Step 1
Defining NAT Inside and Outside Interfaces :The first step to deploy NAT is to define NAT inside and outside interfaces. You may find it easiest to define your internal network as inside, and the external network as outside. However, the terms internal and external are subject to arbitration as well. This figure shows an example of this.
Step 2
Allowing internal user to access internet :
You many want to allow internal users to access the internet, but you may not have enough valid addresses to accommodate everyone. If all communication with devices in the internet originate from the internal devices, you need a single valid address or a pool of valid addresses.This figure shows a simple network diagram with the router interfaces defined as inside and outside:
In this example, you want NAT to allow certain
devices (the first 31 from each subnet) on the inside to originate
communication with devices on the outside by translating their invalid
address to a valid address or pool of addresses. The pool has been
defined as the range of addresses 172.16.10.1 through 172.16.10.63.
Now you are ready to configure NAT. In order to accomplish what is
defined above, use dynamic NAT. With dynamic NAT, the translation table
in the router is initially empty and gets populated once traffic that
needs to be translated passes through the router. As opposed to static
NAT, where a translation is statically configured and is placed in the
translation table without the need for any traffic
In this example, you can configure NAT to translate each of the
inside devices to a unique valid address, or to translate each of the
inside devices to the same valid address. This second method is known as
overloading. An example of how to configure each method is given here.
Command :
interface ethernet 0
ip address 10.10.10.1 255.255.255.0
ip nat inside
!--- Defines Ethernet 0 with an IP address and as a NAT inside interface.
interface ethernet 1
ip address 10.10.20.1 255.255.255.0
ip nat inside
!--- Defines Ethernet 1 with an IP address and as a NAT inside interface.
interface serial 0
ip address 172.16.10.64 255.255.255.0
ip nat outside
!--- Defines serial 0 with an IP address and as a NAT outside interface.
ip nat pool no-overload 172.16.10.1 172.16.10.63 prefix 24
!
!--- Defines a NAT pool named no-overload with a range of addresses
!--- 172.16.10.1 - 172.16.10.63.
ip nat inside source list 7 pool no-overload
!
!
!--- Indicates that any packets received on the inside interface that
!--- are permitted by access-list 7 has
!--- the source address translated to an address out of the
!--- NAT pool "no-overload".
access-list 7 permit 10.10.10.0 0.0.0.31
access-list 7 permit 10.10.20.0 0.0.0.31
!--- Access-list 7 permits packets with source addresses ranging from
!--- 10.10.10.0 through 10.10.10.31 and 10.10.20.0 through 10.10.20.31.
-- Complete --ip address 10.10.10.1 255.255.255.0
ip nat inside
!--- Defines Ethernet 0 with an IP address and as a NAT inside interface.
interface ethernet 1
ip address 10.10.20.1 255.255.255.0
ip nat inside
!--- Defines Ethernet 1 with an IP address and as a NAT inside interface.
interface serial 0
ip address 172.16.10.64 255.255.255.0
ip nat outside
!--- Defines serial 0 with an IP address and as a NAT outside interface.
ip nat pool no-overload 172.16.10.1 172.16.10.63 prefix 24
!
!--- Defines a NAT pool named no-overload with a range of addresses
!--- 172.16.10.1 - 172.16.10.63.
ip nat inside source list 7 pool no-overload
!
!
!--- Indicates that any packets received on the inside interface that
!--- are permitted by access-list 7 has
!--- the source address translated to an address out of the
!--- NAT pool "no-overload".
access-list 7 permit 10.10.10.0 0.0.0.31
access-list 7 permit 10.10.20.0 0.0.0.31
!--- Access-list 7 permits packets with source addresses ranging from
!--- 10.10.10.0 through 10.10.10.31 and 10.10.20.0 through 10.10.20.31.
Source :
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml#topic3
0 komentar:
Post a Comment