Cisco NAT

The four address types defined by Cisco NAT
inside local ip address :
 the ip address assigned to a host on the inside network
 An address used on the inside network, an RFC 1918 private IP, normally behind the interface configured with ip nat inside
inside global ip address :
 a legitimate ip address that represents one or more inside local ip addresses to the outside world
 Normally a legitimate public IP assigned by the ISP, on the interface configured with ip nat outside; it represents the local inside IPs when they reach the outside network
outside global ip address :
 the address was allocated from a globally routable address space and assigned to a host on the outside network
 Normally a legitimate public IP assigned by the ISP, but belonging to a host that is not local
outside local ip address :
 the ip address of an outside host as it appears to the inside network
 An address used on the inside network, an RFC 1918 private IP, but representing a host that is not local

Flow of a packet sent by a host through NAT:
Before the packet enters NAT, its source address is called the inside local IP and its destination the outside local IP
After it leaves NAT, the source address is called the inside global IP and the destination the outside global IP

………………..

Configuring static NAT
1. Specify the one-to-one translation command
(config)#[no] ip nat inside source static <inside local> <inside global>
This rewrites the inside local IP to the inside global IP
[no] is optional and removes the static NAT command
Note: entering the command again overwrites the existing mapping
2. Mark the interface that carries the inside local IP as the inside interface
(config-if)#ip nat inside
3. Mark the interface that carries the inside global IP as the outside interface
(config-if)#ip nat outside
Example: the address 192.1.1.1 on interface eth1 is translated to 10.117.1.1 on interface eth0
(config)#ip nat inside source static 192.1.1.1 10.117.1.1
(config)#int ethernet 1
(config-if)#ip addr 192.1.1.1 255.255.255.0
(config-if)#ip nat inside
(config-if)#int ethernet 0
(config-if)#ip addr 10.117.1.1 255.255.255.0
(config-if)#ip nat outside

…………………

Configuring dynamic NAT
1. Define the permitted source IPs with an ACL
(config)#access-list <acl-num> permit <source net> <wildcard>
Note: the interface carrying the source IPs must be configured with ip nat inside
2. Create a NAT pool holding the addresses to translate into
(config)#ip nat pool <poolname> <ip range> {netmask <mask> | prefix-length <length>}
Note: the interface carrying the pool addresses must be configured with ip nat outside
3. Map the source IPs to the pool
(config)#ip nat inside source list <acl-num> pool <poolname>
Example:
Let eth0's IP be 10.1.1.1/24 and serial0's IP be 192.16.2.1/24
Dynamically translate addresses in 10.1.1.0/24 to addresses in 192.20.2.0/24
(config)#access-list 1 permit 10.1.1.0 0.0.0.255
(config)#ip nat pool dyn-nat 192.20.2.1 192.20.2.254 netmask 255.255.255.0
(config)#ip nat inside source list 1 pool dyn-nat
(config)#interface Ethernet0
(config-if)#ip nat inside
(config-if)#interface Serial0
(config-if)#ip nat outside

………………..

Configuring PAT
1. Define the permitted source IPs with an ACL
(config)#access-list <acl-num> permit <source net> <wildcard>
Note: the interface carrying the source IPs must be configured with ip nat inside
2. Map the source IPs to the outgoing interface or to a pool, with overload
(config)#ip nat inside source list <acl-num> {interface <out int> | pool <poolname>} overload
Note: the outgoing interface must be configured with ip nat outside
Example:
Allow the 160.10.1.1/24 addresses on interface eth0 to be translated to 175.10.1.1/24 and sent out through interface serial0
(config)# access-list 1 permit 160.10.1.0 0.0.0.255
(config)# ip nat inside source list 1 interface serial0 overload
(config)# interface Ethernet 0
(config-if)# ip nat inside
(config-if)# interface serial 0
(config-if)# ip nat outside
If pool <poolname> is used, the pool of translatable addresses must also be defined, as follows
(config)#ip nat pool <poolname> <ip range> netmask <mask>
Example:
Allow the 192.168.1.0/24 addresses on interface eth0 to be translated to 192.168.2.1/29 through 192.168.2.6/29 and sent out through interface serial0
(config)#access-list 1 permit 192.168.1.0 0.0.0.255
(config)#ip nat inside source list 1 pool natdyn overload
(config)#ip nat pool natdyn 192.168.2.1 192.168.2.6 netmask 255.255.255.248
(config)#interface ethernet 0
(config-if)#ip nat inside
(config-if)#interface serial 0
(config-if)#ip nat outside


Note: PAT support is a feature of the Cisco 700 series

………………..

Setting the NAT table timeout
(config)#ip nat translation timeout <timeout_seconds>
By default an address that has not been used for 24 hours is removed from the NAT table

Specifying the maximum number of NAT table entries
(config)#ip nat translation max-entries <count>
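To tie the pieces above together (the inside local to inside global rewrite, static one-to-one mappings, the ACL plus pool of dynamic NAT, PAT overload on an interface address, the translation timeout and max-entries), here is a small Python model of a router's inside-source NAT table. It is an added example written for these notes, not Cisco code; the addresses reuse the examples above, 175.10.1.1 is assumed to be serial0's address for the PAT case, the pool-exhaustion case uses a constructed one-address pool, and PAT ports starting at 1024 is a modelling choice, not IOS behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

DEFAULT_TIMEOUT = 24 * 60 * 60  # seconds: the "ip nat translation timeout" default in the notes


@dataclass
class Translation:
    inside_local: str
    inside_global: str
    local_port: Optional[int] = None   # None: address-only entry (static / dynamic NAT)
    global_port: Optional[int] = None  # set only for PAT ("extended") entries
    last_used: float = 0.0


class NatRouter:
    """Constructed model of one router's inside-source NAT, following the notes above."""

    def __init__(self, timeout=DEFAULT_TIMEOUT, max_entries=None):
        self.timeout = timeout          # ip nat translation timeout <seconds>
        self.max_entries = max_entries  # ip nat translation max-entries <count>
        self.static = {}                # ip nat inside source static <local> <global>
        self.acl = []                   # access-list <n> permit <net> <wildcard>
        self.pool = []                  # ip nat pool <name> <first> <last> netmask <mask>
        self.overload = False           # "... overload" (PAT)
        self.table = []                 # dynamic entries (static ones never age out)
        self._next_port = 1024          # modelling choice for PAT port allocation

    def add_static(self, inside_local, inside_global):
        self.static[inside_local] = inside_global      # re-entering overwrites

    def permit(self, cidr):
        self.acl.append(ipaddress.ip_network(cidr))

    def set_pool(self, first, last):
        lo, hi = (int(ipaddress.ip_address(a)) for a in (first, last))
        self.pool = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]

    def set_interface_overload(self, outside_ip):
        # ip nat inside source list <n> interface <out int> overload
        self.pool, self.overload = [outside_ip], True

    def expire(self, now):
        """Drop dynamic entries idle for the timeout; returns how many were removed."""
        before = len(self.table)
        self.table = [t for t in self.table if now - t.last_used < self.timeout]
        return before - len(self.table)

    def translate(self, src_ip, src_port, now):
        """Packet leaving through the outside interface: inside local -> inside global.
        Returns (inside global, global port), or None when no translation applies."""
        self.expire(now)
        if src_ip in self.static:                         # static entry wins
            return self.static[src_ip], src_port
        if not any(ipaddress.ip_address(src_ip) in n for n in self.acl):
            return None                                   # ACL does not permit: not translated
        for t in self.table:                              # reuse an existing entry
            if t.inside_local == src_ip and (not self.overload or t.local_port == src_port):
                t.last_used = now
                return t.inside_global, (t.global_port if self.overload else src_port)
        if self.max_entries is not None and len(self.table) >= self.max_entries:
            return None                                   # table full
        if self.overload:                                 # PAT: one address, many ports
            gport, self._next_port = self._next_port, self._next_port + 1
            entry = Translation(src_ip, self.pool[0], src_port, gport, now)
        else:                                             # dynamic NAT: one address per host
            used = {t.inside_global for t in self.table}
            free = [ip for ip in self.pool if ip not in used]
            if not free:
                return None                               # pool exhausted (what "debug ip nat detail" reports)
            entry = Translation(src_ip, free[0], last_used=now)
        self.table.append(entry)
        return entry.inside_global, (entry.global_port if self.overload else src_port)


def demo():
    s = NatRouter()                                       # static NAT from the notes
    s.add_static("192.1.1.1", "10.117.1.1")
    static_result = s.translate("192.1.1.1", 5000, now=0)

    d = NatRouter()                                       # dynamic NAT from the notes
    d.permit("10.1.1.0/24")
    d.set_pool("192.20.2.1", "192.20.2.254")
    dyn_first = d.translate("10.1.1.5", 40000, now=0)
    dyn_second = d.translate("10.1.1.6", 40000, now=1)

    p = NatRouter(timeout=60)                             # PAT on serial0 (175.10.1.1 assumed)
    p.permit("160.10.1.0/24")
    p.set_interface_overload("175.10.1.1")
    pat_a = p.translate("160.10.1.2", 3000, now=0)
    pat_b = p.translate("160.10.1.3", 3000, now=0)
    expired = p.expire(now=61)                            # both entries idle longer than 60 s
    return static_result, dyn_first, dyn_second, pat_a, pat_b, expired


def pool_exhausted():
    n = NatRouter()
    n.permit("10.1.1.0/24")
    n.set_pool("192.20.2.1", "192.20.2.1")                # constructed one-address pool
    n.translate("10.1.1.5", 1, now=0)
    return n.translate("10.1.1.6", 1, now=0)              # second host gets no address


if __name__ == "__main__":
    print(demo(), pool_exhausted())
```

The model makes two points from the notes visible: without overload a pool address is consumed per inside host, so a small pool runs out and later hosts go untranslated, while with overload one address serves many hosts because the port becomes part of the entry; and a timeout that is too long keeps idle entries alive until they count against max-entries.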

Note: the ip nat command tree
(config)#ip nat
inside:Inside address translation
 source:Source address translation
  list:Specify access list describing local addresses
  static
 destination:destination address translation
  list
  static
pool

………………..

Enabling NAT debugging
#debug ip nat [detail]
Shows NAT operation in real time for every packet that is translated
Adding detail produces a description of each packet about to be translated, together with error and exception information, such as failures to allocate a global address
The output looks roughly like this
router:NAT : s=192.1.1.1 -> 10.17.1.1, d=10.1.0.1 [10117] // 192.1.1.1 is translated to 10.17.1.1 and sent to 10.1.0.1
router:NAT* : s=10.1.0.1, d=10.17.1.1->192.1.1.1 [10117] // the * marks the reply from 10.1.0.1 to 10.17.1.1, translated back to 192.1.1.1
Note: [10117] is the IP identification number

Viewing NAT statistics
#show ip nat statistics
Displays a summary of the NAT configuration
The output looks roughly like this
Total active translations: 1 (0 static, 1 dynamic; 1 extended) // counts of each active translation type
Outside interfaces: Serial0
Inside interfaces: Ethernet0
Hits: 5 Misses: 5
Expired translations: 5
Dynamic mappings:
-- Inside Source
Access list + 2interface Serial0 refcount 0

Displaying the IP NAT translation table
#show ip nat translations *
The output looks roughly like this
Pro Inside global Inside local Outside local Outside global
--- 192.2.2.2 160.1.1.1 --- ---
This means a packet whose source is 160.1.1.1 has its source rewritten to 192.2.2.2

Clearing the IP NAT translation table
#clear ip nat translation *
Only dynamic NAT entries are removed

………………………..

Cisco's recommended troubleshooting steps
1. Check the configuration:
Based on the configuration, clearly define what NAT is supposed to achieve
2. Check the NAT table:
Verify that correct translations exist in the translation table
3. Check with show and debug:
Verify the translation is occurring by using show and debug commands
4. Check the packet and routing:
Review in detail what is happening to the packet and verify that routers have the correct routing information to move the packet along
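Steps 2 and 3 above amount to reading the show ip nat translations table and the debug ip nat lines and checking that the mappings you expect are really there. The following Python, added here as an example and not part of the original notes or any Cisco tool, parses both formats as they appear in the sections above and answers those two questions. The sample texts are constructed: the first translation row is the notes' own example, the second is a made-up PAT entry using the documentation address 198.51.100.7, and the debug lines follow the notes' two lines without the router: prefix.

```python
import re

# Constructed sample of "show ip nat translations" output, modelled on the notes:
# row 1 is the page's example, row 2 is a constructed PAT ("extended") entry.
SHOW_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
--- 192.2.2.2          160.1.1.1          ---                ---
tcp 175.10.1.1:1024    160.10.1.2:3000    198.51.100.7:80    198.51.100.7:80
"""

# Constructed sample of "debug ip nat" output, modelled on the two lines in the notes.
DEBUG_OUTPUT = """\
NAT: s=192.1.1.1->10.17.1.1, d=10.1.0.1 [10117]
NAT*: s=10.1.0.1, d=10.17.1.1->192.1.1.1 [10117]
"""


def _addr(field):
    """'---' -> (None, None); 'a.b.c.d' -> (ip, None); 'a.b.c.d:p' -> (ip, port)."""
    if field == "---":
        return None, None
    ip, _, port = field.partition(":")
    return ip, (int(port) if port else None)


def parse_translations(text):
    """Turn the five-column translation table into a list of dicts."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) != 5:
            continue
        proto, ig, il, ol, og = parts
        rows.append({
            "proto": None if proto == "---" else proto,
            "inside_global": _addr(ig), "inside_local": _addr(il),
            "outside_local": _addr(ol), "outside_global": _addr(og),
        })
    return rows


# NAT[*]: s=<src>[-><src after>], d=<dst>[-><dst after>] [<ip id>]
DEBUG_RE = re.compile(r"^NAT(\*?): s=(\S+?)(?:->(\S+?))?, d=(\S+?)(?:->(\S+?))? \[(\d+)\]$")


def parse_debug(text):
    """Turn debug ip nat lines into dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = DEBUG_RE.match(line.strip())
        if not m:
            continue
        star, s, s_new, d, d_new, ident = m.groups()
        events.append({"starred": star == "*", "src": s, "src_after": s_new,
                       "dst": d, "dst_after": d_new, "ip_id": int(ident)})
    return events


def missing_translations(rows, expected):
    """Troubleshooting step 2: which expected inside local -> inside global mappings
    are absent from the table, or present with a different inside global address."""
    actual = {r["inside_local"][0]: r["inside_global"][0] for r in rows}
    return {loc: glob for loc, glob in expected.items() if actual.get(loc) != glob}


def debug_shows_translation(events, inside_local, inside_global):
    """Troubleshooting step 3: the debug output shows both the outbound rewrite of the
    source and the rewrite of the destination on the reply."""
    outbound = any(e["src"] == inside_local and e["src_after"] == inside_global for e in events)
    reply = any(e["dst"] == inside_global and e["dst_after"] == inside_local for e in events)
    return outbound and reply


if __name__ == "__main__":
    rows = parse_translations(SHOW_OUTPUT)
    print(missing_translations(rows, {"160.1.1.1": "192.2.2.2", "160.1.1.9": "192.2.2.9"}))
    print(debug_shows_translation(parse_debug(DEBUG_OUTPUT), "192.1.1.1", "10.17.1.1"))
```

Feed the real command output into parse_translations and parse_debug and compare against the mappings your configuration is meant to produce; an entry that is missing points at step 1 (ACL, pool or interface roles), while a table entry that exists but never shows up in the debug output points at step 4 (routing).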

Cisco IOS NAT supports the following traffic types
ICMP
FTP, including PORT and PASV commands
NetBIOS over TCP/IP, datagram, name, and session services
RealNetworks’ RealAudio
White Pines’ CUSeeMe
Xing Technologies’ StreamWorks
DNS “A” and “PTR” queries
H.323/Microsoft NetMeeting, IOS versions 12.0(1)/12.0(1)T and later
VDOnet’s VDOLive, IOS versions 11.3(4)/11.3(4)T and later
VXtreme’s Web Theater, IOS versions 11.3(4)/11.3(4)T and later
IP Multicast, IOS version 12.0(1)T with source address translation only

Cisco IOS NAT does not support the following traffic types
Routing table updates
DNS zone transfers
BOOTP
talk and ntalk protocols
SNMP