2. Scenario
All users on the SanJose1 LAN need access to a web server on SanJose2 and on SanJose3. The source address of every host on the 192.168.1.0 network must be translated into:
- an address from 172.106.2.0 when accessing the web server on SanJose3 (172.106.1.2)
- an address from 172.160.2.0 when accessing the web server on SanJose2 (172.160.1.2)
3. Implementation
Step 1:
Configure the router IP addresses according to the diagram. To simulate a web server, enable the HTTP server on SanJose2 and SanJose3:
SanJose2(config)# ip http server
SanJose3(config)# ip http server
No routing protocol is used. Instead, static routes are configured on SanJose1 toward the web server networks on SanJose2 and SanJose3, and a default route pointing at SanJose1 is configured on SanJose2 and SanJose3 so that they can return traffic to the 192.168.1.0 network (and, once NAT is in place, to the pool addresses):
SanJose1(config)# ip route 172.106.1.0 255.255.255.0 10.0.0.3
SanJose1(config)# ip route 172.160.1.0 255.255.255.0 10.0.0.2
SanJose2(config)# ip route 0.0.0.0 0.0.0.0 10.0.0.1
SanJose3(config)# ip route 0.0.0.0 0.0.0.0 10.0.0.1
Verify with an extended ping from SanJose2 (source 172.160.1.2) to SanJose3 (172.106.1.2).
The ping succeeds: SanJose2 sends the packet via its default route to 10.0.0.1 (SanJose1), which forwards it to the 172.106.1.0 network through the static route with next hop 10.0.0.3.
Step 2:
Create the address pools that hosts on the 192.168.1.0 network (private addresses) are translated to on the way out, and create the ACLs that match only traffic from 192.168.1.0 to 172.106.1.0 and to 172.160.1.0 respectively. Note that these ACLs only select which traffic is translated; inside traffic that matches neither list is still forwarded, untranslated, so they do not act as a filter.
SanJose1(config)# ip nat pool pool106 172.106.2.1 172.106.2.254 prefix-length 24
SanJose1(config)# ip nat pool pool160 172.160.2.1 172.160.2.254 prefix-length 24
SanJose1(config)# access-list 106 permit ip 192.168.1.0 0.0.0.255 172.106.1.0 0.0.0.255
SanJose1(config)# access-list 160 permit ip 192.168.1.0 0.0.0.255 172.160.1.0 0.0.0.255
Step 3:
Mark the NAT inside and outside interfaces on SanJose1:
SanJose1(config)# interface e0/0
SanJose1(config-if)# ip nat outside
SanJose1(config-if)# interface e1/0
SanJose1(config-if)# ip nat inside
• The NAT access list or route map is consulted only when a translation entry has to be created. If an existing translation entry matches the traffic, the router uses that entry and does not compare the packet against the access list or route map at all.
• The difference between using an access list and a route map is the kind of translation entry that gets created.
• When a route map is used, NAT always creates a "fully extended" translation entry. This entry includes the inside and outside addresses, local and global, plus the TCP or UDP port information.
• When an access list is used (without overload), NAT creates a simple translation entry. It contains only the inside local and inside global addresses, with no destination address and no TCP or UDP port information.
• We first check the operation of NAT with access lists to explain why it does not solve the problem in this scenario.
SanJose1(config)# ip nat inside source list 106 pool pool106
SanJose1(config)# ip nat inside source list 160 pool pool160
Step 4: Check:
From Host A on the SanJose1 LAN, access the web server on SanJose3 (172.106.1.2) and watch the debug output:
SanJose1# debug ip nat
IP NAT debugging is on
SanJose1#
00:26:18: NAT*: s=192.168.1.2->172.106.2.1, d=172.106.1.2 [12415]
00:26:18: NAT*: s=172.106.1.2, d=172.106.2.1->192.168.1.2 [12415]
00:26:19: NAT*: s=192.168.1.2->172.106.2.1, d=172.106.1.2 [12416]
00:26:19: NAT*: s=172.106.1.2, d=172.106.2.1->192.168.1.2 [12416]
SanJose1# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 172.106.2.1        192.168.1.2        ---                ---
Use debug ip nat on SanJose1 and SanJose2.
From Host A on the SanJose1 LAN, access the web server on SanJose2 (172.160.1.2) and watch the debug output:
SanJose1# debug ip nat
IP NAT debugging is on
SanJose1#
00:26:18: NAT*: s=192.168.1.2->172.106.2.1, d=172.160.1.2 [12415]
00:26:18: NAT*: s=172.160.1.2, d=172.106.2.1->192.168.1.2 [12415]
00:26:19: NAT*: s=192.168.1.2->172.106.2.1, d=172.160.1.2 [12416]
00:26:19: NAT*: s=172.160.1.2, d=172.106.2.1->192.168.1.2 [12416]
SanJose1# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 172.106.2.1        192.168.1.2        ---                ---
In both cases, host 192.168.1.2 leaves with the inside global address 172.106.2.1. The translation entry was created the first time the host accessed the web server on SanJose3 and matched access list 106. When the same host later accesses the web server on SanJose2, NAT finds the existing simple entry for 192.168.1.2 and uses it; it never checks the ACLs again, so the host keeps going out with the same address from pool106 regardless of what access list 160 says. Traffic toward 172.160.1.0 therefore arrives from an address in 172.106.2.0, which is not the pool required for that destination.
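The mismatch above can be checked mechanically rather than by eye. The following Python script is an added example for this page (it is not part of the original lab and not Cisco code): it parses the outbound lines of debug ip nat, looks up which pool the destination should have selected, and reports every packet whose inside global address is not in that pool. The two captures embedded in it are copied from the debug output above; the destination-to-pool mapping is the one stated in the scenario.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Expected pool per destination network, from the scenario: hosts reaching the
# web server on SanJose3 must leave from 172.106.2.0/24, hosts reaching the web
# server on SanJose2 from 172.160.2.0/24.
EXPECTED_POOLS = {
    ipaddress.ip_network("172.106.1.0/24"): ipaddress.ip_network("172.106.2.0/24"),
    ipaddress.ip_network("172.160.1.0/24"): ipaddress.ip_network("172.160.2.0/24"),
}

# Outbound (inside -> outside) debug ip nat line, e.g.
#   00:26:18: NAT*: s=192.168.1.2->172.106.2.1, d=172.160.1.2 [12415]
# Whitespace is optional so the regex also accepts copy-pasted output that
# has spaces around '=' and '->'. Reply lines (s=..., d=...->...) do not match.
OUTBOUND_RE = re.compile(
    r"NAT\s*\*?:\s*s\s*=\s*(?P<local>[\d.]+)\s*->\s*(?P<glob>[\d.]+),"
    r"\s*d\s*=\s*(?P<dst>[\d.]+)\s*\[(?P<ident>\d+)\]"
)

def parse_outbound(line: str) -> Optional[Tuple[str, str, str, int]]:
    """Return (inside_local, inside_global, destination, ip_id) for an
    outbound translation line, or None for reply lines and other noise."""
    m = OUTBOUND_RE.search(line)
    if not m:
        return None
    return m["local"], m["glob"], m["dst"], int(m["ident"])

def expected_pool(dst: str) -> Optional[ipaddress.IPv4Network]:
    """Pool the scenario requires for this destination, or None if no rule applies."""
    d = ipaddress.ip_address(dst)
    for net, pool in EXPECTED_POOLS.items():
        if d in net:
            return pool
    return None

def find_wrong_pool(lines: List[str]) -> List[Tuple[int, str, str, str, str]]:
    """Packets translated to an address outside the pool required for their
    destination: (ip_id, inside_local, inside_global, destination, expected_pool)."""
    findings = []
    for line in lines:
        parsed = parse_outbound(line)
        if parsed is None:
            continue
        local, glob, dst, ident = parsed
        pool = expected_pool(dst)
        if pool is not None and ipaddress.ip_address(glob) not in pool:
            findings.append((ident, local, glob, dst, str(pool)))
    return findings

# Captures copied from the two debug ip nat runs above (ACL-based NAT).
CAPTURE_TO_SANJOSE3 = [
    "00:26:18: NAT*: s=192.168.1.2->172.106.2.1, d=172.106.1.2 [12415]",
    "00:26:18: NAT*: s=172.106.1.2, d=172.106.2.1->192.168.1.2 [12415]",
    "00:26:19: NAT*: s=192.168.1.2->172.106.2.1, d=172.106.1.2 [12416]",
    "00:26:19: NAT*: s=172.106.1.2, d=172.106.2.1->192.168.1.2 [12416]",
]
CAPTURE_TO_SANJOSE2 = [
    "00:26:18: NAT*: s=192.168.1.2->172.106.2.1, d=172.160.1.2 [12415]",
    "00:26:18: NAT*: s=172.160.1.2, d=172.106.2.1->192.168.1.2 [12415]",
    "00:26:19: NAT*: s=192.168.1.2->172.106.2.1, d=172.160.1.2 [12416]",
    "00:26:19: NAT*: s=172.160.1.2, d=172.106.2.1->192.168.1.2 [12416]",
]

if __name__ == "__main__":
    for name, capture in (("to SanJose3", CAPTURE_TO_SANJOSE3),
                          ("to SanJose2", CAPTURE_TO_SANJOSE2)):
        hits = find_wrong_pool(capture)
        print(f"{name}: {len(hits)} packet(s) translated from the wrong pool")
        for ident, local, glob, dst, pool in hits:
            print(f"  id {ident}: {local} -> {glob} for {dst}, expected {pool}")
```

Run against the first capture it reports nothing; against the second it flags both outbound packets (IP IDs 12415 and 12416), because 172.106.2.1 is not in 172.160.2.0/24. The same check works on a live router by piping the output of a terminal session through the script.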
NOTE:
NAT can be forced to consult the ACL entries for every translation by disabling fast switching on interface e1/0:
SanJose1(config)# int e1/0
SanJose1(config-if)# no ip route-cache
This is not recommended, because the router then has to process-switch all traffic on that interface, which costs CPU. The problem is solved differently below.
Use debug ip packet for more information:
SanJose1# debug ip packet
IP packet debugging is on
SanJose1#
00:29:42: IP: s=172.106.1.2 (Ethernet0/0), d=192.168.1.2 (Ethernet1/0), g=192.168.1.2, len 60, forward
00:29:43: IP: s=172.106.1.2 (Ethernet0/0), d=192.168.1.2 (Ethernet1/0), g=192.168.1.2, len 60, forward
00:29:44: IP: s=172.106.1.2 (Ethernet0/0), d=192.168.1.2 (Ethernet1/0), g=192.168.1.2, len 60, forward
00:29:45: IP: s=172.106.1.2 (Ethernet0/0), d=192.168.1.2 (Ethernet1/0), g=192.168.1.2, len 60, forward
SanJose1# debug ip packet
IP packet debugging is on
SanJose1#
00:30:23: IP: s=172.106.1.2 (Ethernet0/0), d=192.168.1.2 (Ethernet1/0), g=192.168.1.2, len 60, forward
00:30:24: IP: s=172.106.1.2 (Ethernet0/0), d=192.168.1.2 (Ethernet1/0), g=192.168.1.2, len 60, forward
00:30:25: IP: s=172.106.1.2 (Ethernet0/0), d=192.168.1.2 (Ethernet1/0), g=192.168.1.2, len 60, forward
00:30:26: IP: s=172.106.1.2 (Ethernet0/0), d=192.168.1.2 (Ethernet1/0), g=192.168.1.2, len 60, forward
Step 5:
Before configuring the route maps, remove the access-list-based NAT statements configured above:
SanJose1# undebug ip nat
SanJose1# clear ip nat translation *
SanJose1# configure terminal
SanJose1(config)# no ip nat inside source list 106 pool pool106
SanJose1(config)# no ip nat inside source list 160 pool pool160
The two pools remain defined:
ip nat pool pool106 172.106.2.1 172.106.2.254 prefix-length 24
ip nat pool pool160 172.160.2.1 172.160.2.254 prefix-length 24
Now configure route maps to resolve the problem seen with access lists.
Bind each inside source route map to its address pool:
SanJose1(config)# ip nat inside source route-map MAP-106 pool pool106
SanJose1(config)# ip nat inside source route-map MAP-160 pool pool160
Create the route maps, each matching the corresponding access list:
SanJose1(config)# route-map MAP-106 permit 10
SanJose1(config-route-map)# match ip address 106
SanJose1(config)# route-map MAP-160 permit 10
SanJose1(config-route-map)# match ip address 160
Use debug ip nat on SanJose1 and SanJose3.
From Host A on the SanJose1 LAN, access the web server on SanJose3 (172.106.1.2) and watch the debug output:
SanJose1# debug ip nat
IP NAT debugging is on
SanJose1#
00:42:12: NAT: s=192.168.1.2->172.106.2.2, d=172.106.1.2 [12435]
00:42:12: NAT*: s=172.106.1.2, d=172.106.2.2->192.168.1.2 [12435]
00:42:13: NAT*: s=192.168.1.2->172.106.2.2, d=172.106.1.2 [12436]
00:42:13: NAT*: s=172.106.1.2, d=172.106.2.2->192.168.1.2 [12436]
00:42:14: NAT*: s=192.168.1.2->172.106.2.2, d=172.106.1.2 [12437]
The first packet is logged as NAT: (process switched while the translation entry is being created); the following packets are logged as NAT*: (fast switched using the existing entry).
Use debug ip packet and debug ip nat on SanJose1 and SanJose2.
From Host A on the SanJose1 LAN, access the web server on SanJose2 (172.160.1.2) and watch the debug output:
SanJose1# debug ip nat
IP NAT debugging is on
SanJose1#
00:46:21: NAT*: s=192.168.1.2->172.160.2.2, d=172.160.1.2 [12455]
00:46:21: NAT*: s=172.160.1.2, d=172.160.2.2->192.168.1.2 [12455]
00:46:22: NAT*: s=192.168.1.2->172.160.2.2, d=172.160.1.2 [12456]
00:46:22: NAT*: s=172.160.1.2, d=172.160.2.2->192.168.1.2 [12456]
00:46:23: NAT*: s=192.168.1.2->172.160.2.2, d=172.160.1.2 [12457]
This time the same host is translated to 172.160.2.2, an address from pool160, because the route map created a separate extended entry for the new destination instead of reusing the entry created for 172.106.1.2.
SanJose1# debug ip packet
IP packet debugging is on
SanJose1#
00:46:55: IP: s=172.160.1.2 (Ethernet0/0), d=192.168.1.2 (Ethernet1/0), g=192.168.1.2, len 60, forward
00:46:56: IP: s=172.160.1.2 (Ethernet0/0), d=192.168.1.2 (Ethernet1/0), g=192.168.1.2, len 60, forward
00:46:56: IP: s=0.0.0.0 (Ethernet0/0), d=255.255.255.255, len 328, rcvd 2
00:46:57: IP: s=172.160.1.2 (Ethernet0/0), d=192.168.1.2 (Ethernet1/0), g=192.168.1.2, len 60, forward
Use the show ip nat translations verbose command on SanJose1:
SanJose1# show ip nat translations verbose
Pro Inside global      Inside local       Outside local      Outside global
icmp 172.160.2.2:512   192.168.1.2:512    172.160.1.2:512    172.160.1.2:512
    create 00:01:39, use 00:00:46, left 00:00:13,
    flags: extended, use_count: 0
tcp 172.160.2.1:23     10.0.0.1:23        10.0.0.2:11002     10.0.0.2:11002
    create 00:02:41, use 00:00:05, left 00:00:54,
    flags: extended, timing-out, use_count: 0
The entries are flagged "extended": they carry the outside (destination) address and the ports, which is what allows the same inside host to be matched against a different route map, and drawn from a different pool, for each destination. Dynamic NAT with multiple pools using route maps has been configured successfully.
NOTE:
Support for route maps in static NAT translations was first introduced in Cisco IOS 12.2(4)T and 12.2(4)T2 for the Cisco 7500 series routers.
When an access list is used together with the overload keyword, NAT also creates fully extended translation entries, just as a route map does.
Reviews:
Both mechanisms, ACL and route map, work with fast switching; the difference lies in the translation entries they create.
With an ACL, NAT creates a single simple translation entry per inside host. Once that entry exists, any further traffic from that host to a different outside destination matches it, and NAT does not look at the destination or at the other ACL entries again.
With a route map, the entry is keyed on both the source and the destination address (and ports), so each destination is matched against its own route map and drawn from its own pool, which is what this scenario requires.
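To make the difference between the two entry types concrete, here is a small Python model, written for this page (it is not code from the lab or from Cisco IOS), of how inside source NAT looks up and creates translation entries. It is a simplification: a simple entry is keyed on the inside local address alone, an extended entry on the source and destination addresses (ports are left out), and in both modes an existing entry is used without consulting the ACLs, as the lab observed. The pools, ACLs and hosts are those of the scenario; the assumption that one inside host keeps the same inside global address within a pool is the model's, marked in the code.

```python
import ipaddress
from typing import Dict, List, Tuple

Addr = ipaddress.IPv4Address

class Pool:
    """An 'ip nat pool' range that hands out inside global addresses in order."""
    def __init__(self, name: str, first: str, last: str):
        self.name = name
        self.first = int(ipaddress.ip_address(first))
        self.last = int(ipaddress.ip_address(last))
        self.used = 0

    def allocate(self) -> Addr:
        if self.first + self.used > self.last:
            raise RuntimeError(f"pool {self.name} exhausted")
        addr = ipaddress.ip_address(self.first + self.used)
        self.used += 1
        return addr

class Rule:
    """One 'ip nat inside source {list|route-map} ... pool' statement whose
    ACL permits src_net -> dst_net."""
    def __init__(self, src_net: str, dst_net: str, pool: Pool):
        self.src_net = ipaddress.ip_network(src_net)
        self.dst_net = ipaddress.ip_network(dst_net)
        self.pool = pool

class InsideSourceNat:
    """Dynamic inside-source NAT lookup for one router.

    extended=False models ACL-based NAT (no overload): a simple entry keyed
    on the inside local address only.
    extended=True models route-map-based NAT: a fully extended entry keyed
    on source and destination (ports omitted in this model).
    In both modes an existing entry is used as-is; the rules (ACLs) are only
    consulted when no entry matches.
    """
    def __init__(self, rules: List[Rule], extended: bool):
        self.rules = rules
        self.extended = extended
        self.entries: Dict[tuple, Addr] = {}
        # Assumption of this model: an inside host keeps the same inside
        # global address within one pool, so a second extended entry for
        # another destination in the same pool does not burn a new address.
        self.bindings: Dict[Tuple[Addr, str], Addr] = {}

    def _key(self, src: Addr, dst: Addr) -> tuple:
        return (src, dst) if self.extended else (src,)

    def translate(self, src: str, dst: str) -> str:
        """Source address the packet leaves the outside interface with."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        key = self._key(s, d)
        if key in self.entries:            # existing entry wins, ACL not checked
            return str(self.entries[key])
        for rule in self.rules:            # first matching ACL creates the entry
            if s in rule.src_net and d in rule.dst_net:
                bind = (s, rule.pool.name)
                if bind not in self.bindings:
                    self.bindings[bind] = rule.pool.allocate()
                self.entries[key] = self.bindings[bind]
                return str(self.entries[key])
        return str(s)                      # no ACL matched: forwarded untranslated

def sanjose1(extended: bool) -> InsideSourceNat:
    """SanJose1's NAT configuration from the lab, in either mode."""
    pool106 = Pool("pool106", "172.106.2.1", "172.106.2.254")
    pool160 = Pool("pool160", "172.160.2.1", "172.160.2.254")
    return InsideSourceNat([
        Rule("192.168.1.0/24", "172.106.1.0/24", pool106),   # access-list 106
        Rule("192.168.1.0/24", "172.160.1.0/24", pool160),   # access-list 160
    ], extended)

def run_lab(extended: bool) -> Tuple[str, str, str]:
    """Host A reaches the web server on SanJose3, then the one on SanJose2,
    then an address no ACL permits; return the source address used for each."""
    nat = sanjose1(extended)
    return (nat.translate("192.168.1.2", "172.106.1.2"),
            nat.translate("192.168.1.2", "172.160.1.2"),
            nat.translate("192.168.1.2", "10.0.0.2"))

if __name__ == "__main__":
    print("ACL (simple entries):        ", run_lab(extended=False))
    print("route map (extended entries):", run_lab(extended=True))
```

In ACL mode the model reproduces the lab: the second and third packets reuse the simple entry and leave as 172.106.2.1 even though one of them matches access list 160 and the other matches no ACL at all. In route-map mode the packet to SanJose2 gets its own entry from pool160, and the packet to 10.0.0.2 is forwarded untranslated because no route map matches it.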
4. Configuration
SanJose1 # show running-config
Building configuration ...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SanJose1
!
ip subnet-zero
no ip domain-lookup
!
interface Ethernet0/0
ip address 10.0.0.1 255.255.255.0
no ip directed-broadcast
ip nat outside
!
interface Ethernet1/0
ip address 192.168.1.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
ip nat pool pool106 172.106.2.1 172.106.2.254 prefix-length 24
ip nat pool pool160 172.160.2.1 172.160.2.254 prefix-length 24
ip nat inside source route-map MAP-106 pool pool106
ip nat inside source route-map MAP-160 pool pool160
ip classless
ip route 172.106.1.0 255.255.255.0 10.0.0.3
ip route 172.160.1.0 255.255.255.0 10.0.0.2
!
access-list 106 permit ip 192.168.1.0 0.0.0.255 172.106.1.0 0.0.0.255
access-list 160 permit ip 192.168.1.0 0.0.0.255 172.160.1.0 0.0.0.255
route-map MAP-106 permit 10
match ip address 106
!
route-map MAP-160 permit 10
match ip address 160
!
!
!
line con 0
logging synchronous
transport input none
line aux 0
line vty 0 4
privilege level 15
no login
!
end
SanJose2 # show run
Building configuration ...
Current configuration: 1058 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SanJose2
!
no logging buffered
no logging buffered
logging rate-limit console 10 except errors
!
memory-size iomem 10
ip subnet-zero
no ip domain-lookup
!
interface Loopback0
ip address 172.160.1.2 255.255.255.0
!
interface FastEthernet0/0
ip address 10.0.0.2 255.255.255.0
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip http server
!
line con 0
logging synchronous
transport input none
line aux 0
line vty 0 4
privilege level 15
no login
!
end
SanJose3 # show run
Building configuration ...
Current configuration: 926 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SanJose3
!
ip subnet-zero
!
no ip finger
no ip domain-lookup
!
interface Loopback0
ip address 172.106.1.2 255.255.255.0
!
interface Ethernet0/0
ip address 10.0.0.3 255.255.255.0
half-duplex
!
ip kerberos source-interface any
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip http server
!
line con 0
logging synchronous
transport input none
line aux 0
line vty 0 4
privilege level 15
no login
!
end