Tutorial Archiver v2.0

Tutorial Archiver v2.0 -> Cisco

	Cisco NAT рутер с PPPoE конекция Как се прави Cisco NAT рутер с PPPoE конекция
*Cisco NAT рутер с PPPoE конекция* И така, имаме Интернет който получаваме чрез PPPoE. Самата PPPoE сесия ще я дигнем на Cisco рутера ни. Същия ще прави и NAT на нашата вътрешна мрежа която е 192.168.0.0/24 Internet <->(ADSL-Bridg-192.168.1.1)<->(192.168.1.2-Cisco 1700NAT-Routre-10.25.0.1)<->Local Net(10.25.0.0/24) 1. ADSLа ни ще е в Bridge режим. Cisco рутера ще ни дига PPPoE сисията, както и ще ни NATва вътрешната мрежа. Използваме PAP удостоверение. ! VPDN (virtual private dial-up network) позволява на частната Ви мрежа да ! направи връзка с публичната изпълнявайки dail in сървис ! vpdn enable ! Дефиниране на частния интерфейс (интерфейса свърван с локалнат Ви мрежа) ! interface Vlan1 description Connected to Local Net ip address 10.25.0.1 255.255.255.0 ip nat inside ip virtual-reassembly ! Дефиниране на интерфейса свърван с ADSLa ! interface FastEthernet0 description Connected to ADSL ip address 192.168.1.2 255.255.255.0 pppoe enable pppoe-client dial-pool-number 1 ! Cisco предпочита да стартира PPPoE клиента на виртуален „dialer” интерфейс ! Изпълняваме „ip nat” на външния ни интерфейс ! Използваме PAP за удосторверение с име и парола ! Евентуално може да сеним и MTU на 1492 ! interface Dialer1 ip address negotiated ip mtu 1492 ip nat outside ip virtual-reassembly encapsulation ppp dialer pool 1 dialer-group 1 ppp pap sent-username USER password 7 PASS ! Казваме на рутера да NATва целия травик минаващ през: ! 1) Отвънка навътре ! 2) Позволяваме на пакетите да премитаат чрез access list nat ! да преминат до мрежа 10.25.0.0.0/24 ! 3) Позволяваме на външния „public” адрес да се присъедини към ! виртуалния интерфес Dialer1 чрез PPPoE ! ip nat inside source list nat interface Dialer1 overload ip access-list extended nat permit ip 10.25.0.0 0.0.0.255 any dialer-list 1 protocol ip permit ip route 0.0.0.0 0.0.0.0 Dialer1 ! Пренасочваме 80 порт (за WEB сървъра) в DMZ зона (към вътрешен адрес) ! ip nat inside source static tcp 10.25.0.100 80 interface Dialer1 80 1. Вариант – Доставчика ни дава динамично IP (DHCP) ! vpdn enable no vpdn logging !--- Конфигуриране на PPPoE клиента за доставчика ни ! vpdn-group pppoe request-dialin protocol pppoe !--- Конфигуриране на вътрешния мрежови интерфейс !--- IP address !--- Дефениране на "ip nat" на интерфейса !--- 1) Използване на NAT !--- 2) Това е частерн "private" интерфейс ! interface FastEthernet0 ip address 192.168.1.1 255.255.255.0 ip nat inside !--- Конфигуриране на DSL интерфейса !--- Your ISP may provide you with a different pvc !--- value not necesarily "1/1" ! interface ATM0 no ip address no atm ilmi-keepalive bundle-enable dsl operating-mode auto hold-queue 224 in ! interface ATM0.1 point-to-point pvc 1/1 pppoe-client dial-pool-number 1 !--- Cisco предпочита да стартира PPPoE клиента на виртуален !--- "dialer" интерфейс !--- This is tied to the real ATM DSL interface with the !--- "dialer pool" command. The default ethernet MTU !--- size has been reduced from 1500 to accommodate !--- the PPPoE header overhead. ! !--- The "ip nat" statement tells your router that !--- this interface: !--- 1) uses NAT !--- 2) is the outside "public" interface ! interface Dialer1 ip address negotiated ip mtu 1492 ip nat outside encapsulation ppp dialer pool 1 !--- Here are the commands to configure authentication !--- with with your ISP. This example uses the "CHAP" !--- method. !--- Commands for using the "PAP" method are included at !--- the end of this box ! ppp authentication chap callin ppp chap hostname <username> ppp chap password <password>! ! Казваме на рутера да NATва целия травик минаващ през: !