The router fills its NAT table dynamically, unlike static NAT where the translations are entered and recorded in advance. II. Network configuration. To set up
NAT Overload (PAT): translates several (local) IP addresses into the router's own address (the most common configuration). CISCO:
Rh1(config)# int fa0/1 (external interface)
Rh1(config-if)# ip nat outside
Rh1(config)# int fa0/0 (internal interface)
Rh1(config-if)# ip nat inside
Creation of an ACL listing the IP addresses that will be allowed to use NAT
Both NAT44 (static, dynamic, and PAT) and stateful NAT46 configurations are not supported on the same interface. High-speed Logging (HSL) is not supported. Several IPv4 stateful features (PBR, ZBFW, WAAS, WCCP, NBAR, and so on) do not work after conversion to IPv6 packets, and are not supported.
Given the limited number of routable IPv4 addresses, techniques such as NAT and PAT are used to make the best use of this scarce resource of the networking world. This document is concerned with how to configure a router so that it can perform NAT and PAT. Objectives. Target audience: know how to configure NAT and PAT on a
To configure dynamic NAT on a Cisco router, you first need to create an access list identifying the group of private inside IPv4 addresses that are allowed to be translated. That can be done with a standard IP access list. Then you have to create a pool of public IP addresses (which your ISP (internet service provider) has allocated
Problem configuring a Cisco 887 VA router, VDSL, NAT, DSLAM - Forum - CISCO; 7 replies. Reply 1 / 7. Best answer. Taz666, 5 posts, registered Wednesday 1 December 2004, status Member, last seen 11 December 2004. 1 Dec. 2004 at 16:12: yes my freebox is only there as the modem, and otherwise the router is a 6104KP from
In ASA software version Cisco completely restructured the ASA NAT syntax. Quite a bit has already been written about these changes. However, since this is often a cause of confusion, I will try to explain the three most commonly used forms of NAT on an ASA: dynamic PAT, static NAT, and “NONAT”.

What is NAT?

NAT stands for Network Address Translation. It enables private IP networks that use unregistered IP addresses to connect to the Internet. NAT operates on a router, usually connecting two networks together, and translates the private (not globally unique) addresses in the internal network into legal addresses before packets are forwarded to another network. As part of this capability, NAT can be configured to advertise only one address for the entire network to the outside world. This provides additional security by effectively hiding the entire internal network behind that address. NAT offers the dual functions of security and address conservation and is typically implemented in remote-access environments.

How does NAT work?

Basically, NAT allows a single device, such as a router, to act as an agent between the Internet (or public network) and a local (private) network, which means that only a single unique IP address is required to represent an entire group of computers to anything outside their network.

Real IP: the actual IP address of the device generating the traffic.
Mapped IP: the IP address the router/firewall translates the real IP address to.

NAT is most often used to translate private RFC 1918 IP addresses to publicly routable IP addresses.

NAT types – there are three types of NAT:

Static NAT – a single private IP address is mapped to a single public IP address; the private address is translated to the public address. It is used in web hosting.

Dynamic NAT – multiple private IP addresses are mapped to a pool of public IP addresses.
It is used when we know the fixed number of users that want to access the Internet at a given point in time.

Port Address Translation (PAT) – also known as NAT overload. Many local private IP addresses are translated to a single public IP address. Port numbers are used to distinguish which traffic belongs to which IP address. This is the most frequently used form because it is cost effective: thousands of users can be connected to the Internet using only one real, globally routable public IP address.

NAT uses in ASA

1. Static NAT – one to one

Static NAT translates a single real IP to a single mapped IP. This is commonly used to NAT a device on the inside or DMZ of an ASA to a static IP on the subnet of the outside interface.

Configuration (older syntax):
asa01(config)# static (inside,outside) netmask

Configuration (newer syntax):
object network inside-host
 host
 nat (inside,outside) static

Both of the above say the following: traffic received on the inside interface from the real address is translated to the mapped address on the outside interface, and vice versa.

In earlier versions, the syntax is static (inside,outside) [outside ip] [inside ip] netmask [netmask]. I find this syntax counter-intuitive, because it reads inside,outside and then outside, inside. I am not aware of any logical reason for this. I find the newer syntax easier to read; however, it dramatically increases the number of lines per NAT statement. As with the PAT example, if you look at the show run output you will see the object listed twice: once to define the host and once to define the static NAT. Therefore, what took a single line in the old syntax now takes four lines in the new one.

Both configuration examples so far have used network object NAT. Object NAT is easy to use but somewhat limited, and only takes the source address into account. If we need more control over our NAT statements, we can use twice NAT, which I will cover in greater detail in a future post.

2. Dynamic PAT – many-to-one

PAT stands for port address translation. It is many-to-one NAT translation.
This is what some vendors simply refer to as NAT. It is more accurately called PAT because, in order to translate many IPs to one IP, randomly selected ephemeral ports must be used on the mapped IP address. When return traffic is received, the ASA must check the xlate table (the NAT translation table) in order to determine where to send the return traffic. Here is the xlate table from the example ping above:

asa01# sh xlate
1 in use, 1 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
ICMP PAT from inside: to outside: flags ri idle 0:00:09 timeout 0:00:30

Configuration (older syntax):
asa01(config)# nat (inside) 1
asa01(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool

This configuration says: translate any traffic received on the inside interface from the inside subnet (NAT ID 1) to the corresponding global PAT pool. In this case, nat (inside) 1 corresponds to global (outside) 1, so anything from the inside subnet is translated to the outside interface IP. Return traffic is translated back to the real IP address by checking the xlate table for the matching translation. You could also use an IP address or a range of IP addresses in place of the word “interface” in the global statement. If you use a range of IP addresses in the global statement, you get many-to-many dynamic NAT instead of many-to-one dynamic PAT.

Configuration (newer syntax):
asa01(config)# object network inside-network
asa01(config-network-object)# subnet
asa01(config-network-object)# nat (inside,outside) dynamic interface

This configuration says: define a network object for the subnet; any traffic received on the inside interface that matches this network object is translated to the outside interface IP address. Return traffic is translated back to the real IP address by checking the xlate table for the matching translation.

Show run output:
asa01# sh run object
object network inside-network
 subnet
asa01# sh run nat
!
object network inside-network
 nat (inside,outside) dynamic interface

Notice that when we configure object NAT in the newer syntax we configure both the subnet and the NAT under the same network object; however, they appear separately in the show run output. As with the older configuration, we can also specify a single IP or a range of IPs for the translation.

3. No-NAT (NAT exemption and identity NAT)

There are circumstances where traffic is being translated on an ASA but we do not want it translated when it is destined to specific subnets. The most common example is VPN traffic: we want the source address of the VPN traffic to keep the real IP, not the mapped IP, for obvious reasons.

Configuration (older syntax):
access-list nonat extended permit ip
nat (inside) 0 access-list nonat

In earlier ASA versions this is called NAT exemption. It says: define an extended access list (here nonat) with the appropriate source and destination traffic; any traffic received on the inside interface that matches this access list uses NAT ID 0, and NAT ID 0 exempts the traffic from translation.

Configuration (newer syntax):
asa01(config)# object network inside-network
asa01(config-network-object)# subnet
asa01(config)# object network remote-network
asa01(config-network-object)# subnet
asa01(config)# nat (inside,outside) source static inside-network inside-network destination static remote-network remote-network

In the newer ASA versions, NAT exemption no longer exists. This can now only be accomplished with identity NAT. Identity NAT is a form of twice NAT, which lets us specify both source and destination in our NAT statements. In the configuration above, we define two network objects, inside-network and remote-network, and then configure an identity NAT statement that tells the ASA not to translate the traffic.
The structure of the identity NAT statement is as follows:

nat (real_interface,mapped_interface) source static real_object mapped_object destination static mapped_object real_object

So the example above says: for any traffic received on the inside interface from inside-network destined to remote-network, translate the source to inside-network and the destination to remote-network, i.e. don't NAT it. This is clearly less intuitive than the old syntax, but it is not that bad once you get used to it.
for multipoint; all links are in a single subnet. Rule:
Router(config)# interface type number
Router(config-if)# no shutdown
Router(config-if)# ip address mask
Router(config-if)# encapsulation frame-relay
Router(config-if)# frame-relay map ip ip dlci broadcast
Verification: Router# show frame-relay map
On the cloud: create the DLCIs on the interfaces, then on the Frame Relay button link the DLCIs together.
Example on Hub:
Hub(config)# interface serial 0/0
Hub(config-if)# no shutdown
Hub(config-if)# ip address
Hub(config-if)# encapsulation frame-relay
Hub(config-if)# frame-relay map ip 102 broadcast
Hub(config-if)# frame-relay map ip 103 broadcast
Hub(config-if)# exit
On Spoke1:
Spoke1(config)# interface serial 0/0
Spoke1(config-if)# no shutdown
Spoke1(config-if)# ip address
Spoke1(config-if)# encapsulation frame-relay
Spoke1(config-if)# frame-relay map ip 201 broadcast
Spoke1(config-if)# exit
On Spoke2:
Spoke2(config)# interface serial 0/0
Spoke2(config-if)# no shutdown
Spoke2(config-if)# ip address
Spoke2(config-if)# encapsulation frame-relay
Spoke2(config-if)# frame-relay map ip 301 broadcast
Spoke2(config-if)# exit
Configuring NAT on Cisco Routers Step-by-Step: PAT, Static NAT, Port Redirection

The depletion of the public IPv4 address space has forced the Internet community to think about alternative ways of addressing networked hosts. Network Address Translation (NAT) was therefore introduced to overcome the addressing problems that came with the rapid expansion of the Internet. Even though NAT was proposed as a temporary solution, it has been adopted by all network hardware manufacturers and is considered a very useful technology, not only for IP address conservation but also for many other purposes, including security.

Basically, NAT allows a single network device (a router, firewall, etc.) to act as an agent between a private local area network and a public network such as the Internet. The purpose of this NAT device is to translate the source IP addresses of the internal hosts into publicly routable IP addresses so that they can communicate with the Internet. Some of the advantages of using NAT in IP networks are the following:

NAT helps to mitigate the depletion of the global public IP address space: networks can use the RFC 1918 private address space internally and still reach the Internet through NAT.
NAT increases security by hiding the internal network topology and addressing scheme.

Cisco IOS routers support different types of NAT, as explained below. NAT has many forms and can work in several ways, but in this post I will explain the most important types. For the next two scenarios we will be using the following simple network (diagram).

1. Overloading or Port Address Translation (PAT)

This is the most frequently used form of NAT in IP networks. It uses the concept of “many-to-one” translation, where multiple connections from different internal hosts are “multiplexed” into a single registered public IP address using different source port numbers.
This type of NAT allows a maximum of 65,536 internal connections to be translated into a single public IP. It is very useful in situations where our ISP has assigned us only a single public IP address, as shown on the diagram below. All IP addresses of the LAN will be translated using the public IP of the router:

interface FastEthernet0/0
 ip address
 ip nat outside
!
interface FastEthernet0/1
 ip address
 ip nat inside
!
access-list 1 permit
ip nat inside source list 1 interface FastEthernet0/0 overload

2. Static Port Address Translation (Port Redirection)

Assume now that we have only one public IP address, the one configured on the outside interface of our border router. We want traffic hitting the router's public IP on port 80 to be redirected to our internal web server:

interface FastEthernet0/0
 ip address
 ip nat outside
!
interface FastEthernet0/1
 ip address
 ip nat inside
!
ip nat inside source static tcp 80 80

3. Configuring Static NAT

NAT can be performed both statically and dynamically. Static NAT simply maps one private IP address to a single public IP address, and this is the flavor of NAT discussed in this section. A Cisco router performing NAT divides its universe into the inside and the outside. Typically the inside is a private enterprise and the outside is the public Internet. In addition to inside and outside, a Cisco NAT router classifies addresses as either local or global. A local address is one seen by devices on the inside, and a global address is one seen by devices on the outside. Given these four terms, an address may be one of four types:

Inside local: addresses assigned to inside devices. These addresses are not advertised to the outside.
Inside global: addresses by which inside devices are known to the outside.
Outside local: addresses by which outside devices are known to the inside.
Outside global: addresses assigned to outside devices.
These addresses are not advertised to the inside.

Let's jump right into static NAT configuration on a Cisco router as shown in the figure below. R1 is the router performing NAT and has two interfaces: Fa0/0 on the inside and Fa0/1 on the outside. The specific IP addresses involved are listed in Table 1 (NAT addresses for the figure above), one row per address type: inside local, inside global, outside local, outside global.

You probably know very well how to configure IP addresses on router interfaces, so we skip those steps and move straight to the interesting part. First, we assign Fa0/0 as the NAT inside interface and Fa0/1 as the NAT outside interface on R1. This tells the router that interesting traffic entering or exiting these two interfaces is subject to address translation.

R1# conf term
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)# interface Fa0/0
R1(config-if)# ip nat inside
R1(config-if)# interface Fa0/1
R1(config-if)# ip nat outside
R1(config-if)# end

Now we tell the router how to perform the translation, i.e. which IP addresses (source or destination) to rewrite in packets moving between the inside and outside interfaces:

R1(config)# ip nat inside source static

Here we are telling the router to perform NAT on packets entering the router on the inside interface Fa0/0. More specifically, the router identifies which of these packets carry the inside local address as source and rewrites it to the inside global address before forwarding the packet out the outside interface Fa0/1. Similarly, return packets arriving on the outside interface Fa0/1 have their destination IP address translated back.

Let's now verify that NAT is actually working. There are a couple of very useful Cisco IOS commands for this. The command show ip nat statistics displays the number of static and dynamic translations, the inside and outside interfaces, and the number of hits and misses.
R1# show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces:
  FastEthernet0/1
Inside interfaces:
  FastEthernet0/0
Hits: 0  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
Appl doors: 0
Normal doors: 0
Queued Packets: 0

The command show ip nat translations displays the IP addresses for the NAT translations.

R1# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
---                                       ---                ---

As you see in the output above, we have one NAT entry configured, with the inside global and inside local addresses specified. The outside local and outside global columns are blank because our NAT configuration does not change those addresses. Let's now go to the PC and ping the server, then run the commands again to see if anything changes.

R1# show ip nat statistics
Total active translations: 2 (1 static, 1 dynamic; 1 extended)
Outside interfaces:
  FastEthernet0/1
Inside interfaces:
  FastEthernet0/0
Hits: 10  Misses: 0
CEF Translated packets: 10, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
Appl doors: 0
Normal doors: 0
Queued Packets: 0

R1# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp
---                                       ---                ---

As you can see in the output above, NAT is active, as shown by the additional dynamic entry for the ICMP protocol and the additional hits corresponding to our ping from the PC to the server. We just configured and verified a simple NAT scenario translating only the source or the destination IP address (not both at the same time) of packets moving between the inside and outside interfaces. This sort of configuration is called static NAT, as a single inside local IP address is statically mapped to a single outside local IP address. Another important feature of NAT is static Port Address Translation (PAT). Static PAT is designed to allow one-to-one mapping between local and global addresses.
A common use of static PAT is to allow Internet users on the public network to access a web server located in the private network. Let's assume we intend to host a web server on the inside, on the same PC. The following configuration line does just that:

R1(config)# ip nat inside source static tcp 80 80

This line performs the static address translation for the web server: users that try to reach the public address on port 80 (www) are automatically redirected to port 80 (www) on the PC, which is also the web server. The configuration can be verified with the same two commands, show ip nat translations and show ip nat statistics. Notice that the public address with port number 80 (HTTP) translates to the PC's port 80, and vice versa. Therefore, Internet users can browse the web server even though it sits on a private network with a private IP address.
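Both the ASA dynamic PAT discussion above (the xlate table consulted for return traffic) and the router overload section (many inside hosts multiplexed onto one public address by source port, up to 65,536 of them) describe the same mechanism. The following Python model of a PAT translation table is an added example written for this page; it is not code from either article or from Cisco. It keeps the host's own source port when that port is free and otherwise allocates one from the configured range, looks return packets up by the allocated port, drops packets that match no entry, and raises an error when the port range is exhausted. The addresses in demo() are constructed from the RFC 1918 and documentation ranges, and the one-global-port-per-protocol rule is a simplification (real IOS entries are keyed on the full flow, so a global port can be reused towards different destinations).

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Xlate:
    """One row of the translation table (one 'extended' entry)."""
    proto: str
    inside_local: str
    inside_local_port: int
    inside_global: str
    inside_global_port: int
    outside_global: str
    outside_global_port: int
    hits: int = 0


class PatTable:
    """Many-to-one translation: every inside host is rewritten to a single
    inside-global address and told apart by the port the router assigns.
    Simplification: one global port per protocol, regardless of destination."""

    def __init__(self, inside_global: str, port_range: Tuple[int, int] = (1024, 65535)):
        self.inside_global = inside_global
        self.low, self.high = port_range
        self.by_flow: Dict[Tuple[str, str, int, str, int], Xlate] = {}
        self.by_global_port: Dict[Tuple[str, int], Xlate] = {}  # (proto, global port)

    def _pick_global_port(self, proto: str, wanted: int) -> int:
        # Keep the host's own source port when it is free and inside the range;
        # otherwise take the first free port in the configured range.
        if self.low <= wanted <= self.high and (proto, wanted) not in self.by_global_port:
            return wanted
        for port in range(self.low, self.high + 1):
            if (proto, port) not in self.by_global_port:
                return port
        raise RuntimeError("PAT pool exhausted: no free %s port on %s" % (proto, self.inside_global))

    def outbound(self, proto: str, src: str, sport: int, dst: str, dport: int) -> Tuple[str, int]:
        """Packet arriving on the inside interface: rewrite source address/port."""
        key = (proto, src, sport, dst, dport)
        x = self.by_flow.get(key)
        if x is None:  # first packet of the flow creates the xlate entry
            gport = self._pick_global_port(proto, sport)
            x = Xlate(proto, src, sport, self.inside_global, gport, dst, dport)
            self.by_flow[key] = x
            self.by_global_port[(proto, gport)] = x
        x.hits += 1
        return x.inside_global, x.inside_global_port

    def inbound(self, proto: str, src: str, sport: int, dst: str, dport: int) -> Optional[Tuple[str, int]]:
        """Packet arriving on the outside interface: look the xlate up by the
        allocated port and rewrite the destination back to the inside local
        address/port. Returns None (packet dropped) when no entry matches."""
        if dst != self.inside_global:
            return None
        x = self.by_global_port.get((proto, dport))
        if x is None or x.outside_global != src or x.outside_global_port != sport:
            return None  # unsolicited traffic: nothing in the table for it
        x.hits += 1
        return x.inside_local, x.inside_local_port

    def show(self) -> str:
        """Render the table roughly like 'show ip nat translations'."""
        lines = ["Pro Inside global          Inside local           Outside local          Outside global"]
        for x in self.by_flow.values():
            outside = "%s:%d" % (x.outside_global, x.outside_global_port)
            lines.append("%-3s %-22s %-22s %-22s %-22s" % (
                x.proto,
                "%s:%d" % (x.inside_global, x.inside_global_port),
                "%s:%d" % (x.inside_local, x.inside_local_port),
                outside,   # outside local: unchanged by this configuration
                outside))  # outside global
        return "\n".join(lines)


def demo() -> PatTable:
    """Constructed sample traffic: two LAN hosts (RFC 1918 addresses) reach one
    web server through a router whose outside address is 203.0.113.1
    (documentation range, not a real deployment)."""
    t = PatTable("203.0.113.1")
    t.outbound("tcp", "192.168.1.10", 40000, "198.51.100.10", 80)
    t.outbound("tcp", "192.168.1.11", 40000, "198.51.100.10", 80)  # same source port: collision
    return t


if __name__ == "__main__":
    print(demo().show())
```

The second host in demo() uses the same source port as the first, so the router has to assign it a different global port; a reply addressed to that port is routed back to the second host, while a reply to an unknown port finds no xlate entry and is dropped.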
Contents: I. Introduction; II. Network configuration; III. Router configuration; IV. NAT configuration; V. Testing NAT; VI. Over to you.

I. Introduction

NAT, or "Network Address Translation", is a good answer to the routing problems one runs into when linking a so-called "private" network (one we control) to a so-called "public" network whose configuration we cannot change. The purpose of NAT, when it runs on a router separating two such networks, is to make all requests from the private network (which we will call the LAN) appear as requests coming from that router rather than from a device behind it with a different addressing scheme. The problem NAT typically answers is the following (basic diagram of where NAT could intervene): the "private" network, in green, sits behind router R2, which we control. To reach the networks behind R1, we need a route saying to exit through R2's WAN interface. However, router R1 will not know how to send the packets back, because it has no route to our LAN. Often we can ping the external interface of the border router but not the interface connected to it. The diagram above illustrates the situation we are usually in when we have to set up NAT. The ping to router R1 fails while the ping to R2's external interface works because the reply packets from R1 do not take the right path: R1 does not know the private network and therefore has no route to send the packets back. The other function of NAT is to secure part of the network by hiding it from another part. This is useful in terms of security when a private network is adjacent to a public network and the local network can be seen from the public network.
More concretely, router R2 rewrites every IP packet coming from the LAN, putting its own WAN address as the source IP. This avoids disclosing LAN addresses to other devices on the network and also ensures that replies come back, since the source IP is on a network known to the other devices. The principle of NAT is simple: the router acts as a barrier between the outside network (the one we hide from) and the inside network (the one we hide). Every request from the inside network to the outside is therefore masked by the router's NAT. NAT is said to be dynamic when the source addresses (here from the LAN) are translated dynamically, using different ports (or different IP addresses if several are available) on the egress interface (here WAN). The router fills its NAT table dynamically, unlike static NAT where the translations are entered and recorded in advance.

II. Network configuration

To set up our infrastructure we will use the architecture shown above, detailed at the network level here (diagram for setting up our NAT). We will configure dynamic NAT on router R2. Here routers R1 and R2 can talk to each other, but R1 does not know the route to the LAN network, so it cannot return packets sent by the LAN hosts. If, however, R2 rewrites the source IP of packets from the LAN with its own IP, R1 will be able to reply, and R2 will then translate in the other direction to deliver the packets back to their source.
This process is shown in the following diagram (illustration of the NAT address translation process).

III. Router configuration

We now configure router R2:

R2> enable
R2# configure terminal
R2(config)# interface fa0/0
R2(config-if)# ip address
R2(config-if)# no shutdown
R2(config-if)# exit
R2(config)# interface fa0/1
R2(config-if)# ip address
R2(config-if)# no shutdown
R2(config-if)# exit

At this stage the two networks are connected and each can see the other. We want the outside network not to be able to reach the LAN, but the reverse to be possible.

IV. NAT configuration

We must then indicate which interface is inside the NAT ("inside") and which is outside ("outside"). This tells the router in which direction to apply the address translations. Here Fa0/0 will be the inside interface and Fa0/1 the outside interface.

R2(config)# interface fa0/0
R2(config-if)# ip nat inside
R2(config-if)# exit
R2(config)# interface fa0/1
R2(config-if)# ip nat outside
R2(config-if)# exit

We then create the access rule that allows the LAN out through the NAT:

R2(config)# access-list 1 permit
R2(config)# ip nat inside source list 1 interface fa0/1 overload

The address translation process is now operational.

V. Testing NAT

To check that our router is indeed performing NAT, we should now be able to reach router R1 from the LAN host. Before doing so, we can enter the following command on router R2:

R2# debug ip nat

We then talk to router R1 and should see the address translation steps displayed (debug output of NAT address translation on the Cisco router). This command shows the packets passing through the router via NAT, so we can see NAT acting on each packet.

VI. Over to you

I now suggest you put this tutorial into practice with a Packet Tracer exercise I have prepared.
All you need to do is download the following .pka file and make sure Packet Tracer version 6 is installed on your machine to run it.
Category: Practical work >> Network labs. Last updated 09/08/2010 14:51. Added by Mr Mohamed Oweiss HARIGA. Reads: 25828. Comments: 0.

Objective: configure address translation on a Cisco router. NAT lets you use private IP addresses on your LAN and translate those addresses so that they can be reached from a public network such as the Internet. The private network is defined on the inside interface and the public address on the outside interface of your router. Static NAT is a single private address redirected to a single public address. The most widely used form of NAT is a group of private addresses translated into one single public address; this form of NAT is called "overloading". Configuring NAT on a Cisco router.

© 2007 - 2022 Technologue pro - Educational resources for technological education in Tunisia. For strictly academic use.