7 10.254.0.5:7
Next, ping 10.1.0.2 to see whether it succeeds this time:
r3-2514#ping 10.1.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/32/40 ms
The debug output on R1 again:
*Mar 1 01:04:58.763: NAT: s=10.1.1.3->10.1.0.65, d=10.1.0.2 [40]
*Mar 1 01:04:58.787: NAT*: s=10.1.0.2, d=10.1.0.65->10.1.1.3 [40]
*Mar 1 01:04:58.799: NAT*: s=10.1.1.3->10.1.0.65, d=10.1.0.2 [41]
*Mar 1 01:04:58.823: NAT*: s=10.1.0.2, d=10.1.0.65->10.1.1.3 [41]
*Mar 1 01:04:58.831: NAT*: s=10.1.1.3->10.1.0.65, d=10.1.0.2 [42]
*Mar 1 01:04:58.855: NAT*: s=10.1.0.2, d=10.1.0.65->10.1.1.3 [42]
*Mar 1 01:04:58.863: NAT*: s=10.1.1.3->10.1.0.65, d=10.1.0.2 [43]
*Mar 1 01:04:58.887: NAT*: s=10.1.0.2, d=10.1.0.65->10.1.1.3 [43]
*Mar 1 01:04:58.895: NAT*: s=10.1.1.3->10.1.0.65, d=10.1.0.2 [44]
*Mar 1 01:04:58.919: NAT*: s=10.1.0.2, d=10.1.0.65->10.1.1.3 [44]
r1-2514(config)#do show ip nat trans
Pro Inside global Inside local Outside local Outside global
icmp 10.1.0.65:8 10.1.1.3:8 10.1.0.2:8 10.1.0.2:8
The router performed a separate NAT translation for each of the two pings, and neither affected the other. By the same reasoning, keeping the Task 3 configuration and adding OVERLOAD, instead of using a route-map, would produce the same result.
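To make the behaviour above concrete, here is an added Python model of the P1R1 policy (an illustration written for this page, not IOS code or part of the original lab). It implements ACL wildcard matching, the two route-maps, the two pools, and a translation table keyed on the whole flow (protocol, inside local address and port, outside address and port), then replays the two pings from 10.1.1.3. A second table keyed only on the inside-local address shows the limitation the text attributes to the Task 3 setup: once the host has an entry, every later packet from it reuses that entry regardless of destination. Assumptions not taken from the page: rules are evaluated in configuration order with first match winning, and pools start empty, so the pod address chosen here is 10.1.0.64 where the lab router handed out 10.1.0.65.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str, int, str, int]  # proto, inside local, port/id, outside, port/id

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco ACL semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

@dataclass(frozen=True)
class Acl:
    """One 'permit ip <src> <wc> <dst> <wc>' entry; dst may be 'any'."""
    src: str
    src_wc: str
    dst: str
    dst_wc: str = "0.0.0.0"

    def permits(self, src: str, dst: str) -> bool:
        if not wildcard_match(src, self.src, self.src_wc):
            return False
        return self.dst == "any" or wildcard_match(dst, self.dst, self.dst_wc)

@dataclass
class Pool:
    """'ip nat pool <name> <first> <last>': one global address per inside host."""
    name: str
    first: str
    last: str
    allocated: Dict[str, str] = field(default_factory=dict)

    def global_for(self, inside_local: str) -> str:
        if inside_local not in self.allocated:  # hand out the next unused address
            nxt = int(IPv4Address(self.first)) + len(self.allocated)
            if nxt > int(IPv4Address(self.last)):
                raise RuntimeError(f"pool {self.name} exhausted")
            self.allocated[inside_local] = str(IPv4Address(nxt))
        return self.allocated[inside_local]

Rule = Tuple[str, Acl, Pool]  # route-map name, its match ACL, the pool it selects

def lab_rules() -> List[Rule]:
    """P1R1 policy from the config: ACL 100/101, route-maps to-bbr/to-pod, pools bbr/pod."""
    return [("to-bbr", Acl("10.1.1.0", "0.0.0.255", "10.254.0.0", "0.0.0.255"),
             Pool("bbr", "192.168.1.1", "192.168.1.254")),
            ("to-pod", Acl("10.1.1.0", "0.0.0.255", "any"),
             Pool("pod", "10.1.0.64", "10.1.0.95"))]

class RouteMapNat:
    """Entries keyed on the whole flow. Rules are tried in configuration order and
    the first match wins (an assumption about IOS ordering, not taken from the page)."""

    def __init__(self, rules: List[Rule]):
        self.rules, self.table = rules, {}  # table: Flow -> inside global

    def translate(self, flow: Flow) -> Optional[str]:
        if flow not in self.table:
            _, src, _, dst, _ = flow
            for _name, acl, pool in self.rules:
                if acl.permits(src, dst):
                    self.table[flow] = pool.global_for(src)
                    break
        return self.table.get(flow)  # None: no rule matched, forwarded untranslated

    def show(self) -> List[str]:
        """Rows in 'show ip nat translations' column order."""
        return [f"{p} {ig}:{sp} {il}:{sp} {ol}:{dp} {ol}:{dp}"
                for (p, il, sp, ol, dp), ig in self.table.items()]

class SimpleNat:
    """Contrast: an entry keyed on the inside-local address alone is reused for
    every later packet from that host, whatever its destination or intended pool."""

    def __init__(self, rules: List[Rule]):
        self.rules, self.table = rules, {}  # table: inside local -> inside global

    def translate(self, flow: Flow) -> Optional[str]:
        _, src, _, dst, _ = flow
        if src not in self.table:
            for _name, acl, pool in self.rules:
                if acl.permits(src, dst):
                    self.table[src] = pool.global_for(src)
                    break
        return self.table.get(src)

def run_lab() -> dict:
    """Replay the lab's two pings (ICMP identifiers 7 and 8 as in the show output).
    Pools start empty here, so the pod address is 10.1.0.64; the lab router gave
    10.1.0.65, since which free address a real pool picks depends on its prior state."""
    ping_bbr: Flow = ("icmp", "10.1.1.3", 7, "10.254.0.5", 7)
    ping_pod: Flow = ("icmp", "10.1.1.3", 8, "10.1.0.2", 8)
    nat = RouteMapNat(lab_rules())
    extended = (nat.translate(ping_bbr), nat.translate(ping_pod))
    nat.translate(ping_bbr)  # a later packet of the same flow reuses its entry
    simple = SimpleNat(lab_rules())
    flat = (simple.translate(ping_bbr), simple.translate(ping_pod))
    return {"extended": extended, "entries": len(nat.table),
            "show": nat.show(), "simple": flat}

if __name__ == "__main__":
    res = run_lab()
    print("route-map NAT:", res["extended"], "| simple NAT:", res["simple"])
    print("\n".join(res["show"]))
```

Running it prints one entry per ping for the route-map model, with the first row matching the `show ip nat trans` output above byte for byte, while the simple model returns the bbr address for the ping toward 10.1.0.2 as well, which is exactly the case the route-map configuration is there to avoid.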