NAT Support for Multiple Pools Using Route Ma…

2008-02-23 04:55:39  Source: Internet


   ip nat inside source list 118 pool pool118
   interface ethernet0
    ip address 10.1.1.1 255.255.255.0
    ip nat inside
   !--- Marks the interface as connected to the inside.
   interface ethernet1
    ip address 10.1.2.1 255.255.255.0
    ip nat outside
   !--- Marks the interface as connected to the outside.
   access-list 108 permit ip 10.1.1.0 0.0.0.255 131.108.1.0 0.0.0.255
   !--- Defines the access-list mentioning those addresses
   !--- that are to be translated.
   access-list 118 permit ip 10.1.1.0 0.0.0.255 131.118.1.0 0.0.0.255

Refer to IP Addressing and Services Commands for more information on these commands.

Host 1 to Host 2

Here is what happens when Host 1 Telnets to Host 2.

   Packet on (Network 1)  s:10.1.1.2(1024)     d:131.108.1.2(23)
   Packet on (Network 2)  s:131.108.2.1(1024)  d:131.108.1.2(23)   (after NAT)

Because NAT used an access list to match this traffic, a simple translation entry is created. It holds only the inside address pair (inside local and inside global); no outside address, protocol or port information is recorded:

            inside                         outside
     local        global           global        local
     10.1.1.2     131.108.2.1      ----          ----

Return packet: Host 2 to Host 1:

   Packet on (Network 2)  s:131.108.1.2(23)   d:131.108.2.1(1024)
   Packet on (Network 1)  s:131.108.1.2(23)   d:10.1.1.2(1024)      (after NAT)

Host 1 to Host 3

With the above simple translation in place, here is what happens when Host 1 also Telnets to Host 3:

   Packet on (Network 1)  s:10.1.1.2(1025)     d:131.118.1.2(23)
   Packet on (Network 2)  s:131.108.2.1(1025)  d:131.118.1.2(23)   (after NAT)

We can see that there is a problem. Packets going from 10.1.1.0 hosts to 131.118.1.0 hosts should be translated into 131.118.2.0, not 131.108.2.0. This happens because there is already a NAT translation entry for 10.1.1.2 <--> 131.108.2.1, and that simple entry, which carries no destination, protocol or port information, also matches the traffic between Host 1 and Host 3. The existing entry is therefore used, and access lists 108 and 118 are not checked at all.

While the simple translation entry is in the NAT translation table, any outside user on any outside host can send a packet to Host 1 simply by addressing it to Host 1's inside global address (131.108.2.1); the entry does not restrict which outside host or port may use it. Normally a static NAT translation would be needed to allow this.

Route Map Approach

The correct way to configure the example in this document is to use route maps. With the route map approach, you would configure the following to translate the hosts on 10.1.1.0:

   ip nat pool pool-108 131.108.2.1 131.108.2.254 prefix-length 24
   ip nat pool pool-118 131.118.2.1 131.118.2.254 prefix-length 24
   ip nat inside source route-map MAP-108 pool pool-108
   !--- Establishes dynamic source translation, specifying
   !--- the route-map MAP-108 which is defined below.
   ip nat inside source route-map MAP-118 pool pool-118
   !--- Establishes dynamic source translation, specifying the route-map MAP-118.
   !--- Here, the route-maps are consulted instead of
   !--- access-lists (as in the previous case).
   interface ethernet0
    ip address 10.1.1.1 255.255.255.0
    ip nat inside
   interface ethernet1
    ip address 10.1.2.1 255.255.255.0
    ip nat outside
   access-list 108 permit ip 10.1.1.0 0.0.0.255 131.108.1.0 0.0.0.255
   access-list 118 permit ip 10.1.1.0 0.0.0.255 131.118.1.0 0.0.0.255
   route-map MAP-108 permit 10
   !--- Defines the Route-map MAP-108.
    match ip address 108
   !--- Specifies the criteria for translation. Here, the IP
   !--- address mentioned in the access-list 108 is translated.
   !--- The translation is defined in the
   !--- ip nat inside source route-map MAP-108 pool pool-108 command.
   route-map MAP-118 permit 10
   !--- Defines the Route-map MAP-118.
    match ip address 118
   !--- The IP address mentioned in the access-list 118 is translated.
   !--- The translation is defined in the
   !--- ip nat inside source route-map MAP-118 pool pool-118 command.

Refer to IP Addressing and Services Commands for more information on these commands.

Host 1 to Host 2

Here is what happens when Host 1 Telnets to Host 2:

   Packet on (Network 1)  s:10.1.1.2(1024)     d:131.108.1.2(23)
   Packet on (Network 2)  s:131.108.2.1(1024)  d:131.108.1.2(23)   (after NAT)
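To make the difference between the two approaches concrete, here is an added Python model of the NAT lookup; it is not part of the Cisco document and is a simplification of IOS. It replays the Host 1 to Host 2 and Host 1 to Host 3 flows from the access-list section (where the simple entry swallows the second flow and admits any outside host that addresses 131.108.2.1) and the same flows under the route-map configuration above. The addresses, pools, access lists and route maps are the page's own. Two assumptions are built in: route-map NAT creates fully extended entries (inside and outside addresses plus protocol and ports), which Cisco documents but this copy of the page is cut off before reaching, and pool addresses are handed out sequentially starting at the first address of the pool.

```python
# Added example (not from the Cisco document): a toy model of the IOS NAT table
# lookup for the two configurations on this page. Assumptions: route-map NAT
# creates fully extended entries; pool addresses are allocated sequentially.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Access-lists 108 and 118 from the page (source 10.1.1.0/24, one destination each).
# The route-maps MAP-108 and MAP-118 match the same lists, so one table serves both.
ACLS = {
    108: (ip_network("10.1.1.0/24"), ip_network("131.108.1.0/24")),
    118: (ip_network("10.1.1.0/24"), ip_network("131.118.1.0/24")),
}
# Pools from the page, keyed by the list / route-map that selects them.
POOLS = {108: ip_network("131.108.2.0/24"), 118: ip_network("131.118.2.0/24")}


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Nat:
    extended: bool  # False: access-list approach; True: route-map approach
    next_free: dict = field(default_factory=lambda: {108: 1, 118: 1})
    table: list = field(default_factory=list)

    def _allocate(self, selector):
        # Sequential allocation from the pool (assumption): first flow gets .1
        addr = POOLS[selector].network_address + self.next_free[selector]
        self.next_free[selector] += 1
        return str(addr)

    def _classify(self, pkt):
        # Lists / route-maps are consulted in configuration order.
        for number, (src_net, dst_net) in ACLS.items():
            if ip_address(pkt.src) in src_net and ip_address(pkt.dst) in dst_net:
                return number
        return None

    def inside_to_outside(self, pkt):
        # 1. The translation table is consulted first. A simple entry matches on
        #    the inside local address alone; an extended entry needs the full tuple.
        for e in self.table:
            if e["inside_local"] == pkt.src and (
                not self.extended
                or (e["proto"], e["inside_port"], e["outside"], e["outside_port"])
                == (pkt.proto, pkt.sport, pkt.dst, pkt.dport)
            ):
                return Packet(e["inside_global"], pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        # 2. No entry: only now are the lists / route-maps checked.
        selector = self._classify(pkt)
        if selector is None:
            return pkt  # no match: forwarded untranslated
        # An inside host already bound to this pool keeps its inside global address.
        reuse = next((e["inside_global"] for e in self.table
                      if e["inside_local"] == pkt.src and e["selector"] == selector), None)
        entry = {"selector": selector, "inside_local": pkt.src,
                 "inside_global": reuse or self._allocate(selector),
                 "proto": None, "inside_port": None, "outside": None, "outside_port": None}
        if self.extended:
            entry.update(proto=pkt.proto, inside_port=pkt.sport,
                         outside=pkt.dst, outside_port=pkt.dport)
        self.table.append(entry)
        return Packet(entry["inside_global"], pkt.sport, pkt.dst, pkt.dport, pkt.proto)

    def outside_to_inside(self, pkt):
        """Translate an outside-to-inside packet, or return None if no entry admits it."""
        for e in self.table:
            if e["inside_global"] != pkt.dst:
                continue
            if not self.extended:  # simple entry: any outside host may use it
                return Packet(pkt.src, pkt.sport, e["inside_local"], pkt.dport, pkt.proto)
            if (e["proto"], e["outside"], e["outside_port"], e["inside_port"]) == (
                    pkt.proto, pkt.src, pkt.sport, pkt.dport):
                return Packet(pkt.src, pkt.sport, e["inside_local"], pkt.dport, pkt.proto)
        return None


def demo():
    """Replay the page's flows under both configurations.

    Returns {approach: (Host1->Host2 source after NAT, Host1->Host3 source after NAT,
                        whether an unrelated outside host reaches Host 1)}.
    """
    host1_to_host2 = Packet("10.1.1.2", 1024, "131.108.1.2", 23)
    host1_to_host3 = Packet("10.1.1.2", 1025, "131.118.1.2", 23)
    # Constructed probe from an outside host the page never mentions.
    stray = Packet("131.118.9.9", 40000, "131.108.2.1", 5000)
    results = {}
    for name, nat in (("acl", Nat(extended=False)), ("route-map", Nat(extended=True))):
        out2 = nat.inside_to_outside(host1_to_host2)
        out3 = nat.inside_to_outside(host1_to_host3)
        results[name] = (out2.src, out3.src, nat.outside_to_inside(stray) is not None)
    return results


if __name__ == "__main__":
    for approach, (to_h2, to_h3, stray_admitted) in demo().items():
        print(f"{approach:10s} Host1->Host2 src {to_h2}, Host1->Host3 src {to_h3}, "
              f"unrelated outside host admitted: {stray_admitted}")
```

With the access-list configuration the model reproduces the page: both flows leave with source 131.108.2.1 and the stray outside packet is translated to 10.1.1.2. With the route-map configuration the Host 1 to Host 3 flow is checked against the route maps and leaves as 131.118.2.1, and the stray packet finds no matching extended entry and is not translated, which is the behaviour the page says would otherwise need a static translation to obtain.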



