20442de 乾頤堂ADHCPserverallocatesnetworkaddressesanddeliversADHCPclientisahostthatrequestsanIPaddressandconfigurationfromaDHCPserver.DynamicHostConfigurationProtocolDHCPIPaddressallocationAutomaticallocation:ApermanentIPaddressisassignedtoaDynamicallocationAclientisassignedanIPaddressforalimitedManualallocation:AclientisassignedanIPaddressbythenetworkAssignedIPAddress-SP給企業(yè)級用戶分配的OptionsforconfiguringIPConfiguringaStaticProvider-AssignedIPConfiguresapublicIPRouter(config)#iRouter(config)#iproute0.0.0.00.0.0.0Createsadefaultroutethatpointstowardthenext-hopIPConfiguringaDHCPRouterautomaticallyinjectsdefaultroutebasedonoptionaldefaultgatewayparameterreceivedwithassignedIPaddress.CPE自動的通過默認(rèn)網(wǎng)關(guān)的參數(shù)注入一條默認(rèn)路由Publicvs.PrivateIPv4PrivateAddressA10.0.0.0toB172.16.0.0toC192.168.0.0toPublicAddressA1.0.0.0to11.0.0.0toB128.0.0.0to172.32.0.0toC192.0.0.0to192.169.0.0toNATallowsprivateuserstoaccesstheInternetbysharingoneormorepublicIPaddresses.TypesofAddressesinThesearethemostimportanttypesofaddressesinInsidelocal:HostontheinsideInsideglobal:UsuallyassignedbyanISPandallowsthecustomeroutsideaccessOutsideglobal:HostontheoutsideTypesofAddressesinNATTypesofThesearethetypesofStaticNAT:One-to-oneaddressDynamicNAT:Many-to-manyaddressNATOrderof IfIPSecthencheckinputaccessdecryption-forCET(CiscoEncryptionTechnology)orIPSeccheckinputaccesscheckinputrateinputredirecttowebpolicyNATinsidetooutside(localtoglobalcrypto(checkmapandmarkforcheckoutputaccessinspect(Context-basedAccessControlTCP

IfIPSecthencheckinputaccessdecryption-forCETorcheckinputaccesscheckinputrateinputredirecttowebNAToutsidetoinside(globaltolocalpolicycrypto(checkmapandmarkforcheckoutputaccessinspectTCPEnder 乾頤堂Example:ConfiguringstaticRouter(config)#Router(config)#interfaceGigabitEthernet0/1Router(config-if)#ipaddress209.165.201.1255.255.255.240Router(config-if)#ipnatoutsideRouter(config)#interfaceGigabitEthernet0/0Router(config-if)#ipaddress10.1.1.1255.255.255.0Router(config-if)#ipnatinsideRouter(config)#ipnatinsidesourcestatic10.1.1.2Trying202.100.1.1...OpenUserAccessPassword:Branch#showBranch#showipnatProInsidetcpInsideOutsideOutside202.100.1.2:29430tcp202.100.1.1:2873710.1.20.100:28737 --- -- --Ender 乾頤堂ipnatinsidesourcestatictcp10.1.20.10023202.100.1.14444HQ#telnet202.100.1.1Trying202.100.1.1,4444...UserAccessVerificationBranch#showipnatProInside Inside tcp tcp -nr -- --乾頤堂VerifyingStaticNATRouter#showipnatProInside InsideOutsideOutsidetcp---Router(config)#access-list1permit10.1.1.00.0.0.255—ACL攜帶掩碼，否則可能無效Router(config)#ipnatpoolNAT-POOL209.165.201.5209.165.201.10netmaskRouter(config)#interfaceGigabitEthernet0/1Router(config-if)#ipaddress209.165.201.1255.255.255.240Router(config-if)#ipnatoutsideRouter(config)#interfaceGigabitEthernet0/0Router(config-if)#ipaddress10.1.1.1255.255.255.0Router(config-if)#ipnatinsideRouter(config)#ipnatinsidesourcelist1poolNAT-Router#showipnatProInside