NAT Support for Multiple Pools Using Route Ma…
2008-02-23 04:55:39来源:互联网 阅读 ()
ip nat inside source list 118 pool pool118 interface ethernet0 ip address 10.1.1.1 255.255.255.0 ip nat inside !--- Marks the interface as connected to the inside. interface ethernet1 ip address 10.1.2.1 255.255.255.0 ip nat outside !--- Marks the interface as connected to the outside. access-list 108 permit ip 10.1.1.0 0.0.0.255 131.108.1.0 0.0.0.255 !--- Defines the access-list mentioning those addresses !--- that are to be translated. access-list 118 permit ip 10.1.1.0 0.0.0.255 131.118.1.0 0.0.0.255
Refer to IP Addressing and Services Commands for more information on these commands.
Host 1 to Host 2
Here is what happens when Host 1 Telnets to Host 2.
Packet on (Network 1) s:10.1.1.2(1024) d:131.108.1.2(23) Packet on (Network 2) s:131.108.2.1(1024) d:131.108.1.2(23) (after NAT)
Because an access list was used by NAT to match this traffic a simple translation entry is created, which only includes inside translation information and no protocol or port information:
inside outside local global global local 10.1.1.2 131.108.2.1 ---- ----
Return packet: Host 2 to Host 1:
Packet on (Network 2) s:131.108.1.2(23) d:131.108.2.1(1024) Packet on (Network 1) s:131.108.1.2(23) d:10.1.1.2(1024) (after NAT)
Host 1 to Host 3
With the above simple translation in place, here is what happens when Host 1 also Telnets to Host 3:
Packet on (Network 1) s:10.1.1.2(1025) d:131.118.1.2(23) Packet on (Network 2) s:131.108.2.1(1025) d:131.118.1.2(23) (after NAT)
We can see that there is a problem. Packets going from 10.1.1.0 hosts to 131.118.1.0 hosts should get translated into 131.118.2.0, not 131.108.2.0. The reason that this happens is because there is already a NAT translation entry for 10.1.1.2 <--> 131.108.2.1 which also matches the traffic between Host 1 and Host 3. Therefore, this translation entry will be used and access lists 108 and 118 are not checked.
While the simple translation entry is in place in the NAT translation table, it can be used by any outside user on any outside host to send a packet to Host 1 as long as the outside user uses the inside global address (131.108.2.1) for Host 1. Normally a static NAT translation would be needed to allow this.
Route Map Approach
The correct way to configure the example in this document is to use route maps. With a route map approach, you would do the following to translate the hosts on 10.1.1.0:
ip nat pool pool-108 131.108.2.1 131.108.2.254 prefix-length 24 ip nat pool pool-118 131.118.2.1 131.118.2.254 prefix-length 24 ip nat inside source route-map MAP-108 pool pool-108 !--- Establishes dynamic source translation, specifying !--- the route-map MAP-108 which is defined below. ip nat inside source route-map MAP-118 pool pool-118 !--- Establishes dynamic source translation, specifying the route-map MAP-118. !--- Here, the route-maps are consulted instead of !--- access-lists (as in the previous case). interface ethernet0 ip address 10.1.1.1 255.255.255.0 ip nat inside interface ethernet1 ip address 10.1.2.1 255.255.255.0 ip nat outside access-list 108 permit ip 10.1.1.0 0.0.0.255 131.108.1.0 0.0.0.255 access-list 118 permit ip 10.1.1.0 0.0.0.255 131.118.1.0 0.0.0.255 route-map MAP-108 permit 10 !--- Defines the Route-map MAP-108. match ip address 108 !--- Specifies the criteria for translation. Here, the IP !--- address mentioned in the access-list 108 is translated. !--- The translation is defined. in the ip nat inside source route-map MAP-108 pool pool-108 command route-map MAP-118 permit 10 !--- Defines the Route-map MAP-108. match ip address 118 !--- The IP address mentioned in the access-list 118 is translated. !--- The translation is defined in the !--- ip nat inside source route-map MAP-118 pool pool-118 command.
Refer to IP Addressing and Services Commands for more information on these commands.
Host 1 to Host 2
Here is what happens when Host 1 Telnets to Host 2:
Packet on (Network 1) s:10.1.1.2(1024) d:131.108.1.2(23) Packet on (Network 2) s:131.108.2.1(1024) d:131.108.1.2(23) (after NAT)标签:
版权申明:本站文章部分自网络,如有侵权,请联系:west999com@outlook.com
特别注意:本站所有转载文章言论不代表本站观点,本站所提供的摄影照片,插画,设计作品,如需使用,请与原作者联系,版权归原作者所有
IDC资讯: 主机资讯 注册资讯 托管资讯 vps资讯 网站建设
网站运营: 建站经验 策划盈利 搜索优化 网站推广 免费资源
网络编程: Asp.Net编程 Asp编程 Php编程 Xml编程 Access Mssql Mysql 其它
服务器技术: Web服务器 Ftp服务器 Mail服务器 Dns服务器 安全防护
软件技巧: 其它软件 Word Excel Powerpoint Ghost Vista QQ空间 QQ FlashGet 迅雷
网页制作: FrontPages Dreamweaver Javascript css photoshop fireworks Flash
