This section shows some examples of NAT configuration.
Suppose the following situation.
Type the following command to allow the “inside” network 192.168.1.0/24 to reach the “outside” network 10.0.0.0/24, using the CPX IP address (10.0.0.1) as the “alias” and enabling Port Address Translation (PAT).
```
[08:57:37] ABILIS_CPX:_d nat

UPNP maps not present

Configured maps
-------------------------------------------------------------------------------
PR: [DESCR:] INAT: ADD: SNET: DNET: ANET: ONAT: SPO: DPO: APO: PAT: SIP: DIP: PROT: TOUT:
-------------------------------------------------------------------------------
0 IN SRC Ip-1 * OUT-IP OUT * * AUTO YES
-------------------------------------------------------------------------------

[08:57:46] ABILIS_CPX:_a nat pr:1 inat:in onat:out add:src snet:192.168.1.0/24 anet:10.0.0.1/32 pat:yes
COMMAND EXECUTED

[08:58:38] ABILIS_CPX:_d nat

UPNP maps not present

Configured maps - Not Saved (SAVE CONF), Not Refreshed (INIT) ---------------------------------
-------------------------------------------------------------------------------
PR: [DESCR:] INAT: ADD: SNET: DNET: ANET: ONAT: SPO: DPO: APO: PAT: SIP: DIP: PROT: TOUT:
-------------------------------------------------------------------------------
...
-------------------------------------------------------------------------------
1 IN SRC 192.168.001.000/24 * 010.000.000.001/32 OUT * * AUTO YES
-------------------------------------------------------------------------------

[08:58:44] ABILIS_CPX:_init nat
COMMAND EXECUTED
```
After applying this rule, a host in the “inside” network 192.168.1.0/24 can reach the “outside” network 10.0.0.0/24:

```
ubuntu@ubuntu:~$ ifconfig
eth0      Link encap:Ethernet  HWaddr 20:cf:30:42:36:9c
          inet addr:192.168.1.3  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::22cf:30ff:fe42:369c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5511 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3044 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5509729 (5.5 MB)  TX bytes:255424 (255.4 KB)
          Interrupt:47

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:83 errors:0 dropped:0 overruns:0 frame:0
          TX packets:83 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:8610 (8.6 KB)  TX bytes:8610 (8.6 KB)

wlan0     Link encap:Ethernet  HWaddr 74:f0:6d:7d:08:25
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ubuntu@ubuntu:~$ ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_req=1 ttl=127 time=1.19 ms
64 bytes from 10.0.0.2: icmp_req=2 ttl=127 time=1.06 ms
64 bytes from 10.0.0.2: icmp_req=3 ttl=127 time=1.10 ms
64 bytes from 10.0.0.2: icmp_req=4 ttl=127 time=1.12 ms
^C
--- 10.0.0.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 1.067/1.123/1.199/0.053 ms
```
Example of IP packet translation:

Table 21.1. Example of IP packet translation

| | Source IP address | Destination IP address |
|---|---|---|
| Before translation | 192.169.1.2:XXX | 10.0.0.3:ZZZ |
| After translation | 10.0.0.1:YYY | 10.0.0.3:ZZZ |
Goal description. We have just one public IP address. Inside the LAN there are three servers, each with its own IP address, running the same service with different contents, e.g. a commercial web site, a technical web site and a restricted-access web site. Abilis must be configured so that each server can be reached using the public IP address.

From the outside network (for example the Internet), the three servers are seen as:

- 192.168.1.100:81 - main HTTP server of our company
- 192.168.1.100:82 - HTTP server for technical support
- 192.168.1.100:83 - HTTP server for developers

The following records have been added to the NAT static table:
```
[12:08:06] ABILIS_CPX:_a nat pr:1 inat:out onat:in add:dst dnet:192.168.1.100/32 anet:192.168.30.11/32 pat:yes prot:tcp dpo:81 apo:80
COMMAND EXECUTED

[12:08:16] ABILIS_CPX:_a nat pr:2 inat:out onat:in add:dst dnet:192.168.1.100/32 anet:192.168.30.12/32 pat:yes prot:tcp dpo:82 apo:80
COMMAND EXECUTED

[12:08:20] ABILIS_CPX:_a nat pr:3 inat:out onat:in add:dst dnet:192.168.1.100/32 anet:192.168.30.13/32 pat:yes prot:tcp dpo:83 apo:80
COMMAND EXECUTED

[12:11:16] ABILIS_CPX:_d nat

UPNP maps not present

Configured maps - Not Saved (SAVE CONF), Not Refreshed (INIT) ---------------------------------
-------------------------------------------------------------------------------
PR: [DESCR:] INAT: ADD: SNET: DNET: ANET: ONAT: SPO: DPO: APO: PAT: SIP: DIP: PROT: TOUT:
-------------------------------------------------------------------------------
0 IN SRC Ip-1 * OUT-IP OUT * * AUTO YES
-------------------------------------------------------------------------------
1 OUT DST * 192.168.001.100/32 192.168.030.011/32 IN * 81 http(80) YES * * TCP SYS
-------------------------------------------------------------------------------
2 OUT DST * 192.168.001.100/32 192.168.030.012/32 IN * 82 http(80) YES * * TCP SYS
-------------------------------------------------------------------------------
3 OUT DST * 192.168.001.100/32 192.168.030.013/32 IN * 83 http(80) YES * * TCP SYS
-------------------------------------------------------------------------------

[12:11:19] ABILIS_CPX:_init nat
COMMAND EXECUTED
```
Table 21.2. Example of IP packet translation

| | Source IP address | Destination IP address |
|---|---|---|
| Destination translation | | |
| Before translation | XXX.XXX.XXX.XXX:YYY | 192.168.1.100:81 |
| After translation | XXX.XXX.XXX.XXX:YYY | 192.168.30.11:80 |
| Destination translation | | |
| Before translation | XXX.XXX.XXX.XXX:YYY | 192.168.1.100:82 |
| After translation | XXX.XXX.XXX.XXX:YYY | 192.168.30.12:80 |
| Destination translation | | |
| Before translation | XXX.XXX.XXX.XXX:YYY | 192.168.1.100:83 |
| After translation | XXX.XXX.XXX.XXX:YYY | 192.168.30.13:80 |
Connect the Ethernet cards following the scheme below.

The NAT resource must be configured so that:

- servers located in the DMZ are reachable from the external interface
- computers inside the LAN can reach the Internet and the servers
- servers located in the DMZ cannot reach computers inside the LAN

Assuming that the IP addresses are already assigned to the network interfaces, the IP resources must be configured in the following way:
```
[19:00:30] ABILIS_CPX:s p ip-1 nat:outside
COMMAND EXECUTED

[19:00:42] ABILIS_CPX:s p ip-20 nat:inside
COMMAND EXECUTED

[19:00:52] ABILIS_CPX:s p ip-21 nat:dmz
COMMAND EXECUTED

[19:01:00] ABILIS_CPX:d p ip-1

RES:Ip-1 - Not Saved (SAVE CONF), Not Refreshed (INIT) ------------------------
- IP over LAN (LAN) ----------------------------------------------------
Run DESCR:Lan_locale
OPSTATE:UP LOG:NO STATE-DETECT:NORMAL
LANRES:Eth-1 IPADD:192.168.000.201 MASK:255.255.255.000 REDIS:YES HIDE:NO
RP:NONE IPSEC:NO VRRP:NO NAT:OUTSIDE UPNP:NO DIFFSERV:NO DDNS:NO
OUTBUF:100 OUTQUEUE:FAIR MTU:1500 BRD:NET OUTSPL:NO INBUF:0 mru:1500 SRCV:NO
- TRFA section ---------------------------------------------------------
TRFA:YES TRFA-MODE:TOTALS
- Lan ------------------------------------------------------------------
LLOG:NO arpcache:200 CACHETIMER:120 rxbuf:4 txbuf:14 VLAN-ID:UNTAG
RES:Eth-1 ---------------------------------------------------------------------
Run DESCR:
LOG:DS MODE:AUTO DUPLEX:HALF dma-rxbuf:250 dma-txbuf:25 max-vlans:0
ip-rxbuf:25 arp-rxbuf:5 pppoed-rxbuf:5 pppoes-rxbuf:25

[19:01:12] ABILIS_CPX:d p ip-20

RES:Ip-20 - Not Saved (SAVE CONF), Not Refreshed (INIT) -----------------------
- IP over LAN (LAN) ----------------------------------------------------
Run DESCR:
OPSTATE:UP LOG:NO STATE-DETECT:NORMAL
LANRES:Eth-2 IPADD:192.168.030.001 MASK:255.255.255.000 REDIS:YES HIDE:NO
RP:NONE IPSEC:NO VRRP:NO NAT:INSIDE UPNP:NO DIFFSERV:NO DDNS:NO
OUTBUF:100 OUTQUEUE:FAIR MTU:1500 BRD:NET OUTSPL:NO INBUF:0 mru:1500 SRCV:NO
- TRFA section ---------------------------------------------------------
TRFA:YES TRFA-MODE:TOTALS
- Lan ------------------------------------------------------------------
LLOG:NO arpcache:200 CACHETIMER:120 rxbuf:4 txbuf:14 VLAN-ID:UNTAG
RES:Eth-2 ---------------------------------------------------------------------
Run DESCR:
LOG:DS MODE:AUTO DUPLEX:HALF dma-rxbuf:250 dma-txbuf:25 max-vlans:0
ip-rxbuf:25 arp-rxbuf:5 pppoed-rxbuf:5 pppoes-rxbuf:25

[19:01:16] ABILIS_CPX:d p ip-21

RES:Ip-21 - IP over LAN (LAN) -------------------------------------------------
Run DESCR:
OPSTATE:UP LOG:NO STATE-DETECT:NORMAL
LANRES:Eth-3 IPADD:192.168.031.001 MASK:255.255.255.000 REDIS:YES HIDE:NO
RP:NONE IPSEC:NO VRRP:NO NAT:DMZ DIFFSERV:NO DDNS:NO
OUTBUF:100 OUTQUEUE:FAIR MTU:1500 BRD:NET OUTSPL:NO INBUF:0 mru:1500 SRCV:NO
- TRFA section ---------------------------------------------------------
TRFA:YES TRFA-MODE:TOTALS
- Lan ------------------------------------------------------------------
LLOG:NO arpcache:200 CACHETIMER:120 rxbuf:4 txbuf:14 VLAN-ID:UNTAG
RES:Eth-3 ---------------------------------------------------------------------
Run DESCR:
LOG:DS MODE:AUTO DUPLEX:HALF dma-rxbuf:250 dma-txbuf:25 max-vlans:0
ip-rxbuf:25 arp-rxbuf:5 pppoed-rxbuf:5 pppoes-rxbuf:25

[19:01:21] ABILIS_CPX:init res:ip-1
COMMAND EXECUTED

[19:01:33] ABILIS_CPX:init res:ip-20
COMMAND EXECUTED

[19:01:36] ABILIS_CPX:init res:ip-21
COMMAND EXECUTED

[19:01:38] ABILIS_CPX:save conf
VALIDATION IN PROGRESS ...
VALIDATION SUCCESSFULLY EXECUTED
SAVE EXECUTED
```
Add the following rules to the NAT Aliases table:

```
[08:33:30] ABILIS_CPX:a nat pr:1 inat:in onat:dmz add:src snet:192.168.30.0/24 dnet:192.168.31.0/24 anet:192.168.31.0/32 apo:auto pat:yes
COMMAND EXECUTED

[08:34:23] ABILIS_CPX:a nat pr:2 inat:out onat:dmz add:dst snet:* dnet:192.168.0.201/32 danet:192.168.31.0/24 pat:yes prot:tcp dpo:80 apo:80
COMMAND EXECUTED

[08:35:13] ABILIS_CPX:a nat pr:3 inat:in onat:out add:src snet:192.168.30.0/24 anet:192.168.0.201/32 pat:yes
COMMAND EXECUTED

[08:36:33] ABILIS_CPX:d nat

UPNP maps not present

Configured maps - Not Saved (SAVE CONF), Not Refreshed (INIT) ---------------------------------
-------------------------------------------------------------------------------
PR: [DESCR:] INAT: ADD: SNET: DNET: ANET: ONAT: SPO: DPO: APO: PAT: SIP: DIP: PROT: TOUT:
-------------------------------------------------------------------------------
...
-------------------------------------------------------------------------------
1 IN SRC 192.168.030.000/24 192.168.031.000/24 192.168.031.001/32 DMZ * * AUTO YES
-------------------------------------------------------------------------------
2 IN SRC 192.168.030.000/24 * 192.168.000.201/32 OUT * * AUTO YES
-------------------------------------------------------------------------------
3 OUT DST * 192.168.000.201/32 192.168.031.100/32 DMZ * * AUTO YES
-------------------------------------------------------------------------------

[08:36:40] ABILIS_CPX:init nat
COMMAND EXECUTED

[08:36:51] ABILIS_CPX:save conf
COMMAND EXECUTED
```
Rule PR:1 allows the LAN to reach the servers located in the DMZ, rule PR:2 allows the server with IP address 192.168.31.100 located in the DMZ to be reached from the Internet, and rule PR:3 allows the LAN to reach the Internet.
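The following is an added example, not Abilis code: a small Python model of the NAT map table as displayed by `d nat`, which reproduces the translations of Table 21.1 and Table 21.2 (source NAT with PAT, and destination NAT with port mapping) and the DMZ maps above. It checks each map in PR order on the INAT/ONAT pair, SNET/DNET, PROT and DPO, then replaces the source or destination with ANET and the port with APO. The hosts, ports and the PAT port pool are constructed for the demonstration, and "no map matches" is how the model expresses the goal that the DMZ cannot reach the LAN.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import count

@dataclass
class NatMap:  # one row of the NAT table: PR, INAT, ONAT, ADD, ANET, SNET, DNET, DPO, APO, PROT
    pr: int
    inat: str
    onat: str
    add: str          # "src" or "dst": which address the alias replaces
    anet: str         # alias network: the replacement address
    snet: str = "*"
    dnet: str = "*"
    dpo: str = "*"    # destination port to match ("*" = any)
    apo: str = "auto" # alias port; "auto" keeps the port (dst) or allocates one (src)
    prot: str = "*"

_PAT_PORTS = count(40000)  # constructed PAT port pool: one fresh port per translation

def _match(net, addr):
    return net == "*" or ip_address(addr) in ip_network(net, strict=False)

def translate(maps, pkt):
    """First matching map by PR -> (src, sport, dst, dport); None if no map matches.
    pkt is a dict with keys inat, onat, prot, src, sport, dst, dport."""
    for m in sorted(maps, key=lambda m: m.pr):
        if (m.inat, m.onat) != (pkt["inat"], pkt["onat"]):
            continue
        if m.prot != "*" and m.prot != pkt["prot"]:
            continue
        if not (_match(m.snet, pkt["src"]) and _match(m.dnet, pkt["dst"])):
            continue
        if m.dpo != "*" and int(m.dpo) != pkt["dport"]:
            continue
        alias = str(ip_network(m.anet, strict=False).network_address)
        if m.add == "src":
            # source NAT + PAT: alias IP and a fresh source port (YYY in Table 21.1)
            return (alias, next(_PAT_PORTS), pkt["dst"], pkt["dport"])
        # destination NAT: alias IP (and APO, if set) replace the public address:port
        port = pkt["dport"] if m.apo == "auto" else int(m.apo)
        return (pkt["src"], pkt["sport"], alias, port)
    return None

DMZ_MAPS = [  # maps as displayed by "d nat" in the DMZ example above
    NatMap(1, "in", "dmz", "src", "192.168.31.1/32", snet="192.168.30.0/24", dnet="192.168.31.0/24"),
    NatMap(2, "in", "out", "src", "192.168.0.201/32", snet="192.168.30.0/24"),
    NatMap(3, "out", "dmz", "dst", "192.168.31.100/32", dnet="192.168.0.201/32"),
]
PORT_MAPS = [  # Table 21.2: three web servers behind the single address 192.168.1.100
    NatMap(p - 80, "out", "in", "dst", f"192.168.30.{p - 70}/32", dnet="192.168.1.100/32",
           dpo=str(p), apo="80", prot="tcp") for p in (81, 82, 83)
]
```

A packet that matches no map (for instance DMZ to LAN, or a TCP request to 192.168.1.100 on a port other than 81-83) returns None, which is the case to watch when checking that a map set really limits what the DMZ can reach.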