Cisco NAT

From HackerNet
Revision as of 09:03, 7 June 2016 by Helikopter (talk | contribs)
Jump to: navigation, search

ip nat create flow-entries accelererar NAT-processen och är påslaget default i IOS-routrar.

Kolla om NAT funkar 

debug ip nat
telnet 1.1.1.1 /source lo0
who

Overload 

access-list 10 permit [ip-address] [wildcard-mask]
ip nat inside source list 10 interface [outside-interface] overload

Verify 

show ip nat translations
show ip nat statistics

Static NAT 

interface Gi0/1
 ip address 10.10.10.10 255.255.255.0
 ip nat outside
interface Gi0/2
 ip address 192.168.0.1 255.255.255.0
 ip nat inside

NAT 

ip nat inside source static 192.168.0.20 10.10.10.20 [no-alias]

Med no-alias besvaras inte ARP-förfrågningar för den IP-adressen.

Verify 

show ip nat translations
show ip nat statistics
show ip alias

DYNAMIC är IP-adresser som används för NAT.

Dynamic NAT 

interface Gi0/1
 ip address 10.10.10.10 255.255.255.0
 ip nat outside
interface Gi0/2
 ip address 192.168.0.1 255.255.255.0
 ip nat inside

NAT 

ip access-list standard CLIENT-LIST
 permit 192.168.0.0 0.0.0.15
ip nat pool DYNAMIC 10.10.10.15 10.10.10.19 prefix-length 29
ip nat inside source list CLIENT-LIST pool DYNAMIC

Verify 

show ip nat translations
show ip nat pool name DYNAMIC

Static PAT 

interface Gi0/1
 ip address 10.10.10.10 255.255.255.0
 ip nat outside
interface Gi0/2
 ip address 192.168.0.1 255.255.255.0
 ip nat inside

PAT 

ip nat inside source static tcp 192.168.0.55 80 10.10.10.10 80

Verify 

show ip nat translations

Static Policy NAT

Route Maps 

ip access-list extended TO_OUTSIDE
 permit ip 192.168.0.0 0.0.0.255 any
route-map TO_ISP1 permit 10
 match ip address TO_OUTSIDE
 match interface Gi0/0
ip nat inside source route-map TO_ISP1 interface Gi0/0 overload

Overlapping Subnets

Antingen får man NATa på båda sidorna eller bara ena.

TCP Load Distribution

Rotary address pool 

ip nat pool ROTARY prefix-length 24 type rotary
 address 10.0.0.10 10.0.0.10
 address 10.0.0.11 10.0.0.11
ip nat inside destination list DISTRIBUTE_LOAD pool ROTARY

HSRP

Primary/Backup

Stateful NAT 

show ip snat distributed verbose

NVI

Med Nat Virtual Interface kan man adressöversätta mellan VRF:er och man använder inte inside och outside med denna metod. 

interface Gi0/1
 ip nat enable
interface Gi0/2
 ip nat enable

show ip nat nvi translations

Default Interface

Reversible NAT

Dubbel-NAT, 172.20.0.10 kommunicerar mot 172.20.0.50 som natas till 30.0.0.5. 30.0.0.5 Ser trafik från 30.0.0.50. 

ip nat inside source static 172.20.0.10 30.0.0.50
ip nat outside source static 30.0.0.5 172.20.0.50 add-route

Utan add-route måste en statisk route användas för att peka 172.20.0.50 till outside interface. 

show ip nat translations

Static Extendable NAT

IPv6

NAT – Protocol Translation kan användas vid IPv4 till IPv6 migreringar och ger bi-directional connectivity mellan domänerna. 

interface gi 0/0
 ipv6 nat
interface gi 0/1
 ipv6 nat
ipv6 nat v6v4 source 3001:11:0:1::1 150.11.3.1
ipv6 nat v4v6 source static 150.11.2.2 2000::960b:0202
ipv6 nat prefix 2000::/96

NAT-PT kräver ett /96 prefix

Verify 

show ipv6 nat translations
Retrieved from "https://hackernet.se/index.php?title=Cisco_NAT&oldid=1831"