{"id":516,"date":"2018-05-11T20:34:00","date_gmt":"2018-05-11T11:34:00","guid":{"rendered":"https:\/\/wp.zassoul.com\/?p=516"},"modified":"2018-05-11T20:34:00","modified_gmt":"2018-05-11T11:34:00","slug":"nat-on-a-stick","status":"publish","type":"post","link":"https:\/\/wp.zassoul.com\/?p=516","title":{"rendered":"NAT on a stick"},"content":{"rendered":"<p>\u4f8b\u3048\u3070NAT\u306b\u5bfe\u5fdc\u3057\u3066\u3044\u306a\u3044\u6a5f\u5668(L3SW\u7b49)\u304c\u3042\u3063\u305f\u3068\u3057\u3066, \u305d\u308c\u3067\u3082NAT\u3057\u306a\u304f\u3066\u306f\u306a\u3089\u306a\u3044\u5834\u5408\u3002<br \/>\u56f3\u306e\u3088\u3046\u306b\u30ef\u30f3\u30a2\u30fc\u30e0\u3067\u30eb\u30fc\u30bf\u3092\u3064\u306a\u3044\u3067NAT\u30dc\u30c3\u30af\u30b9\u3068\u3059\u308b\u69cb\u6210\u304c\u53d6\u308c\u308b\u3002<\/p>\n<table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" style=\"margin-left: auto; margin-right: auto; text-align: center;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/4.bp.blogspot.com\/-1oIGARqOP6k\/WvVIwlwLu3I\/AAAAAAAAATQ\/Dgt-EPa001szwWiujC4CxWHj9VazBjGiwCLcBGAs\/s1600\/NATonaStick.PNG\" style=\"margin-left: auto; margin-right: auto;\"><img loading=\"lazy\" decoding=\"async\" border=\"0\" data-original-height=\"671\" data-original-width=\"597\" height=\"320\" src=\"https:\/\/4.bp.blogspot.com\/-1oIGARqOP6k\/WvVIwlwLu3I\/AAAAAAAAATQ\/Dgt-EPa001szwWiujC4CxWHj9VazBjGiwCLcBGAs\/s320\/NATonaStick.PNG\" width=\"283\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">\u56f3\u3067\u306f\u30eb\u30fc\u30bf\u306e\u30a2\u30a4\u30b3\u30f3\u306b\u306a\u3063\u3066\u3044\u308b\u3051\u308c\u3069, R1\u304cNAT\u306b\u5bfe\u5fdc\u3057\u3066\u3044\u306a\u3044\u3068\u304d<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u30d8\u30a2\u30d4\u30f3NAT\u3084NAT on a Stick \u3068\u547c\u3076\u3089\u3057\u3044\u3002<br \/>Cisco\u30b5\u30a4\u30c8\u3092\u53c2\u7167\u3057\u3066\u691c\u8a3c\u3059\u308b\u3002<br \/>\u53c2\u7167URL\uff1a<a 
href=\"https:\/\/www.cisco.com\/c\/ja_jp\/support\/docs\/ip\/network-address-translation-nat\/6505-nat-on-stick.html\" target=\"_blank\" rel=\"noopener noreferrer\">\u30b9\u30c6\u30a3\u30c3\u30af\u4e0a\u306e\u30cd\u30c3\u30c8\u30ef\u30fc\u30af \u30a2\u30c9\u30ec\u30b9\u5909\u63db<\/a><\/p>\n<div>\n<h3>\u69cb\u6210\u6982\u8981<\/h3>\n<ul>\n<ul><\/ul>\n<li>172.16.10.0\/24 \u3092172.20.10.0\/24 \u3078\u30cd\u30c3\u30c8\u30ef\u30fc\u30afNAT\u3059\u308b\u3002<\/li>\n<li>NAT\u30dd\u30a4\u30f3\u30c8\u306fR2\u3002<\/li>\n<li>VPC2\u306f172.20.10.0\/24\u306e\u30a2\u30c9\u30ec\u30b9\u3067\u30a2\u30af\u30bb\u30b9\u3059\u308b\u3002<\/li>\n<\/ul>\n<ul><\/ul>\n<p>\u305d\u306e\u305f\u3081, R1\u3067\u306f\u5fc5\u7136\u7684\u306bPBR\u3092\u5229\u7528\u3057\u3066VPC1\u306e\u901a\u4fe1\u3092R2\u3078\u8ee2\u9001\u3059\u308b\u3002<\/p>\n<h3>Config<\/h3>\n<p>\u203b \u629c\u7c8b<br \/>R1 Config<\/p>\n<pre>!<br \/>interface Ethernet0\/0<br \/> description to R3<br \/> ip address 192.168.2.1 255.255.255.0<br \/>!