IP NAT Stateful synchronizes the NAT tables between 2 routers.
- Inside Local = private IP of a host on the local network
- Inside Global = public IP used for NAT
- Outside Local = private IP of the destination
- Outside Global = public IP of the destination
Hosts BB1 and BB2 have their default route pointing to 10.10.0.254. They must use the pool 213.36.21.10 to 213.36.21.13 to reach the Internet.
Routers R4 and R5 share the virtual IP 10.10.0.254 via HSRP.
HSRP configuration
R4(config)#int fa0/0
R4(config-if)#standby 1 ip 10.10.0.254
R4(config-if)#standby 1 priority 120
R4(config-if)#standby 1 preempt
R4(config-if)#standby 1 name HSRP-1
R4(config-if)#standby 1 track fastEthernet 0/1 50
R5(config)#int fa0/0
R5(config-if)#standby 1 ip 10.10.0.254
R5(config-if)#standby 1 priority 110
R5(config-if)#standby 1 preempt
R5(config-if)#standby 1 name HSRP-1
R5(config-if)#standby 1 track fastEthernet 0/1 50
Verification:
R4#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP
Fa0/0       1   120  P Active   local           10.10.0.5       10.10.0.254
IP NAT Stateful configuration
1 - Enable "stateful" mode
- router R4 has ID 1 (router R5 will have ID 2)
- the stateful process refers to the HSRP instance named "HSRP-1"
- the stateful process has mapping ID 100 (common to both routers)
R4(config)#ip nat Stateful id 1
R4(config-ipnat-snat)#redundancy HSRP-1
R4(config-ipnat-snat-red)#mapping-id 100
R4(config-ipnat-snat-red)#exit
2 - Configure the pool of public IP addresses to use
R4(config)#ip nat pool MY-POOL 213.36.21.10 213.36.21.13 prefix-length 24
3 - Create an access list
R4(config)#access-list 1 permit 10.10.0.0 0.0.0.255
4 - Create a route-map
R4(config)#route-map MY-LAN permit 10
R4(config-route-map)#match ip address 1
5 - Enable NAT
R4(config)#int fa0/0
R4(config-if)#ip nat inside
R4(config)#int fa0/1
R4(config-if)#ip nat outside
R4(config)#ip nat inside source route-map MY-LAN pool MY-POOL mapping-id 100
Same configuration on router R5 (with ID 2):
R5(config)#ip nat Stateful id 2
R5(config-ipnat-snat)#redundancy HSRP-1
R5(config-ipnat-snat-red)#mapping-id 100
R5(config-ipnat-snat-red)#exit
R5(config)#ip nat pool MY-POOL 213.36.21.10 213.36.21.13 prefix-length 24
R5(config)#access-list 1 permit 10.10.0.0 0.0.0.255
R5(config)#route-map MY-LAN permit 10
R5(config-route-map)#match ip address 1
R5(config)#int fa0/0
R5(config-if)#ip nat inside
R5(config)#int fa0/1
R5(config-if)#ip nat outside
R5(config)#ip nat inside source route-map MY-LAN pool MY-POOL mapping-id 100
Verification:
BB1#ping 80.80.80.21
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 80.80.80.21, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/28 ms

R4#debug ip nat
IP NAT debugging is on
R4#
*Mar 12 16:13:19.983: NAT: s=10.10.0.101->213.36.21.10, d=80.80.80.21 [5]
*Mar 12 16:13:19.987: NAT*: s=80.80.80.21, d=213.36.21.10->10.10.0.101 [8405]
*Mar 12 16:13:20.011: NAT: s=10.10.0.101->213.36.21.10, d=80.80.80.21 [6]
*Mar 12 16:13:20.015: NAT*: s=80.80.80.21, d=213.36.21.10->10.10.0.101 [8406]
*Mar 12 16:13:20.023: NAT: s=10.10.0.101->213.36.21.10, d=80.80.80.21 [7]
*Mar 12 16:13:20.027: NAT*: s=80.80.80.21, d=213.36.21.10->10.10.0.101 [8407]
*Mar 12 16:13:20.035: NAT: s=10.10.0.101->213.36.21.10, d=80.80.80.21 [8]
*Mar 12 16:13:20.035: NAT*: s=80.80.80.21, d=213.36.21.10->10.10.0.101 [8408]
*Mar 12 16:13:20.043: NAT: s=10.10.0.101->213.36.21.10, d=80.80.80.21 [9]
*Mar 12 16:13:20.047: NAT*: s=80.80.80.21, d=213.36.21.10->10.10.0.101 [8409]

R4#show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 213.36.21.10:8906  10.10.0.101:8906   80.80.80.21:8906   80.80.80.21:8906
icmp 213.36.21.10:8907  10.10.0.101:8907   80.80.80.21:8907   80.80.80.21:8907
icmp 213.36.21.10:8908  10.10.0.101:8908   80.80.80.21:8908   80.80.80.21:8908
icmp 213.36.21.10:8909  10.10.0.101:8909   80.80.80.21:8909   80.80.80.21:8909
icmp 213.36.21.10:8910  10.10.0.101:8910   80.80.80.21:8910   80.80.80.21:8910

R5#show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 213.36.21.10:8906  10.10.0.101:8906   80.80.80.21:8906   80.80.80.21:8906
icmp 213.36.21.10:8907  10.10.0.101:8907   80.80.80.21:8907   80.80.80.21:8907
icmp 213.36.21.10:8908  10.10.0.101:8908   80.80.80.21:8908   80.80.80.21:8908
icmp 213.36.21.10:8909  10.10.0.101:8909   80.80.80.21:8909   80.80.80.21:8909
icmp 213.36.21.10:8910  10.10.0.101:8910   80.80.80.21:8910   80.80.80.21:8910

R4#show ip snat distributed
Stateful NAT Connected Peers
SNAT: Mode IP-REDUNDANCY :: ACTIVE
    : State READY
    : Local Address 10.10.0.4
    : Local NAT id 1
    : Peer Address 10.10.0.5
    : Peer NAT id 2
    : Mapping List 100

R5#show ip snat distributed
Stateful NAT Connected Peers
SNAT: Mode IP-REDUNDANCY :: STANDBY
    : State READY
    : Local Address 10.10.0.5
    : Local NAT id 2
    : Peer Address 10.10.0.4
    : Peer NAT id 1
    : Mapping List 100
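
The verification above can be automated. The following is an added example, not part of the original page: it parses `show ip nat translations` and `show ip snat distributed` captured from both routers and reports a peer that is not READY, mismatched ids, or translations present on only one router. The sample captures are constructed from the outputs above (R5 deliberately lacks one entry), and the function names are hypothetical.

```python
import re

# Constructed captures modelled on the outputs above; R5 lacks one entry.
R4_NAT = """Pro Inside global Inside local Outside local Outside global
icmp 213.36.21.10:8906 10.10.0.101:8906 80.80.80.21:8906 80.80.80.21:8906
icmp 213.36.21.10:8907 10.10.0.101:8907 80.80.80.21:8907 80.80.80.21:8907"""
R5_NAT = """Pro Inside global Inside local Outside local Outside global
icmp 213.36.21.10:8906 10.10.0.101:8906 80.80.80.21:8906 80.80.80.21:8906"""
R4_SNAT = ("SNAT: Mode IP-REDUNDANCY :: ACTIVE : State READY : Local NAT id 1 "
           ": Peer NAT id 2 : Mapping List 100")
R5_SNAT = ("SNAT: Mode IP-REDUNDANCY :: STANDBY : State READY : Local NAT id 2 "
           ": Peer NAT id 1 : Mapping List 100")
FIELDS = {"role": r"IP-REDUNDANCY\s*::\s*(\w+)", "state": r"State\s+(\w+)",
          "local_id": r"Local NAT id\s+(\d+)", "peer_id": r"Peer NAT id\s+(\d+)",
          "mapping": r"Mapping List\s+(\d+)"}

def parse_translations(text):
    """Set of 5-field rows (Pro, inside global/local, outside local/global)."""
    rows = (line.split() for line in text.splitlines())
    return {tuple(f) for f in rows if len(f) == 5}  # header line has 9 tokens

def parse_snat(text):
    """Role, state, NAT ids and mapping list from 'show ip snat distributed'."""
    return {k: (m.group(1) if (m := re.search(p, text)) else None)
            for k, p in FIELDS.items()}

def check_pair(nat_a, nat_b, snat_a, snat_b):
    """Return findings; an empty list means the pair looks synchronized."""
    a, b = parse_snat(snat_a), parse_snat(snat_b)
    findings = []
    if {a["role"], b["role"]} != {"ACTIVE", "STANDBY"}:
        findings.append("expected one ACTIVE and one STANDBY peer")
    if a["state"] != "READY" or b["state"] != "READY":
        findings.append("a peer is not in State READY")
    if a["mapping"] is None or a["mapping"] != b["mapping"]:
        findings.append("mapping lists missing or different")
    if (a["local_id"], a["peer_id"]) != (b["peer_id"], b["local_id"]):
        findings.append("NAT ids are not mirrored between the peers")
    ta, tb = parse_translations(nat_a), parse_translations(nat_b)
    for row in sorted(ta ^ tb):  # entries present on only one router
        absent = "second" if row in ta else "first"
        findings.append(f"{row[0]} {row[2]} -> {row[1]} absent on {absent} router")
    return findings

if __name__ == "__main__":
    for finding in check_pair(R4_NAT, R5_NAT, R4_SNAT, R5_SNAT):
        print(finding)
```

Capture both tables at the same moment: short-lived entries can expire between two captures and show up as a difference.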