CCNA4 Connecting Networks
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
The problem is that some inside hosts, i.e. hosts with private IP addresses, need to reach the
Internet. NAT solves this by rewriting the source or destination IP address in the IP header.
For each translated packet the router records the initial session in its NAT table (private source IP
-> new public source IP -> public destination IP). When the traffic returns, the packets reach the
same border router, which inspects the IP header and, based on the destination IP, finds the original
private IP in the NAT table; it can then translate the traffic (replace the public destination IP with
the inside IP) and forward the packet inward to the host that originally initiated the request.
LOCAL addresses - IP addresses of inside hosts, as seen from the inside;
GLOBAL addresses - IP addresses on the outside (usually public, but not necessarily);
INSIDE LOCAL - inside IP addresses that are translated by a NAT router;
INSIDE GLOBAL - outside IP addresses into which the inside (inside local) addresses are translated;
OUTSIDE GLOBAL - outside destination IP addresses, as seen from the outside;
OUTSIDE LOCAL - outside destination IP addresses as seen by the inside hosts
(they may or may not differ from the outside global ones);
http://packetlife.net/blog/2010/jan/7/understanding-nat-address-types/
Warning!
NAT from INSIDE to OUTSIDE is performed after routing!
NAT from OUTSIDE to INSIDE is performed before routing!
INSIDE NAT, configured with (config)#ip nat inside, specifies the inside source
addresses (INSIDE_LOCAL) that are translated into outside source addresses (INSIDE_GLOBAL).
OUTSIDE NAT, configured with (config)#ip nat outside, specifies the inside destination
addresses (OUTSIDE_LOCAL) that are translated into outside destination addresses
(OUTSIDE_GLOBAL).
Example:
Warning! When the same IP address of the outside interface is used, all traffic towards the router will be
// standard ACL selecting the inside source addresses that are to be translated;
(config)#access-list 1-99 permit IP_SURSA [WILDCARD_SURSA]
// pool of inside global addresses; the pool is referenced by name in the next command
// (this definition is added here, it was not in the original notes; same syntax as the pool shown by "sh ip nat statistics" below)
(config)#ip nat pool NUME_NAT_POOL IP_START IP_END netmask MASCA
// dynamic NAT: the ACL selects the inside IPs, the pool supplies the outside IPs;
// "overload" turns this into PAT (many inside hosts per outside address); omit it for plain dynamic NAT
(config)#ip nat inside source list NR_ACL NUME_NAT_POOL overload
// mark the interface role (inside or outside) on each interface
(config-if)#ip nat inside
(config-if)#ip nat outside
PAT uses unique source port numbers on the Inside Global IP address to distinguish between
translations. Because the port number is encoded in 16 bits, the total number could theoretically be
as high as 65,536 per IP address.
PAT will attempt to preserve the original source port; if this source port is already allocated, PAT will
attempt to find the first available port number, starting from the beginning of the appropriate port
group (0-511, 512-1023 or 1024-65535). If there is still no port available in the appropriate group
and more than one IP address is configured, PAT will move to the next IP address and try to allocate
the original source port again. This continues until it runs out of available ports and IP addresses.
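The following Python model, an added example that is not code from the notes or from Cisco, ties together the NAT-table description above (an entry created for the outbound session, then a reverse lookup on the destination for returning packets) and the PAT port-allocation rules just listed: keep the original source port when it is free, otherwise take the first free port in the same group (0-511, 512-1023, 1024-65535), otherwise move to the next inside global address and try the original port again. The pool addresses, hosts and ports are constructed sample values.

```python
"""Model of a PAT (NAT overload) translation table.

Added example, not code from the CCNA notes or from Cisco. It models the NAT
table entry built for an outbound session, the reverse lookup on the destination
address for returning packets, and PAT's port choice: keep the original source
port if free, otherwise the first free port in the same group (0-511, 512-1023,
1024-65535), otherwise the next inside global address in the pool with the
original port again. All addresses and ports are constructed sample values.
"""
from dataclasses import dataclass

PORT_GROUPS = ((0, 511), (512, 1023), (1024, 65535))


def port_group(port):
    """Return the (low, high) group that a source port belongs to."""
    for lo, hi in PORT_GROUPS:
        if lo <= port <= hi:
            return lo, hi
    raise ValueError(f"port out of range: {port}")


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatTranslator:
    def __init__(self, pool):
        self.pool = list(pool)                       # inside global addresses
        self.used = {ip: set() for ip in self.pool}  # ports allocated per address
        self.table = {}    # (inside global ip, port) -> (inside local ip, port)
        self.reverse = {}  # (inside local ip, port)  -> (inside global ip, port)

    def allocate(self, inside_ip, inside_port):
        """Pick the inside global (ip, port) for an inside local (ip, port)."""
        key = (inside_ip, inside_port)
        if key in self.reverse:                      # existing session: reuse it
            return self.reverse[key]
        lo, hi = port_group(inside_port)
        for gip in self.pool:                        # try each address in turn
            used = self.used[gip]
            if inside_port not in used:              # preserve the original port
                chosen = inside_port
            else:                                    # first free port in the group
                chosen = next((p for p in range(lo, hi + 1) if p not in used), None)
            if chosen is not None:
                used.add(chosen)
                self.table[(gip, chosen)] = key
                self.reverse[key] = (gip, chosen)
                return gip, chosen
        raise RuntimeError("PAT: out of ports and addresses")

    def outbound(self, pkt):
        """Inside -> outside: rewrite the source to an inside global ip:port."""
        gip, gport = self.allocate(pkt.src_ip, pkt.src_port)
        return Packet(gip, gport, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Outside -> inside: look the destination up in the table and rewrite it
        back to the inside local host; no entry means the packet is dropped."""
        entry = self.table.get((pkt.dst_ip, pkt.dst_port))
        if entry is None:
            return None
        iip, iport = entry
        return Packet(pkt.src_ip, pkt.src_port, iip, iport)


def demo():
    """Two inside hosts sharing one source port behind a two-address pool."""
    nat = PatTranslator(["100.0.0.5", "100.0.0.6"])
    first = nat.outbound(Packet("10.0.0.10", 11139, "200.0.0.100", 90))
    second = nat.outbound(Packet("10.0.0.11", 11139, "200.0.0.100", 90))
    reply = nat.inbound(Packet("200.0.0.100", 90, second.src_ip, second.src_port))
    stray = nat.inbound(Packet("200.0.0.100", 90, "100.0.0.5", 5555))
    return first, second, reply, stray


if __name__ == "__main__":
    for p in demo():
        print(p)
```

In `demo()` the first host keeps port 11139, the second collides and receives 1024 (the start of its group), the reply addressed to 100.0.0.5:1024 is mapped back to 10.0.0.11:11139, and an unsolicited packet to a port with no entry yields None, which is the table-miss that makes PAT drop inbound traffic nobody asked for.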
III.3 Port Forwarding (Port Static NAT)
(config)#ip nat inside source static tcp INSIDE_LOCAL INSIDE_PORT INSIDE_GLOBAL OUTSIDE_PORT extensible
e.g.:
(config)#ip nat inside source static tcp 10.0.0.1 80 200.0.0.1 80 extensible
TCP translations time out after 24 hours, unless a RST or FIN is seen on the stream, in which case the
translation times out in 1 minute.
Example: dynamic NAT configuration (without overload!)
R1#debug ip nat
*Mar 1 03:07:28.463: NAT*: s=10.0.0.10->100.0.0.5, d=200.0.0.100 [15733]
*Mar 1 03:07:28.539: NAT*: s=200.0.0.100, d=100.0.0.5->10.0.0.10 [14976]
R1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 100.0.0.5:11139    10.0.0.10:11139    200.0.0.100:90     200.0.0.100:90
--- 100.0.0.5          10.0.0.10          ---                ---
R1#sh ip nat statistics
Total active translations: 1 (0 static, 1 dynamic; 0 extended)
Outside interfaces:
Ethernet0
Inside interfaces:
FastEthernet0
Hits: 40 Misses: 7
CEF Translated packets: 47, CEF Punted packets: 0
Expired translations: 3
Dynamic mappings:
-- Inside Source
[Id: 8] access-list 1 pool test refcount 1
pool test: netmask 255.255.255.0
start 100.0.0.5 end 100.0.0.10
type generic, total addresses 6, allocated 1 (16%), misses 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
-----
(until it expires!)
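To make the `debug ip nat` output above usable beyond a quick look on the console, here is a small parser, added as an example (it is not part of the notes or of any Cisco tool). It recognises the two line shapes shown above (`s=A->B, d=C` for inside-to-outside and `s=C, d=B->A` for outside-to-inside), counts packets per inside local / inside global pair, and lists pairs that only ever appear inbound, which is how a static or port-forwarding entry shows up in the log. The sample lines are constructed; the first two mirror the notes' output.

```python
"""Parse Cisco `debug ip nat` output into structured translation records.

Added example, not from the CCNA notes. It reads the two line shapes in the
debug output:
    NAT*: s=<inside local>-><inside global>, d=<outside> [ip-id]   (inside -> outside)
    NAT*: s=<outside>, d=<inside global>-><inside local> [ip-id]   (outside -> inside)
and lists inside hosts that received translated inbound traffic without first
sending anything out. Sample lines below are constructed.
"""
import re
from collections import defaultdict

DEBUG_RE = re.compile(
    r"NAT\*?: s=(?P<s>[\d.]+)(?:->(?P<s2>[\d.]+))?"
    r", d=(?P<d>[\d.]+)(?:->(?P<d2>[\d.]+))? \[(?P<ip_id>\d+)\]"
)

# Constructed sample: the first two lines mirror the debug output in the notes,
# the third is an inbound-only translation for a host that never sent outbound,
# the fourth is an unrelated syslog line that must be ignored.
SAMPLE_LOG = [
    "*Mar  1 03:07:28.463: NAT*: s=10.0.0.10->100.0.0.5, d=200.0.0.100 [15733]",
    "*Mar  1 03:07:28.539: NAT*: s=200.0.0.100, d=100.0.0.5->10.0.0.10 [14976]",
    "*Mar  1 03:08:02.117: NAT: s=200.0.0.100, d=100.0.0.6->10.0.0.11 [14977]",
    "*Mar  1 03:08:02.200: %SYS-5-CONFIG_I: Configured from console by console",
]


def parse_debug_line(line):
    """Return a dict describing one translation, or None for non-NAT lines."""
    m = DEBUG_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    if g["s2"]:  # source rewritten: inside local -> inside global, leaving the network
        return {"direction": "in->out", "inside_local": g["s"],
                "inside_global": g["s2"], "outside": g["d"], "ip_id": int(g["ip_id"])}
    if g["d2"]:  # destination rewritten: inside global -> inside local, entering
        return {"direction": "out->in", "inside_local": g["d2"],
                "inside_global": g["d"], "outside": g["s"], "ip_id": int(g["ip_id"])}
    return None


def summarize(lines):
    """Count packets per (inside local, inside global) pair in each direction."""
    counts = defaultdict(lambda: {"out": 0, "in": 0})
    for line in lines:
        rec = parse_debug_line(line)
        if rec is None:
            continue
        key = (rec["inside_local"], rec["inside_global"])
        counts[key]["out" if rec["direction"] == "in->out" else "in"] += 1
    return dict(counts)


def inbound_without_outbound(lines):
    """Pairs that only ever appear as out->in: reachable from outside without
    having initiated a session (static / port-forward mappings look like this)."""
    return sorted(k for k, c in summarize(lines).items() if c["in"] and not c["out"])


if __name__ == "__main__":
    for pair, c in summarize(SAMPLE_LOG).items():
        print(pair, c)
    print("inbound-only:", inbound_without_outbound(SAMPLE_LOG))
```

Feed it the captured debug output (one line per list element) and compare the inbound-only list against the static entries you expect in `sh ip nat translations`; a pair that is reachable from outside but is not one of your configured static mappings is worth a look.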
Resources:
http://docwiki.cisco.com/wiki/Category:NAT
http://www.cisco.com/image/gif/paws/6450/nat.swf
http://packetlife.net/blog/2010/jan/7/understanding-nat-address-types/
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_nat.html
http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a0080091cb9.html