Difference between revisions of "Cisco NAT"
Revision as of 18:10, 26 June 2016
ip nat create flow-entries accelerates the NAT process and is enabled by default on IOS routers.
Check whether NAT works
debug ip nat
telnet 1.1.1.1 /source-interface lo0
who
Overload
access-list 10 permit [ip-address] [wildcard-mask]
ip nat inside source list 10 interface [outside-interface] overload
Verify
show ip nat translations
show ip nat statistics
Static NAT
interface Gi0/1
 ip address 10.10.10.10 255.255.255.0
 ip nat outside
interface Gi0/2
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
NAT
ip nat inside source static 192.168.0.20 10.10.10.20 [no-alias]
With no-alias, the router does not answer ARP requests for that IP address.
Verify
show ip nat translations
show ip nat statistics
show ip alias
Dynamic NAT
interface Gi0/1
 ip address 10.10.10.10 255.255.255.0
 ip nat outside
interface Gi0/2
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
NAT
ip access-list standard CLIENT-LIST
 permit 192.168.0.0 0.0.0.15
ip nat pool DYNAMIC 10.10.10.15 10.10.10.19 prefix-length 29
ip nat inside source list CLIENT-LIST pool DYNAMIC
DYNAMIC is the pool of IP addresses used for NAT.
Verify
show ip nat translations
show ip nat pool name DYNAMIC
Static PAT
interface Gi0/1
 ip address 10.10.10.10 255.255.255.0
 ip nat outside
interface Gi0/2
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
PAT / port forward
ip nat inside source static tcp 192.168.0.55 80 10.10.10.10 80
Verify
show ip nat translations
Static Policy NAT
Route Maps
ip access-list extended TO_OUTSIDE
 permit ip 192.168.0.0 0.0.0.255 any
route-map TO_ISP1 permit 10
 match ip address TO_OUTSIDE
 match interface Gi0/0
ip nat inside source route-map TO_ISP1 interface Gi0/0 overload
Overlapping Subnets
Either you NAT on both sides, or on only one of them.
TCP Load Distribution
Rotary address pool
ip nat pool ROTARY prefix-length 24 type rotary
 address 10.0.0.10 10.0.0.10
 address 10.0.0.11 10.0.0.11
ip nat inside destination list DISTRIBUTE_LOAD pool ROTARY
HSRP
Stateful NAT with HSRP. During failovers, NAT translated IP addresses on devices may be different from the IP address before the failover, because no state information is exchanged between active and standby devices. HSRP Virtual IP Address (VIP) cannot be used by NAT pools.
interface gi2
 standby 100 name SNAT
ip nat stateful id 1 redundancy SNAT mapping-id 10
ip nat pool SNATPOOL 10.1.1.1 10.1.1.9 prefix-length 24
ip nat inside source route-map ROUTE-MAP pool SNATPOOL mapping-id 10 overload
Primary
ip nat stateful id 1 primary 10.10.10.10 peer 10.22.22.22 mapping-id 10
Backup
ip nat stateful id 1 backup 10.2.2.2 peer 10.10.10.10 mapping-id 10
Verify
show ip snat distributed verbose
NVI
With a NAT Virtual Interface (NVI) you can translate addresses between VRFs; inside and outside are not used with this method.
interface Gi0/1
 ip nat enable
interface Gi0/2
 ip nat enable
show ip nat nvi translations
Default Interface
NAT default interface means that all traffic initiated from the outside and NATed inward goes to one and the same IP, while traffic initiated from the inside can instead be NATed to the interface IP (NAT overload).
ip access-list standard ALL
 permit any
ip nat inside source list ALL interface Gi2 overload
ip nat inside source static 172.16.0.20 interface Gi2
Reversible NAT
NAT can be configured so that it only works after having been initiated from the other side.
Double NAT
172.20.0.10 communicates with 172.20.0.50, which is NATed to 30.0.0.5. 30.0.0.5 sees the traffic as coming from 30.0.0.50.
ip nat inside source static 172.20.0.10 30.0.0.50
ip nat outside source static 30.0.0.5 172.20.0.50 add-route
Without add-route, a static route must be used to point 172.20.0.50 at the outside interface.
show ip nat translations
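As an added example (not from the wiki page), the following Python models how IOS applies the two static entries in the Double NAT section using the inside local/global and outside local/global terms, and reports which outside-local addresses still need a manual static route when add-route is omitted. Packet, parse_static_nat and the other helper names are assumptions of this example, not IOS or wiki names.

```python
# Added example (not from the wiki page): a small model of how IOS applies the
# two static translations in the Double NAT section. Assumed order of
# operations: inside->outside rewrites src via the 'inside source' map and dst
# via the reverse of the 'outside source' map; outside->inside does the opposite.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

# Constructed input: the two static lines from the section above.
CONFIG = """
ip nat inside source static 172.20.0.10 30.0.0.50
ip nat outside source static 30.0.0.5 172.20.0.50 add-route
"""

def parse_static_nat(config):
    """Return (inside_local->inside_global, outside_global->outside_local,
    outside-local addresses that received a host route via add-route)."""
    inside, outside, routed = {}, {}, set()
    for line in config.splitlines():
        p = line.split()
        if len(p) < 7 or p[:2] != ["ip", "nat"] or p[3:5] != ["source", "static"]:
            continue
        if p[5] in ("tcp", "udp"):  # port-level (static PAT) entries are not modelled
            continue
        if p[2] == "inside":
            inside[p[5]] = p[6]
        elif p[2] == "outside":
            outside[p[5]] = p[6]
            if "add-route" in p[7:]:
                routed.add(p[6])
    return inside, outside, routed

def inside_to_outside(pkt, inside, outside):
    """Inside host sends to the outside-local address: src and dst both rewritten."""
    to_global = {local: glob for glob, local in outside.items()}
    return Packet(inside.get(pkt.src, pkt.src), to_global.get(pkt.dst, pkt.dst))

def outside_to_inside(pkt, inside, outside):
    """Reply from the outside host addressed to the inside-global address."""
    to_local = {glob: local for local, glob in inside.items()}
    return Packet(outside.get(pkt.src, pkt.src), to_local.get(pkt.dst, pkt.dst))

def routes_still_needed(outside, routed):
    """Outside-local addresses without add-route: a manual static route is needed."""
    return sorted(set(outside.values()) - routed)
```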
Static Extendable NAT
If you want several IP addresses to be NATed to the same IP.
ip nat inside source static 10.1.1.1 20.0.0.20 extendable
ip nat inside source static 10.1.1.1 20.0.0.30 extendable
IPv6
NAT Protocol Translation (NAT-PT) can be used in IPv4-to-IPv6 migrations and provides bidirectional connectivity between the two domains.
interface gi 0/0
 ipv6 nat
interface gi 0/1
 ipv6 nat
ipv6 nat v6v4 source 3001:11:0:1::1 150.11.3.1
ipv6 nat v4v6 source static 150.11.2.2 2000::960b:0202
ipv6 nat prefix 2000::/96
NAT-PT requires a /96 prefix.
Verify
show ipv6 nat translations