NAT 강사 김성훈. Scaling the Network with NAT and PAT Cisco 라우터에서의 NAT 의 특징 및 작동법을 안다. NAT 를 구성할 수 있다. NAT 와 PAT 의 구성을

NAT

강사 김성훈

Scaling the Network with NAT and PAT

Cisco 라우터에서의 NAT 의 특징 및 작동법을 안다 . NAT 를 구성할 수 있다 . NAT 와 PAT 의 구성을 검증할 수 있다 .

* Introducing NAT and PAT

Network Address Translation

Internet

Inside

10.1.1.1Inside Local IP

Address

10.1.1.210.1.1.1

NAT table

Inside Global IP Address

171.69.58.80171.69.58.81

10.1.1.2

SA10.0.0.1

SA171.69.58.80

Outside

Global Unique IP address 를 쓰지 않고 호스트들을 Internet 에 연결하는 경우에 사용될 수 있다 .

새로운 ISP 에 연결시 기존의 IP Address 를 바꾸지 않기 위해서 사용될 수 있다.

중복되는 Address 를 갖는 두 intranet 을 연결 시에 사용될 수 있다 .

NAT 의 사용

Port Address Translation

10.6.1.2PAT

10.6.1.6

Internet/Intranet

My Network Internet

SA10.6.1.2:2031

SA10.6.1.6:1506

SA171.69.68.10.2031

SA171.69.68.10.1506

Inside Local IP Address

10.6.1.2:203110.6.1.6:1506

NAT table


171.69.68.10:2031171.69.68.10:1506

Private Network 상의 호스트들이 Public Network 상에서 통신할 수 있게 한다 . 공인 IP address 를 절약한다 . 10.6.1.0 네트워크의 Local Node 들이 외부 네트워크에 Access 하는 경우 , Sou

rce Address 는 라우터에서 171.69.68.10 으로 Translation 된다 .

PAT 의 사용

Translating Inside Source Addresses

* Translating Inside Source Addresses

1.1.1.2

1.1.1.1

Inside

SA1.1.1.1

Internet

Outside

SA2.2.2.2

DA1.1.1.1

DA2.2.2.2

Host B 9.6.7.3

1

2

3 45

Inside Local IP Address

1.1.1.21.1.1.1

NAT table


2.2.2.32.2.2.2

Inside Interfac

e

Outside Interfac

e

Configuring Static Translation

Router(config)#ip nat inside source static local-ip global-ip

Router(config-if)#ip nat inside

Router(config-if)#ip nat outside

inside local address 를 inside global address 로 Mapping 한다 .

inside network 에 연결된 Interface 이다 .

outside 에 network 에 연결된 Interface 이다 .

Enabling Static NAT Address Mapping Example

Interface s0Ip address 192.168.1.1 255.255.255.0Ip nat outside!Interface e0Ip add 10.1.1.1 255.255.255.0Ip nat inside!Ip nat inside source static 10.1.1.2 200.168.1.2

Interface s0Ip address 192.168.1.1 255.255.255.0Ip nat outside!Interface e0Ip add 10.1.1.1 255.255.255.0Ip nat inside!Ip nat inside source static 10.1.1.2 200.168.1.2

10.1.1.2

Internet

SA10.1.1.2

5

10.1.1.1 192.1.168.1.2

s0e0

SA200.168.1.2

Configuring Dynamic Translation

Router(config)#ip nat pool name start-ip end-ip{netmask netmask | prefix-length prefix-length}

할당할 global address 의 pool 을 지정한다 .

Router(config)#access-list access-list-number permit source [source-wildcard}

변환할 inside local address 들의 standard IP access-list 를 정의 한다 .

Router(config)#ip nat inside source list aceess-list-number pool name

전단계에서 정의한 access-list 를 이용하여 Dynamic Source Translation을 설정한다 .