<br \/>interface Ethernet0\/1<br \/> description to R2<br \/> ip address 10.10.10.1 255.255.255.0<br \/>!<br \/>interface Ethernet0\/2<br \/> description to R4<br \/> ip address 192.168.1.1 255.255.255.0<br \/> ip policy route-map PBR<br \/>!<br \/>ip route 172.16.10.0 255.255.255.0 192.168.1.2<br \/>ip route 172.16.20.0 255.255.255.0 192.168.2.2<br \/>ip route 172.20.10.0 255.255.255.0 10.10.10.2<br \/>!<br \/>ip access-list extended PBR<br \/> permit ip 172.16.10.0 0.0.0.255 any<br \/>!<br \/>!<br \/>route-map PBR permit 10<br \/> match ip address PBR<br \/> set ip next-hop 10.10.10.2<br \/>!<br \/>!<\/pre>\n<p>R2 Config<\/p>\n<pre>!<br \/>interface Loopback0<br \/> ip address 1.1.1.1 255.255.255.255<br \/> ip nat outside<br \/> ip virtual-reassembly in<br \/>!<br \/>interface Ethernet0\/0<br \/> description to R1<br \/> ip address 10.10.10.2 255.255.255.0<br \/> ip nat inside<br \/> ip virtual-reassembly in<br \/> ip policy route-map NAT<br \/>!<br \/>!<br \/>ip nat inside source 
static network 172.16.10.0 172.20.10.0 \/24 no-alias<br \/>ip route 0.0.0.0 0.0.0.0 10.10.10.1<br \/>ip route 172.20.10.0 255.255.255.0 Ethernet0\/0<br \/>!<br \/>ip access-list extended PBR<br \/> permit ip 172.16.10.0 0.0.0.255 any<br \/> permit ip any 172.20.10.0 0.0.0.255<br \/>!<br \/>!<br \/>route-map NAT permit 10<br \/> match ip address PBR<br \/> set interface Loopback0<br \/>!<\/pre>\n<p>\u30d1\u30b1\u30c3\u30c8\u30d5\u30ed\u30fc<br \/>Cisco\u30eb\u30fc\u30bf\u306b\u304a\u3051\u308bNAT\u306e\u51e6\u7406\u306f\u516c\u5f0f\u30da\u30fc\u30b8\u306b\u3042\u308b\u3068\u304a\u308a\u3002<br \/>\u53c2\u8003\uff1a<a href=\"https:\/\/www.cisco.com\/c\/ja_jp\/support\/docs\/ip\/network-address-translation-nat\/6209-5.html\" target=\"_blank\" rel=\"noopener noreferrer\">NAT\u306e\u51e6\u7406\u9806\u5e8f<\/a><br \/>\u4eca\u56de\u95a2\u4fc2\u3059\u308b\u7b87\u6240\u3092\u592a\u6587\u5b57\u3067\u3002<\/p>\n<table border=\"1\" cellpadding=\"2\" cellspacing=\"0\" style=\"width: 100%px;\">\n<tbody>\n<tr>\n<td valign=\"top\" width=\"50%\">\n<ol>\n<li><span style=\"font-size: x-small;\">IPSec ACL \u30c1\u30a7\u30c3\u30af <\/span><\/li>\n<li><span style=\"font-size: x-small;\">\u5fa9\u53f7\u5316 <\/span><\/li>\n<li><span style=\"font-size: x-small;\">\u5165\u529bACL\u30c1\u30a7\u30c3\u30af<\/span><\/li>\n<li><span style=\"font-size: x-small;\">\u5165\u529b\u30ec\u30fc\u30c8\u5236\u9650\u3092\u30c1\u30a7\u30c3\u30af <\/span><\/li>\n<li><span style=\"font-size: x-small;\">\u5165\u529b\u30a2\u30ab\u30a6\u30f3\u30c6\u30a3\u30f3\u30b0 <\/span><\/li>\n<li><span style=\"font-size: x-small;\">Web \u30ad\u30e3\u30c3\u30b7\u30e5\u306b\u30ea\u30c0\u30a4\u30ec\u30af\u30c8 <\/span><\/li>\n<li><span style=\"font-size: x-small;\"><b>\u30dd\u30ea\u30b7\u30fc \u30eb\u30fc\u30c6\u30a3\u30f3\u30b0 <\/b><\/span><\/li>\n<li><span style=\"font-size: x-small;\">\u30eb\u30fc\u30c6\u30a3\u30f3\u30b0 <\/span><\/li>\n<li><span style=\"color: red; font-size: x-small;\"><b>Inside \u304b\u3089 Outside 
