appeared to the inside network.
1- ip nat inside source:
Changes the source address when a packet travels from inside to outside, and the destination address when a packet travels from outside to inside.
ip nat inside source static <inside local> <inside global>
Inside to outside: the source IP is changed.
inside local => inside global
Outside to inside: the destination IP is changed.
inside global => inside local
2- ip nat inside destination: the same address pair as inside source (inside global <=> inside local), but used differently.
Changes the destination address when a packet travels from outside to inside (inside global => inside local) and the source address when the reply travels from inside to outside. In IOS this form is what the rotary pool for TCP load distribution (shown further down) uses.
3- ip nat outside source:
Changes the source address when a packet travels from outside to inside, and the destination address when a packet travels from inside to outside.
ip nat outside source static <outside global> <outside local>
Inside to outside: the destination IP is changed.
outside local => outside global
Outside to inside: the source IP is changed.
outside global => outside local
4- ip nat outside destination:
It is not defined, or at least I have not seen it.
On the outside interface (outside to inside) a packet goes through these steps:
1 - Inbound ACL
2 - NAT
3 - Policy routing
4 - Routing
5 - IPsec encryption
6 - Outbound ACL
On the inside interface (inside to outside):
1 - Inbound ACL
2 - Policy routing
3 - Routing
4 - NAT
5 - IPsec encryption
6 - Outbound ACL
Put simply, you have two kinds of NAT, and the order of operations is asymmetric: NAT runs before routing for traffic entering the outside interface, but after routing for traffic entering the inside interface. This asymmetry is why the outside-source example further down needs an extra route.
First;
Source NAT: you change the source address of the packet. When a host reaches a website such as Google, its private source address has to be replaced with a public one; this is necessary for anything leaving your network.
For Juniper (source NAT to the egress interface address):
set security nat source rule-set ALI from zone WAN
set security nat source rule-set ALI to zone INTERNET
set security nat source rule-set ALI rule RULE1 match source-address 172.19.200.200/32
set security nat source rule-set ALI rule RULE1 match destination-address 8.8.8.8/32
set security nat source rule-set ALI rule RULE1 then source-nat interface
Cisco;
You create an access list that matches the inside addresses, then translate them either to the outside interface address, to a pool, or via a route-map (the three variants below are alternatives):
ip access-list extended INTERNET_NAT_ACL
 permit ip 10.0.0.0 0.255.255.255 any
ip nat inside source list INTERNET_NAT_ACL interface GigabitEthernet0/0/0 overload
or
ip access-list extended INTERNET_NAT_ACL
 permit ip 10.0.0.0 0.255.255.255 any
ip nat pool NAT 100.1.1.5 100.1.1.6 prefix-length 29
ip nat inside source list INTERNET_NAT_ACL pool NAT overload
or
access-list 10 permit 10.0.0.0 0.255.255.255
route-map NAT permit 10
 match ip address 10
 match interface GigabitEthernet0/0/0
ip nat inside source route-map NAT interface GigabitEthernet0/0/0 overload
interface GigabitEthernet0/0/2
description Fiber link between R1&R2
ip address 10.1.1.49 255.255.255.252
ip nat inside
interface GigabitEthernet0/0/0
description Internet connection
ip address 1.1.1.1 255.255.255.252 secondary
ip address 95.0.208.142 255.255.255.128
ip nat outside
Huawei
[Huawei]sysname R1
[R1]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]ip address 10.0.4.1 24
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]ip address 119.84.111.1 24
[R1]acl 3000
[R1-acl-adv-3000]rule 5 permit tcp source 10.0.4.254 0.0.0.0 destination 119.84.111.3 0.0.0.0 destination-port eq 23
[R1-acl-adv-3000]rule 15 deny ip
[R1]nat address-group 1 119.84.111.240 119.84.111.243
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]nat outbound 3000 address-group 1
Second NAT type: destination NAT (static or dynamic)
If somebody on the outside wants to reach a host on your inside network, you have to change the destination address of the packet. For instance, if Google or Yahoo wants to establish a session with your server, they only know your public (outside) address, not the inside address, so the router has to rewrite the destination from the public address to the inside one (this is destination NAT).
Juniper;
set security nat destination rule-set U_DNAT from zone UNTRUST
set security nat destination pool Web-pool address 192.168.2.1/32
set security nat destination pool Web-pool address port 80
set security nat destination rule-set U_DNAT rule Web-rule match source-address 0.0.0.0/0
set security nat destination rule-set U_DNAT rule Web-rule match destination-address 5.10.15.80/32
set security nat destination rule-set U_DNAT rule Web-rule match destination-port 80
set security nat destination rule-set U_DNAT rule Web-rule then destination-nat pool Web-pool
The same can also be done with static NAT (a bidirectional 1:1 mapping, no port restriction):
set security nat static rule-set U_StNAT from zone UNTRUST
set security nat static rule-set U_StNAT rule Web-rule match destination-address 5.10.15.80/32
set security nat static rule-set U_StNAT rule Web-rule then static-nat prefix 192.168.2.1/32
Cisco (static PAT; extendable lets several entries share one global address):
ip nat inside source static tcp 10.34.20.101 1723 82.222.6.201 1723 extendable
ip nat inside source static udp 10.34.20.90 1194 95.0.208.140 1194 extendable
Here is an example;
R1;
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.1.1 255.255.255.128
ip nat inside
!
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.1.129 255.255.255.128
ip nat inside
!
interface FastEthernet0/1
ip address 90.1.1.1 255.255.255.0
ip nat outside
!
interface FastEthernet1/0
ip address 80.1.1.1 255.255.255.0
ip nat outside
Then we create the access lists and route-maps;
ip access-list extended R2
 permit ip 192.168.1.0 0.0.0.127 any
ip access-list standard R3
 permit 192.168.1.128 0.0.0.127
route-map R2MAP permit 1
 match ip address R2 (packets must match access list R2)
 set interface FastEthernet0/1 (and are sent out Fa0/1)
!
route-map R3MAP permit 1
 match ip address R3
 set interface FastEthernet1/0
We apply the PBR settings. (Note: set interface is intended for point-to-point links; on an Ethernet uplink use set ip next-hop <ISP gateway> instead, otherwise the router has to ARP for every destination address.)
interface FastEthernet0/0.10
ip policy route-map R2MAP
!
interface FastEthernet0/0.20
ip policy route-map R3MAP
Finally, the NAT statements reuse the same route-maps, so each subnet is translated to the address of the interface it is policy-routed out of:
ip nat inside source route-map R2MAP interface FastEthernet0/1 overload
ip nat inside source route-map R3MAP interface FastEthernet1/0 overload
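The translation table behind the two overload statements above, as an added Python example (not code from the original post): it models PAT on R1 with the egress choice the R2MAP/R3MAP route-maps make, allocates a global port per inside flow, resolves a source-port collision between two inside hosts on the same uplink, and shows that an unsolicited inbound packet has no entry and is dropped. The port-allocation rule (keep the inside port when free, otherwise the lowest free port from 1024) is an illustrative assumption, not IOS's exact algorithm.

```python
import ipaddress

# Added example, not from the original post: a toy model of PAT ("overload")
# for the dual-uplink design above. POLICY reproduces what the R2MAP/R3MAP
# route-maps select: 192.168.1.0/25 leaves via Fa0/1 (90.1.1.1),
# 192.168.1.128/25 via Fa1/0 (80.1.1.1). The port allocation rule is an
# assumption for illustration, not IOS's exact algorithm.

POLICY = [
    (ipaddress.ip_network("192.168.1.0/25"), "FastEthernet0/1", "90.1.1.1"),
    (ipaddress.ip_network("192.168.1.128/25"), "FastEthernet1/0", "80.1.1.1"),
]


class PatTable:
    """Per-router PAT state: one entry per (proto, inside local ip, port)."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        self.out = {}    # (proto, local_ip, local_port) -> (global_ip, global_port)
        self.back = {}   # (proto, global_ip, global_port) -> (local_ip, local_port)

    def egress_for(self, src_ip):
        ip = ipaddress.ip_address(src_ip)
        for net, iface, global_ip in self.policy:
            if ip in net:
                return iface, global_ip
        return None, None

    def allocate_port(self, proto, global_ip, wanted):
        # Prefer the original source port; fall back to the lowest free high port.
        if (proto, global_ip, wanted) not in self.back:
            return wanted
        port = 1024
        while (proto, global_ip, port) in self.back:
            port += 1
        return port

    def translate_out(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Inside -> outside: returns (egress iface, translated 4-tuple), or None
        when the source is not matched by the route-map (left untranslated)."""
        iface, global_ip = self.egress_for(src_ip)
        if iface is None:
            return None
        key = (proto, src_ip, src_port)
        if key not in self.out:
            gport = self.allocate_port(proto, global_ip, src_port)
            self.out[key] = (global_ip, gport)
            self.back[(proto, global_ip, gport)] = (src_ip, src_port)
        global_ip, gport = self.out[key]
        return iface, (global_ip, gport, dst_ip, dst_port)

    def translate_in(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Outside -> inside: only packets matching an existing entry get in;
        anything else has no translation and is dropped by the NAT router."""
        hit = self.back.get((proto, dst_ip, dst_port))
        if hit is None:
            return None
        local_ip, local_port = hit
        return (src_ip, src_port, local_ip, local_port)


def demo():
    t = PatTable()
    a = t.translate_out("tcp", "192.168.1.10", 40000, "8.8.8.8", 443)
    # second host picks the same source port -> collision on 90.1.1.1
    b = t.translate_out("tcp", "192.168.1.20", 40000, "8.8.8.8", 443)
    # host in the other /25 goes out the other uplink, no collision there
    c = t.translate_out("tcp", "192.168.1.200", 40000, "8.8.8.8", 443)
    reply = t.translate_in("tcp", "8.8.8.8", 443, "90.1.1.1", b[1][1])
    # constructed scanner address: no session, so no translation
    unsolicited = t.translate_in("tcp", "198.51.100.7", 12345, "90.1.1.1", 22)
    return a, b, c, reply, unsolicited


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The last call is the security-relevant part of overload NAT: with no static entry, an inbound connection to the public address has nothing to map to and never reaches an inside host.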
---
show security flow session nat
Session ID: 140262, Policy name: ptt-to-server/6, State: Active, Timeout: 60, Valid
  In: 185.96.138.240/35200 --> 10.127.148.11/8280;tcp, If: reth7.0, Pkts: 0, Bytes: 0
  Out: 172.20.34.11/8280 --> 185.96.138.240/35200;tcp, If: vlan.0, Pkts: 0, Bytes: 0
The In wing is the packet as it arrived (client source 185.96.138.240, public destination 10.127.148.11:8280); the Out wing is the return direction, so its source 172.20.34.11 is the real server the destination was translated to.
----
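An added Python example (not from the original post) that parses this output into structured records and works out from the two wings which address was rewritten. The first session is the one above; the second is a constructed interface source-NAT session that reuses addresses appearing earlier in the post.

```python
import re

# Added example, not from the original post: parse "show security flow session"
# output and recover the NAT performed on each session. Session 140262 is the
# one shown on the page; session 140263 is constructed for illustration.

SAMPLE = """\
Session ID: 140262, Policy name: ptt-to-server/6, State: Active, Timeout: 60, Valid
  In: 185.96.138.240/35200 --> 10.127.148.11/8280;tcp, If: reth7.0, Pkts: 0, Bytes: 0
  Out: 172.20.34.11/8280 --> 185.96.138.240/35200;tcp, If: vlan.0, Pkts: 0, Bytes: 0
Session ID: 140263, Policy name: trust-to-untrust/4, State: Active, Timeout: 1800, Valid
  In: 172.19.200.200/51514 --> 8.8.8.8/443;tcp, If: vlan.0, Pkts: 12, Bytes: 1866
  Out: 8.8.8.8/443 --> 95.0.208.142/51514;tcp, If: reth7.0, Pkts: 10, Bytes: 4320
"""

SESSION_RE = re.compile(
    r"Session ID: (?P<id>\d+), Policy name: (?P<policy>\S+), "
    r"State: (?P<state>\w+), Timeout: (?P<timeout>\d+)"
)
WING_RE = re.compile(
    r"^\s*(?P<dir>In|Out): (?P<src>[\d.]+)/(?P<sport>\d+) --> "
    r"(?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\w+), If: (?P<iface>\S+), "
    r"Pkts: (?P<pkts>\d+), Bytes: (?P<bytes>\d+)"
)


def parse_sessions(text):
    """Group each Session line with its In/Out wings."""
    sessions, current = [], None
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            current = {"id": int(m["id"]), "policy": m["policy"],
                       "state": m["state"], "timeout": int(m["timeout"]), "wings": {}}
            sessions.append(current)
            continue
        w = WING_RE.match(line)
        if w and current is not None:
            current["wings"][w["dir"]] = {
                k: w[k] for k in ("src", "sport", "dst", "dport", "proto", "iface")
            }
    return sessions


def nat_summary(session):
    """In = the initiating packet as it arrived; Out = the reverse direction as
    it leaves. Out.src therefore shows the translated destination (DNAT) and
    Out.dst the translated source (SNAT) of the original flow."""
    i, o = session["wings"]["In"], session["wings"]["Out"]
    kinds = []
    if (o["src"], o["sport"]) != (i["dst"], i["dport"]):
        kinds.append("destination-nat")
    if (o["dst"], o["dport"]) != (i["src"], i["sport"]):
        kinds.append("source-nat")
    return {
        "id": session["id"],
        "policy": session["policy"],
        "client": f"{i['src']}:{i['sport']}",
        "client_as_seen_by_server": f"{o['dst']}:{o['dport']}",
        "server_public": f"{i['dst']}:{i['dport']}",
        "server_real": f"{o['src']}:{o['sport']}",
        "types": kinds,
    }


def summarize(text=SAMPLE):
    return [nat_summary(s) for s in parse_sessions(text)]


if __name__ == "__main__":
    for row in summarize():
        print(row)
```

This is the mapping you need when correlating an SRX flow table with server logs during an incident: the server only ever sees the Out wing's addresses, while the Internet only sees the In wing's.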
Server Load Balancing, Stateful NAT, NAT Virtual Interface
Server Load Balancing Using Dynamic NAT
Steps
Define a pool of addresses containing the addresses of the real servers.
ip nat pool NATPOOL 10.1.1.1 10.1.1.3 prefix-length 24 type rotary
Define an access list that permits the address of the virtual server.
access-list 1 permit host 172.16.2.3
Enable dynamic translation of inside destination addresses (rotary distribution applies to TCP only; each new TCP connection to the virtual address is sent to the next real server in the pool).
ip nat inside destination list 1 pool NATPOOL
Now mark the NAT inside (real servers) and outside (clients) interfaces.
interface gig0/0
 ip address 10.1.1.4 255.255.255.0
 ip nat inside
interface gig0/1
 ip address 172.16.1.1 255.255.255.248
 ip nat outside
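An added Python example (not from the original post) modelling what the rotary pool does: round-robin assignment of new TCP connections to the virtual address, stickiness for packets of an existing connection, reverse translation of the server's reply, and non-TCP traffic left alone. The client address 198.51.100.20 is constructed.

```python
from itertools import cycle

# Added example, not from the original post: a toy model of the rotary pool
# above. New TCP connections to the virtual address 172.16.2.3 are handed to
# 10.1.1.1-10.1.1.3 in round-robin order; packets of an existing connection
# (same client address and port) stay on the server already chosen, and the
# server's replies get their source rewritten back to the virtual address.
# The client address in demo() is constructed (documentation range).

VIP = "172.16.2.3"
POOL = ["10.1.1.1", "10.1.1.2", "10.1.1.3"]


class RotaryNat:
    def __init__(self, vip=VIP, pool=POOL):
        self.vip = vip
        self.ring = cycle(pool)
        self.sessions = {}  # (client_ip, client_port) -> real server

    def outside_to_inside(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Destination translation of a packet arriving on the outside interface.
        Rotary distribution is TCP-only and only for the virtual address."""
        if proto != "tcp" or dst_ip != self.vip:
            return (src_ip, src_port, dst_ip, dst_port)
        key = (src_ip, src_port)
        server = self.sessions.get(key)
        if server is None:
            server = next(self.ring)      # next real server, round-robin
            self.sessions[key] = server
        return (src_ip, src_port, server, dst_port)

    def inside_to_outside(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Reverse translation of a reply: real server source -> virtual address,
        but only for a client that was actually sent to that server."""
        if proto == "tcp" and self.sessions.get((dst_ip, dst_port)) == src_ip:
            return (self.vip, src_port, dst_ip, dst_port)
        return (src_ip, src_port, dst_ip, dst_port)


def demo():
    n = RotaryNat()
    client = "198.51.100.20"
    # four new connections: servers 1, 2, 3, then back to 1
    first = [n.outside_to_inside("tcp", client, p, VIP, 80)[2]
             for p in (50001, 50002, 50003, 50004)]
    sticky = n.outside_to_inside("tcp", client, 50001, VIP, 80)[2]   # existing session
    reply = n.inside_to_outside("tcp", "10.1.1.2", 80, client, 50002)
    udp = n.outside_to_inside("udp", client, 50001, VIP, 53)           # untouched
    return first, sticky, reply, udp


if __name__ == "__main__":
    print(demo())
```

What the model makes obvious: the router tracks nothing about server health, so a dead real server still receives every third new connection. Rotary NAT is load distribution, not load balancing with failure detection.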
Stateful NAT;
R2 and R3 share one NAT table (synchronised through the HSRP group SNAT), so a failover keeps existing translations alive. Note that Stateful NAT is not available in Cisco IOS 12.4(24)T and later releases.
R4;
interface FastEthernet0/1
ip address 19.1.1.2 255.255.255.0
interface FastEthernet1/0
ip address 19.2.2.2 255.255.255.0
ip route 119.1.1.0 255.255.255.0 19.1.1.1
ip route 119.1.1.0 255.255.255.0 19.2.2.1 10
R2;
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
standby 1 ip 192.168.1.100
standby 1 timers 1 3
standby 1 priority 150
standby 1 preempt
standby 1 name SNAT
standby 1 track FastEthernet0/1 100
interface FastEthernet0/1
ip address 19.1.1.1 255.255.255.0
ip nat outside
!
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat pool mypool 119.1.1.1 119.1.1.10 prefix-length 24
ip nat inside source list 1 pool mypool mapping-id 100 overload
!
ip nat stateful id 1 (unique id of this router in the SNAT group)
 redundancy SNAT (join the HSRP group named SNAT)
  mapping-id 100 (ties to the mapping-id on the ip nat inside source line)
ip route 0.0.0.0 0.0.0.0 19.1.1.2
R3;
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
ip nat inside
standby 1 ip 192.168.1.100
standby 1 timers 1 3
standby 1 priority 90
standby 1 preempt
standby 1 name SNAT
standby 1 track FastEthernet1/0 100
interface FastEthernet1/0
ip address 19.2.2.1 255.255.255.0
ip nat outside
access-list 1 permit 192.168.1.0 0.0.0.255 (access-list 1 is needed on R3 as well)
ip nat pool mypool 119.1.1.1 119.1.1.10 prefix-length 24
ip nat inside source list 1 pool mypool mapping-id 100 overload
ip nat stateful id 2
 redundancy SNAT
  mapping-id 100
ip route 0.0.0.0 0.0.0.0 19.2.2.2
NAT Virtual Interface
With NVI there is no inside/outside concept; interfaces are simply enabled for NAT.
R3;
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat enable
interface FastEthernet0/1
ip address 80.1.1.1 255.255.255.0
ip nat enable
ip nat source static 192.168.1.100 80.1.1.100
The router decides for itself which interface acts as inside and which as outside.
NAT example
ip nat outside source static 80.1.1.2 192.168.1.10
When PC0 (80.1.1.2, outside) pings 192.168.1.100, the packet reaches PC1 with source 192.168.1.10. PC1's reply arrives at gi0/1, the inside interface, and follows these steps:
1 - Inbound ACL
2 - Policy routing
3 - Routing
4 - NAT
5 - IPsec encryption
6 - Outbound ACL
Routing before NAT is bad here, because the reply has source 192.168.1.100 and destination 192.168.1.10, which the router believes is in the directly connected inside subnet, so it wants to send the packet back out the same interface it came in on and NAT is never reached.
ip route 192.168.1.10 255.255.255.255 80.1.1.2
Adding this route solves the problem: the reply is now routed toward the outside and the destination is translated back to 80.1.1.2 on the way out. (The add-route keyword on the ip nat outside source static command installs this host route automatically.)
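The failure described above and its fix, as an added Python example (not code from the original post). It models the order of operations from the two lists earlier in the post: on the outside interface NAT runs before routing, on the inside interface routing runs before NAT. Assumed names: Gi0/1 is the inside interface on 192.168.1.0/24 (PC1 = 192.168.1.100), Gi0/0 the outside interface on 80.1.1.0/24 (PC0 = 80.1.1.2); the static route is represented by its egress interface rather than its next hop. The router also carries an inside-source map so both static rule types from the start of the post can be exercised.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not from the original post: a toy model of the IOS order of
# operations (NAT before routing on the outside interface, routing before NAT
# on the inside interface) applied to the outside-source example above.
# Assumed topology: Gi0/1 = inside, 192.168.1.0/24 (PC1 = 192.168.1.100);
# Gi0/0 = outside, 80.1.1.0/24 (PC0 = 80.1.1.2); rule
#   ip nat outside source static 80.1.1.2 192.168.1.10
# The static route is modelled by its egress interface rather than next hop.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass
class Interface:
    name: str
    network: ipaddress.IPv4Network   # connected subnet
    nat: str                         # "inside" or "outside"


class Router:
    def __init__(self, interfaces):
        self.ifs = {i.name: i for i in interfaces}
        self.routes = [(i.network, i.name) for i in interfaces]   # connected routes
        self.inside_source = {}    # inside local   -> inside global
        self.outside_source = {}   # outside global -> outside local

    def add_route(self, prefix, out_if):
        self.routes.append((ipaddress.ip_network(prefix), out_if))

    def route(self, dst):
        """Longest-prefix match; returns the egress interface name or None."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, out_if in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, out_if)
        return best[1] if best else None

    def nat_outside_to_inside(self, pkt):
        # outside source: source global -> local; inside source: destination global -> local
        src = self.outside_source.get(pkt.src, pkt.src)
        dst = {g: l for l, g in self.inside_source.items()}.get(pkt.dst, pkt.dst)
        return Packet(src, dst)

    def nat_inside_to_outside(self, pkt):
        # inside source: source local -> global; outside source: destination local -> global
        src = self.inside_source.get(pkt.src, pkt.src)
        dst = {l: g for g, l in self.outside_source.items()}.get(pkt.dst, pkt.dst)
        return Packet(src, dst)

    def forward(self, pkt, ingress):
        """Return (egress interface, packet as it leaves)."""
        if self.ifs[ingress].nat == "outside":
            pkt = self.nat_outside_to_inside(pkt)   # NAT first ...
            egress = self.route(pkt.dst)            # ... then routing
        else:
            egress = self.route(pkt.dst)            # routing first ...
            if egress and self.ifs[egress].nat == "outside":
                pkt = self.nat_inside_to_outside(pkt)   # ... NAT only if leaving via outside
        return egress, pkt


def build_router(with_host_route):
    r = Router([
        Interface("Gi0/1", ipaddress.ip_network("192.168.1.0/24"), "inside"),
        Interface("Gi0/0", ipaddress.ip_network("80.1.1.0/24"), "outside"),
    ])
    r.outside_source["80.1.1.2"] = "192.168.1.10"
    if with_host_route:
        # ip route 192.168.1.10 255.255.255.255 80.1.1.2  (next hop lives on Gi0/0)
        r.add_route("192.168.1.10/32", "Gi0/0")
    return r


def ping_and_reply(with_host_route):
    """PC0 pings PC1; PC1 answers the source it saw. Returns both hops as
    (egress interface, source, destination) after the router processed them."""
    r = build_router(with_host_route)
    eg1, p1 = r.forward(Packet("80.1.1.2", "192.168.1.100"), "Gi0/0")
    eg2, p2 = r.forward(Packet(p1.dst, p1.src), "Gi0/1")
    return (eg1, p1.src, p1.dst), (eg2, p2.src, p2.dst)


if __name__ == "__main__":
    print("without host route:", ping_and_reply(False))
    print("with host route:   ", ping_and_reply(True))
```

Without the host route the reply is routed back out Gi0/1 untranslated (the router would ARP for 192.168.1.10 on the LAN and fail); with the /32 route it leaves Gi0/0 with destination 80.1.1.2.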
ASA FIREWALL NAT
If the source IP is 192.168.1.2 it will be translated to 10.51.100.40 (GMT is the real interface, YSHA the mapped interface):
object network GMT
host 192.168.1.2
nat (GMT,YSHA) static 10.51.100.40
object network AMT
host 192.168.1.3
nat (GMT,YSHA) static 10.51.100.41
- Create a network object.
- Within this object define the real IP/network to be translated.
- Also within this object use the nat command to specify whether the translation will be dynamic or static.
Example of PAT to the interface address:
firewall(config)# object network ALI
firewall(config-network-object)# subnet 192.168.1.0 255.255.255.0
firewall(config-network-object)# nat (inside,outside) dynamic interface
If we want to hide the inside network behind a specific public address, traffic leaves as 1.1.1.1; this does not have to be the outside interface's own address:
firewall(config)# object network ALI
firewall(config-network-object)# subnet 192.168.1.0 255.255.255.0
firewall(config-network-object)# nat (inside,outside) dynamic 1.1.1.1
NAPT / dynamic NAT to hide the inside network behind a range of outside addresses 1.1.1.1-1.1.1.5:
firewall(config)# object network ALI-RANGE
firewall(config-network-object)# range 1.1.1.1 1.1.1.5
firewall(config)# object network inside-network
firewall(config-network-object)# subnet 192.168.1.0 255.255.255.0
firewall(config-network-object)# nat (inside,outside) dynamic ALI-RANGE
When the source address is 192.168.1.1, the source becomes 1.1.1.2 on the way out:
firewall(config)# object network inside-host
firewall(config-network-object)# host 192.168.1.1
firewall(config-network-object)# nat (inside,outside) static 1.1.1.2
Static NAT with port translation for host 192.168.1.1 on the inside at TCP port 80, reachable on the outside as 1.1.1.2 port 8080:
firewall(config)# object network ALI-WEB
firewall(config-network-object)# host 192.168.1.1
firewall(config-network-object)# nat (inside,outside) static 1.1.1.2 service tcp 80 8080