Dynamic Address Translation Example

192.168.1.94

Ip nat pool Test_lab 188.69.233.1 188.69.233.254 netmask 255.255.255.0Ip nat inside source list 1 pool Test_lab!Interface serial 0 ip address 171.69.232.182 255.255.255.240 ip nat outside!Interface ethernet 0 ip address 192.168.1.94 255.255.255.0 ip nat inside!Access-list 1 permit 192.168.1.0 0.0.0.255

Ip nat pool Test_lab 188.69.233.1 188.69.233.254 netmask 255.255.255.0Ip nat inside source list 1 pool Test_lab!Interface serial 0 ip address 171.69.232.182 255.255.255.240 ip nat outside!Interface ethernet 0 ip address 192.168.1.94 255.255.255.0 ip nat inside!Access-list 1 permit 192.168.1.0 0.0.0.255

171.69.232.182

Host A 192.168.1.

100

Host B 192.168.1.

101

Host C 10.1.1.1

Host D 172.16.1.1

s0e0

Overloading an Inside Global Address

1.1.1.2

1.1.1.1

Inside

SA1.1.1.1

Internet

SA2.2.2.2

DA1.1.1.1

DA2.2.2.2

Host B 9.6.7.3

1

2

3 45

NAT table Host B 6.5.4.7

DA2.2.2.2

4

Internet

Inside Global IP Address: Port

2.2.2.2:17232.2.2.2:1024

Outside Global IP Address: Port

6.5.4.7:239.6.7.3:23

Protocol

TCPTCP

Inside Local IP Address: Port

1.1.1.2:17231.1.1.1:1024

* Overloading an Inside Global Address

Configuring Overloading

Router(config)#access-list access-list-number permitsource source-wildcard

변환할 inside local address 들의 standard IP access-list 를 정의 한다 .

Router(config)#ip nat inside source listaccess-list-number interface interface overload

전단계에서 정의한 access-list 를 이용하여 Dynamic Source Translation을 설정한다 .

Overloading an Inside Global Address Example

hostname NAT_Router!interface ethernet 0 ip address 192.168.3.1 255.255.255.0 ip nat inside!interface ethernet 1 ip address 192.168.4.1 255.255.255.0 ip nat inside!interface serial 0 description To ISP ip address 172.17.38.1 255.255.255.0 ip nat outside!ip nat inside source list 1 interface serial 0 overload!ip route 0.0.0.0 0.0.0.0 serial 0!access-list 1 permit 192.168.3.0 0.0.0.255access-list 1 permit 192.168.4.0 0.0.0.255!

hostname NAT_Router!interface ethernet 0 ip address 192.168.3.1 255.255.255.0 ip nat inside!interface ethernet 1 ip address 192.168.4.1 255.255.255.0 ip nat inside!interface serial 0 description To ISP ip address 172.17.38.1 255.255.255.0 ip nat outside!ip nat inside source list 1 interface serial 0 overload!ip route 0.0.0.0 0.0.0.0 serial 0!access-list 1 permit 192.168.3.0 0.0.0.255access-list 1 permit 192.168.4.0 0.0.0.255!

192.168.3.7

5 s0e0

192.168.4.12

e1

192.168.3.1

192.168.4.1

172.17.38.1

Clearing the NAT Translation Table

* Verifying the NAT and PAT Configuration

Router#clear ip nat translation *

Clear all dynamic address translation entries

Router#clear ip nat translation inside global-ip local-ip [outside local-ip global-ip]

Clears a simple dynamic translation entry containing an inside translation, or both inside and outside translation

Router#clear ip nat translation outside local-ip global-ip

clears a simple dynamic translation entry containing an outside translation

Router#clear ip nat translation protocol inside global-ipglobal-port local-ip local-port [outside local-iplocal-port global-ip global-port]

Clears an extended dynamic translation entry

Displaying Information with show Commands

Router#show ip nat translations

Displays active translations

Router#show ip nat statistics

Displays translation statistics

Router# show ip nat translations Pro Inside global Inside local outside local outside global --- 172.16.131.1 10.10.10.1 --- ---

Router# show ip nat translations Pro Inside global Inside local outside local outside global --- 172.16.131.1 10.10.10.1 --- ---

Router# show ip nat statistics Total active translations: 1 (1 static, 0 dynamic, 0 extendes) Outside interfaces: Ethernet0, Serial2.7 Inside interfaces: Ethernet1 Hits: 5 Misses: 0 -

Router# show ip nat statistics Total active translations: 1 (1 static, 0 dynamic, 0 extendes) Outside interfaces: Ethernet0, Serial2.7 Inside interfaces: Ethernet1 Hits: 5 Misses: 0 -

Sample Problem: Cannot Ping Remote Host

192.168.1.1/24

Host B 192.168.2.

