CONFIGURING STATIC NAT

I. Introduction:
NAT (Network Address Translation) is a mechanism that translates the IP addresses of one address domain into another domain through a registered IP address, so that traffic can be exchanged between the two environments (Local and Global).
The advantage of NAT is that the private IP addresses used inside the network are translated into the registered address (the inside global address) that was assigned when the address space was registered.
Address types:
Inside Local: the addresses used inside the internal network (behind the gateway).
Inside Global: the addresses on the outward-facing side of the GATEWAY; this is the registered NAT address. In this lab it is 172.17.0.1/24.
Outside Global: the external networks beyond the gateway.
Mapping one public IP to one private IP is not effective when rolled out to every host in the network, because there would not be enough addresses to hand out. Static NAT is normally applied when a public address is needed for a Web server, an FTP server, and so on.

II. Lab description and diagram:

- The PCs connect to the routers with straight-through cable, and the two routers connect to each other with a serial cable. The IP addresses of the interfaces and PCs are given in the diagram.
- In this lab, router TTG2 is configured as an ISP and router TTG1 as a Gateway. The goal is to configure Static NAT for PC1 so that when its traffic leaves TTG1 the source address is translated to 172.17.0.1.
- Once Static NAT is in place, PC2 must go through the address 172.17.0.1 to connect to PC1.

III. Configuration:
- Configure the routers as follows:
Router TTG2:
Router#configure terminal
Router(config)#enable password cisco
Router(config)#hostname TTG2
TTG2(config)#interface s0/1/0
TTG2(config-if)#ip address 192.168.0.2 255.255.255.0
TTG2(config-if)#no shutdown
TTG2(config-if)#clock rate 64000
TTG2(config-if)#interface fa0/1
TTG2(config-if)#ip address 11.1.0.1 255.255.255.0
TTG2(config-if)#no shutdown
Router TTG1:
TTG1(config)#interface serial 0/1/0
TTG1(config-if)#ip address 192.168.0.1 255.255.255.0
TTG1(config-if)#clock rate 64000
TTG1(config-if)#ip nat outside      ! S0/1/0 is the outside interface
TTG1(config-if)#interface fa0/1
TTG1(config-if)#ip address 10.1.0.1 255.255.255.0
TTG1(config-if)#ip nat inside       ! Fa0/1 is the inside interface
TTG1(config-if)#no shutdown
- Configure Static NAT on TTG1 with the command:
TTG1(config)#ip nat inside source static 10.1.0.2 172.17.0.1
The command above means: packets originating from PC1 that enter router TTG1 on interface Fa0/1 and leave toward the outside through interface S0/1/0 have their source IP address changed from 10.1.0.2 to 172.17.0.1 (the address registered with the ISP).
- Configure static routes on the two routers TTG2 and TTG1:
TTG1(config)#ip route 0.0.0.0 0.0.0.0 192.168.0.2
TTG2(config)#ip route 172.17.0.0 255.255.0.0 192.168.0.1
- The address 172.17.0.1 is the registered address. In practice the ISP only routes down to the user via this registered address.
- To check how router TTG1 performs NAT, use the following command:
TTG1#show ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
--- 172.17.0.1         10.1.0.2           ---                ---

- To see how router TTG1 translates addresses, use the command debug ip nat on router TTG1 and ping from PC1 to the address 11.1.0.1.

- From the ISP side (TTG2), to ping PC1 or the servers inside the customer's LAN, ping the public address that is being NATed on TTG1; the outside Internet can only connect to this IP.

- So, to interact with the inside server, the outside must access the IP address 172.17.0.1.


CONFIGURING NAT OVERLOAD


I. Introduction:
NAT (Network Address Translation) is used to translate private addresses into public addresses. When packets sent from the user's internal network reach the border router, their source IP address is translated into the public address the user registered with the ISP. This allows packets from the internal network to be sent out to the external network (the Internet).
NAT comes in several types: static NAT, NAT pool and NAT overload.
Static NAT translates one internal address into one public address.
NAT pool translates internal addresses into one of a range of public addresses.
NAT overload translates internal addresses into a single public address.
With NAT overload, the router additionally uses port numbers to tell the translated addresses apart.

II. Commands used in this lab:

ip nat {inside | outside}
Configures an interface as inside or outside.

ip nat inside source {list {access-list-number | name} pool name [overload] | static local-ip global-ip}
Translates inside addresses into public addresses.

ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} [type rotary]
Creates a NAT pool.

show ip nat translations
Displays the NAT translation table.

debug ip nat
Shows NAT activity in real time.

III. Lab description and diagram:

- The lab topology is shown in the diagram above. Router TTG1 has interfaces loopback 0, loopback 1 and loopback 2 configured; router TTG2 has loopback 0. The two routers are connected with a serial cable. The three networks on lo0, lo1 and lo2 simulate the inside networks; when traffic from these networks goes out (leaves S0/1/0), it is all translated to the address 192.168.1.1.
IV. Router configuration:
The interfaces of the two routers are configured as follows:
Router TTG1:
Router>enable
Router#configure terminal
Router(config)#hostname TTG1
TTG1(config)#interface Loopback0
TTG1(config-if)#ip address 10.1.0.1 255.255.0.0
TTG1(config-if)#exit
TTG1(config)#interface Loopback1
TTG1(config-if)#ip address 11.1.0.1 255.255.0.0
TTG1(config-if)#exit
TTG1(config)#interface Loopback2
TTG1(config-if)#ip address 12.1.0.1 255.255.0.0
TTG1(config-if)#exit
TTG1(config)#interface Serial0/1/0
TTG1(config-if)#ip address 192.168.1.1 255.255.255.0
TTG1(config-if)#clock rate 64000
TTG1(config-if)#exit
Router TTG2:
Router>enable
Router#configure terminal
Router(config)#hostname TTG2
TTG2(config)#interface Loopback0
TTG2(config-if)#ip address 13.1.0.1 255.255.0.0
TTG2(config-if)#exit
TTG2(config)#interface Serial0/1/0
TTG2(config-if)#ip address 192.168.1.2 255.255.255.0
TTG2(config-if)#clock rate 64000
TTG2(config-if)#exit
- Configure NAT on router TTG1 with the following steps:

Step 1: Configure the inside and outside interfaces

In this lab, the loopback interfaces of TTG1 are configured as inside and interface serial 0/1/0 as outside.
TTG1(config)#interface loopback 0
TTG1(config-if)#ip nat inside
TTG1(config-if)#interface loopback 1
TTG1(config-if)#ip nat inside
TTG1(config-if)#interface loopback 2
TTG1(config-if)#ip nat inside
TTG1(config-if)#interface s0/1/0
TTG1(config-if)#ip nat outside
TTG1(config-if)#exit

Step 2: Create an access list that selects which networks are NATed.

We permit the networks 10.1.0.0/16 and 11.1.0.0/16 and deny the network 12.1.0.0/16:
TTG1(config)#access-list 1 deny 12.1.0.0 0.0.255.255
TTG1(config)#access-list 1 permit any

Step 3: Create the NAT pool on router TTG1

Configure a NAT pool named TTG1 with addresses from 172.1.1.1/24 to 172.1.1.5/24:
TTG1(config)#ip nat pool TTG1 172.1.1.1 172.1.1.5 netmask 255.255.255.0

Step 4: Configure NAT on the router

TTG1(config)#ip nat inside source list 1 pool TTG1 overload
The command above enables overload on the NAT pool.

Step 5: Routing

TTG1(config)#ip route 13.1.0.0 255.255.0.0 192.168.1.2
TTG2(config)#ip route 172.1.1.0 255.255.255.0 192.168.1.1
Note: on router TTG2, if we instead route with:
TTG2(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1
then we can ping the networks inside router TTG1 (10.1.0.0/16, 11.1.0.0/16). In practice, however, the ISP only routes down to the user via the address the user registered (the inside global address).
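As an added illustration (not part of the lab and not IOS code), the following Python model reproduces what the two TTG1 policies in this document do to a packet: the static entry ip nat inside source static 10.1.0.2 172.17.0.1 from the Static NAT lab, and ACL 1 plus pool TTG1 with overload from steps 2 to 4 above. The class and function names are hypothetical, and the ICMP identifier is treated as a port.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example, not IOS code: a model of what "ip nat inside source ..." does
# to a packet leaving the outside interface, for the static entry of the first
# lab and for ACL 1 + pool TTG1 + overload; "port" stands for the ICMP id.

@dataclass
class NatPolicy:
    static: dict = field(default_factory=dict)   # inside local -> inside global
    acl: list = field(default_factory=list)      # ordered (action, network) pairs
    pool: list = field(default_factory=list)     # pool addresses, in order
    table: dict = field(default_factory=dict)    # (local, port) -> (global, port)

    def acl_permits(self, src):
        ip = ipaddress.ip_address(src)
        for action, net in self.acl:             # first match wins
            if ip in ipaddress.ip_network(net):
                return action == "permit"
        return False                             # implicit deny, as in IOS

    def translate_out(self, src, port):
        """Inside global (ip, port) for an outbound packet, None if untranslated."""
        if src in self.static:
            return (self.static[src], port)      # 1:1 mapping, port untouched
        if not self.acl_permits(src):
            return None                          # denied by ACL: sent as-is
        if (src, port) not in self.table:
            # Overload: all hosts share pool[0]; each flow gets a distinct port.
            used = {p for _, p in self.table.values()}
            gport = port
            while gport in used:
                gport += 1
            self.table[(src, port)] = (self.pool[0], gport)
        return self.table[(src, port)]

    def translate_in(self, dst, port):
        # Reverse lookup for the reply arriving on the outside interface.
        for local, glob in self.table.items():
            if glob == (dst, port):
                return local
        for local, glob in self.static.items():
            if glob == dst:
                return (local, port)
        return None

def lab_policies():
    # The two TTG1 policies from this document, as NatPolicy objects.
    static_lab = NatPolicy(static={"10.1.0.2": "172.17.0.1"})
    overload_lab = NatPolicy(acl=[("deny", "12.1.0.0/16"), ("permit", "0.0.0.0/0")],
                             pool=[f"172.1.1.{i}" for i in range(1, 6)])
    return static_lab, overload_lab
```

Two hosts sending from the same identifier share 172.1.1.1 and are told apart by port, which is exactly the distinction between a NAT pool and NAT overload described in the introduction.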

Step 6: Verify NAT operation

We verify NAT with the command debug ip nat:
TTG1#debug ip nat
IP NAT debugging is on
- After enabling NAT debugging, we ping loopback0 of TTG2 from loopback0 of TTG1, simulating traffic from host 10.1.0.1 to 13.1.0.1. As the traffic from 10.1.0.1 passes through S0/1/0, its source address is translated.
TTG1#ping
Protocol [ip]:
Target IP address: 13.1.0.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.1.0.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 13.1.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/40/44 ms

TTG1#
00:31:12: NAT: s=10.1.0.1->172.1.1.1, d=13.1.0.1 [190]
00:31:12: NAT*: s=13.1.0.1, d=172.1.1.1->10.1.0.1 [190]
00:31:12: NAT: s=10.1.0.1->172.1.1.1, d=13.1.0.1 [191]
00:31:12: NAT*: s=13.1.0.1, d=172.1.1.1->10.1.0.1 [191]
00:31:12: NAT: s=10.1.0.1->172.1.1.1, d=13.1.0.1 [192]
00:31:12: NAT*: s=13.1.0.1, d=172.1.1.1->10.1.0.1 [192]
00:31:12: NAT: s=10.1.0.1->172.1.1.1, d=13.1.0.1 [193]
00:31:12: NAT*: s=13.1.0.1, d=172.1.1.1->10.1.0.1 [193]
00:31:12: NAT: s=10.1.0.1->172.1.1.1, d=13.1.0.1 [194]
00:31:12: NAT*: s=13.1.0.1, d=172.1.1.1->10.1.0.1 [194]
- From the output above we can see that packets from 10.1.0.1 have their source IP changed to 172.1.1.1.
- Use the command show ip nat translations to view the NAT table:
TTG1#show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 172.1.1.1:2459    10.1.0.1:2459      13.1.0.1:2459      13.1.0.1:2459
icmp 172.1.1.1:2460    10.1.0.1:2460      13.1.0.1:2460      13.1.0.1:2460
icmp 172.1.1.1:2461    10.1.0.1:2461      13.1.0.1:2461      13.1.0.1:2461
icmp 172.1.1.1:2462    10.1.0.1:2462      13.1.0.1:2462      13.1.0.1:2462
icmp 172.1.1.1:2463    10.1.0.1:2463      13.1.0.1:2463      13.1.0.1:2463
- The numbers after the colon (2459 to 2463) are the ports NAT uses for the address 10.1.0.1.
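As an added example (not the lab's own capture), this Python snippet parses debug ip nat lines in the format shown above, pairs each outbound translation with its reply and flags inside hosts translated to an address outside the configured pool. The sample lines are constructed here and include one deliberately anomalous translation (12.1.0.1 to 192.0.2.7) and one outbound packet without a reply.

```python
import re
from collections import defaultdict

# Sample lines modelled on the "debug ip nat" output above. Constructed for this
# added example (not the lab's capture): IP id 191 gets no reply, and the last
# pair shows a translation to an address that is not in pool TTG1.
DEBUG_LINES = """\
00:31:12: NAT: s=10.1.0.1->172.1.1.1, d=13.1.0.1 [190]
00:31:12: NAT*: s=13.1.0.1, d=172.1.1.1->10.1.0.1 [190]
00:31:12: NAT: s=10.1.0.1->172.1.1.1, d=13.1.0.1 [191]
00:33:16: NAT: s=11.1.0.1->172.1.1.1, d=13.1.0.1 [210]
00:33:16: NAT*: s=13.1.0.1, d=172.1.1.1->11.1.0.1 [210]
00:35:02: NAT: s=12.1.0.1->192.0.2.7, d=13.1.0.1 [300]
00:35:02: NAT*: s=13.1.0.1, d=192.0.2.7->12.1.0.1 [300]
""".splitlines()

# Outbound: "NAT: s=<local>-><global>, d=<remote> [<ip id>]"
OUT_RE = re.compile(r"NAT: s=([\d.]+)->([\d.]+), d=([\d.]+) \[(\d+)\]")
# Reply:    "NAT*: s=<remote>, d=<global>-><local> [<ip id>]"
IN_RE = re.compile(r"NAT\*: s=([\d.]+), d=([\d.]+)->([\d.]+) \[(\d+)\]")

def parse_debug(lines):
    """Return (mappings, unanswered): mappings counts packets per
    (inside local, inside global) pair; unanswered lists the
    (local, global, remote, ip id) of outbound packets with no reply."""
    mappings = defaultdict(int)
    pending = {}
    for line in lines:
        m = OUT_RE.search(line)
        if m:
            local, glob, remote, pid = m.groups()
            mappings[(local, glob)] += 1
            pending[(local, glob, remote, pid)] = True
            continue
        m = IN_RE.search(line)
        if m:
            remote, glob, local, pid = m.groups()
            pending.pop((local, glob, remote, pid), None)
    return dict(mappings), sorted(pending)

def unexpected_globals(mappings, allowed):
    """Inside locals translated to a global address not in `allowed`
    (for example an address outside the pool you configured)."""
    return sorted(local for (local, glob) in mappings if glob not in allowed)
```

Running it against a real debug capture lets you confirm that every inside host lands on the pool you configured and that translations are answered, which is the same check the lab performs by eye on the output above.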


- Repeat the steps above to check NAT for loopback 1 and loopback 2 of router TTG1:
TTG1#ping
Protocol [ip]:
Target IP address: 13.1.0.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 11.1.0.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 13.1.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/40/44 ms
TTG1#
00:33:16: NAT: s=11.1.0.1->172.1.1.1, d=13.1.0.1 [210]
00:33:16: NAT*: s=13.1.0.1, d=172.1.1.1->11.1.0.1 [210]
00:33:16: NAT: s=11.1.0.1->172.1.1.1, d=13.1.0.1 [211]
00:33:16: NAT*: s=13.1.0.1, d=172.1.1.1->11.1.0.1 [211]
00:33:16: NAT: s=11.1.0.1->172.1.1.1, d=13.1.0.1 [212]
00:33:16: NAT*: s=13.1.0.1, d=172.1.1.1->11.1.0.1 [212]
00:33:17: NAT: s=11.1.0.1->172.1.1.1, d=13.1.0.1 [213]
00:33:17: NAT*: s=13.1.0.1, d=172.1.1.1->11.1.0.1 [213]
00:33:17: NAT: s=11.1.0.1->172.1.1.1, d=13.1.0.1 [214]
00:33:17: NAT*: s=13.1.0.1, d=172.1.1.1->11.1.0.1 [214]
TTG1#show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 172.1.1.1:6407    11.1.0.1:6407      13.1.0.1:6407      13.1.0.1:6407
icmp 172.1.1.1:6408    11.1.0.1:6408      13.1.0.1:6408      13.1.0.1:6408
icmp 172.1.1.1:6409    11.1.0.1:6409      13.1.0.1:6409      13.1.0.1:6409
icmp 172.1.1.1:6410    11.1.0.1:6410      13.1.0.1:6410      13.1.0.1:6410
icmp 172.1.1.1:6411    11.1.0.1:6411      13.1.0.1:6411      13.1.0.1:6411

TTG1#ping
Protocol [ip]:
Target IP address: 13.1.0.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 12.1.0.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 13.1.0.1, timeout is 2 seconds:
..
Success rate is 0 percent (0/5)
- For 12.1.0.1 we cannot ping out, because the network 12.1.0.0/16 is denied by access list 1.
- From router TTG2, we now ping down to the loopbacks of router TTG1:
TTG2#ping 10.1.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
TTG2#ping 11.1.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.1.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
TTG2#ping 12.1.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
- Observation: none of the pings succeed. The reason is that router TTG2 has no route to the loopbacks of router TTG1. In practice the result is the same, because the ISP only routes down to the address the user registered, while the user's internal network addresses are not routed by the ISP.