InsideOutsideOutsideicmp---icmptcp---Router(config)#Router(config)#access-list1permit10.1.1.00.0.0.255Router(config)#interfaceGigabitEthernet0/0Router(config-if)#ipaddress10.1.1.1255.255.255.0Router(config-if)#ipnatinsideRouter(config-if)#interfaceGigabitEthernet0/1Router(config-if)#ipaddress209.165.201.1255.255.255.240Router(config#ipnatoutsideRouter(config)#ipnatinsidesourcelist1interfaceGi0/1VerifyingPATRouter#showipnatProInside InsideOutside OutsidetcptcpAreAddressesBeingRouter#Router#showipnatTotaltranslations:5(0static,5dynamic,5extended)OutsideInterfaces:Serial0InsideInterfaces:Ethernet0,Ethernet1Hits:42Misses:44<outputMonitorsNATaccess-list1permit10.1.1.100VerifiesthattheNATACLispermittingallnecessaryTodisplaydetaileddynamicdataandevents,youcanuseAdebugcommandcanintensivelyusedeviceresources.Usecarefullyonproductionequipment.AlwaysturnoffdebugaftertroubleshootingwiththenodebugallRouter#Router#debugipNAT*:s=10.1.1.100->209.165.201.1,d=172.16.1.100[103]NAT*:s=172.16.1.100,d=209.165.201.1->10.1.1.100[103]NAT*:s=10.1.1.100->209.165.201.1,d=172.16.1.100[104]NAT*:s=172.16.1.100,d=209.165.201.1->10.1.1.100[104]<outputDisplaysinformationabouteverypacketthatistranslatedbytheIftranslationsareoccurring,butthereisnoconnectivity,verifythattheremoterouterhasaroutetothetranslatedaddress.Branch#showBranch#showipCodes:L-local,C-connected,S-static,R-RIP,M-mobile,B-BGPD-EIGRP,EX-EIGRPexternal,O-OSPF,IA-OSPFinterareaN1-OSPFNSSAexternaltype1,N2-OSPFNSSAexternaltype2E1-OSPFexternaltype1,E2-OSPFexternaltype2i-IS-IS,su-IS-ISsummary,L1-IS-ISlevel-1,L2-IS-ISlevel-2ia-IS-ISinterarea,*-candidatedefault,U-per-userstaticrouteo-ODR,P-periodicdownloadedstaticroute,+-replicatedrouteGatewayoflastresortis209.165.201.1tonetwork0.0.0.0C10.1.1.0/24isdirectlyconnected,GigabitEthernet0/0L10.1.1.2/32isdirectlyconnected,C209.165.201.0/27isdirectlyconnected,GigabitEthernet0/1S*0.0.0.0/0[1/0]via209.165.201.1HostAandhostBareunabletopingafteranewNATconfigurationisputinplace.<outputiproute0.0.0.00.0.0.0!access-list20permit0.0.0.0!interfaceipaddress10.1.1.1255.255.255.0ipnatoutside!interfaceipaddress209.165.200.1ipnat!ipnatinsidesourcelist20interfaceGigabitEthernet0/1Router#showipnatProRouter#showipnatProInside InsideOutsideOutsideTranslationsarenotTherouterinterfacesareincorrectlydefinedasNATinsideandNAToutside.Router#Router#showipnatTotalactivetranslations:0(0static,0dynamic;0extended)Outsideinterfaces:Insideinterfaces:<outputHowtofixRouter#Router#configureterminalRouter(config)#interfaceGigabitEthernet0/0Router(config-if)#ipnatinsideRouter(config-if)#ipnatVerifythattheaccesslistisStandardIPaccesslist10permit0.0.0.0,wildcardbitsHowtofixaccessVerifythattranslationsareoccurringandyouhaveconnectivitytotheremotenetwork.209.165.202.131:1Outside209.165.202.131:1OutsideOutsideInsidelocalProInsideglobalicmp209.165.201.1:1Router#showipnatPinging209.165.202.131with32bytesofReplyfrom209.165.202.131:bytes=32Replyfrom209.165.202.131:<output

time=70msTTL=127Provider-assignedIPaddressescanbeconfiguredonarouterstaticallyorcanbedynamically