Dynamic NAT lets an entire private network (or just a few IPs) be translated to a single public IP or to a pool of public IPs
- Inside Local = private IP of a host on the local network
- Inside Global = public IP used for the NAT
- Outside Local = private IP of the destination
- Outside Global = public IP of the destination
Simple configuration
The IPs matched by the access list are translated to the IP of the egress interface
R6(config)#int fa0/0
R6(config-if)#ip nat inside
R6(config)#int fa0/1
R6(config-if)#ip nat outside
R6(config)#access-list 1 permit host 10.10.0.101
R6(config)#access-list 1 permit host 10.10.0.102
R6(config)#ip nat inside source list 1 interface f0/1
In this case the "overload" argument is added automatically. It enables PAT (Port Address Translation)
R6#show run | inc nat inside source
ip nat inside source list 1 interface FastEthernet0/1 overload
Verification:
R6#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 150.100.30.2:11000 10.10.0.101:11000 80.80.80.21:22 80.80.80.21:22
tcp 150.100.30.2:1024 10.10.0.102:11000 80.80.80.21:22 80.80.80.21:22
Using a pool
R6(config)#int fa0/0
R6(config-if)#ip nat inside
R6(config)#int fa0/1
R6(config-if)#ip nat outside
R6(config)#access-list 1 permit host 10.10.0.101
R6(config)#access-list 1 permit host 10.10.0.102
R6(config)#ip nat pool TEST 150.100.30.90 150.100.30.110 prefix-length 24
R6(config)#ip nat inside source list 1 pool TEST
WARNING: when a pool is used, the "overload" argument is not added automatically, so PAT is not enabled:
R6#show run | inc nat
ip nat pool TEST 150.100.30.10 150.100.30.20 prefix-length 24
ip nat inside source list 1 pool TEST
Verification:
R6#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 150.100.30.90:6550 10.10.0.101:6550 80.80.80.21:6550 80.80.80.21:6550
icmp 150.100.30.90:6551 10.10.0.101:6551 80.80.80.21:6551 80.80.80.21:6551
icmp 150.100.30.90:6552 10.10.0.101:6552 80.80.80.21:6552 80.80.80.21:6552
icmp 150.100.30.90:6553 10.10.0.101:6553 80.80.80.21:6553 80.80.80.21:6553
icmp 150.100.30.90:6554 10.10.0.101:6554 80.80.80.21:6554 80.80.80.21:6554
icmp 150.100.30.91:7923 10.10.0.102:7923 80.80.80.21:7923 80.80.80.21:7923
icmp 150.100.30.91:7924 10.10.0.102:7924 80.80.80.21:7924 80.80.80.21:7924
icmp 150.100.30.91:7925 10.10.0.102:7925 80.80.80.21:7925 80.80.80.21:7925
icmp 150.100.30.91:7926 10.10.0.102:7926 80.80.80.21:7926 80.80.80.21:7926
icmp 150.100.30.91:7927 10.10.0.102:7927 80.80.80.21:7927 80.80.80.21:7927
"match-host" configuration
A pool of type "match-host" maps each private IP to the public IP of the pool that has the same host part
R6(config)#ip nat pool TEST 150.100.30.90 150.100.30.110 prefix-length 24 type match-host
R6(config)#ip nat inside source list 1 pool TEST
Verification:
R6#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 150.100.30.101:470 10.10.0.101:470 80.80.80.21:470 80.80.80.21:470
icmp 150.100.30.101:471 10.10.0.101:471 80.80.80.21:471 80.80.80.21:471
icmp 150.100.30.101:472 10.10.0.101:472 80.80.80.21:472 80.80.80.21:472
icmp 150.100.30.101:473 10.10.0.101:473 80.80.80.21:473 80.80.80.21:473
icmp 150.100.30.101:474 10.10.0.101:474 80.80.80.21:474 80.80.80.21:474
--- 150.100.30.101 10.10.0.101 --- ---
icmp 150.100.30.102:5406 10.10.0.102:5406 80.80.80.21:5406 80.80.80.21:5406
icmp 150.100.30.102:5407 10.10.0.102:5407 80.80.80.21:5407 80.80.80.21:5407
icmp 150.100.30.102:5408 10.10.0.102:5408 80.80.80.21:5408 80.80.80.21:5408
icmp 150.100.30.102:5409 10.10.0.102:5409 80.80.80.21:5409 80.80.80.21:5409
icmp 150.100.30.102:5410 10.10.0.102:5410 80.80.80.21:5410 80.80.80.21:5410
--- 150.100.30.102 10.10.0.102 --- ---
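The difference between the three translation tables above (PAT on the interface, a pool without overload, and a match-host pool) can be checked mechanically. The following parser, added here as an example and not part of the original page, reads "show ip nat translations" output (the sample lines are constructed from the outputs shown above) and reports whether PAT is in effect and whether a match-host pool preserved the host part of the address:

```python
import ipaddress
from collections import defaultdict

# Constructed samples modelled on the page's "show ip nat translations" outputs.
SAMPLE_PAT = """\
Pro Inside global Inside local Outside local Outside global
tcp 150.100.30.2:11000 10.10.0.101:11000 80.80.80.21:22 80.80.80.21:22
tcp 150.100.30.2:1024 10.10.0.102:11000 80.80.80.21:22 80.80.80.21:22
"""
SAMPLE_MATCH_HOST = """\
Pro Inside global Inside local Outside local Outside global
icmp 150.100.30.101:470 10.10.0.101:470 80.80.80.21:470 80.80.80.21:470
--- 150.100.30.101 10.10.0.101 --- ---
icmp 150.100.30.102:5406 10.10.0.102:5406 80.80.80.21:5406 80.80.80.21:5406
--- 150.100.30.102 10.10.0.102 --- ---
"""

def split_addr(token):
    """'a.b.c.d:port' -> (ip, port); bare ip -> (ip, None); '---' -> (None, None)."""
    if token == "---":
        return None, None
    ip, _, port = token.partition(":")
    return ip, (int(port) if port else None)

def parse_translations(text):
    """Return one dict per translation row; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) != 5:
            continue
        pro, ig, il, ol, og = parts
        rows.append({"proto": pro, "inside_global": split_addr(ig),
                     "inside_local": split_addr(il), "outside": split_addr(og)})
    return rows

def is_pat(rows):
    """PAT is in effect if a port was rewritten or several inside locals share one inside global."""
    locals_per_global = defaultdict(set)
    for r in rows:
        (gip, gport), (lip, lport) = r["inside_global"], r["inside_local"]
        locals_per_global[gip].add(lip)
        if gport is not None and gport != lport:
            return True
    return any(len(v) > 1 for v in locals_per_global.values())

def matches_host(rows, pool_network):
    """match-host: inside global is in the pool and keeps the host bits of the inside local."""
    net = ipaddress.ip_network(pool_network)
    host_mask = (1 << (32 - net.prefixlen)) - 1
    for r in rows:
        g = ipaddress.ip_address(r["inside_global"][0])
        l = ipaddress.ip_address(r["inside_local"][0])
        if g not in net or (int(g) & host_mask) != (int(l) & host_mask):
            return False
    return True
```

With a pool and no overload, each inside local holds its own inside global, so a table where distinct globals never exceed the pool size and no port is rewritten is the signature of one-to-one dynamic NAT.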
Advanced Dynamic NAT configuration
Using 2 ISPs (2 pools)
- Access-list
- Route-map
R6(config)#int fa0/0
R6(config-if)#ip nat inside
R6(config)#int fa0/1
R6(config-if)#ip nat outside
R6(config)#int s0/0.601
R6(config-subif)#ip nat outside
Pool configuration
R6(config)#ip nat pool ISP-1 150.100.30.10 150.100.30.20 prefix-length 24
R6(config)#ip nat pool ISP-2 213.40.21.10 213.40.21.20 prefix-length 24
The access-lists
R6(config)#ip access-list extended HOST-1
R6(config-ext-nacl)#permit ip host 10.10.0.101 any
R6(config)#ip access-list extended HOST-2
R6(config-ext-nacl)#permit ip host 10.10.0.102 any
The route-maps (using the access-lists)
R6(config)#route-map ISP1 permit 10
R6(config-route-map)#match ip address HOST-1
R6(config)#route-map ISP2 permit 10
R6(config-route-map)#match ip address HOST-2
The NAT (using the route-maps and the pools)
R6(config)#ip nat inside source route-map ISP1 pool ISP-1
R6(config)#ip nat inside source route-map ISP2 pool ISP-2
Verification:
R6#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 150.100.30.10:2486 10.10.0.101:2486 80.80.80.21:2486 80.80.80.21:2486
icmp 150.100.30.10:2487 10.10.0.101:2487 80.80.80.21:2487 80.80.80.21:2487
icmp 150.100.30.10:2488 10.10.0.101:2488 80.80.80.21:2488 80.80.80.21:2488
icmp 150.100.30.10:2489 10.10.0.101:2489 80.80.80.21:2489 80.80.80.21:2489
icmp 150.100.30.10:2490 10.10.0.101:2490 80.80.80.21:2490 80.80.80.21:2490
icmp 213.40.21.10:9324 10.10.0.102:9324 80.80.80.21:9324 80.80.80.21:9324
icmp 213.40.21.10:9325 10.10.0.102:9325 80.80.80.21:9325 80.80.80.21:9325
icmp 213.40.21.10:9326 10.10.0.102:9326 80.80.80.21:9326 80.80.80.21:9326
icmp 213.40.21.10:9327 10.10.0.102:9327 80.80.80.21:9327 80.80.80.21:9327
icmp 213.40.21.10:9328 10.10.0.102:9328 80.80.80.21:9328 80.80.80.21:9328
R6#debug ip nat
IP NAT debugging is on
*Mar 3 19:22:13.887: NAT*: s=10.10.0.101->150.100.30.10, d=80.80.80.21 [50]
*Mar 3 19:22:13.891: NAT*: s=80.80.80.21, d=150.100.30.10->10.10.0.101 [22181]
*Mar 3 19:22:30.339: NAT*: s=10.10.0.102->213.40.21.10, d=80.80.80.21 [75]
*Mar 3 19:22:30.371: NAT*: s=80.80.80.21, d=213.40.21.10->10.10.0.102 [33775]