2

e0e0

Host A 192.168.1.

2

10.1.1.1/24 10.1.1.2/24

192.168.2.1/24s0 s0

int e 0 ip address 192.168.2.1 255.255.255.0!int s 0 ip address 10.1.1.2 255.255.255.0router rip network 10.0.0.0 network 192.168.2.0


ip nat pool test 172.16.17.20 172.16.17.30ip nat inside source list 1 pool test!int s0 ip address 10.1.1.1 255.255.255.0 ip nat inside!int e0 ip address 192.168.1.1 255.255.255.0 ip nat outside!router rip network 10.0.0.0 network 192.168.1.0!access-list 1 permit 192.168.1.0 0.0.0.255

ip nat pool test 172.16.17.20 172.16.17.30ip nat inside source list 1 pool test!int s0 ip address 10.1.1.1 255.255.255.0 ip nat inside!int e0 ip address 192.168.1.1 255.255.255.0 ip nat outside!router rip network 10.0.0.0 network 192.168.1.0!access-list 1 permit 192.168.1.0 0.0.0.255

Solution: New Configuration

192.168.1.1/24

Host B 192.168.2.

2

e0e0

Host A 192.168.1.

2

10.1.1.1/24 10.1.1.2/24

192.168.2.1/24s0 s0



ip nat pool test 172.16.17.20 172.16.17.30ip nat inside source list 1 pool test!int s0 ip address 10.1.1.1 255.255.255.0 ip nat outside!int e0 ip address 192.168.1.1 255.255.255.0 ip nat inside!int loopback 0 ip address 172.16.17.1 255.255.255.0!router rip network 10.0.0.0 network 172.16.0.0!access-list 1 permit 192.168.1.0 0.0.0.255

ip nat pool test 172.16.17.20 172.16.17.30ip nat inside source list 1 pool test!int s0 ip address 10.1.1.1 255.255.255.0 ip nat outside!int e0 ip address 192.168.1.1 255.255.255.0 ip nat inside!int loopback 0 ip address 172.16.17.1 255.255.255.0!router rip network 10.0.0.0 network 172.16.0.0!access-list 1 permit 192.168.1.0 0.0.0.255

Using the debug ip nat Command

* Troubleshooting the NAT and PAT Configuration

Router# debug ip nat

NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [0] NAT: s=172.16.2.2, d=192.168.2.1->10.1.1.1 [0] NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [1] NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [2] NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [3] NAT*: s=172.16.2.2, d=192.168.2.1->10.1.1.1 [1] NAT: s=172.16.2.2, d=192.168.2.1->10.1.1.1 [1] NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [4] NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [5] NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [6] NAT*: s=172.16.2.2, d=192.168.2.1->10.1.1.1 [2]

Router# debug ip nat

NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [0] NAT: s=172.16.2.2, d=192.168.2.1->10.1.1.1 [0] NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [1] NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [2] NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [3] NAT*: s=172.16.2.2, d=192.168.2.1->10.1.1.1 [1] NAT: s=172.16.2.2, d=192.168.2.1->10.1.1.1 [1] NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [4] NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [5] NAT: s=10.1.1.1->192.168.2.1, d=172.16.2.2 [6] NAT*: s=172.16.2.2, d=192.168.2.1->10.1.1.1 [2]

inside-to-outside address translation

reply packet 의 NAT

Configuration 이 제대로 되었는가 ? NAT 명령을 참조하는 엑세스 리스트가 모든 필요한 네트워크들을 허가

(permit) 하였는가 ? NAT pool 에 충분한 주소들이 있는가 ? 라우터 인터페이스에 정확한 NAT inside 또는 NAT outside 를 지정

하였는가 ?

Translation Not Installed in the Translation Table?