\u3078\u306e NAT<\/b><\/span><\/li>\n<li><span style=\"font-size: x-small;\">\u30af\u30ea\u30d7\u30c8\uff08\u6697\u53f7\u5316\u7528\u306e\u30de\u30c3\u30d7\u306e\u30c1\u30a7\u30c3\u30af\u3068\u30de\u30fc\u30af\uff09 <\/span><\/li>\n<li><span style=\"font-size: x-small;\">\u51fa\u529b\u30a2\u30af\u30bb\u30b9 \u30ea\u30b9\u30c8\u3092\u30c1\u30a7\u30c3\u30af <\/span><\/li>\n<li><span style=\"font-size: x-small;\">CBAC\u691c\u67fb <\/span><\/li>\n<li><span style=\"font-size: x-small;\">TCP \u30a4\u30f3\u30bf\u30fc\u30bb\u30d7\u30c8 <\/span><\/li>\n<li><span style=\"font-size: x-small;\">\u6697\u53f7\u5316 <\/span><\/li>\n<li><span style=\"font-size: x-small;\">\u30ad\u30e5\u30fc\u30a4\u30f3\u30b0<\/span><\/li>\n<\/ol>\n<\/td>\n<td valign=\"top\" width=\"298\">\n<ol>\n<li><span style=\"font-size: x-small;\">IPSec ACL \u30c1\u30a7\u30c3\u30af <\/span><\/li>\n<li><span style=\"font-size: x-small;\">\u5fa9\u53f7\u5316 <\/span><\/li>\n<li><span style=\"font-size: x-small;\">\u5165\u529bACL\u30c1\u30a7\u30c3\u30af<\/span><\/li>\n<li><span style=\"font-size: x-small;\">\u5165\u529b\u30ec\u30fc\u30c8\u5236\u9650\u3092\u30c1\u30a7\u30c3\u30af <\/span><\/li>\n<li><span style=\"font-size: x-small;\">\u5165\u529b\u30a2\u30ab\u30a6\u30f3\u30c6\u30a3\u30f3\u30b0 <\/span><\/li>\n<li><span style=\"font-size: x-small;\">Web \u30ad\u30e3\u30c3\u30b7\u30e5\u306b\u30ea\u30c0\u30a4\u30ec\u30af\u30c8 <\/span><\/li>\n<li><span style=\"color: red; font-size: x-small;\"><b>Outside\u304b\u3089Inside\u3078\u306e NAT<\/b><\/span><\/li>\n<li><span style=\"font-size: x-small;\">\u30dd\u30ea\u30b7\u30fc \u30eb\u30fc\u30c6\u30a3\u30f3\u30b0 <\/span><\/li>\n<li><span style=\"font-size: x-small;\"><b>\u30eb\u30fc\u30c6\u30a3\u30f3\u30b0 <\/b><\/span><\/li>\n<li><span style=\"font-size: x-small;\">\u30af\u30ea\u30d7\u30c8\uff08\u6697\u53f7\u5316\u7528\u306e\u30de\u30c3\u30d7\u306e\u30c1\u30a7\u30c3\u30af\u3068\u30de\u30fc\u30af\uff09 <\/span><\/li>\n<li><span style=\"font-size: 
x-small;\">\u51fa\u529b\u30a2\u30af\u30bb\u30b9 \u30ea\u30b9\u30c8\u3092\u30c1\u30a7\u30c3\u30af <\/span><\/li>\n<li><span style=\"font-size: x-small;\">CBAC \u691c\u67fb <\/span><\/li>\n<li><span style=\"font-size: x-small;\">TCP \u30a4\u30f3\u30bf\u30fc\u30bb\u30d7\u30c8 <\/span><\/li>\n<li><span style=\"font-size: x-small;\">\u6697\u53f7\u5316 <\/span><\/li>\n<li><span style=\"font-size: x-small;\">\u30ad\u30e5\u30fc\u30a4\u30f3\u30b0<\/span><\/li>\n<\/ol>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table border=\"0\" cellpadding=\"2\" cellspacing=\"0\" style=\"width: 100%px;\">\n<tbody>\n<tr><\/tr>\n<\/tbody>\n<\/table>\n<p><\/p>\n<h3>\u30d7\u30c1\u89e3\u8aac  <\/h3>\n<p><b>@R1<\/b><br \/>NAT\u5909\u63db\u5f8c\u306e\u30a2\u30c9\u30ec\u30b9\u3092R2\u3078\u5411\u3051\u307e\u3059\u3002 <\/p>\n<pre>ip route 172.20.10.0 255.255.255.0 10.10.10.2<br \/><\/pre>\n<p>VPC1\u304b\u3089\u306e\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u3092R2(NAT\u30dc\u30c3\u30af\u30b9)\u3078\u637b\u3058\u66f2\u3052\u307e\u3059\u3002<\/p>\n<pre>interface Ethernet0\/2<br \/> description to R4<br \/> ip address 192.168.1.1 255.255.255.0<br \/> ip policy route-map PBR<br \/>!