I set up a GNS3 lab and am trying to implement NAT overload with a dynamic pool. See the diagram.
The problem I am running into is that traffic is routed correctly from PC1 to ISP1 or ISP2, but I do not think the translation is working, because I see this on the ISP router:
*Oct 7 16:14:46.211: ICMP: echo reply sent, src 1.1.1.2, dst 192.168.0.101, topology BASE, dscp 0 topoid 0
ISP1#
*Oct 7 16:14:48.211: ICMP: echo reply sent, src 1.1.1.2, dst 192.168.0.101, topology BASE, dscp 0 topoid 0
Here is the configuration of Edge1:
interface Loopback0
ip address 167.69.0.1 255.255.0.0
interface GigabitEthernet0/0
ip address 172.16.0.1 255.255.255.0
ip nat inside
media-type gbic
speed 1000
duplex full
negotiation auto
!
interface POS1/0
description "ISP1"
ip address 1.1.1.1 255.255.255.252
ip nat outside
!
interface POS2/0
description "ISP2"
ip address 2.2.2.1 255.255.255.252
ip nat outside
router eigrp 1
network 172.16.0.0 0.0.0.255
!
router bgp 10001
no synchronization
bgp log-neighbor-changes
network 167.69.0.0
neighbor 1.1.1.2 remote-as 65100
neighbor 2.2.2.2 remote-as 65200
maximum-paths 2
no auto-summary
ip nat pool overloadNAT 167.69.255.1 167.69.255.100 netmask 255.255.255.0
ip nat inside source list 100 pool overloadNAT
access-list 100 permit ip 192.168.0.0 0.0.0.255 any log
access-list 100 permit icmp 192.168.0.0 0.0.0.255 any log
Here is the output of show ip route on Edge1:
Edge1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP
+ - replicated route, % - next hop override
Gateway of last resort is not set
1.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
B 1.0.0.0/8 [20/0] via 1.1.1.2, 01:15:59
C 1.1.1.0/30 is directly connected, POS1/0
L 1.1.1.1/32 is directly connected, POS1/0
2.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 2.2.2.0/30 is directly connected, POS2/0
L 2.2.2.1/32 is directly connected, POS2/0
167.69.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 167.69.0.0/16 is directly connected, Loopback0
L 167.69.0.1/32 is directly connected, Loopback0
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.0.0/24 is directly connected, GigabitEthernet0/0
L 172.16.0.1/32 is directly connected, GigabitEthernet0/0
D 192.168.0.0/24 [90/28416] via 172.16.0.3, 02:06:17, GigabitEthernet0/0
[90/28416] via 172.16.0.2, 02:06:17, GigabitEthernet0/0
Answer 1
An extended ACL may work, but not with the "log" keyword:
Q: Does Cisco IOS NAT support ACLs with the "log" keyword?
A: When you configure Cisco IOS NAT for dynamic NAT translation, an ACL is used to identify the packets that can be translated. The current NAT architecture does not support ACLs with the "log" keyword.
Answer 2
The answer was to change the extended ACL to a standard one:
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 11 permit 172.16.0.0 0.0.0.255
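A small config audit that flags the two problems the answers point at (the "log" keyword on a NAT ACL, and the extended ACL) and, as a third check based on IOS behaviour, the missing "overload" keyword on the ip nat inside source rule without which the pool does one-to-one translation rather than PAT. This is an added example, not code from the question or the answers; the sample input is the NAT-relevant lines copied from the posted Edge1 config plus a constructed corrected version.

```python
import re

# Constructed sample: the NAT-related lines from the Edge1 config posted in the question.
EDGE1_CONFIG = """\
ip nat pool overloadNAT 167.69.255.1 167.69.255.100 netmask 255.255.255.0
ip nat inside source list 100 pool overloadNAT
access-list 100 permit ip 192.168.0.0 0.0.0.255 any log
access-list 100 permit icmp 192.168.0.0 0.0.0.255 any log
"""

# Constructed corrected version: standard ACL, no "log", "overload" on the NAT rule.
FIXED_CONFIG = """\
ip nat pool overloadNAT 167.69.255.1 167.69.255.100 netmask 255.255.255.0
ip nat inside source list 10 pool overloadNAT overload
access-list 10 permit 192.168.0.0 0.0.0.255
"""

NAT_RULE = re.compile(r"^ip nat inside source list (\S+) pool (\S+)(.*)$")
ACL_LINE = re.compile(r"^access-list (\S+) (.*)$")


def audit_nat_acls(config: str) -> list[str]:
    """Return findings for dynamic NAT rules whose ACL or keywords will not behave as intended."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    acls: dict[str, list[str]] = {}
    for line in lines:
        m = ACL_LINE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
    findings: list[str] = []
    for line in lines:
        m = NAT_RULE.match(line)
        if not m:
            continue
        acl_id, pool, tail = m.groups()
        if "overload" not in tail.split():
            findings.append(f"pool {pool}: no 'overload' keyword, so each inside host consumes one pool address (no PAT)")
        for entry in acls.get(acl_id, []):
            if "log" in entry.split():
                findings.append(f"ACL {acl_id}: 'log' keyword is not supported on NAT ACLs: '{entry}'")
        if acl_id.isdigit() and 100 <= int(acl_id) <= 199:
            findings.append(f"ACL {acl_id}: extended ACL; a standard ACL matching the inside source is sufficient for dynamic NAT")
    return findings


if __name__ == "__main__":
    for name, cfg in (("Edge1 as posted", EDGE1_CONFIG), ("corrected", FIXED_CONFIG)):
        print(name, "->", audit_nat_acls(cfg) or ["no findings"])
```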