1. NAT
강사 김성훈

2. Scaling the Network with NAT and PAT
Cisco 라우터에서의 NAT의 특징 및 작동법을 안다.
NAT를 구성할 수 있다.
NAT와 PAT의 구성을 검증할 수 있다.

3. Inside Outside Internet Network Address Translation NAT table 10.1.1.2
* Introducing NAT and PAT
Network Address Translation
Inside
Outside SA SA
Internet
NAT table
Inside Local IP
Inside Global
Address
IP Address
NAT의 사용
Global Unique IP address를 쓰지 않고 호스트들을 Internet 에 연결하는 경우에 사용될 수 있다.
새로운 ISP에 연결시 기존의 IP Address를 바꾸지 않기 위해서 사용될 수 있다.
중복되는 Address를 갖는 두 intranet을 연결 시에 사용될 수 있다.

4. Port Address Translation
My Network
Internet SA
:2031
PAT SA
Internet/Intranet SA
:1506 SA
NAT table
Inside Local IP
Inside Global
Address
IP Address
:2031
:2031
:1506
:1506
PAT의 사용
Private Network상의 호스트들이 Public Network상에서 통신할 수 있게 한다.
공인 IP address를 절약한다.
네트워크의 Local Node들이 외부 네트워크에 Access하는 경우, Source Address는 라우터에서 으로 Translation 된다.

5. Translating Inside Source Addresses
Outside 5 3 4 DA SA DA
Internet SA
Host B 1
Inside Interface
Outside Interface 2
NAT table
Inside Local IP
Inside Global
Address
IP Address

6. Configuring Static Translation
Router(config)#ip nat inside source static local-ip global-ip
inside local address를 inside global address로 Mapping한다.
Router(config-if)#ip nat inside
inside network에 연결된 Interface이다.
Router(config-if)#ip nat outside
outside에 network에 연결된 Interface이다.

7. Enabling Static NAT Address Mapping Example
Internet SA 5 s0 e0
Interface s0
Ip address
Ip nat outside !
Interface e0
Ip add
Ip nat inside
Ip nat inside source static

8. Configuring Dynamic Translation
Router(config)#ip nat pool name start-ip end-ip
{netmask netmask | prefix-length prefix-length}
할당할 global address의 pool을 지정한다.
Router(config)#access-list access-list-number permit
source [source-wildcard}
변환할 inside local address들의 standard IP access-list를 정의 한다.
Router(config)#ip nat inside source list
aceess-list-number pool name
전단계에서 정의한 access-list를 이용하여 Dynamic Source Translation을 설정한다.

9. Dynamic Address Translation Example
Ip nat pool Test_lab netmask
Ip nat inside source list 1 pool Test_lab !
Interface serial 0
ip address
ip nat outside
Interface ethernet 0
ip address
ip nat inside
Access-list 1 permit
Host C
Host A e0 s0
Host B
Host D

10. Overloading an Inside Global Address
Host B 5 3 4 DA SA DA
Internet
Internet SA 4 1 DA
Host B 2
NAT table
Inside Local IP
Inside Global IP
Outside Global
Protocol
Address: Port
Address: Port
IP Address: Port
TCP
:1723
:1723
:23
TCP
:1024
:1024
:23

11. Configuring Overloading
Router(config)#access-list access-list-number permit
source source-wildcard
변환할 inside local address들의 standard IP access-list를 정의 한다.
Router(config)#ip nat inside source list
access-list-number interface interface overload
전단계에서 정의한 access-list를 이용하여 Dynamic Source Translation을 설정한다.

12. Overloading an Inside Global Address Example e0 s0 5 e1
hostname NAT_Router !
interface ethernet 0
ip address
ip nat inside
interface ethernet 1
ip address
interface serial 0
description To ISP
ip address
ip nat outside
ip nat inside source list 1 interface serial 0 overload
ip route serial 0
access-list 1 permit
access-list 1 permit

13. Clearing the NAT Translation Table
* Verifying the NAT and PAT Configuration
Clearing the NAT Translation Table
Router#clear ip nat translation *
Clear all dynamic address translation entries
Router#clear ip nat translation inside global-ip
local-ip [outside local-ip global-ip]
Clears a simple dynamic translation entry containing an inside translation, or both inside and outside translation
Router#clear ip nat translation outside local-ip global-ip
clears a simple dynamic translation entry containing an outside translation
Router#clear ip nat translation protocol inside global-ip
global-port local-ip local-port [outside local-ip
local-port global-ip global-port]
Clears an extended dynamic translation entry

