Translating a private IP address to a public IP address statically
Author: 심 완 보 (Shim Wan-bo)
Date: November 9, 1999
This article is offered to my colleagues in the Seoul communications room (서울통신실) and to anyone who wants to put routers to use in practice.
What follows is a sequence of scenarios in which NAT is configured on a Cisco router (SAN_FRAN router) and the result is verified from a 한아 (Hana) router (NEWYORK router).
Explanations that overlap with the scenario demonstrating dynamic NAT have been omitted.
SAN_FRAN#
SAN_FRAN#
SAN_FRAN#sh conf
(The config below translates the 10.1.1.0 network to the 202.30.66.0 network; in particular, the address 10.1.1.1 is mapped uniquely to the address 202.30.66.1.)
Using 1104 out of 131066 bytes
!
version 11.2
no service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname SAN_FRAN
!
enable secret 5 $1$L.Ps$Gd77z0XorAmTdHqnGkkqt.
enable password router
!
ip subnet-zero
ip nat pool net-pool 202.30.66.2 202.30.66.254 netmask 255.255.255.0
ip nat inside source list 9 pool net-pool overload
ip nat inside source static 10.1.1.1 202.30.66.1
(Statically maps 10.1.1.1 to 202.30.66.1.)
: Use this when the internal network contains a server or similar host that must be reachable from the outside.
ip nat pool net-pool2 20.1.1.1 20.1.1.254 netmask 255.255.255.0
ip nat outside source list 9 pool net-pool2
!
interface Loopback0
ip address 202.30.66.254 255.255.255.0
(Configures the loopback address.)
!
interface Ethernet0
ip address 10.1.1.254 255.255.255.0
ip nat inside
media-type 10BaseT
!
interface Serial0
ip address 210.109.216.1 255.255.255.0
ip nat outside
!
interface Serial1
no ip address
shutdown
!
router rip
network 210.109.216.0
network 202.30.66.0
!
ip classless
access-list 9 permit 10.1.1.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
password router
login
!
end
[ The steps below verify the configuration above ]
SAN_FRAN#
SAN_FRAN#
SAN_FRAN#
SAN_FRAN#sh ip route
: The 10.1.1.0 network is present in the routing table.
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
U - per-user static route, o - ODR
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, Ethernet0
C 210.109.216.0/24 is directly connected, Serial0
R 202.30.68.0/24 [120/1] via 210.109.216.2, 00:00:26, Serial0
C 202.30.66.0/24 is directly connected, Loopback0
SAN_FRAN#
SAN_FRAN#
SAN_FRAN#
SAN_FRAN#clear ip nat s
SAN_FRAN#
SAN_FRAN#sh ip nat s
: One static NAT translation and one dynamic NAT translation are active.
Total active translations: 2 (1 static, 1 dynamic; 1 extended)
Outside interfaces: Serial0
Inside interfaces: Ethernet0
Hits: 13 Misses: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
access-list 9 pool net-pool refcount 1
pool net-pool: netmask 255.255.255.0
start 202.30.66.2 end 202.30.66.254
type generic, total addresses 252, allocated 1 (0%), misses 0
-- Outside Source
access-list 9 pool net-pool2 refcount 0
pool net-pool2: netmask 255.255.255.0
start 20.1.1.1 end 20.1.1.254
type generic, total addresses 254, allocated 0 (0%), misses 0
SAN_FRAN#
SAN_FRAN#
SAN_FRAN#clear ip nat t *
SAN_FRAN#sh ip nat t
: Address 10.1.1.1 is being translated uniquely to address 202.30.66.1.
Pro Inside global      Inside local       Outside local      Outside global
--- 202.30.66.1        10.1.1.1           ---                ---
SAN_FRAN#
SAN_FRAN#
SAN_FRAN#ping 202.30.68.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.30.68.241, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
SAN_FRAN#
SAN_FRAN#
SAN_FRAN#telnet 202.30.68.254
Trying 202.30.68.254 ... Open
RUSTLE Login: router
Welcome to "Rustle Router-4501"
Login O.K.(Type ? for help, Type CTL-C for interrupt.)
NEWYORK> conf
Enter config password : ******
NEWYORK(config)>> sh route act
: The 10.1.1.0 network is not being learned into the routing table.
net mask gateway mt if prot ttl ucnt mapid
127.0.0.1 255.255.255.255 127.0.0.1 0 0 Static - 0
202.30.66.0 255.255.255.0 210.109.216.1 2 2 RIP 178 6229 0
202.30.68.0 255.255.255.0 202.30.68.254 0 1 Static - 7049
210.109.216.0 255.255.255.0 210.109.216.2 0 2 Static - 740 0
224.0.0.1 240.0.0.0 224.0.0.1 0 1 Static - 2
NEWYORK(config)>>
NEWYORK(config)>>
NEWYORK(config)>> ping 202.30.66.1
(PING replies are coming back from 202.30.66.1, the address statically tied to 10.1.1.1.
- In other words, this shows that a server can be operated on a private network as well.)
PING to 202.30.66.1
64 octets from 202.30.66.1: icmp_seq 0, time=8ms
64 octets from 202.30.66.1: icmp_seq 1, time=8ms
64 octets from 202.30.66.1: icmp_seq 2, time=8ms
64 octets from 202.30.66.1: icmp_seq 3, time=8ms
64 octets from 202.30.66.1: icmp_seq 4, time=8ms
64 octets from 202.30.66.1: icmp_seq 5, time=8ms
64 octets from 202.30.66.1: icmp_seq 6, time=8ms
64 octets from 202.30.66.1: icmp_seq 7, time=8ms
64 octets from 202.30.66.1: icmp_seq 8, time=8ms
64 octets from 202.30.66.1: icmp_seq 9, time=8ms
received 10/10 packets (0 % loss)
NEWYORK(config)>>
NEWYORK(config)>>
NEWYORK(config)>>
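As an added illustration (not part of the original article and not Cisco code), here is a small Python model of the SAN_FRAN translation logic from the config above: the static entry takes precedence, access-list 9 decides who may use the overloaded pool, and an inbound packet from Serial0 only reaches the inside through a static mapping or an already-created dynamic entry, which is why the server at 10.1.1.1 needs the static line. Port allocation for overload is a simplification (IOS keeps the original source port when it is free); the NatTable class and its methods are assumed names.

```python
import ipaddress

# Constructed model of the SAN_FRAN NAT config on this page (not Cisco code).
STATIC = {"10.1.1.1": "202.30.66.1"}               # ip nat inside source static
ACL9 = ipaddress.ip_network("10.1.1.0/24")         # access-list 9 permit 10.1.1.0 0.0.0.255
POOL_START = ipaddress.ip_address("202.30.66.2")   # pool net-pool 202.30.66.2-.254, overload


class NatTable:
    """Simplified inside-source NAT table: Ethernet0 (inside) <-> Serial0 (outside)."""

    def __init__(self):
        self.dynamic = {}       # (inside local, port) -> (inside global, port)
        self.next_port = 1024   # simplification: IOS reuses the original port when free

    def inside_to_outside(self, src, sport):
        """Translate an outbound packet; returns the (inside global, port) it leaves with."""
        if src in STATIC:                          # static entry wins: 1:1, port untouched
            return STATIC[src], sport
        if ipaddress.ip_address(src) not in ACL9:  # not matched by list 9: untranslated
            return src, sport
        key = (src, sport)
        if key not in self.dynamic:                # overload: share one address, vary port
            self.dynamic[key] = (str(POOL_START), self.next_port)
            self.next_port += 1
        return self.dynamic[key]

    def outside_to_inside(self, dst, dport):
        """Inbound packet: only a static mapping or an existing dynamic entry
        matches; anything else has no translation and is dropped (None)."""
        for local, glob in STATIC.items():
            if glob == dst:
                return local, dport
        for (local, lport), (glob, gport) in self.dynamic.items():
            if (glob, gport) == (dst, dport):
                return local, lport
        return None

    def show_translations(self):
        """Render the table in the layout of 'sh ip nat t'."""
        rows = ["Pro Inside global      Inside local       Outside local      Outside global"]
        for local, glob in STATIC.items():
            rows.append(f"--- {glob:<18} {local:<18} ---                ---")
        for (local, lport), (glob, gport) in self.dynamic.items():
            g, l = f"{glob}:{gport}", f"{local}:{lport}"
            rows.append(f"tcp {g:<18} {l:<18} ---                ---")
        return "\n".join(rows)


if __name__ == "__main__":
    t = NatTable()
    t.inside_to_outside("10.1.1.1", 23)      # the server, statically mapped
    t.inside_to_outside("10.1.1.5", 40000)   # a workstation, PAT through the pool
    print(t.show_translations())
    print(t.outside_to_inside("202.30.66.1", 80))    # unsolicited inbound to server works
    print(t.outside_to_inside("202.30.66.2", 9999))  # no entry: None
```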