--- 1) Отвътре навън, ! 2) Позволяваме на пакетите да премитаат чрез access list nat до мрежа 10.25.0.0.0/24 ! 3) Позволяваме на външния „public” адрес да се присъедини към ! виртуалния интерфес Dialer1 чрез PPPoE ! ip nat inside source list 1 interface Dialer1 overload ip classless ip route 0.0.0.0 0.0.0.0 dialer1 no ip http server ! access-list 1 permit 192.168.1 0.0.0.255 Ако доставчика на интернет използва PAP а не CHAP удостоверение то трябва да подмените следните редове: `ppp authentication chap callin ppp chap hostname <username>ppp chap password <password>` се заменят с: `ppp authentication pap callin ppp pap sent-username <username> password <password>` 2. Вариант – Доставчика ни дава статично IP ! service timestamps debug uptime service timestamps log uptime ! hostname ciscorouter ! ip subnet-zero no ip domain-lookup ! bridge irb !--- Configure the home / SOHO network interface's IP address !--- The "ip nat" statement tells your router that this !--- interface: !--- 1) uses NAT !--- 2) is the inside "private" interface ! interface Ethernet0 ip address 192.168.1.1 255.255.255.0 ip nat inside ! interface ATM0 no ip address no atm ilmi-keepalive pvc 0/35 encapsulation aal5snap ! bundle-enable dsl operating-mode auto bridge-group 1 ! !--- Cisco prefers to run the PPPoE client on a virtual !--- "BVI" interface !--- This is tied to the real ATM DSL interface with the !--- "bridge-group" command above. !--- (The BVI number always matches the bridge-group number) !--- The "ip nat" statement tells your router that !--- this interface: !--- 1) uses NAT !--- 2) is the outside "public" interface ! interface BVI1 ip address 97.158.253.25 255.255.255.248 ip nat outside !--- Tells the router to NAT all traffic that passes !--- through it: !--- 1) From the inside to the outside, !--- 2) And whose IP address is in the 192.168.1.0 network !--- as given in access list 1 !--- 3) Must get an outside "public" address that is the !--- same as interface BVI1 ! ip nat inside source list 1 interface BVI1 overload !--- This statement performs the static address !--- translation for the Web server. With this statement, !--- users trying to reach 97.158.253.26 port 80 (www) will be !--- automatically redirected to 192.168.1.100 port 80 !--- (www), which in this case is the Web server. !--- ! ip nat inside source static tcp 192.168.1.100 80 97.158.253.26 80 extendable !--- Set your default gateway as provided by your ISP ! ip classless ip route 0.0.0.0 0.0.0.0 97.158.253.30 ! access-list 1 permit 192.168.1.0 0.0.0.255 bridge 1 protocol ieee bridge 1 route ip ! Как да проверим дали NATa работи коректно: `ciscorouter> enable Password: ****** ciscorouter#show ip nat translation` След което трябва да видите нещо подобно `Pro Inside global Inside local Outside local Outside global tcp 97.158.253.26:80 192.168.1.100:80 --- --- tcp 97.158.253.26:80 192.168.1.100:80 67.34.217.6:5698 67.34.217.6:5698` ciscorouter# Cisco uses the following terms for the various IP addresses you'll find in any NAT translation process. o The Inside local address is the actual IP address of the local server on your home network. o The Inside global address is the IP address of the server presented to the Internet after NAT. o The Outside local the actual IP address of the remote computer on its local network. o The Outside global the IP address of the remote computer as presented on the Internet. As you can see, in this case, NAT seems to be functioning properly for the web server 192.168.1.100 on the home network How To Troubleshoot NAT To troubleshoot NAT after you have logged into the router via Telnet requires you to first activate logging to the telnet terminal with the terminal monitor