Difference between revisions of "Cisco NAT"
From HackerNet
Helikopter (talk | contribs) |
Helikopter (talk | contribs) |
||
| Line 1: | Line 1: | ||
| + | '''ip nat create flow-entries''' är påslaget default i IOS-routrar. | ||
| + | |||
==Overload== | ==Overload== | ||
access-list 10 permit [ip-address] [wildcard-mask] | access-list 10 permit [ip-address] [wildcard-mask] | ||
| Line 13: | Line 15: | ||
ip nat inside | ip nat inside | ||
NAT | NAT | ||
| − | ip nat inside source static 192.168.0.20 10.10.10.20 | + | ip nat inside source static 192.168.0.20 10.10.10.20 [no-alias] |
| + | ''Använd no-alias om det inte ska arpas efter den IPn på outside.'' | ||
| + | |||
Verify | Verify | ||
show ip nat translations | show ip nat translations | ||
| Line 31: | Line 35: | ||
Verify | Verify | ||
show ip nat translations | show ip nat translations | ||
| + | show ip nat pool name DYNAMIC | ||
==Static PAT== | ==Static PAT== | ||
| Line 53: | Line 58: | ||
==Route Maps== | ==Route Maps== | ||
| + | ip access-list extended TO_OUTSIDE | ||
| + | permit ip 192.168.0.0 0.0.0.255 any | ||
| + | route-map TO_ISP1 permit 10 | ||
| + | match ip address TO_OUTSIDE | ||
| + | match interface Gi0/0 | ||
| + | ip nat inside source route-map TO_ISP1 interface Gi0/0 overload | ||
==Overlapping Subnets== | ==Overlapping Subnets== | ||
| Line 58: | Line 69: | ||
==TCP Load Distribution== | ==TCP Load Distribution== | ||
| + | Rotary address pool | ||
| + | ip nat pool ROTARY prefix-length 24 type rotary | ||
| + | address 10.0.0.10 10.0.0.10 | ||
| + | address 10.0.0.11 10.0.0.11 | ||
| + | ip nat inside destination list DISTRIBUTE_LOAD pool ROTARY | ||
==HSRP== | ==HSRP== | ||
| + | Stateful NAT | ||
==Primary/Backup== | ==Primary/Backup== | ||
| + | show ip snat distributed verbose | ||
==NVI== | ==NVI== | ||
| + | Med Nat Virtual Interface kan man adressöversätta mellan VRF:er och man använder inte ''inside'' och ''outside'' med denna metod. | ||
| + | interface Gi0/1 | ||
| + | ip nat enable | ||
| + | interface Gi0/2 | ||
| + | ip nat enable | ||
| + | |||
| + | show ip nat nvi translations | ||
==Default Interface== | ==Default Interface== | ||
==Reversible NAT== | ==Reversible NAT== | ||
| + | Dubbel-NAT, 172.20.0.10 kommunicerar mot 172.20.0.50 som natas till 30.0.0.5. 30.0.0.5 Ser trafik från 30.0.0.50. | ||
| + | ip nat inside source static 172.20.0.10 30.0.0.50 | ||
| + | ip nat outside source static 30.0.0.5 172.20.0.50 add-route | ||
| + | Utan add-route måste en statisk route användas för att peka 172.20.0.50 till outside interface. | ||
| + | show ip nat translations | ||
==Static Extendable NAT== | ==Static Extendable NAT== | ||
Revision as of 10:48, 4 June 2016
ip nat create flow-entries är påslaget default i IOS-routrar.
Contents
Overload
access-list 10 permit [ip-address] [wildcard-mask] ip nat inside source list 10 interface [outside-interface] overload
Verify
show ip nat translations
Static NAT
interface Gi0/1 ip address 10.10.10.10 255.255.255.0 ip nat outside interface Gi0/2 ip address 192.168.0.1 255.255.255.0 ip nat inside
NAT
ip nat inside source static 192.168.0.20 10.10.10.20 [no-alias]
Använd no-alias om det inte ska arpas efter den IPn på outside.
Verify
show ip nat translations
Dynamic NAT
interface Gi0/1 ip address 10.10.10.10 255.255.255.0 ip nat outside interface Gi0/2 ip address 192.168.0.1 255.255.255.0 ip nat inside
NAT
ip access-list standard CLIENT-LIST permit 192.168.0.0 0.0.0.15 ip nat pool DYNAMIC 10.10.10.15 10.10.10.19 prefix-length 29 ip nat inside source list CLIENT-LIST pool DYNAMIC
Verify
show ip nat translations show ip nat pool name DYNAMIC
Static PAT
interface Gi0/1 ip address 10.10.10.10 255.255.255.0 ip nat outside interface Gi0/2 ip address 192.168.0.1 255.255.255.0 ip nat inside
PAT
ip nat inside source static tcp 192.168.0.55 80 10.10.10.10 80
Verify
show ip nat translations
Static NAT and IP Aliasing
Utan alias besvaras inte ARP-förfrågningar för den IP-adressen.
ip nat inside source static 192.168.0.20 10.10.10.20 no-alias
Verify
show ip alias
Static Policy NAT
Route Maps
ip access-list extended TO_OUTSIDE permit ip 192.168.0.0 0.0.0.255 any route-map TO_ISP1 permit 10 match ip address TO_OUTSIDE match interface Gi0/0 ip nat inside source route-map TO_ISP1 interface Gi0/0 overload
Overlapping Subnets
Antingen får man NATa på båda sidorna eller bara ena.
TCP Load Distribution
Rotary address pool
ip nat pool ROTARY prefix-length 24 type rotary address 10.0.0.10 10.0.0.10 address 10.0.0.11 10.0.0.11 ip nat inside destination list DISTRIBUTE_LOAD pool ROTARY
HSRP
Stateful NAT
Primary/Backup
show ip snat distributed verbose
NVI
Med Nat Virtual Interface kan man adressöversätta mellan VRF:er och man använder inte inside och outside med denna metod.
interface Gi0/1 ip nat enable interface Gi0/2 ip nat enable
show ip nat nvi translations
Default Interface
Reversible NAT
Dubbel-NAT, 172.20.0.10 kommunicerar mot 172.20.0.50 som natas till 30.0.0.5. 30.0.0.5 Ser trafik från 30.0.0.50.
ip nat inside source static 172.20.0.10 30.0.0.50 ip nat outside source static 30.0.0.5 172.20.0.50 add-route
Utan add-route måste en statisk route användas för att peka 172.20.0.50 till outside interface.
show ip nat translations
Static Extendable NAT
Verify
show ip alias | i dynamic show ip nat statistics show ip snat distributed show ip snat distributed verbose
Kolla om NAT funkar
telnet 1.1.1.1 /source lo0 who
Debug
debug ip nat
