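Each address class has its own private IP range
(address translation is required)
IP:port - public IP (several IPs share one public IP)
public IP:port - public IP
(→ a public IP may also be used)
InterNIC - KRNIC - KISA
Static NAT: one private IP to one public IP, 1:1
> must first be defined with a standard ACL
Dynamic NAT: many private IPs to many public IPs, 1:1
Dynamic NAT-PAT: many private IPs to one public IP (the most commonly used)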
Static NAT
Router(config)#ip nat inside source static <inside-local> <inside-global>
Dynamic NAT
Router(config)#ip nat inside source list <list-number> pool <name>   (source = the originating address)
Dynamic NAT-Pat
Router(config)#ip nat inside source list <list-number> pool <name> overload   (source = the originating address)
Home router (IP sharer) > provides NAT and DHCP
Server1 Server2
PC1 PC2
Router 1)
en
conf t
int f0/0
ip add 10.0.0.254 255.255.255.0
no sh
do wr
int f0/1
ip add 100.100.100.1 255.255.255.248
no sh
do wr
exit
rou os 10
net 10.0.0.0 0.0.0.255 area 10
net 100.100.100.0 0.0.0.7 area 10
pass f0/0
do wr
Router 2)
en
conf t
int f0/0
ip add 10.0.1.254 255.255.255.0
no sh
do wr
int f0/1
ip add 100.100.100.2 255.255.255.248
no sh
do wr
exit
rou os 10
net 10.0.1.0 0.0.0.255 area 10
net 100.100.100.0 0.0.0.7 area 10
pass f0/0
do wr
exit
do clear ip ospf process
yes
int f0/1
ip os he 40
do wr
int f0/0
ip os he 40
do wr
do sh ip os neighbor
do debug ip ospf events
Router 1)
en
conf t
lin con 0
logg syn
exit
int f0/0
ip nat inside
int f0/1
ip nat outside
exit
ip nat inside source static 10.0.0.1 100.100.100.3
do wr
Port forwarding > Advanced NAT > DMZ
Router 1)
access-list 1 permit 10.0.0.0 0.0.0.255
ip nat pool babo 100.100.100.3 100.100.100.6 netmask 255.255.255.248
ip nat inside source list 1 pool babo
Router 2)
en
sh ip nat translations
Router 1)
no access-list 1
no ip nat inside source list 1 pool babo
no ip nat pool babo
ip nat pool babo 100.100.100.1 100.100.100.1 netmask 255.255.255.248
access-list 1 permit 10.0.0.0 0.0.0.255
ip nat inside source list 1 pool babo overload
no ip nat inside source list 1 pool babo overload
int f0/0
no ip nat inside
int f0/1
no ip nat outside
exit
no ip nat pool babo
no ip nat inside source list 1 pool babo overload
no access-list 1
no ip nat pool babo
int f0/0
ip nat inside
exit
int f0/1
ip nat outside
exit
access-list 1 permit 10.0.0.0 0.0.0.255
ip nat pool babo 100.100.100.3 100.100.100.6 netmask 255.255.255.248
ip nat inside source list 1 pool babo
do sh ip nat tr
When a home router is used, direct attacks are not possible
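Added example (not part of the original notes): a simplified Python model of the static NAT, dynamic NAT and PAT modes configured above, using the lab's addresses, to show which outside packets can reach an inside host in each mode. The NatRouter class and the sequential port allocation starting at 1024 are constructed for illustration and do not reproduce IOS's real port selection or entry timeouts.

```python
class NatRouter:
    """Toy model of an IOS inside-source NAT table (simplified)."""

    def __init__(self, pool=(), overload_ip=None):
        self.static = {}              # inside local -> inside global (static NAT)
        self.dynamic = {}             # inside local -> inside global (dynamic NAT)
        self.free = list(pool)        # pool addresses not yet handed out
        self.overload_ip = overload_ip
        self.pat = {}                 # global port -> (inside local, local port)
        self.next_port = 1024         # constructed; IOS chooses ports differently

    def outbound(self, local, lport):
        """Translate an inside source; return (global ip, port) or None."""
        if local in self.static:
            return self.static[local], lport
        if self.overload_ip:          # PAT: every host shares one address
            for gport, entry in self.pat.items():
                if entry == (local, lport):
                    return self.overload_ip, gport
            gport, self.next_port = self.next_port, self.next_port + 1
            self.pat[gport] = (local, lport)
            return self.overload_ip, gport
        if local not in self.dynamic: # dynamic NAT: one pool address per host
            if not self.free:
                return None           # pool exhausted: translation fails
            self.dynamic[local] = self.free.pop(0)
        return self.dynamic[local], lport

    def inbound(self, global_ip, gport):
        """Inside (ip, port) an outside packet reaches, or None if dropped."""
        for table in (self.static, self.dynamic):
            for local, mapped in table.items():
                if mapped == global_ip:
                    return local, gport   # 1:1 entry: every port is reachable
        if global_ip == self.overload_ip:
            return self.pat.get(gport)    # PAT: only ports with a live entry
        return None


if __name__ == "__main__":
    hosts = [f"10.0.0.{n}" for n in range(1, 6)]            # five inside PCs
    dyn = NatRouter(pool=[f"100.100.100.{n}" for n in range(3, 7)])
    print([dyn.outbound(h, 40000) for h in hosts])          # fifth host fails
    pat = NatRouter(overload_ip="200.200.200.1")
    print([pat.outbound(h, 40000) for h in hosts])          # all share one IP
    print(pat.inbound("200.200.200.1", 3389))               # unsolicited: None
    stat = NatRouter()
    stat.static["10.0.0.1"] = "100.100.100.3"
    print(stat.inbound("100.100.100.3", 22))                # static: reachable
```

The static and dynamic 1:1 entries expose every port of the mapped inside host, so they need an inbound ACL or firewall rule; PAT only admits packets that match an existing translation.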
Router 1
en
conf t
host Seoul_R1
ena se babo
ser p
line con 0
exec 0 0
logg syn
pass babo1
login
line vty 0 4
exec 0 0
logg syn
pass babo2
login
int f0/0
ip add 10.0.0.254 255.255.255.0
no sh
int f0/1
ip add 200.200.200.1 255.255.255.248
no sh
do wr
rout ei 100
net 10.0.0.0 0.0.0.255
net 200.200.200.0 0.0.0.7
pass f0/0
do wr
Router 2
en
conf t
host Busan_R1
ena se babo
ser p
line con 0
exec 0 0
logg syn
pass babo1
login
line vty 0 4
exec 0 0
logg syn
pass babo2
login
int f0/0
ip add 172.16.0.254 255.255.255.0
no sh
int f0/1
ip add 200.200.200.2 255.255.255.248
no sh
do wr
rout ei 100
net 172.16.0.0 0.0.0.255
net 200.200.200.0 0.0.0.7
pass f0/0
do wr
Router 1
access-list 1 permit 10.0.0.0 0.0.0.255
ip nat pool babo 200.200.200.1 200.200.200.1 netmask 255.255.255.248
int f0/0
ip nat inside
int f0/1
ip nat outside
exit
ip nat inside source list 1 pool babo overload
白柯