<br \/>!<br \/>ip access-list extended PBR<br \/> permit ip 172.16.10.0 0.0.0.255 any<br \/>!<br \/>!<br \/>route-map PBR permit 10<br \/> match ip address PBR<br \/> set ip next-hop 10.10.10.2<\/pre>\n<p><b>@R2<\/b><br \/>\u7269\u7406IF\u3092inside\u306b\u6307\u5b9a\u3057\u307e\u3059\u3002<\/p>\n<pre>interface Ethernet0\/0<br \/> description to R1<br \/> ip address 10.10.10.2 255.255.255.0<br \/> ip nat inside<br \/> ip virtual-reassembly in<br \/><\/pre>\n<p>Loopback\u3092outside\u306b\u6307\u5b9a\u3057\u307e\u3059\u3002<\/div>\n<pre>interface Loopback0<br \/> ip address 1.1.1.1 255.255.255.255<br \/> ip nat outside<br \/> ip virtual-reassembly in<br \/><\/pre>\n<p>NAT\u8a2d\u5b9a\u3002IOS15\u4ee5\u964d\u306fno-alias\u304c\u5fc5\u8981\u3067\u3059\u3002<\/p>\n<pre>ip nat inside source static network 172.16.10.0 172.20.10.0 \/24
no-alias<\/pre>\n<p>inside global\u306e\u30a2\u30c9\u30ec\u30b9\u3092\u81ea\u8eab\u306b\u6301\u305f\u305b\u308b\u305f\u3081Static Route\u3092\u7269\u7406IF\u3078\u6307\u5b9a\u3057\u307e\u3059\u3002 <br \/>\u304c, \u3053\u306e\u69cb\u6210\u3067\u306f\u306a\u304f\u3066\u3082\u3044\u3051\u307e\u3057\u305f\u3002(NAT\u306e\u51e6\u7406\u30d5\u30ed\u30fc\u898b\u308b\u3068\u4e0d\u8981\u306a\u6c17\u304c\u3059\u308b\u3093\u3067\u3059\u304c\u672a\u3060\u7406\u89e3\u3067\u304d\u305a\u3002)<\/p>\n<pre>ip route 172.20.10.0 255.255.255.0 Ethernet0\/0<br \/><\/pre>\n<p>NAT\u5bfe\u8c61\u3068\u306a\u308b\u901a\u4fe1\u3092PBR\u3067Loopback\u30a4\u30f3\u30bf\u30d5\u30a7\u30fc\u30b9(outside IF)\u3078\u9001\u308a\u8fbc\u307f\u307e\u3059\u3002\u3053\u308c\u3067inside-outside\u306b\u507d\u88c5\u3057\u307e\u3059\u3002 <\/p>\n<pre>interface Ethernet0\/0<br \/> description to R1<br \/> ip address 10.10.10.2 255.255.255.0<br \/> ip nat inside<br \/> no ip virtual-reassembly in<br \/> ip policy route-map NAT<br \/>!<br \/>!<br \/>ip access-list extended PBR<br \/> permit ip 172.16.10.0 0.0.0.255 any<br \/> permit ip any 172.20.10.0 0.0.0.255<br \/>!<br \/>!<br \/>route-map NAT permit 10<br \/> match ip address PBR<br \/> set interface Loopback0<br \/>!<br \/><\/pre>\n<p>\u901a\u4fe1\u78ba\u8a8d\u3002<\/p>\n<pre>VPCS&gt; ping 172.16.20.1<br \/><br \/>84 bytes from 172.16.20.1 icmp_seq=1 ttl=251 time=1.802 ms<br \/>84 bytes from 172.16.20.1 icmp_seq=2 ttl=251 time=3.606 ms<br \/>84 bytes from 172.16.20.1 icmp_seq=3 ttl=251 time=4.168 ms<br \/>84 bytes from 172.16.20.1 icmp_seq=4 ttl=251 time=3.517 ms<br \/>84 bytes from 172.16.20.1 icmp_seq=5 ttl=251 time=3.150 ms<br \/><br \/><br \/>R2#sh ip nat translations<br \/>Pro Inside global      Inside local       Outside local      Outside global<br \/>icmp 172.20.10.10:28052 172.16.10.10:28052 172.16.20.1:28052 172.16.20.1:28052<br \/>icmp 172.20.10.10:28308 172.16.10.10:28308 172.16.20.1:28308 172.16.20.1:28308<br \/>icmp 172.20.10.10:28564