14. Displaying Information with show Commands
Router#show ip nat translations
Displays active translations
Router# show ip nat translations
Pro Inside global Inside local outside local outside global
Router#show ip nat statistics
Displays translation statistics
Router# show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic, 0 extendes)
Outside interfaces:
Ethernet0, Serial2.7
Inside interfaces:
Ethernet1
Hits: 5 Misses: 0 -

15. Sample Problem: Cannot Ping Remote Host
int e 0
ip address !
int s 0
ip address
router rip
network
network
Host A
Host B
/24 s0 e0 s0 e0
/24
/24
/24
ip nat pool test
ip nat inside source list 1 pool test !
int s0
ip address
ip nat inside
int e0
ip address
ip nat outside
router rip
network
network
access-list 1 permit

16. Solution: New Configuration
int e 0
ip address !
int s 0
ip address
router rip
network
network
Host A
Host B
/24 s0 e0 s0 e0
/24
/24
/24
ip nat pool test
ip nat inside source list 1 pool test !
int s0
ip address
ip nat outside
int e0
ip address
ip nat inside
int loopback 0
ip address
router rip
network
network
access-list 1 permit

17. Using the debug ip nat Command
* Troubleshooting the NAT and PAT Configuration
Using the debug ip nat Command
Router# debug ip nat
NAT: s= > , d= [0]
NAT: s= , d= > [0]
NAT: s= > , d= [1]
NAT: s= > , d= [2]
NAT: s= > , d= [3]
NAT*: s= , d= > [1]
NAT: s= , d= > [1]
NAT: s= > , d= [4]
NAT: s= > , d= [5]
NAT: s= > , d= [6]
NAT*: s= , d= > [2]
inside-to-outside address translation
reply packet의 NAT

18. Translation Not Installed in the Translation Table?
Configuration이 제대로 되었는가?
NAT 명령을 참조하는 엑세스 리스트가 모든 필요한 네트워크들을 허가(permit) 하였는가?
NAT pool에 충분한 주소들이 있는가?
라우터 인터페이스에 정확한 NAT inside 또는 NAT outside를 지정 하였는가?

19. LAB Test (1) Standard IP Access List LAB
E0:
E0:
S0:
S0:
Router_A
Router_B
Router_A(config)# access-list 1 deny
Router_A(config)# access-list 1 permit any
Router_A(config)# interface ethernet 0
Router_A(config-if)#ip access-group 1 out
Router_A(config-if)# exit
Router_A# sh running-configuration
Router_A# sh access-lists 1
Router_A# ping
Router_A# ping
Router_B(config)#access-list 10 deny
Router_B(config)#access-list 10 permit any
Router_B(config)#interface ethernet 0
Router_B(config-if)#ip access-group 10 out
Router_B(config-if)#exit
Router_B#sh running-configuration
Router_B#sh access-lists 10
Router_B#ping
Router_B#ping

20. LAB Test (2) Extended IP Access List LAB (1)
E0:
E0:
S0:
S0:
Router_A
Router_B
Router_A(config)# access-list 101 deny tcp
eq : FTP
eq : FTP data
Router_A(config)# access-list 101 permit ip any any
Router_A(config)# interface ethernet 0
Router_A(config-if)# ip access-group 101 out
Router_A(config-if)# exit
Router_A# sh running-configuration
Router_A# sh access-lists 101
Router_A#

21. LAB Test (2) Extended IP Access List LAB (2)
E0:
E0:
S0:
S0:
Router_A
Router_B
Router_B(config)# access-list 101 deny tcp
eq : FTP
eq : FTP data
Router_B(config)# access-list 101 permit ip any any
Router_B(config)# interface ethernet 0
Router_B(config-if)# ip access-group 101 out
Router_B(config-if)# exit
Router_B# sh running-configuration
Router_B# sh access-lists 101
Router_B#

22. LAB Test (3) Vty Access LAB
E0:
E0:
S0:
S0:
Router_A
Router_B
Router(config)# access-list 12 deny
Router(config)# access-list 12 permit
any
Router(config)# line vty 0 4
Router(config-line)# access-class 12 in
Router(config-line)# exit
Router# sh running-configuration
Router# sh access-lists 12
Router# telnet PC에서 telnet 실행
Router# ping
Router(config)# access-list 22 deny
Router(config)# access-list 22 permit any
Router(config)# line vty 0 4
Router(config-line)# access-class 22 in
Router(config-line)# exit
Router# sh running-configuration
Router# sh access-lists 22
Router# telnet PC에서 telnet 실행
Router# ping