command and then using the debug ip nat detailed command to visualize the translation process. The example below shows that translation occurs for port 80 traffic (HTTP / www) from address 97.158.253.26 to 192.168.1.100, and more specifically that remote host 67.34.217.6 was communicating with the inside global address of 97.158.253.26. ciscorouter> enable Password: ****** ciscorouter#term mon ciscorouter#debug ip nat detailed IP NAT detailed debugging is on ciscorouter# 03:29:49: NAT: creating portlist proto 6 globaladdr 97.158.253.26 03:29:49: NAT: Allocated Port for 192.168.1.100 -> 97.158.253.26: wanted 80 got 80 03:29:49: NAT: o: tcp (198.133.219.1, 5698) -> (97.158.253.26, 80) [0] ... ... ... Basic Troubleshooting Topics The "show interfaces" Command The show interfaces command will show you the basic status of the router's interfaces. I've included some sample output below: ciscorouter>show interface Ethernet0/0 is up, line protocol is up Hardware is AmdP2, address is 0008.e3a0.7e80 (bia 0008.e3a0.7e80) Internet address is 172.16.1.1/24 MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, Encapsulation ARPA, loopback not set Keepalive set (10 sec) ARP type: ARPA, ARP Timeout 04:00:00 Last input 00:00:00, output 00:00:00, output hang never Last clearing of "show interface" counters never Input queue: 1/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue :0/40 (size/max) 5 minute input rate 0 bits/sec, 1 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 303 packets input, 19256 bytes, 0 no buffer Received 13 broadcasts, 0 runts, 0 giants, 0 throttles 1 input errors, 1 CRC, 1 frame, 0 overrun, 0 ignored 0 input packets with dribble condition detected 60718 packets output, 5770201 bytes, 0 underruns 0 output errors, 0 collisions, 2 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier 0 output buffer failures, 0 output buffers swapped out ... ... ... ciscorouter>Your basic physical connectivity should be OK if the interfaces are seen as being in an "up" state with line protocol being "up". If line protocol is down, you probably have your router incorrectly cabled to the Internet or your home network. If the interfaces are seen as "administratively down", then the router configuration will most likely have the interfaces configured as being "shutdown" like this: ... ... ... interface ethernet0 �shutdown ... ... This can be easily corrected. First use the "show running" command to confirm the shutdown state. Then you should enter "config" mode and enter the "no shutdown" command. Here is an example for interface ethernet0. ciscorouter(config)# interface ethernet0 ciscorouter(config-if)# no shutdown ciscorouter(config-if)#end ciscorouter# write memory The "show interfaces" is also important as it shows you whether you have the correct IP addresses assigned to your interfaces and also the amount of traffic and errors associated with each. Using syslog A really good method for troubleshooting access control lists (ACLs) and also to view the types of methods people are using to access your site is to use syslog. The Appendix has sample configurations for Cisco routers. Other Things To Check Always make sure your router has a: o correct default route. The default is the one with the lots of zeros. ciscorouter>sh ip route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default, U - per-user static route, o - ODR P - periodic downloaded static route Gateway of last resort is 97.158.253.30 to network 0.0.0.0 192.168.0.0/24 is subnetted, 1 subnets C 192.168.1.0 is directly connected, Ethernet1 S* 0.0.0.0/0 [1/0] via 97.158.253.30 ciscorouter>o default gateway that you can "ping". In the case above the gateway is 97.158.253.30.
10.0 - 1 глас