172.16.10.10:28564 172.16.20.1:28564 172.16.20.1:28564<br \/>icmp 172.20.10.10:28820 172.16.10.10:28820 172.16.20.1:28820 172.16.20.1:28820<br \/>icmp 172.20.10.10:29076 172.16.10.10:29076 172.16.20.1:29076 172.16.20.1:29076<br \/>--- 172.20.10.10       172.16.10.10       ---                ---<br \/>--- 172.20.10.0        172.16.10.0        ---                ---<br \/>R2#<br \/><br \/>VPCS&gt; ping 172.20.10.10<br \/><br \/>84 bytes from 172.20.10.10 icmp_seq=1 ttl=59 time=2.539 ms<br \/>84 bytes from 172.20.10.10 icmp_seq=2 ttl=59 time=4.796 ms<br \/>84 bytes from 172.20.10.10 icmp_seq=3 ttl=59 time=5.276 ms<br \/>84 bytes from 172.20.10.10 icmp_seq=4 ttl=59 time=4.397 ms<br \/>84 bytes from 172.20.10.10 icmp_seq=5 ttl=59 time=6.855 ms<br \/><br \/>VPCS&gt;<\/pre>\n<h3>\u6ce8\u610f\u70b9<\/h3>\n<div>Loopback IF\u3078\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u3092\u6295\u3052\u308b\u306e\u3067CPU\u51e6\u7406\u306b\u843d\u3061\u307e\u3059\u3002<\/div>\n<div>\u30b9\u30eb\u30fc\u30d7\u30c3\u30c8\u304c\u6c17\u306b\u306a\u308b\u5834\u5408\u306f\u7269\u7406\u7684\u306b(\u3082\u3057\u304f\u306f\u30c8\u30e9\u30f3\u30af\u7b49\u3057\u3066)2\u672c\u30a4\u30f3\u30bf\u30d5\u30a7\u30fc\u30b9\u3092\u7528\u610f\u3057\u305f\u307b\u3046\u304c\u30d9\u30bf\u30fc\u3002<\/div>\n<div>IOS12\u53f0\u306815\u53f0\u3067\u30b3\u30de\u30f3\u30c9\u304c\u82e5\u5e72\u9055\u3046\u306e\u3067\u53e4\u3044\u30d0\u30fc\u30b8\u30e7\u30f3\u3092\u4f7f\u3046\u3068\u304d\u306f\u78ba\u8a8d\u3057\u307e\u3057\u3087\u3046\u3002<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\u4f8b\u3048\u3070NAT\u306b\u5bfe\u5fdc\u3057\u3066\u3044\u306a\u3044\u6a5f\u5668(L3SW\u7b49)\u304c\u3042\u3063\u305f\u3068\u3057\u3066, \u305d\u308c\u3067\u3082NAT\u3057\u306a\u304f\u3066\u306f\u306a\u3089\u306a\u3044\u5834\u5408\u3002\u56f3\u306e\u3088\u3046\u306b\u30ef\u30f3\u30a2\u30fc\u30e0\u3067\u30eb\u30fc\u30bf\u3092\u3064\u306a\u3044\u3067NAT\u30dc\u30c3\u30af\u30b9\u3068\u3059\u308b\u69cb\u6210\u304c\u53d6\u308c\u308b\u3002 
\u56f3\u3067\u306f\u30eb\u30fc\u30bf\u306e\u30a2\u30a4\u30b3\u30f3\u306b\u306a\u3063\u3066\u3044\u308b\u3051\u308c\u3069, \u2026 <span class=\"read-more\"><a href=\"https:\/\/wp.zassoul.com\/?p=516\">\u7d9a\u304d\u3092\u8aad\u3080 &raquo;<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,6,42,15,8],"tags":[],"class_list":["post-516","post","type-post","status-publish","format-standard","hentry","category-cisco","category-it","category-nat","category-network","category-8"],"_links":{"self":[{"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=\/wp\/v2\/posts\/516","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=516"}],"version-history":[{"count":0,"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=\/wp\/v2\/posts\/516\/revisions"}],"wp:attachment":[{"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=516"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=516"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wp.zassoul.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=516"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}