CCNA M6 C3 - Configuring IP Access Lists

Shared by Nguyễn Duy Diệu | Date: 29/04/2019 | 128


Document content:

© 2002, Cisco Systems, Inc. All rights reserved.
Scaling the Network with NAT and PAT
Objectives
Upon completing this lesson, you will be able to:
Describe the features and operation of NAT on Cisco routers
Use Cisco IOS commands to configure NAT, given a functioning router
Use show commands to identify anomalies in the NAT configuration, given an operational router
Use debug commands to identify events and anomalies in the NAT configuration, given an operational router
Network Address Translation
An IP address is either local or global.
Local IP addresses are seen in the inside network.
Port Address Translation
Translating Inside Source Addresses
Configuring Static Translation
Establishes static translation between an inside local address and an inside global address
Router(config)#ip nat inside source static local-ip global-ip
Marks the interface as connected to the inside
Router(config-if)#ip nat inside
Marks the interface as connected to the outside
Router(config-if)#ip nat outside
Enabling Static NAT
Address Mapping Example
Configuring Dynamic Translation
Defines a pool of global addresses to be allocated as needed
Router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
Defines a standard IP access list permitting those inside local addresses that are to be translated
Router(config)#access-list access-list-number permit source [source-wildcard]
Establishes dynamic source translation, specifying the access list defined in the prior step
Router(config)#ip nat inside source list access-list-number pool name
Dynamic Address Translation Example
Overloading an Inside Global Address
Configuring Overloading
Defines a standard IP access list permitting those inside local addresses that are to be translated
Router(config)#access-list access-list-number permit source source-wildcard
Establishes dynamic source translation, specifying the access list defined in the prior step
Router(config)#ip nat inside source list access-list-number interface interface overload
Overloading an Inside Global Address Example
Clearing the NAT Translation Table
Clears a simple dynamic translation entry containing an inside translation, or both inside and outside translation
Router#clear ip nat translation inside global-ip local-ip [outside local-ip global-ip]
Clears all dynamic address translation entries
Router#clear ip nat translation *
Clears a simple dynamic translation entry containing an outside translation
Router#clear ip nat translation outside local-ip global-ip
Clears an extended dynamic translation entry
Router#clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip local-port global-ip global-port]
Displaying Information with show Commands
Displays translation statistics
Router#show ip nat statistics
Displays active translations
Router#show ip nat translations
Router#show ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
--- 172.16.131.1       10.10.10.1         ---                ---

Router#show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces:
Ethernet0, Serial2.7
Inside interfaces:
Ethernet1
Hits: 5 Misses: 0

Sample Problem: Cannot Ping Remote Host
Solution: New Configuration
Using the debug ip nat Command
Router#debug ip nat

NAT: s=192.168.1.95->172.31.233.209, d=172.31.2.132 [6825]
NAT: s=172.31.2.132, d=172.31.233.209->192.168.1.95 [21852]
NAT: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6826]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23311]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6827]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6828]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23313]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23325]
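
Reading the debug output above programmatically, as an added example that is not part of the original slides: the parser splits each line into the inside local address, the inside global address, the remote peer and the direction, then lists peers that were sent translated packets but never answered. Outbound translations with no reply mean NAT itself is working and the return path should be checked instead. The function names and the ninth sample line are constructed for this example.

```python
import re
from collections import defaultdict

# First eight lines: the debug output shown above. The ninth line is constructed
# for this example: a translated packet to a peer that never replies.
SAMPLE = """\
NAT: s=192.168.1.95->172.31.233.209, d=172.31.2.132 [6825]
NAT: s=172.31.2.132, d=172.31.233.209->192.168.1.95 [21852]
NAT: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6826]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23311]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6827]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6828]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23313]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23325]
NAT: s=192.168.1.95->172.31.233.209, d=172.31.3.7 [6829]
"""

LINE = re.compile(r"^NAT(\*)?: s=([\d.]+)(?:->([\d.]+))?, "
                  r"d=([\d.]+)(?:->([\d.]+))? \[(\d+)\]$")

def parse(text):
    """Return one dict per 'debug ip nat' line that shows a translation."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        fast, s, s_new, d, d_new, ip_id = m.groups()
        if (s_new is None) == (d_new is None):
            continue                      # expect exactly one rewritten field
        outbound = s_new is not None      # source rewritten: inside -> outside
        events.append({
            "fast": fast is not None,     # '*' marks the fast-switched path
            "direction": "out" if outbound else "in",
            "local": s if outbound else d_new,
            "global": s_new if outbound else d,
            "peer": d if outbound else s,
            "ip_id": int(ip_id),          # bracketed IP identification number
        })
    return events

def one_way_peers(events):
    """Peers sent translated packets that never appear as a reply source."""
    counts = defaultdict(lambda: {"out": 0, "in": 0})
    for e in events:
        counts[e["peer"]][e["direction"]] += 1
    return sorted(p for p, c in counts.items() if c["out"] and not c["in"])
```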
Translation Not Installed in the Translation Table?
Verify that:
The configuration is correct.
There are not any inbound access lists denying the packets from entering the NAT router.
The access list referenced by the NAT command is permitting all necessary networks.
There are enough addresses in the NAT pool.
The router interfaces are appropriately defined as NAT inside or NAT outside.
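
The last three checklist items can be checked mechanically against a saved configuration. The following is an added example, not part of the original slides: the configuration text, the pool name pool1 and the function names are constructed, and the parser assumes the command forms shown earlier in this lesson (address plus optional wildcard in the access list, pool-based dynamic translation).

```python
import ipaddress
import re

# Constructed running-config fragment (not from the slides). Deliberately wrong:
# no outside interface, and NAT references ACL 2 while only ACL 1 is defined.
BROKEN = """\
interface Ethernet0
 ip nat inside
interface Serial0
 ip address 192.0.2.1 255.255.255.240
access-list 1 permit 10.1.1.0 0.0.0.255
ip nat pool pool1 192.0.2.2 192.0.2.14 netmask 255.255.255.240
ip nat inside source list 2 pool pool1
"""
PATCHED = (BROKEN.replace("interface Serial0\n", "interface Serial0\n ip nat outside\n")
                 .replace("source list 2", "source list 1"))

def ip_int(text):
    return int(ipaddress.IPv4Address(text))

def check_nat(config):
    """Return checklist findings for a pool-based inside source NAT config."""
    findings = []
    roles = set(re.findall(r"^[ \t]*ip nat (inside|outside)[ \t]*$", config, re.M))
    for role in ("inside", "outside"):
        if role not in roles:
            findings.append(f"no interface marked ip nat {role}")
    permitted = {}   # ACL number -> count of source addresses it permits
    for num, _src, wild in re.findall(
            r"^access-list (\d+) permit (\S+)(?: (\S+))?[ \t]*$", config, re.M):
        hosts = 2 ** bin(ip_int(wild)).count("1") if wild else 1
        permitted[num] = permitted.get(num, 0) + hosts
    pools = {name: ip_int(end) - ip_int(start) + 1 for name, start, end in
             re.findall(r"^ip nat pool (\S+) (\S+) (\S+) ", config, re.M)}
    for acl, pool, overload in re.findall(
            r"^ip nat inside source list (\d+) pool (\S+)( overload)?[ \t]*$",
            config, re.M):
        if acl not in permitted:
            findings.append(f"access list {acl} permits nothing")
        if pool not in pools:
            findings.append(f"pool {pool} is not defined")
        elif not overload and permitted.get(acl, 0) > pools[pool]:
            findings.append(f"pool {pool}: {pools[pool]} addresses for "
                            f"{permitted[acl]} permitted sources")
    return findings
```

Fixing the first two findings exposes the third: the patched configuration still permits more inside sources than the pool has addresses, so new translations fail once the pool is exhausted unless overload is used.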
Summary
Cisco IOS NAT allows an organization with unregistered private addresses to connect to the Internet by translating those addresses into globally registered IP addresses.
You can translate your own IP addresses into globally unique IP addresses when communicating outside of your network.
Overloading is a form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address (many-to-one) by using different ports, known also as PAT.
Once you have configured NAT, verify that it is operating as expected using the clear and show commands.
Sometimes NAT is blamed for IP connectivity problems when there is actually a routing problem.