Difference between revisions of "Cisco NAT"
From HackerNet
Helikopter (talk | contribs) |
Helikopter (talk | contribs) |
||
| Line 1: | Line 1: | ||
| − | '''ip nat create flow-entries''' är påslaget default i IOS-routrar. | + | '''ip nat create flow-entries''' accelererar NAT-processen och är påslaget default i IOS-routrar. |
| + | |||
| + | Kolla om NAT funkar | ||
| + | debug ip nat | ||
| + | telnet 1.1.1.1 /source lo0 | ||
| + | who | ||
==Overload== | ==Overload== | ||
| Line 6: | Line 11: | ||
Verify | Verify | ||
show ip nat translations | show ip nat translations | ||
| + | show ip nat statistics | ||
==Static NAT== | ==Static NAT== | ||
| Line 16: | Line 22: | ||
NAT | NAT | ||
ip nat inside source static 192.168.0.20 10.10.10.20 [no-alias] | ip nat inside source static 192.168.0.20 10.10.10.20 [no-alias] | ||
| − | '' | + | ''Med no-alias besvaras inte ARP-förfrågningar för den IP-adressen.'' |
Verify | Verify | ||
show ip nat translations | show ip nat translations | ||
| + | show ip nat statistics | ||
| + | show ip alias | ||
| + | ''DYNAMIC är IP-adresser som används för NAT.'' | ||
==Dynamic NAT== | ==Dynamic NAT== | ||
| Line 48: | Line 57: | ||
Verify | Verify | ||
show ip nat translations | show ip nat translations | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
==Static Policy NAT== | ==Static Policy NAT== | ||
| Line 76: | Line 79: | ||
==HSRP== | ==HSRP== | ||
| + | Primary/Backup | ||
| + | |||
Stateful NAT | Stateful NAT | ||
| − | |||
| − | |||
show ip snat distributed verbose | show ip snat distributed verbose | ||
| Line 100: | Line 103: | ||
==Static Extendable NAT== | ==Static Extendable NAT== | ||
| + | |||
| + | ==IPv6== | ||
| + | NAT – Protocol Translation kan användas vid IPv4 till IPv6 migreringar och ger bi-directional connectivity mellan domänerna. | ||
| + | interface gi 0/0 | ||
| + | ipv6 nat | ||
| + | interface gi 0/1 | ||
| + | ipv6 nat | ||
| + | ipv6 nat v6v4 source 3001:11:0:1::1 150.11.3.1 | ||
| + | ipv6 nat v4v6 source static 150.11.2.2 2000::960b:0202 | ||
| + | ipv6 nat prefix 2000::/96 | ||
| + | NAT-PT kräver ett /96 prefix | ||
Verify | Verify | ||
| − | show | + | show ipv6 nat translations |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
[[Category:Cisco]] | [[Category:Cisco]] | ||
Revision as of 09:03, 7 June 2016
ip nat create flow-entries accelererar NAT-processen och är påslaget default i IOS-routrar.
Kolla om NAT funkar
debug ip nat telnet 1.1.1.1 /source lo0 who
Contents
Overload
access-list 10 permit [ip-address] [wildcard-mask] ip nat inside source list 10 interface [outside-interface] overload
Verify
show ip nat translations show ip nat statistics
Static NAT
interface Gi0/1 ip address 10.10.10.10 255.255.255.0 ip nat outside interface Gi0/2 ip address 192.168.0.1 255.255.255.0 ip nat inside
NAT
ip nat inside source static 192.168.0.20 10.10.10.20 [no-alias]
Med no-alias besvaras inte ARP-förfrågningar för den IP-adressen.
Verify
show ip nat translations show ip nat statistics show ip alias
DYNAMIC är IP-adresser som används för NAT.
Dynamic NAT
interface Gi0/1 ip address 10.10.10.10 255.255.255.0 ip nat outside interface Gi0/2 ip address 192.168.0.1 255.255.255.0 ip nat inside
NAT
ip access-list standard CLIENT-LIST permit 192.168.0.0 0.0.0.15 ip nat pool DYNAMIC 10.10.10.15 10.10.10.19 prefix-length 29 ip nat inside source list CLIENT-LIST pool DYNAMIC
Verify
show ip nat translations show ip nat pool name DYNAMIC
Static PAT
interface Gi0/1 ip address 10.10.10.10 255.255.255.0 ip nat outside interface Gi0/2 ip address 192.168.0.1 255.255.255.0 ip nat inside
PAT
ip nat inside source static tcp 192.168.0.55 80 10.10.10.10 80
Verify
show ip nat translations
Static Policy NAT
Route Maps
ip access-list extended TO_OUTSIDE permit ip 192.168.0.0 0.0.0.255 any route-map TO_ISP1 permit 10 match ip address TO_OUTSIDE match interface Gi0/0 ip nat inside source route-map TO_ISP1 interface Gi0/0 overload
Overlapping Subnets
Antingen får man NATa på båda sidorna eller bara ena.
TCP Load Distribution
Rotary address pool
ip nat pool ROTARY prefix-length 24 type rotary address 10.0.0.10 10.0.0.10 address 10.0.0.11 10.0.0.11 ip nat inside destination list DISTRIBUTE_LOAD pool ROTARY
HSRP
Primary/Backup
Stateful NAT
show ip snat distributed verbose
NVI
Med Nat Virtual Interface kan man adressöversätta mellan VRF:er och man använder inte inside och outside med denna metod.
interface Gi0/1 ip nat enable interface Gi0/2 ip nat enable
show ip nat nvi translations
Default Interface
Reversible NAT
Dubbel-NAT, 172.20.0.10 kommunicerar mot 172.20.0.50 som natas till 30.0.0.5. 30.0.0.5 Ser trafik från 30.0.0.50.
ip nat inside source static 172.20.0.10 30.0.0.50 ip nat outside source static 30.0.0.5 172.20.0.50 add-route
Utan add-route måste en statisk route användas för att peka 172.20.0.50 till outside interface.
show ip nat translations
Static Extendable NAT
IPv6
NAT – Protocol Translation kan användas vid IPv4 till IPv6 migreringar och ger bi-directional connectivity mellan domänerna.
interface gi 0/0 ipv6 nat interface gi 0/1 ipv6 nat ipv6 nat v6v4 source 3001:11:0:1::1 150.11.3.1 ipv6 nat v4v6 source static 150.11.2.2 2000::960b:0202 ipv6 nat prefix 2000::/96
NAT-PT kräver ett /96 prefix
Verify
show ipv6 nat translations
