Updated on 2025-04-11

Summary of single physical interface NAT

To understand NAT on a single physical interface correctly, you first need to understand the conditions under which NAT is applied and the order in which the router processes a packet. The configurations below are quoted from another source; thanks to the original author of the quoted content.

One: NAT from inside to outside

1. There are inside and outside interfaces.
2. The inside interface receives a NAT "packet of interest" (defined by the ACL).
3. Check whether there is a route to the external network through the outside interface (policy routing first, then regular routing).
4. Execute NAT: the source address is translated.
5. The translated packet is forwarded through the outside interface.

Two: NAT from outside to inside

1. Check whether there is a corresponding NAT record in the translation table.
2. Execute NAT: the destination address is translated.
3. Execute routing (policy routing first, then regular routing).
4. The translated packet is forwarded through the inside interface.

Three: Configuration Example 1 Analysis:

Characteristics: loopback0 is used as the outside interface.

interface Loopback0
 ip address 172.16.2.254 255.255.255.252
 ip nat outside
!
interface Ethernet0
 ip address 192.168.0.1 255.255.255.248 secondary
 ip address 172.16.1.254 255.255.255.0
 ip nat inside
 ip policy route-map nat
!
ip nat pool pool1 192.168.0.2 192.168.0.3 prefix-length 29
ip nat inside source list 10 pool pool1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.6
ip route 172.16.1.0 255.255.255.0 Ethernet0
access-list 10 permit 172.16.1.0 0.0.0.255
access-list 101 permit ip 172.16.1.0 0.0.0.255 any
access-list 101 permit ip any 192.168.0.0 0.0.0.7
!
route-map nat permit 10
 match ip address 101
 set interface loopback0

(1): When a packet with source address 172.16.1.0/24 arrives at the E0 interface:

1. E0 is the inside interface.
2. The packet is a packet of interest to NAT (defined by ACL 10).
3. Check the route: policy routing (route-map nat) is executed first, and it contains set interface loopback0, so there is a route to the external network through the outside interface loopback0 and the conditions for executing NAT are met.
4. Execute NAT: source 172.16.1.0/24 is translated to 192.168.0.2~3 (defined by address pool pool1).
5. Forward the packet out of the outside interface loopback0.
6. Loopback0 is a logical interface, so the packet is routed again and the default route ip route 0.0.0.0 0.0.0.0 192.168.0.6 applies; 192.168.0.6 is the ISP address.
7. The translated packet is forwarded to the ISP router via the E0 interface.


(2): When the return packet (destination address 192.168.0.2~3) arrives at the E0 interface:

1. The return packet is not a packet of interest to NAT (it does not match ACL 10), so it is processed as a regular packet.
2. Policy routing (route-map nat) is executed: set interface loopback0, that is, the packet is routed to the outside interface.
3. There is a corresponding record in the NAT table.
4. Execute NAT: destination address 192.168.0.2~3 is translated to 172.16.1.0/24.
5. Execute routing. There is no policy routing on the loopback0 interface, so regular routing is performed.
6. The translated packet is forwarded through the E0 interface.


Four: Configuration Example 2 Analysis:

Characteristics: loopback0 is used as the inside interface.

interface Loopback0
 ip address 172.16.1.1 255.255.255.248
 ip nat inside
 ip policy route-map rm_nat
!
interface FastEthernet0/0
 ip address 172.16.0.1 255.255.255.0 secondary
 ip address 192.168.0.1 255.255.255.252
 ip nat outside
 ip policy route-map no_route
!
ip nat pool st_pool 61.233.13.193 61.233.13.198 netmask 255.255.255.248
ip nat inside source list 10 pool st_pool
ip classless
ip route 0.0.0.0 0.0.0.0 Loopback0
access-list 10 permit 172.16.0.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 permit ip 172.16.0.0 0.0.0.255 any
!
route-map no_route permit 10
 match ip address 102
 set interface Loopback0
!
route-map rm_nat permit 10
 match ip address 101
 set ip next-hop 192.168.0.2

The main difference in this example is that it uses two policy route-maps. Their purpose is to steer the packet to the inside interface or the outside interface so that the routing condition for NAT translation is met.
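The two processing orders in sections One and Two, and the step-by-step traces in sections Three and Four, can be checked mechanically. The following Python model is an added example and is not part of the original article or any vendor code: it encodes the inside-to-outside order (ACL match, routing with policy routing first, then source translation only if the egress is an outside interface) and the outside-to-inside order (NAT table lookup and destination translation, then routing), and treats a loopback as a logical interface that re-injects the packet. The interfaces, ACLs, route-maps, pools and static routes are transcribed from Configuration Example 1 and 2; the host address 172.16.1.10 / 172.16.0.10 and the Internet destination 8.8.8.8 are constructed sample values. It goes one step beyond the article by also tracing Configuration Example 2, which the text does not walk through.

```python
# Added illustration (not from the original article): a small model of the
# NAT processing orders above, run against Configuration Example 1 and 2.
import ipaddress as ipa

ANY = ipa.ip_network("0.0.0.0/0")

def net(s):
    return ipa.ip_network(s, strict=False)   # "172.16.2.254/30" -> 172.16.2.252/30

class Router:
    def __init__(self, interfaces, acls, route_maps, routes, nat_acl, nat_pool):
        self.if_ = interfaces    # name -> {"nat": inside|outside, "policy": rmap|None, "connected": [nets]}
        self.acls = acls         # number -> [(src_net, dst_net), ...]  (permit entries only)
        self.rmaps = route_maps  # name -> [(acl, ("interface", name) | ("next-hop", ip)), ...]
        self.routes = routes     # [(prefix, via)]; via is an interface name or a next-hop string
        self.nat_acl, self.pool = nat_acl, [ipa.ip_address(a) for a in nat_pool]
        self.nat_table = {}      # inside local -> inside global
        self.trace = []

    def acl_match(self, acl, src, dst):
        return any(src in s and dst in d for s, d in self.acls[acl])

    def via_next_hop(self, nh):
        nh = ipa.ip_address(nh)
        name = next(n for n, i in self.if_.items() if any(nh in c for c in i["connected"]))
        return name, nh

    def route(self, src, dst, ingress):
        # policy routing on the ingress interface is consulted first ...
        pol = self.if_[ingress]["policy"]
        for acl, (kind, target) in self.rmaps.get(pol, []):
            if self.acl_match(acl, src, dst):
                self.trace.append(f"  policy route-map {pol}: set {kind} {target}")
                return (target, dst) if kind == "interface" else self.via_next_hop(target)
        # ... then connected networks and static routes, longest prefix wins
        cands = [(n, name) for name, i in self.if_.items() for n in i["connected"]] + self.routes
        hits = [(p, v) for p, v in cands if dst in p]
        if not hits:
            raise ValueError(f"no route to {dst}")
        prefix, via = max(hits, key=lambda pv: pv[0].prefixlen)
        self.trace.append(f"  regular route {prefix} via {via}")
        return (via, dst) if via in self.if_ else self.via_next_hop(via)

    def receive(self, src, dst, ingress, hops=0):
        src, dst = ipa.ip_address(src), ipa.ip_address(dst)
        if hops > 4:
            raise RuntimeError("routing loop between interfaces")
        side = self.if_[ingress]["nat"]
        self.trace.append(f"received {src}->{dst} on {ingress} ({side})")
        if side == "outside":
            # outside->inside: NAT table lookup and destination translation BEFORE routing
            local = next((l for l, g in self.nat_table.items() if g == dst), None)
            if local is not None:
                self.trace.append(f"  NAT table hit: dst {dst} -> {local}")
                dst = local
            egress, nh = self.route(src, dst, ingress)
        else:
            # inside->outside: route first; translate only if the egress is an outside interface
            egress, nh = self.route(src, dst, ingress)
            if self.acl_match(self.nat_acl, src, dst) and self.if_[egress]["nat"] == "outside":
                if src not in self.nat_table:
                    free = [a for a in self.pool if a not in self.nat_table.values()]
                    if not free:
                        raise RuntimeError("NAT pool exhausted")
                    self.nat_table[src] = free[0]
                self.trace.append(f"  NAT: src {src} -> {self.nat_table[src]}")
                src = self.nat_table[src]
        if egress.lower().startswith("loopback"):
            # a loopback is logical: the packet re-enters the router on that interface
            self.trace.append(f"  sent to {egress}; re-enters as received on {egress}")
            return self.receive(str(src), str(dst), egress, hops + 1)
        self.trace.append(f"  forwarded out {egress} toward {nh}")
        return str(src), str(dst), egress, str(nh)

def example1():
    """Configuration Example 1: Loopback0 is the outside interface."""
    r = Router(
        interfaces={"Loopback0": {"nat": "outside", "policy": None, "connected": [net("172.16.2.254/30")]},
                    "Ethernet0": {"nat": "inside", "policy": "nat",
                                  "connected": [net("192.168.0.1/29"), net("172.16.1.254/24")]}},
        acls={10: [(net("172.16.1.0/24"), ANY)],
              101: [(net("172.16.1.0/24"), ANY), (ANY, net("192.168.0.0/29"))]},
        route_maps={"nat": [(101, ("interface", "Loopback0"))]},
        routes=[(ANY, "192.168.0.6"), (net("172.16.1.0/24"), "Ethernet0")],
        nat_acl=10, nat_pool=["192.168.0.2", "192.168.0.3"])
    out = r.receive("172.16.1.10", "8.8.8.8", "Ethernet0")    # constructed host -> Internet
    back = r.receive("8.8.8.8", "192.168.0.2", "Ethernet0")   # reply arriving from the ISP
    return out, back, r.trace

def example2():
    """Configuration Example 2: Loopback0 is the inside interface."""
    r = Router(
        interfaces={"Loopback0": {"nat": "inside", "policy": "rm_nat", "connected": [net("172.16.1.1/29")]},
                    "FastEthernet0/0": {"nat": "outside", "policy": "no_route",
                                        "connected": [net("172.16.0.1/24"), net("192.168.0.1/30")]}},
        acls={10: [(net("172.16.0.0/24"), ANY)], 101: [(ANY, ANY)], 102: [(net("172.16.0.0/24"), ANY)]},
        route_maps={"no_route": [(102, ("interface", "Loopback0"))],
                    "rm_nat": [(101, ("next-hop", "192.168.0.2"))]},
        routes=[(ANY, "Loopback0")],
        nat_acl=10, nat_pool=["61.233.13.%d" % i for i in range(193, 199)])
    out = r.receive("172.16.0.10", "8.8.8.8", "FastEthernet0/0")
    back = r.receive("8.8.8.8", "61.233.13.193", "FastEthernet0/0")
    return out, back, r.trace
```

Each call to `receive` returns the final (source, destination, egress interface, next hop) of the packet, and `trace` lists every step in the order the model applied it. In Example 1 the outbound packet is policy-routed to Loopback0, translated to 192.168.0.2, re-enters on the outside loopback and leaves E0 toward 192.168.0.6; in Example 2 the host packet first arrives on the outside FastEthernet0/0, is steered to the inside loopback by route-map no_route, and only then matches ACL 10 and is translated into st_pool on its way to next hop 192.168.0.2. Swapping the policy route-maps around or removing one is an easy way to see which step fails and why the routing condition in section One matters.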

It should be noted that the addresses in the NAT address pool do not have to be in the same network segment as the ISP-side router address; they can be public IP addresses or private addresses, as long as the ISP can distinguish them, and the ISP must have a route (static or dynamic) to the NAT address pool.

On the NAT router, all that is needed is the command "ip route 0.0.0.0 0.0.0.0 <ISP IP address>".