A few days ago I came across some configurations for single-interface NAT (NAT on a stick) on the Internet. They all seemed to trace back to one person, the comments were very unclear, and Cisco's official website does not explain it very clearly either. So I will explain the principle to you in detail now!
The explanation below may be a bit clumsy, sorry!
First of all, what is single-interface NAT? I don't know whether you have run into this situation: there is an ADSL line, but every machine has only one network card, and you want all machines to share the Internet connection. What do you think of? ^_^ You could spend 5 yuan on a second network card. That is of course the simple way, but when doing technology we should also think of other methods, haha. Challenge yourself. Put bluntly, in single-interface NAT the router has only one port, and it still has to do NAT for the internal hosts to reach the external network. This is different from traditional NAT, which has one inside interface and one outside interface. Here a single port and a single link must carry traffic from two networks, the intranet and the public network, so the port needs two addresses: one to talk to the intranet and one to talk to the ISP. The actual topology is as follows: the line from the ISP goes directly into the switch, not into the router, and the router is also connected to a port of the switch. Its only job is to do NAT, that is, to rewrite the source address of outgoing packets and the destination address of returning packets, as shown in the figure (see the original post). When an intranet host sends packets to an external host, the packets arrive at the router's Ethernet port, go through a series of translations, and finally leave through the same Ethernet port towards the ISP.
The following is a detailed analysis of the path of one packet, so that everyone will understand.
An intranet host (172.16.1.1) sends a packet to a public address. Naturally it forwards the packet to its gateway first, so the gateway, our router, receives the packet on the Ethernet port. In order, the router checks the policy routing first and only then the normal routing table. The policy route finds that this packet matches the line access-list 101 permit ip 172.16.1.0 0.0.0.255 any, so it routes the packet to the loopback interface. Let me explain: the loopback is called a loopback interface because a packet that reaches this interface goes out of it and immediately comes back in. Haha, this may be hard to grasp; it works because the loopback is a virtual interface inside the router, which is exactly what gives it this property. Now, when the packet goes out of this interface, it came in on the Ethernet port (nat inside) and leaves on the loopback (nat outside), so at the loopback the packet is NATed once: its source address is turned into one of the addresses in the pool (ip nat pool pool1 192.168.0.2 192.168.0.3). Good, the NATed packet leaves the loopback, turns around (I really don't know where it has gone) and comes back into the router through the loopback. This time, however, the router does not change the packet: with nat outside on the loopback and ip nat inside source ..., only packets going from inside to outside are NATed. All right, the packet's source address is now, for example, 192.168.0.2, and its destination is the public address you want to reach. Next this packet must pass through routing again, but because the loopback interface has no ip policy route-map configured, only the regular routing table is consulted this time. OK, look at the original post: apart from the connected routes there is the default route (ip route 0.0.0.0 0.0.0.0 192.168.0.6), so the router finally routes this packet successfully to the ISP. (Phew, that's tiring.)
Now let's talk about the return packets. The external host replies to our external address (192.168.0.2). The router's Ethernet port receives the packet that the ISP sent through the switch. Since, from the router's point of view, this packet is going from inside to outside (the router does not know that the Ethernet link also leads to the ISP), it must route first and NAT afterwards. OK, the router again checks the policy route first; look at the original post: it matches the line access-list 101 permit ip any 192.168.0.0 0.0.0.7. Because the source address is a public address, that is, "any", the packet is routed to the loopback port. At the loopback the packet would be NATed again, but note that this packet does not meet the NAT condition. Look: ip nat inside source list 10 pool pool1 overload, and access-list 10 permit 172.16.1.0 0.0.0.255. Since the packet's source address is not in the range specified by access-list 10, the packet is not NATed. This is the most clever part of the technique: the packet keeps its genuine source address! OK, the packet has strolled back in from the loopback. Note!!! Because the router already performed NAT earlier, it holds a NAT table, and the packet is now coming in from the loopback, which for the router means outside to inside. So the router NATs first and then routes, which means it consults the NAT table. It finds that the destination address 192.168.0.2 actually corresponds to the internal host 172.16.1.1, so it NATs the packet's destination address to 172.16.1.1. OK, now routing again (so troublesome! Haha). Since packets entering from the loopback do not go through the policy route-map, the regular routing table is checked; the destination 172.16.1.1 lies in a connected route, so the packet is finally sent out the Ethernet port and reaches the destination host, 172.16.1.1.
The same applies to ADSL single-network-card proxying, except that the router is replaced by a host running proxy software such as CCProxy; these programs implement single-interface NAT in the same way as the router above.
Single-interface NAT configuration example (classic, reposted; please test it)
Conditions:
1. IOS 12.1(5)T9 or later; lower versions have not been verified.
2. At least two global addresses provided by the ISP.
Implementation idea:
1. Configure the ISP-provided address as a secondary address on the Ethernet interface. This Ethernet interface is also the NAT inside interface and the gateway for the internal hosts.
2. Create a loopback interface and make it the NAT outside interface.
3. Use a route-map to policy-route both the packets leaving the internal network and the corresponding reply packets coming from outside to the loopback interface.
Example:
The topology is shown in the figure (see the original post):
The configuration is as follows:
interface Loopback0
 ip address 172.16.2.254 255.255.255.252
 ip nat outside
!
//Create a loopback interface and make it the NAT outside interface.
interface Ethernet0
 ip address 192.168.0.1 255.255.255.248 secondary
 ip address 172.16.1.254 255.255.255.0
 ip nat inside
 ip policy route-map rm-nat
!
//Configure 172.16.1.254 as the primary IP of E0 and the ISP-provided address as the secondary address. E0 is the NAT inside interface, and the route-map rm-nat is applied to it.
ip nat pool pool1 192.168.0.2 192.168.0.3 prefix-length 29
ip nat inside source list 10 pool pool1 overload
//Ordinary NAT configuration: inside sources matched by access-list 10 are translated (overloaded) to the pool addresses.
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.6
ip route 172.16.1.0 255.255.255.0 Ethernet0
access-list 10 permit 172.16.1.0 0.0.0.255
//Access list that selects the inside addresses to be NATed.
access-list 101 permit ip 172.16.1.0 0.0.0.255 any
access-list 101 permit ip any 192.168.0.0 0.0.0.7
//Access list used by the route-map. The first line matches packets going out from the intranet; the second line matches the reply packets coming back to the global addresses.
route-map rm-nat permit 10
 match ip address 101
 set ip next-hop 172.16.2.254
//Route-map configuration: all packets matching access-list 101 are forwarded to 172.16.2.254 (the Loopback0 interface).
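To make the two passes through the loopback concrete, here is an added Python model of the packet walk described above, using the addresses from the configuration. It is example code written for this page, not code from the original post and not Cisco software. It assumes a simplified PAT allocation (first pool address, original source port kept when it is free), a constructed public host 203.0.113.10, and it models only access-list 101, access-list 10, the NAT table and the two routes; everything else the router does is ignored.

```python
import ipaddress
from dataclasses import dataclass, replace

# Values taken from the configuration above; the model itself is constructed for illustration.
INSIDE_NET = ipaddress.ip_network("172.16.1.0/24")     # access-list 10 and acl 101 line 1
GLOBAL_BLOCK = ipaddress.ip_network("192.168.0.0/29")  # acl 101 line 2 (wildcard 0.0.0.7)
POOL = ["192.168.0.2", "192.168.0.3"]                  # ip nat pool pool1 ... overload
LOOPBACK_NEXT_HOP = "172.16.2.254"                     # set ip next-hop (Loopback0)
DEFAULT_NEXT_HOP = "192.168.0.6"                       # ip route 0.0.0.0 0.0.0.0 192.168.0.6


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class NatOnAStick:
    """Models Ethernet0 (nat inside, policy routed) and Loopback0 (nat outside)."""

    def __init__(self):
        self.inside_to_global = {}  # (inside local addr, port) -> (inside global addr, port)
        self.global_to_inside = {}  # reverse view of the same NAT table

    def forward(self, pkt):
        """Packet arrives on Ethernet0. Returns (packet as sent out, egress, trace)."""
        trace = []
        # Ethernet0 is 'nat inside': routing (policy route first) happens before NAT.
        if self._matches_acl101(pkt):
            trace.append(f"acl 101 match -> route-map rm-nat sets next-hop {LOOPBACK_NEXT_HOP}")
            pkt = self._loopback_egress(pkt, trace)
            pkt = self._loopback_ingress(pkt, trace)
        else:
            trace.append("no acl 101 match -> regular routing only")
        egress = self._regular_route(pkt)
        trace.append(f"regular route -> {egress}")
        return pkt, egress, trace

    def _matches_acl101(self, pkt):
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        return src in INSIDE_NET or dst in GLOBAL_BLOCK

    def _loopback_egress(self, pkt, trace):
        # Leaving via the nat outside interface is inside->outside, so 'ip nat inside source'
        # applies, but only to sources permitted by access-list 10.
        if ipaddress.ip_address(pkt.src) not in INSIDE_NET:
            trace.append("loopback egress: source not in acl 10, no translation")
            return pkt
        key = (pkt.src, pkt.sport)
        if key not in self.inside_to_global:
            self.inside_to_global[key] = self._allocate(pkt.sport)
            self.global_to_inside[self.inside_to_global[key]] = key
        gaddr, gport = self.inside_to_global[key]
        trace.append(f"loopback egress: {pkt.src}:{pkt.sport} -> {gaddr}:{gport}")
        return replace(pkt, src=gaddr, sport=gport)

    def _allocate(self, wanted_port):
        # Simplified PAT (assumption): first pool address, original port if still free on it.
        for addr in POOL:
            port = wanted_port
            while (addr, port) in self.global_to_inside:
                port += 1
            if port <= 65535:
                return (addr, port)
        raise RuntimeError("pool exhausted")

    def _loopback_ingress(self, pkt, trace):
        # Coming back in from the nat outside interface is outside->inside: NAT before
        # routing, so the destination is looked up in the table. No policy route-map here.
        key = (pkt.dst, pkt.dport)
        if key in self.global_to_inside:
            laddr, lport = self.global_to_inside[key]
            trace.append(f"loopback ingress: dst {pkt.dst}:{pkt.dport} -> {laddr}:{lport}")
            return replace(pkt, dst=laddr, dport=lport)
        trace.append("loopback ingress: no NAT table entry for destination")
        return pkt

    def _regular_route(self, pkt):
        if ipaddress.ip_address(pkt.dst) in INSIDE_NET:
            return "Ethernet0 (connected 172.16.1.0/24)"
        return f"Ethernet0 via default route {DEFAULT_NEXT_HOP}"


if __name__ == "__main__":
    router = NatOnAStick()
    for p in (Packet("172.16.1.1", "203.0.113.10", 40000, 80),   # outbound from intranet host
              Packet("203.0.113.10", "192.168.0.2", 80, 40000)):  # reply from the public host
        out, egress, steps = router.forward(p)
        print(p, "->", out, "via", egress)
        for step in steps:
            print("   ", step)
```

Running the file prints the trace for both directions. The reply packet passes the loopback without source translation because its source fails access-list 10, and only its destination is rewritten from the NAT table, which is exactly the behaviour the walk above calls the clever part; a packet whose source is outside 172.16.1.0/24 and whose destination is outside 192.168.0.0/29 never touches the loopback at all.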