LAB Test (1) Standard IP Access List LAB

Router_A(config)# access-list 1 deny 192.168.1.0 0.0.0.255Router_A(config)# access-list 1 permit anyRouter_A(config)# interface ethernet 0Router_A(config-if)#ip access-group 1 outRouter_A(config-if)# exitRouter_A# sh running-configurationRouter_A# sh access-lists 1Router_A# ping 172.16.1.2Router_A# ping 192.168.1.2

Router_A(config)# access-list 1 deny 192.168.1.0 0.0.0.255Router_A(config)# access-list 1 permit anyRouter_A(config)# interface ethernet 0Router_A(config-if)#ip access-group 1 outRouter_A(config-if)# exitRouter_A# sh running-configurationRouter_A# sh access-lists 1Router_A# ping 172.16.1.2Router_A# ping 192.168.1.2

Router_B(config)#access-list 10 deny 10.0.0.0 0.255.255.255Router_B(config)#access-list 10 permit anyRouter_B(config)#interface ethernet 0Router_B(config-if)#ip access-group 10 outRouter_B(config-if)#exitRouter_B#sh running-configurationRouter_B#sh access-lists 10Router_B#ping 10.1.1.2Router_B#ping 172.16.1.1

Router_B(config)#access-list 10 deny 10.0.0.0 0.255.255.255Router_B(config)#access-list 10 permit anyRouter_B(config)#interface ethernet 0Router_B(config-if)#ip access-group 10 outRouter_B(config-if)#exitRouter_B#sh running-configurationRouter_B#sh access-lists 10Router_B#ping 10.1.1.2Router_B#ping 172.16.1.1

192.168.1.2

E0:10.1.1.1 E0:192.168.1.1

S0:172.16.1.2

S0:172.16.1.1

Router_A Router_B10.1.1.2

LAB Test (2) Extended IP Access List LAB (1)

Router_A(config)# access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 21 : FTPRouter_A(config)# access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 20 : FTP data

Router_A(config)# access-list 101 permit ip any anyRouter_A(config)# interface ethernet 0Router_A(config-if)# ip access-group 101 outRouter_A(config-if)# exitRouter_A# sh running-configurationRouter_A# sh access-lists 101Router_A#

Router_A(config)# access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 21 : FTPRouter_A(config)# access-list 101 deny tcp 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 20 : FTP data

Router_A(config)# access-list 101 permit ip any anyRouter_A(config)# interface ethernet 0Router_A(config-if)# ip access-group 101 outRouter_A(config-if)# exitRouter_A# sh running-configurationRouter_A# sh access-lists 101Router_A#

192.168.1.2

E0:10.1.1.1 E0:192.168.1.1

S0:172.16.1.2

S0:172.16.1.1


LAB Test (2) Extended IP Access List LAB (2)

Router_B(config)# access-list 101 deny tcp 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 21 : FTPRouter_B(config)# access-list 101 deny tcp 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 20 : FTP dataRouter_B(config)# access-list 101 permit ip any anyRouter_B(config)# interface ethernet 0Router_B(config-if)# ip access-group 101 outRouter_B(config-if)# exitRouter_B# sh running-configurationRouter_B# sh access-lists 101Router_B#

Router_B(config)# access-list 101 deny tcp 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 21 : FTPRouter_B(config)# access-list 101 deny tcp 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 20 : FTP dataRouter_B(config)# access-list 101 permit ip any anyRouter_B(config)# interface ethernet 0Router_B(config-if)# ip access-group 101 outRouter_B(config-if)# exitRouter_B# sh running-configurationRouter_B# sh access-lists 101Router_B#

192.168.1.2

E0:10.1.1.1 E0:192.168.1.1

S0:172.16.1.2

S0:172.16.1.1


LAB Test (3) Vty Access LAB

Router(config)# access-list 12 deny 192.168.1.0 0.0.0.255Router(config)# access-list 12 permit anyRouter(config)# line vty 0 4Router(config-line)# access-class 12 inRouter(config-line)# exitRouter# sh running-configurationRouter# sh access-lists 12Router# telnet 192.168.1.1--PC 에서 telnet 실행Router# ping 192.168.1.1




192.168.1.2

E0:10.1.1.1 E0:192.168.1.1

S0:172.16.1.2

S0:172.16.1.1


Documents

NAT 강사 김성훈. Scaling the Network with NAT and PAT Cisco 라우터에서의 NAT 의 특징 및 작동법을 안다. NAT 를 구성할 수 있다. NAT 와 PAT 의 구성을