Static NAT is a bidirectional one-to-one NAT
- Inside Local = private IP of a host on the local network
- Inside Global = public IP used for the NAT
- Outside Local = private IP of the destination
- Outside Global = public IP of the destination
Configuration
The private IP 10.10.0.101 is translated to the public IP 150.100.30.3 by R6
R6(config)#int fa0/0
R6(config-if)#ip nat inside
R6(config-if)#int fa0/1
R6(config-if)#ip nat outside
R6(config)#ip nat inside source static 10.10.0.101 150.100.30.3
Verification:
BB1#ping 80.80.80.21
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 80.80.80.21, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
On the Linux server:
root@LINUX:~# tcpdump -ni eth1 icmp
09:25:15.081447 IP 150.100.30.3 > 80.80.80.21: ICMP echo request, id 9772, seq 8801, length 80
09:25:15.081465 IP 80.80.80.21 > 150.100.30.3: ICMP echo reply, id 9772, seq 8801, length 80
On router R6:
R6#debug ip nat
IP NAT debugging is on
*Mar 3 14:06:33.461: NAT*: s=10.10.0.101->150.100.30.3, d=80.80.80.21 [1042]
*Mar 3 14:06:33.465: NAT*: s=80.80.80.21, d=150.100.30.3->10.10.0.101 [6901]
R6#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 150.100.30.3:2827 10.10.0.101:2827 80.80.80.21:2827 80.80.80.21:2827
--- 150.100.30.3 10.10.0.101 --- ---
Static NAT configuration using the IP of R6's public interface
R6(config)#ip nat inside source static 10.10.0.101 interface fa0/1
Verification:
R6#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 150.100.30.2:6697 10.10.0.101:6697 80.80.80.21:6697 80.80.80.21:6697
--- 150.100.30.2 10.10.0.101 --- ---
R6#debug ip nat
IP NAT debugging is on
R6#
*Mar 3 14:28:01.105: NAT*: s=10.10.0.101->150.100.30.2, d=80.80.80.21 [1053]
*Mar 3 14:28:01.109: NAT*: s=80.80.80.21, d=150.100.30.2->10.10.0.101 [60880]
PAR (Port Address Redirect) configuration
Example: port 123 of interface fa0/1 is redirected to port 23 of IP 10.10.0.101
R6(config)#ip nat inside source static tcp 10.10.0.101 23 interface fastEthernet 0/1 123
Verification:
R6#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 150.100.30.2:123 10.10.0.101:23 80.80.80.21:54547 80.80.80.21:54547
tcp 150.100.30.2:123 10.10.0.101:23 --- ---
Static NAT configuration for the whole private network
Each IP in 10.10.0.0 /24 is translated to its corresponding IP in 150.100.30.0 /24
R6(config)#ip nat inside source static network 10.10.0.0 150.100.30.0 /24
Verification:
R6#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 150.100.30.101:1538 10.10.0.101:1538 80.80.80.21:1538 80.80.80.21:1538
icmp 150.100.30.101:1539 10.10.0.101:1539 80.80.80.21:1539 80.80.80.21:1539
icmp 150.100.30.101:1540 10.10.0.101:1540 80.80.80.21:1540 80.80.80.21:1540
icmp 150.100.30.101:1541 10.10.0.101:1541 80.80.80.21:1541 80.80.80.21:1541
icmp 150.100.30.101:1542 10.10.0.101:1542 80.80.80.21:1542 80.80.80.21:1542
--- 150.100.30.101 10.10.0.101 --- ---
icmp 150.100.30.102:931 10.10.0.102:931 80.80.80.21:931 80.80.80.21:931
icmp 150.100.30.102:932 10.10.0.102:932 80.80.80.21:932 80.80.80.21:932
icmp 150.100.30.102:933 10.10.0.102:933 80.80.80.21:933 80.80.80.21:933
icmp 150.100.30.102:934 10.10.0.102:934 80.80.80.21:934 80.80.80.21:934
icmp 150.100.30.102:935 10.10.0.102:935 80.80.80.21:935 80.80.80.21:935
--- 150.100.30.102 10.10.0.102 --- ---
--- 150.100.30.0 10.10.0.0 --- ---
R6#debug ip nat
IP NAT debugging is on
R6#
*Mar 3 14:47:26.989: NAT*: s=10.10.0.101->150.100.30.101, d=80.80.80.21 [1932]
*Mar 3 14:47:26.993: NAT*: s=80.80.80.21, d=150.100.30.101->10.10.0.101 [17005]
*Mar 3 14:47:34.225: NAT*: s=10.10.0.102->150.100.30.102, d=80.80.80.21 [3198]
*Mar 3 14:47:34.225: NAT*: s=80.80.80.21, d=150.100.30.102->10.10.0.102 [54988]
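The network rule keeps the host part of each address and swaps only the prefix, so every rewrite in the debug output can be checked against the rule. The following Python check is an added example, not part of the original page; the names LOCAL_NET, GLOBAL_NET, expected_global and check_debug are hypothetical, and the last sample log line is invented to show a mismatch.

```python
import ipaddress
import re

# Rule from the page: ip nat inside source static network 10.10.0.0 150.100.30.0 /24
LOCAL_NET = ipaddress.ip_network("10.10.0.0/24")
GLOBAL_NET = ipaddress.ip_network("150.100.30.0/24")

# Constructed sample: the first three lines come from the debug output above,
# the last line is invented and does not follow the rule.
DEBUG_LOG = """\
*Mar 3 14:47:26.989: NAT*: s=10.10.0.101->150.100.30.101, d=80.80.80.21 [1932]
*Mar 3 14:47:26.993: NAT*: s=80.80.80.21, d=150.100.30.101->10.10.0.101 [17005]
*Mar 3 14:47:34.225: NAT*: s=10.10.0.102->150.100.30.102, d=80.80.80.21 [3198]
*Mar 3 14:47:40.001: NAT*: s=10.10.0.103->150.100.30.2, d=80.80.80.21 [4000]
"""

# Matches only the rewritten field of a debug line, e.g. "s=A->B" or "d=A->B".
REWRITE = re.compile(r"\b([sd])=(\d+\.\d+\.\d+\.\d+)->(\d+\.\d+\.\d+\.\d+)")

def expected_global(local_ip):
    """Return the inside global address for local_ip, or None if the rule does not cover it."""
    addr = ipaddress.ip_address(local_ip)
    if addr not in LOCAL_NET:
        return None
    offset = int(addr) - int(LOCAL_NET.network_address)  # host bits are preserved
    return GLOBAL_NET.network_address + offset

def check_debug(log_text):
    """Return (local, seen_global, expected_global) for each rewrite that breaks the rule."""
    mismatches = []
    for m in REWRITE.finditer(log_text):
        side, before, after = m.groups()
        # s= rewrites go local->global (outbound); d= rewrites go global->local (return).
        local, seen = (before, after) if side == "s" else (after, before)
        want = expected_global(local)
        if want is not None and seen != str(want):
            mismatches.append((local, seen, str(want)))
    return mismatches

if __name__ == "__main__":
    for local, seen, want in check_debug(DEBUG_LOG):
        print(f"{local}: translated to {seen}, rule predicts {want}")
```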
Configuring 2 NATs for a single IP
R6(config)#no ip nat inside source static network 10.10.0.0 150.100.30.0 /24
The private IP 10.10.0.101 is translated by R6 to the public IP 150.100.30.10 or 213.40.21.10, depending on which Internet provider is used
R6(config)#int fa0/0
R6(config-if)#ip nat inside
R6(config)#in fa0/1
R6(config-if)#ip nat outside
R6(config)#in s0/0.601
R6(config-subif)#ip nat outside
R6(config)#ip nat inside source static 10.10.0.101 213.40.21.10 extendable
R6(config)#ip nat inside source static 10.10.0.101 150.100.30.10 extendable
Verification:
R6#show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 213.40.21.10 10.10.0.101 --- ---
--- 150.100.30.10 10.10.0.101 --- ---
The IP 10.10.0.101 can be reached through these 2 public IP addresses:
root@LINUX:~# ping 213.40.21.10
PING 213.40.21.10 (213.40.21.10) 56(84) bytes of data.
64 bytes from 213.40.21.10: icmp_req=1 ttl=252 time=52.5 ms
64 bytes from 213.40.21.10: icmp_req=2 ttl=252 time=52.3 ms
root@LINUX:~# ping 150.100.30.10
PING 150.100.30.10 (150.100.30.10) 56(84) bytes of data.
64 bytes from 150.100.30.10: icmp_req=1 ttl=252 time=28.8 ms
64 bytes from 150.100.30.10: icmp_req=2 ttl=252 time=28.8 ms
root@LINUX:~# telnet 150.100.30.10
Trying 150.100.30.10...
Connected to 150.100.30.10.
Escape character is '^]'.
User Access Verification
Password:
root@LINUX:~# telnet 213.40.21.10
Trying 213.40.21.10...
Connected to 213.40.21.10.
Escape character is '^]'.
User Access Verification
Password:
R6#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 150.100.30.10:23 10.10.0.101:23 80.80.80.21:49257 80.80.80.21:49257
tcp 213.40.21.10:23 10.10.0.101:23 80.80.80.21:52115 80.80.80.21:52115
icmp 150.100.30.10:4694 10.10.0.101:4694 80.80.80.21:4694 80.80.80.21:4694
icmp 213.40.21.10:4695 10.10.0.101:4695 80.80.80.21:4695 80.80.80.21:4695
--- 213.40.21.10 10.10.0.101 --- ---
--- 150.100.30.10 10.10.0.101 --- ---
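Because static NAT is bidirectional, every standing entry in the table is an inbound path to an inside host: a 1:1 entry forwards all ports (the telnet test above reaches 10.10.0.101 through both public addresses), while a PAR entry forwards a single port. The following Python audit of "show ip nat translations" output is an added example, not part of the original page; the function names are hypothetical, and it assumes only static rules are configured, as on this page, since dynamic pool entries also show "---" in the outside columns.

```python
from collections import defaultdict

# Constructed sample: rows taken from several "show ip nat translations" outputs on this page.
SAMPLE = """\
Pro Inside global Inside local Outside local Outside global
tcp 150.100.30.2:123 10.10.0.101:23 80.80.80.21:54547 80.80.80.21:54547
tcp 150.100.30.2:123 10.10.0.101:23 --- ---
icmp 150.100.30.10:4694 10.10.0.101:4694 80.80.80.21:4694 80.80.80.21:4694
--- 213.40.21.10 10.10.0.101 --- ---
--- 150.100.30.10 10.10.0.101 --- ---
"""

def split_endpoint(field):
    """Split 'a.b.c.d:port' into (ip, port); port is None when the field has no port."""
    ip, _, port = field.partition(":")
    return ip, int(port) if port else None

def audit_static_nat(table_text):
    """Map each inside local IP to its standing entries (both outside columns '---')."""
    exposures = defaultdict(list)
    for line in table_text.splitlines():
        cols = line.split()
        if len(cols) != 5:
            continue  # header (9 words) or blank line
        proto, in_global, in_local, out_local, out_global = cols
        if (out_local, out_global) != ("---", "---"):
            continue  # session created by traffic, not a standing rule
        g_ip, g_port = split_endpoint(in_global)
        l_ip, l_port = split_endpoint(in_local)
        if proto == "---":  # 1:1 entry: every protocol and port is forwarded
            entry = {"public": g_ip, "scope": "all"}
        else:  # port redirect: one protocol/port pair only
            entry = {"public": f"{g_ip}:{g_port}", "scope": f"{proto}/{l_port}"}
        exposures[l_ip].append(entry)
    return dict(exposures)

def fully_exposed(exposures):
    """Inside hosts reachable on every port through at least one public address."""
    return sorted(ip for ip, entries in exposures.items()
                  if any(e["scope"] == "all" for e in entries))

if __name__ == "__main__":
    report = audit_static_nat(SAMPLE)
    for host, entries in report.items():
        for e in entries:
            print(f"{host} <- {e['public']} (scope: {e['scope']})")
    print("fully exposed:", fully_exposed(report))
```

Hosts listed as fully exposed are the ones where an inbound access list on the outside interface, or a port-specific static entry, is worth reviewing.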