x*********n Posts: 28013 | 1 Sorry, I'm being a bit lazy here. I'll send baozi (forum credits) as thanks.
interface FastEthernet0/0
 ip address 209.254.138.1 255.255.255.224 secondary
 ip address 10.16.67.1 255.255.255.0
 ip helper-address 10.16.64.20
 no ip redirects
 no ip proxy-arp
 ip nat inside                          <-- (highlighted by the poster)
 speed auto
 half-duplex
 no cdp enable
!
interface Serial0/0
 bandwidth 1544
 no ip address
 no ip redirects
 encapsulation frame-relay IETF
 fair-queue 64 64 0
 frame-relay lmi-type ansi
 crypto map vpn
!
interface Serial0/0.1 point-to-point
 ip address 209.254.131.50 255.255.255.252
 ip nat outside                         <-- (highlighted by the poster)
 no cdp enable
 frame-relay interface-dlci 100
 crypto map vpn
!
ip nat inside source list 101 interface Serial0/0.1 overload
ip nat inside source static tcp 10.16.67.42 1500 209.254.138.2 1500 extendable
ip nat inside source static udp 10.16.67.42 1500 209.254.138.2 1500 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
!
no ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
!
no logging trap
access-list 101 deny ip 10.16.67.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 10.16.67.0 0.0.0.255 any
access-list 150 permit ip 10.16.67.0 0.0.0.255 10.0.0.0 0.255.255.255
no cdp run
My understanding is that NAT is just IP translation: the router's fa0/0 inside IP is 10.16.67.1, and on the outside it is simply given an alias, 209.254.138.1.
So what does ip nat inside source static tcp 10.16.67.42 1500 209.254.138.2 1500 extendable mean? 10.16.67.42 is a DHCP server, and then all the LAN IPs get translated by NAT to 209.254.138.2? |
x*********n Posts: 28013 | 2 Does NAT have an IP-blocking effect, or does it just swap one IP for another? |
s*****g Posts: 1055 | 3 The first line of the NAT configuration (ip nat inside) is called PAT. It is mostly used for Internet access, i.e. a flow can only be created when traffic is initiated from the inside. The second and third lines are called static NAT: your client must have a TCP/UDP service running on port 1500 which can be accessible from the Internet. When NAT rules overlap, static translation rules take precedence.
PAT will provide basic security, but static NAT does not. |
j*a Posts: 14423 | 4 Wow, this config is hard. Could someone take a look and help this newbie out? I can't do it.
(In reply to x*********n) |
a***n Posts: 262 | 5 What is not working?
The "ip address 209.254.138.1 255.255.255.224 secondary" looks strange to me on the interface with ip nat inside.
The ping will use the outgoing interface IP by default, so if you ping 10.16.67.151, it will originate from the fa0/0 primary IP. You can always specify the source interface to be sure.
(In reply to x*********n) |
x*********n Posts: 28013 | 6 Nothing is wrong; I just copied it from a customer site and don't know it.
(In reply to a***n) |
m**t Posts: 1292 | 7 I know little about Cisco routers, but this line seems spooky; try removing it:
access-list 101 deny ip 10.16.67.0 0.0.0.255 10.0.0.0 0.255.255.255 |
x*********n Posts: 28013 | 8 Thanks, well explained; I took notes.
(In reply to s*****g) |
s*****g Posts: 1055 | 9 No, you cannot remove it: you want traffic to internal RFC1918 addresses to be exempted from NAT translation.
(In reply to m**t) |
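As an added illustration (not code from the original post or from Cisco), here is a small Python model of the decisions the three ip nat lines in the posted config make, so each flow can be traced by hand: ACL 101 decides what the overload rule translates (the deny line exempts 10/8 destinations), the two static entries answer outside-initiated traffic on port 1500 only, and statics win over the dynamic rule. The Internet hosts (198.51.100.7, 203.0.113.9) and LAN hosts 10.16.67.10/.11 are made up for the demo, and the PAT port allocator is a simplification of what IOS does (it keeps the original source port when free and otherwise picks another).

```python
"""Toy model of the posted IOS NAT config (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

OUTSIDE_IP = "209.254.131.50"   # Serial0/0.1, the interface named in the overload rule

# access-list 101: wildcard 0.0.0.255 -> /24, 0.255.255.255 -> /8, "any" -> 0.0.0.0/0
ACL_101 = [
    ("deny",   "10.16.67.0/24", "10.0.0.0/8"),   # RFC1918 peers (e.g. over the VPN): no NAT
    ("permit", "10.16.67.0/24", "0.0.0.0/0"),    # everything else: PAT to Serial0/0.1
]

# ip nat inside source static {tcp|udp} 10.16.67.42 1500 209.254.138.2 1500 extendable
STATICS = [
    ("tcp", "10.16.67.42", 1500, "209.254.138.2", 1500),
    ("udp", "10.16.67.42", 1500, "209.254.138.2", 1500),
]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def acl_permits(acl, pkt: Packet) -> bool:
    """First matching line wins; every ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False


class NatRouter:
    def __init__(self):
        # overload table: (proto, global_ip, global_port) -> (local_ip, local_port, remote_ip, remote_port)
        self.table = {}
        self.by_flow = {}   # (proto, local_ip, local_port, remote_ip, remote_port) -> global_port
        self.next_port = 1024

    def _alloc_port(self, proto: str, wanted: int) -> int:
        # simplification of IOS: keep the source port if free, else take the next free one
        if (proto, OUTSIDE_IP, wanted) not in self.table:
            return wanted
        while (proto, OUTSIDE_IP, self.next_port) in self.table:
            self.next_port += 1
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def inside_to_outside(self, pkt: Packet) -> Packet:
        # 1. static entries take precedence over the dynamic (overload) rule
        for proto, loc, lport, glob, gport in STATICS:
            if (proto, loc, lport) == (pkt.proto, pkt.src, pkt.sport):
                return Packet(pkt.proto, glob, gport, pkt.dst, pkt.dport)
        # 2. dynamic PAT only for what ACL 101 permits; denied traffic is routed untranslated
        if not acl_permits(ACL_101, pkt):
            return pkt
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        gport = self.by_flow.get(flow)
        if gport is None:
            gport = self._alloc_port(pkt.proto, pkt.sport)
            self.by_flow[flow] = gport
            self.table[(pkt.proto, OUTSIDE_IP, gport)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(pkt.proto, OUTSIDE_IP, gport, pkt.dst, pkt.dport)

    def outside_to_inside(self, pkt: Packet) -> Optional[Packet]:
        # 1. static entries answer regardless of who initiated the flow
        for proto, loc, lport, glob, gport in STATICS:
            if (proto, glob, gport) == (pkt.proto, pkt.dst, pkt.dport):
                return Packet(pkt.proto, pkt.src, pkt.sport, loc, lport)
        # 2. overload entries exist only for flows an inside host started, bound to that remote peer
        entry = self.table.get((pkt.proto, pkt.dst, pkt.dport))
        if entry and entry[2:] == (pkt.src, pkt.sport):
            return Packet(pkt.proto, pkt.src, pkt.sport, entry[0], entry[1])
        return None   # no translation: nothing on the LAN owns this global address/port


def run_demo() -> dict:
    """Constructed flows through the model; returns each result for inspection."""
    r, out = NatRouter(), {}
    # LAN host to the 10.16.64.0/24 side (the helper-address server): ACL line 1 denies -> no NAT
    out["to_rfc1918"] = r.inside_to_outside(Packet("udp", "10.16.67.10", 53001, "10.16.64.20", 53))
    # LAN host browsing the Internet: PAT to Serial0/0.1, source port kept
    out["web"] = r.inside_to_outside(Packet("tcp", "10.16.67.10", 51000, "198.51.100.7", 443))
    # second host reusing the same source port collides and gets another global port
    out["web2"] = r.inside_to_outside(Packet("tcp", "10.16.67.11", 51000, "198.51.100.7", 443))
    # the server's reply matches the overload entry and is translated back
    out["web_reply"] = r.outside_to_inside(Packet("tcp", "198.51.100.7", 443, OUTSIDE_IP, 51000))
    # unsolicited probe of the PAT address: no entry -> not forwarded (the "basic security")
    out["scan_pat"] = r.outside_to_inside(Packet("tcp", "203.0.113.9", 4444, OUTSIDE_IP, 40000))
    # Internet host reaching the published service on 209.254.138.2:1500
    out["svc_1500"] = r.outside_to_inside(Packet("udp", "203.0.113.9", 5000, "209.254.138.2", 1500))
    # ...but not other ports on that address: the static is port-specific
    out["svc_22"] = r.outside_to_inside(Packet("tcp", "203.0.113.9", 5000, "209.254.138.2", 22))
    # 10.16.67.42 itself: source port 1500 uses the static, any other port falls through to PAT
    out["host42_1500"] = r.inside_to_outside(Packet("tcp", "10.16.67.42", 1500, "198.51.100.7", 80))
    out["host42_other"] = r.inside_to_outside(Packet("tcp", "10.16.67.42", 33000, "198.51.100.7", 80))
    return out


if __name__ == "__main__":
    for name, pkt in run_demo().items():
        print(f"{name:12} -> {pkt}")
```

The "scan_pat" and "svc_22" cases are the point s*****g makes: the overload rule only has a table entry for flows an inside host opened, while the static entries are reachable from anywhere, but only on the port they name, so the exposure added by the statics is exactly 10.16.67.42 on TCP/UDP 1500.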
s*****g Posts: 1055 | 10 It is a common configuration when you have public IPs in the LAN as well. In this customer's case, their ISP link is a /30, so they need extra public IPs for NAT; the easiest way is to park the IP range on any interface that is up.
(In reply to a***n) |
j*a Posts: 14423 | 11 We use a static route and redistribution.
(In reply to s*****g) |
m**t Posts: 1292 | 12 Hmm, an ACL should have nothing to do with NAT. But anyway, I am almost Cisco CLI blind, lol |
z**r Posts: 17771 | 13 ACLs are very much related to NAT: they determine which traffic should be translated and which should not.
(In reply to m**t) |
x*********n Posts: 28013 | 14 Yep.
(In reply to z**r) |
m**t Posts: 1292 | 15 Got it, the ACL here is a source pool.
If I have an ACL used for security:
access-list 110 permit host 192.168.1.100 eq ftp-data any
what kind of breakage would I get if I put that into an ip nat rule? |
x*********n Posts: 28013 | 16 NAT has a pool feature; you can define one directly.
An ACL is not global config: it has a direction, and you have to apply it under an interface for it to take effect, just like a policy-map: without a service-policy under the interface, it is nothing.
An access-map is global and has no direction; once it is used, it blocks right away.
If I've got something wrong, please correct me, experts.
(In reply to m**t) |
m**t Posts: 1292 | 17 I looked at Juniper; it has a similar design. It's a question of how the various rules and policies are processed in the data plane, in sequence or in parallel. Specifically for access lists, there are several kinds of access list; the CLI probably does syntax checking, and the match options differ between contexts. In the data plane they can all be pushed into an ASIC or NPU, so it's best not to make them too complex.
(In reply to x*********n) |