Cisco NAT
From HackerNet
Revision as of 10:48, 4 June 2016 by Helikopter (talk | contribs)
ip nat create flow-entries is enabled by default on IOS routers.
Overload
access-list 10 permit [ip-address] [wildcard-mask]
ip nat inside source list 10 interface [outside-interface] overload
Verify
show ip nat translations
Static NAT
interface Gi0/1
 ip address 10.10.10.10 255.255.255.0
 ip nat outside
interface Gi0/2
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
NAT
ip nat inside source static 192.168.0.20 10.10.10.20 [no-alias]
Use no-alias if the router should not answer ARP for that IP on the outside.
Verify
show ip nat translations
Dynamic NAT
interface Gi0/1
 ip address 10.10.10.10 255.255.255.0
 ip nat outside
interface Gi0/2
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
NAT
ip access-list standard CLIENT-LIST
 permit 192.168.0.0 0.0.0.15
ip nat pool DYNAMIC 10.10.10.15 10.10.10.19 prefix-length 29
ip nat inside source list CLIENT-LIST pool DYNAMIC
Verify
show ip nat translations
show ip nat pool name DYNAMIC
Static PAT
interface Gi0/1
 ip address 10.10.10.10 255.255.255.0
 ip nat outside
interface Gi0/2
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
PAT
ip nat inside source static tcp 192.168.0.55 80 10.10.10.10 80
Verify
show ip nat translations
Static NAT and IP Aliasing
Without an alias, ARP requests for that IP address are not answered.
ip nat inside source static 192.168.0.20 10.10.10.20 no-alias
Verify
show ip alias
Static Policy NAT
Route Maps
ip access-list extended TO_OUTSIDE
 permit ip 192.168.0.0 0.0.0.255 any
route-map TO_ISP1 permit 10
 match ip address TO_OUTSIDE
 match interface Gi0/0
ip nat inside source route-map TO_ISP1 interface Gi0/0 overload
Overlapping Subnets
Either you NAT on both sides, or only on one.
TCP Load Distribution
Rotary address pool
ip nat pool ROTARY prefix-length 24 type rotary
 address 10.0.0.10 10.0.0.10
 address 10.0.0.11 10.0.0.11
ip nat inside destination list DISTRIBUTE_LOAD pool ROTARY
HSRP
Stateful NAT
Primary/Backup
show ip snat distributed verbose
NVI
With NAT Virtual Interface you can translate addresses between VRFs; inside and outside are not used with this method.
interface Gi0/1
 ip nat enable
interface Gi0/2
 ip nat enable
show ip nat nvi translations
Default Interface
Reversible NAT
Double NAT: 172.20.0.10 communicates with 172.20.0.50, which is NATed to 30.0.0.5. 30.0.0.5 sees the traffic as coming from 30.0.0.50.
ip nat inside source static 172.20.0.10 30.0.0.50
ip nat outside source static 30.0.0.5 172.20.0.50 add-route
Without add-route, a static route must be used to point 172.20.0.50 to the outside interface.
show ip nat translations
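As an added illustration (not code from the page), a small Python model of the double-NAT case above: IOS routes an inside-to-outside packet before translating it, which is why the outside-local address 172.20.0.50 needs a route towards the outside interface, and why add-route matters. The route table and the Packet/Router names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

class Router:
    """Constructed model of IOS NAT ordering: inside-to-outside packets are
    routed first and translated after, so the outside-local address must
    already route to the outside interface (add-route installs that route)."""
    def __init__(self):
        self.inside_static = {}   # inside local -> inside global
        self.outside_static = {}  # outside global -> outside local
        # Constructed route table: 30.0.0.0/24 is outside, 172.20.0.0/24 inside
        self.routes = {"30.0.0.0/24": "outside", "172.20.0.0/24": "inside"}
    def ip_nat_inside_source_static(self, local, glob):
        self.inside_static[local] = glob
    def ip_nat_outside_source_static(self, glob, local, add_route=False):
        self.outside_static[glob] = local
        if add_route:  # the add-route keyword: host route for the outside-local address
            self.routes[local + "/32"] = "outside"
    def lookup(self, dst):
        """Longest-prefix match; returns the egress interface or None."""
        addr = ipaddress.ip_address(dst)
        hits = [(ipaddress.ip_network(p).prefixlen, i) for p, i in self.routes.items()
                if addr in ipaddress.ip_network(p)]
        return max(hits)[1] if hits else None
    def inside_to_outside(self, pkt):
        if self.lookup(pkt.dst) != "outside":
            return None  # never hits the outside interface, so NAT is not applied
        src = self.inside_static.get(pkt.src, pkt.src)
        dst = next((g for g, l in self.outside_static.items() if l == pkt.dst), pkt.dst)
        return Packet(src, dst)
    def outside_to_inside(self, pkt):
        src = self.outside_static.get(pkt.src, pkt.src)
        dst = next((l for l, g in self.inside_static.items() if g == pkt.dst), pkt.dst)
        return Packet(src, dst)

def demo(add_route):
    """The two static entries from the section above, one packet out and the reply back."""
    r = Router()
    r.ip_nat_inside_source_static("172.20.0.10", "30.0.0.50")
    r.ip_nat_outside_source_static("30.0.0.5", "172.20.0.50", add_route)
    out = r.inside_to_outside(Packet("172.20.0.10", "172.20.0.50"))
    back = r.outside_to_inside(Packet("30.0.0.5", "30.0.0.50")) if out else None
    return out, back
```

With add_route=True the packet leaves as 30.0.0.50 -> 30.0.0.5 and the reply returns to 172.20.0.10; with add_route=False it never reaches the outside interface and no translation happens.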
Static Extendable NAT
Verify
show ip alias | i dynamic
show ip nat statistics
show ip snat distributed
show ip snat distributed verbose
Check whether NAT works
telnet 1.1.1.1 /source lo0
who
Debug
debug ip nat