NAT
Instructor: Kim Sung-hoon
Scaling the Network with NAT and PAT
Understand the characteristics and operation of NAT on Cisco routers. Be able to configure NAT. Be able to verify NAT and PAT configurations.
* Introducing NAT and PAT

Network Address Translation

[Diagram: two inside hosts, 10.1.1.1 and 10.1.1.2, sit behind the NAT router; the Internet is on the outside. A packet labelled SA 10.0.0.1 on the inside leaves the router with SA 171.69.58.80.]

NAT table
  Inside Local IP Address   Inside Global IP Address
  10.1.1.2                  171.69.58.80
  10.1.1.1                  171.69.58.81

Uses of NAT
Can be used to connect hosts to the Internet without using globally unique IP addresses.
Can be used to avoid renumbering existing IP addresses when connecting to a new ISP.
Can be used to connect two intranets whose address ranges overlap.
Port Address Translation

[Diagram: inside hosts 10.6.1.2 and 10.6.1.6 on "My Network" behind the PAT router; Internet/Intranet on the outside. Packets leave the hosts with SA 10.6.1.2:2031 and SA 10.6.1.6:1506 and leave the router with SA 171.69.68.10:2031 and SA 171.69.68.10:1506.]

NAT table
  Inside Local IP Address   Inside Global IP Address
  10.6.1.2:2031             171.69.68.10:2031
  10.6.1.6:1506             171.69.68.10:1506

Uses of PAT
Allows hosts on a private network to communicate on the public network. Conserves public IP addresses. When local nodes on the 10.6.1.0 network access an outside network, the source address is translated to 171.69.68.10 at the router.
* Translating Inside Source Addresses

Translating Inside Source Addresses

[Diagram: inside hosts 1.1.1.1 and 1.1.1.2 on the inside interface; Host B 9.6.7.3 on the Internet beyond the outside interface. Steps 1-5 on the slide: the packet from 1.1.1.1 (SA 1.1.1.1) leaves the router with SA 2.2.2.2; Host B's reply arrives with DA 2.2.2.2 and is delivered to the inside host with DA 1.1.1.1.]

NAT table
  Inside Local IP Address   Inside Global IP Address
  1.1.1.2                   2.2.2.3
  1.1.1.1                   2.2.2.2
Configuring Static Translation

Router(config)# ip nat inside source static local-ip global-ip
    Maps an inside local address to an inside global address.
Router(config-if)# ip nat inside
    Marks the interface connected to the inside network.
Router(config-if)# ip nat outside
    Marks the interface connected to the outside network.
Enabling Static NAT Address Mapping Example

interface s0
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
!
interface e0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
ip nat inside source static 10.1.1.2 200.168.1.2

[Diagram: host 10.1.1.2 on e0 (10.1.1.1); s0 faces the Internet. A packet with SA 10.1.1.2 leaves the router with SA 200.168.1.2.]
Configuring Dynamic Translation

Router(config)# ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
    Defines the pool of global addresses to allocate from.
Router(config)# access-list access-list-number permit source [source-wildcard]
    Defines a standard IP access list of the inside local addresses to be translated.
Router(config)# ip nat inside source list access-list-number pool name
    Configures dynamic source translation using the access list defined in the previous step.
Dynamic Address Translation Example

ip nat pool Test_lab 188.69.233.1 188.69.233.254 netmask 255.255.255.0
ip nat inside source list 1 pool Test_lab
!
interface serial 0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet 0
 ip address 192.168.1.94 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255

[Diagram: Host A 192.168.1.100 and Host B 192.168.1.101 on ethernet 0 (192.168.1.94); serial 0 (171.69.232.182) faces the outside. Host C 10.1.1.1 and Host D 172.16.1.1 are also shown; only the 192.168.1.0/24 hosts are matched by access-list 1.]
* Overloading an Inside Global Address

Overloading an Inside Global Address

[Diagram: inside hosts 1.1.1.1 and 1.1.1.2; two outside hosts, 9.6.7.3 and 6.5.4.7, on the Internet. Both inside hosts leave the router with SA 2.2.2.2; replies arrive with DA 2.2.2.2 and are mapped back to the right inside host by port, e.g. DA 1.1.1.1 (steps 1-5 on the slide).]

NAT table
  Protocol  Inside Local IP Address:Port  Inside Global IP Address:Port  Outside Global IP Address:Port
  TCP       1.1.1.2:1723                  2.2.2.2:1723                   6.5.4.7:23
  TCP       1.1.1.1:1024                  2.2.2.2:1024                   9.6.7.3:23
Configuring Overloading

Router(config)# access-list access-list-number permit source source-wildcard
    Defines a standard IP access list of the inside local addresses to be translated.
Router(config)# ip nat inside source list access-list-number interface interface overload
    Configures dynamic source translation with overload, using the access list defined in the previous step; all translated hosts share the address of the named interface.
Overloading an Inside Global Address Example

hostname NAT_Router
!
interface ethernet 0
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
!
interface ethernet 1
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
!
interface serial 0
 description To ISP
 ip address 172.17.38.1 255.255.255.0
 ip nat outside
!
ip nat inside source list 1 interface serial 0 overload
!
ip route 0.0.0.0 0.0.0.0 serial 0
!
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.4.0 0.0.0.255
!

[Diagram: host 192.168.3.7 on ethernet 0 (192.168.3.1) and host 192.168.4.12 on ethernet 1 (192.168.4.1); serial 0 (172.17.38.1) to the ISP.]
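Added example, not part of the slides and not Cisco IOS code: a small Python model of the three translation modes configured above (static mapping, a dynamic pool, and interface overload), built around the same NAT-table idea the slides show. It reuses the overload example's addresses (192.168.3.0/24 and 192.168.4.0/24 behind serial 0, 172.17.38.1) and the pool 172.16.17.20-172.16.17.30 from the sample problem later in the deck. The class and method names are assumptions for illustration, and the port-choice rule (keep the source port when it is free, otherwise take the next free port from 1024) is a simplification of what a router does.

```python
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Standard ACL semantics: a 1 bit in the wildcard mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


class NatRouter:
    """Keeps the NAT table the way the slides describe it: inside local -> inside global,
    plus a port-level table when one inside global address is overloaded (PAT)."""

    def __init__(self):
        self.static = {}         # ip nat inside source static local-ip global-ip
        self.acl = []            # (network, wildcard) permit lines of the standard ACL
        self.pool = []           # free inside global addresses (ip nat pool ...)
        self.overload_ip = None  # interface address used by '... interface serial 0 overload'
        self.dynamic = {}        # inside local -> inside global, allocated from the pool
        self.pat = {}            # (proto, inside local, port) -> (inside global, port)

    def add_static(self, local_ip, global_ip):
        self.static[local_ip] = global_ip

    def permit(self, network, wildcard):
        self.acl.append((network, wildcard))

    def add_pool(self, start_ip, end_ip):
        first = int(ipaddress.IPv4Address(start_ip))
        last = int(ipaddress.IPv4Address(end_ip))
        self.pool = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]

    def set_overload(self, interface_ip):
        self.overload_ip = interface_ip

    def _acl_permits(self, ip):
        return any(wildcard_match(ip, net, wc) for net, wc in self.acl)

    def translate(self, src_ip, src_port=None, proto="tcp"):
        """Return (inside global ip, port) for an inside->outside packet, or None when no
        translation is installed (ACL miss or exhausted pool)."""
        if src_ip in self.static:                 # static entries need no ACL
            return (self.static[src_ip], src_port)
        if not self._acl_permits(src_ip):
            return None                           # ACL did not permit this inside local address
        if self.overload_ip:                      # PAT: one global address, many ports
            key = (proto, src_ip, src_port)
            if key not in self.pat:
                used = {gp for (p, _, _), (_, gp) in self.pat.items() if p == proto}
                port = src_port if src_port not in used else 1024
                while port in used:               # simplification: next free port upward
                    port += 1
                self.pat[key] = (self.overload_ip, port)
            return self.pat[key]
        if src_ip not in self.dynamic:            # dynamic NAT: one global address per host
            if not self.pool:
                return None                       # pool exhausted
            self.dynamic[src_ip] = self.pool.pop(0)
        return (self.dynamic[src_ip], src_port)

    def clear_translations(self):
        """Model of 'clear ip nat translation *': dynamic and PAT entries go, statics stay."""
        self.pool = sorted(self.pool + list(self.dynamic.values()), key=ipaddress.IPv4Address)
        self.dynamic.clear()
        self.pat.clear()


if __name__ == "__main__":
    r = NatRouter()
    r.permit("192.168.3.0", "0.0.0.255")
    r.permit("192.168.4.0", "0.0.0.255")
    r.set_overload("172.17.38.1")
    print(r.translate("192.168.3.7", 1723))    # ('172.17.38.1', 1723)
    print(r.translate("192.168.4.12", 1723))   # ('172.17.38.1', 1024): port 1723 already in use
    print(r.translate("10.9.9.9", 5000))       # None: not permitted by access-list 1
```

Running it shows two hosts that both use source port 1723 sharing 172.17.38.1 with different global ports, a host outside the access list getting no translation at all, and (with add_pool instead of set_overload) an eleven-address pool running out on the twelfth host until clear_translations() frees it, which is exactly the "enough addresses in the pool?" question from the troubleshooting checklist later in the deck.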
* Verifying the NAT and PAT Configuration

Clearing the NAT Translation Table

Router# clear ip nat translation *
    Clears all dynamic address translation entries.
Router# clear ip nat translation inside global-ip local-ip [outside local-ip global-ip]
    Clears a simple dynamic translation entry containing an inside translation, or both inside and outside translations.
Router# clear ip nat translation outside local-ip global-ip
    Clears a simple dynamic translation entry containing an outside translation.
Router# clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip local-port global-ip global-port]
    Clears an extended dynamic translation entry.
Displaying Information with show Commands

Router# show ip nat translations
    Displays active translations.
Router# show ip nat statistics
    Displays translation statistics.

Router# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 172.16.131.1       10.10.10.1         ---                ---

Router# show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic, 0 extended)
Outside interfaces: Ethernet0, Serial2.7
Inside interfaces: Ethernet1
Hits: 5  Misses: 0
Sample Problem: Cannot Ping Remote Host

[Diagram: Host A 192.168.1.2 on the left (NAT) router's e0, 192.168.1.1/24; left router s0 10.1.1.1/24 linked to right router s0 10.1.1.2/24; right router e0 192.168.2.1/24 with Host B 192.168.2.2.]

Right router:
int e 0
 ip address 192.168.2.1 255.255.255.0
!
int s 0
 ip address 10.1.1.2 255.255.255.0
router rip
 network 10.0.0.0
 network 192.168.2.0

Left (NAT) router:
ip nat pool test 172.16.17.20 172.16.17.30
ip nat inside source list 1 pool test
!
int s0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
int e0
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
!
router rip
 network 10.0.0.0
 network 192.168.1.0
!
access-list 1 permit 192.168.1.0 0.0.0.255
Solution: New Configuration

[Diagram: same topology as the problem. Host A 192.168.1.2 on the left router's e0, 192.168.1.1/24; s0 10.1.1.1/24 linked to the right router's s0 10.1.1.2/24; right router e0 192.168.2.1/24 with Host B 192.168.2.2.]

Right router (unchanged):
int e 0
 ip address 192.168.2.1 255.255.255.0
!
int s 0
 ip address 10.1.1.2 255.255.255.0
router rip
 network 10.0.0.0
 network 192.168.2.0

Left (NAT) router:
ip nat pool test 172.16.17.20 172.16.17.30
ip nat inside source list 1 pool test
!
int s0
 ip address 10.1.1.1 255.255.255.0
 ip nat outside
!
int e0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
int loopback 0
 ip address 172.16.17.1 255.255.255.0
!
router rip
 network 10.0.0.0
 network 172.16.0.0
!
access-list 1 permit 192.168.1.0 0.0.0.255

What changed: s0 (toward the remote router) is now ip nat outside and e0 (toward Host A) is ip nat inside, the reverse of the problem configuration; a loopback 0 with 172.16.17.1/24 places the pool network 172.16.17.0/24 on the router, and RIP now advertises network 172.16.0.0 so the remote router has a route back to the translated addresses.
* Troubleshooting the NAT and PAT Configuration

Using the debug ip nat Command

Router# debug ip nat
NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [0]
NAT: s=172.16.2.2, d=192.168.2.1->10.1.1.1 [0]
NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [1]
NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [2]
NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [3]
NAT*: s=172.16.2.2, d=192.168.2.1->10.1.1.1 [1]
NAT: s=172.16.2.2, d=192.168.2.1->10.1.1.1 [1]
NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [4]
NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [5]
NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [6]
NAT*: s=172.16.2.2, d=192.168.2.1->10.1.1.1 [2]

Lines of the form s=10.1.1.1->192.168.2.1: inside-to-outside address translation.
Lines of the form d=192.168.2.1->10.1.1.1: NAT of the reply packet.

Translation Not Installed in the Translation Table?
Is the configuration correct? Does the access list referenced by the NAT command permit all the required networks? Are there enough addresses in the NAT pool? Are the correct router interfaces designated NAT inside and NAT outside?
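Added example, not from the slides: a Python parser for the debug ip nat lines shown above. It classifies each line by which address the router rewrote (the source for inside-to-outside packets, the destination for the reply), counts packets per translation, and lists translations that only ever appear outbound, which is the symptom of the sample problem earlier in the deck: the translation is installed, but no reply to the inside global address ever comes back through the router, so the return path (route to the pool network, inside/outside marking) is the place to look. The sample log is constructed: the slide's lines plus one flow from 10.1.1.5 that gets no reply. Function names are assumptions. The reading of the asterisk as a fast-path translation and of the bracketed number as the IP identification field follows Cisco's documentation of the command.

```python
import re
from collections import Counter

# Shape of one 'debug ip nat' line, e.g.
#   NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [0]
#   NAT*: s=172.16.2.2, d=192.168.2.1->10.1.1.1 [1]
# The side carrying '->' is the one the router rewrote; the bracketed number is the IP
# identification field; the asterisk marks a packet translated on the fast path.
DEBUG_LINE = re.compile(
    r"^NAT(?P<fast>\*?): s=(?P<src>[\d.]+)(?:->(?P<src_xlate>[\d.]+))?, "
    r"d=(?P<dst>[\d.]+)(?:->(?P<dst_xlate>[\d.]+))? \[(?P<ip_id>\d+)\]$"
)


def parse_debug_line(line):
    """Return a dict describing the packet, or None if the line is not a NAT debug line."""
    m = DEBUG_LINE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["fast_path"] = rec.pop("fast") == "*"
    rec["ip_id"] = int(rec["ip_id"])
    if rec["src_xlate"]:
        rec["direction"] = "inside->outside"   # source address was translated
    elif rec["dst_xlate"]:
        rec["direction"] = "outside->inside"   # reply: destination translated back
    else:
        rec["direction"] = "unknown"
    return rec


def summarize(lines):
    """Count packets per (inside local, inside global) pair in each direction."""
    outbound, inbound, fast = Counter(), Counter(), 0
    for line in lines:
        rec = parse_debug_line(line)
        if rec is None:
            continue
        fast += rec["fast_path"]
        if rec["direction"] == "inside->outside":
            outbound[(rec["src"], rec["src_xlate"])] += 1
        elif rec["direction"] == "outside->inside":
            inbound[(rec["dst_xlate"], rec["dst"])] += 1
    return {"outbound": dict(outbound), "inbound": dict(inbound), "fast_path": fast}


def missing_replies(summary):
    """Mappings seen only inside->outside: the translation works, but nothing ever
    returns to the inside global address through this router."""
    return sorted(m for m in summary["outbound"] if m not in summary["inbound"])


# Constructed sample: the slide's first lines plus one flow (10.1.1.5) that gets no reply.
SAMPLE = """\
NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [0]
NAT: s=172.16.2.2, d=192.168.2.1->10.1.1.1 [0]
NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [1]
NAT*: s=172.16.2.2, d=192.168.2.1->10.1.1.1 [1]
NAT: s=10.1.1.5->192.168.2.5, d=172.16.2.2 [7]
NAT: s=10.1.1.5->192.168.2.5, d=172.16.2.2 [8]
""".splitlines()

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(s)
    print("no replies for:", missing_replies(s))
```

On the constructed sample the 10.1.1.1 flow is balanced (two packets each way, one of them fast-path), while 10.1.1.5 -> 192.168.2.5 is reported as having no replies, which is the pattern to expect when the pool network is not reachable from the far side.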
LAB Test (1) Standard IP Access List LAB

[Diagram: PC 10.1.1.2 -- E0:10.1.1.1 Router_A S0:172.16.1.1 ---- S0:172.16.1.2 Router_B E0:192.168.1.1 -- PC 192.168.1.2]

Router_A(config)# access-list 1 deny 192.168.1.0 0.0.0.255
Router_A(config)# access-list 1 permit any
Router_A(config)# interface ethernet 0
Router_A(config-if)# ip access-group 1 out
Router_A(config-if)# exit
Router_A# sh running-config
Router_A# sh access-lists 1
Router_A# ping 172.16.1.2
Router_A# ping 192.168.1.2

Router_B(config)# access-list 10 deny 10.0.0.0 0.255.255.255
Router_B(config)# access-list 10 permit any
Router_B(config)# interface ethernet 0
Router_B(config-if)# ip access-group 10 out
Router_B(config-if)# exit
Router_B# sh running-config
Router_B# sh access-lists 10
Router_B# ping 10.1.1.2
Router_B# ping 172.16.1.1
LAB Test (2) Extended IP Access List LAB (1)

Router_A(config)# access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 21    : FTP
Router_A(config)# access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 20    : FTP data
Router_A(config)# access-list 101 permit ip any any
Router_A(config)# interface ethernet 0
Router_A(config-if)# ip access-group 101 out
Router_A(config-if)# exit
Router_A# sh running-config
Router_A# sh access-lists 101
Router_A#

LAB Test (2) Extended IP Access List LAB (2)

Router_B(config)# access-list 101 deny tcp 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 21    : FTP
Router_B(config)# access-list 101 deny tcp 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 20    : FTP data
Router_B(config)# access-list 101 permit ip any any
Router_B(config)# interface ethernet 0
Router_B(config-if)# ip access-group 101 out
Router_B(config-if)# exit
Router_B# sh running-config
Router_B# sh access-lists 101
Router_B#
LAB Test (3) Vty Access LAB

Router(config)# access-list 12 deny 192.168.1.0 0.0.0.255
Router(config)# access-list 12 permit any
Router(config)# line vty 0 4
Router(config-line)# access-class 12 in
Router(config-line)# exit
Router# sh running-config
Router# sh access-lists 12
Router# telnet 192.168.1.1    -- run telnet from the PC
Router# ping 192.168.1.1

Router(config)# access-list 22 deny 10.1.1.0 0.0.0.255
Router(config)# access-list 22 permit any
Router(config)# line vty 0 4
Router(config-line)# access-class 22 in
Router(config-line)# exit
Router# sh running-config
Router# sh access-lists 22
Router# telnet 172.16.1.1    -- run telnet from the PC
Router# ping 172.16.1.1
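Added example, not from the lab sheet and not Cisco code: a Python parser and evaluator for the numbered access lists used in the three labs above (standard list 1 and 10, extended list 101, and list 12 applied with access-class to the vty lines). It applies the rules the labs rely on: wildcard-mask matching, first matching line wins, and the implicit deny at the end of every list. The parser handles the syntax forms on the page (any, host, address plus wildcard, eq with a numeric port); the function names and access-list 5 in the sample, which has no permit line and therefore denies everything, are constructed for illustration.

```python
import ipaddress


def _is_ip(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def _take_addr(tokens, i):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D [wildcard]'."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(tokens) and _is_ip(tokens[i + 1]):
        return tokens[i], tokens[i + 1], i + 2
    return tokens[i], "0.0.0.0", i + 1          # standard list with no wildcard = one host


def parse_acl(lines):
    """Build {list number: [rule, ...]} from 'access-list ...' lines (numeric ports only)."""
    acls = {}
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        number, action = int(tokens[1]), tokens[2]
        if number <= 99 or 1300 <= number <= 1999:            # standard: source only
            src, src_wc, _ = _take_addr(tokens, 3)
            rule = {"action": action, "proto": "ip", "src": src, "src_wc": src_wc,
                    "dst": "0.0.0.0", "dst_wc": "255.255.255.255", "port": None}
        else:                                                  # extended: proto src dst [eq port]
            src, src_wc, i = _take_addr(tokens, 4)
            dst, dst_wc, i = _take_addr(tokens, i)
            port = int(tokens[i + 1]) if i + 1 < len(tokens) and tokens[i] == "eq" else None
            rule = {"action": action, "proto": tokens[3], "src": src, "src_wc": src_wc,
                    "dst": dst, "dst_wc": dst_wc, "port": port}
        acls.setdefault(number, []).append(rule)
    return acls


def evaluate(rules, src, dst="0.0.0.0", proto="ip", dst_port=None):
    """First matching line decides; every access list ends with an implicit deny."""
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if not wildcard_match(src, r["src"], r["src_wc"]):
            continue
        if not wildcard_match(dst, r["dst"], r["dst_wc"]):
            continue
        if r["port"] is not None and r["port"] != dst_port:
            continue
        return r["action"]
    return "deny"


# Constructed sample: the lab's lists, plus list 5 which has no permit line at all.
LAB = """\
access-list 1 deny 192.168.1.0 0.0.0.255
access-list 1 permit any
access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 21
access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 20
access-list 101 permit ip any any
access-list 12 deny 192.168.1.0 0.0.0.255
access-list 12 permit any
access-list 5 deny 10.0.0.0 0.255.255.255
""".splitlines()

if __name__ == "__main__":
    acls = parse_acl(LAB)
    print("list 1, ping from 192.168.1.2:", evaluate(acls[1], "192.168.1.2"))      # deny
    print("list 101, FTP control:", evaluate(acls[101], "192.168.1.2", "10.1.1.2", "tcp", 21))  # deny
    print("list 101, HTTP:", evaluate(acls[101], "192.168.1.2", "10.1.1.2", "tcp", 80))         # permit
    print("list 12, telnet from 10.1.1.2:", evaluate(acls[12], "10.1.1.2"))       # permit
    print("list 5, anything else:", evaluate(acls[5], "172.16.1.1"))              # deny (implicit)
```

For the vty lab, access-class evaluates only the source address of the incoming session, so evaluate() is called with just the source; for the extended lab the deny lines match only TCP to ports 20 and 21, which is why the same source and destination on another port or protocol fall through to the permit ip any any line.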