Network Setup for NATs and ACLs
Static NAT on RT1, so that PC1 reaches PC2 (192.168.1.2) through the NAT address 172.16.1.3:
RT1(config)#ip nat inside source static 192.168.1.2 172.16.1.3
Static NAT on RT2, so that PC2 reaches PC1 (172.16.1.2) through the NAT address 192.168.1.3:
RT2(config)#ip nat inside source static tcp 172.16.1.2 23 192.168.1.3 23
In both commands the first address is the inside local address (the real host) and the second is the inside global address (what the other side sees). As the sh ip nat statistics output further down confirms, FastEthernet1/0 is the NAT inside interface and FastEthernet0/0 the outside interface on both routers, so each router hides the far-end PC behind a NAT address on the side of its directly attached PC; keep that in mind when reading the debug output, where PC1's packets arrive at RT1 on the outside interface.
Note the asymmetry between the two entries. RT1's is an address-level entry: it maps every protocol and port between 172.16.1.3 and 192.168.1.2. RT2's is a port-level entry (static PAT) that maps only TCP/23, so 192.168.1.3 exposes nothing but Telnet, which is the tighter choice if Telnet is all that should be reachable. The restriction cuts both ways, however: a port-level entry also translates only TCP/23 traffic leaving the inside, so a session that PC1 itself originates (ephemeral source port, destination port 23) is not matched by it. The debug output below shows RT2 translating exactly such a session, which requires an address-level entry of RT1's form on RT2 as well.
Extended IP access lists on RT1 and RT2 permitting PC1 to Telnet to PC2. An inbound ACL is evaluated on the packet as it arrives at the router, before NAT rewrites it, which is why the lists facing the PCs (101 on RT1, 104 on RT2) name the NAT address while the lists facing the other router (102 on RT1, 103 on RT2) name the real addresses. Because the ACLs are stateless (no established keyword), the return half of the connection needs its own permit, matched on source port 23:
PC1 to PC2:
RT1(config)#access-list 101 permit tcp host 172.16.1.2 host 172.16.1.3 eq 23
RT2(config)#access-list 103 permit tcp host 172.16.1.2 host 192.168.1.2 eq 23
PC2 back to PC1:
RT2(config)#access-list 104 permit tcp host 192.168.1.2 eq 23 host 192.168.1.3
RT1(config)#access-list 102 permit tcp host 192.168.1.2 eq 23 host 172.16.1.2
Extended IP access lists on RT1 and RT2 permitting PC2 to Telnet to PC1. These append a second entry to each of the same four lists; sh access-list shows them as line 20 and prints eq 23 as eq telnet:
PC2 to PC1:
RT2(config)#access-list 104 permit tcp host 192.168.1.2 host 192.168.1.3 eq 23
RT1(config)#access-list 102 permit tcp host 192.168.1.2 host 172.16.1.2 eq 23
PC1 back to PC2:
RT1(config)#access-list 101 permit tcp host 172.16.1.2 eq 23 host 172.16.1.3
RT2(config)#access-list 103 permit tcp host 172.16.1.2 eq 23 host 192.168.1.2
Nothing else is permitted: every list ends in the implicit deny any, so any other protocol (SSH on port 22 included) or any other host pair, in either direction, is dropped at the first router it reaches. Which interface each list is applied to is not shown above; the addresses they match only fit inbound application, 101 and 104 on the outside (FastEthernet0/0) interfaces and 102 and 103 on the inside (FastEthernet1/0) interfaces, since an outbound ACL would see the post-translation addresses instead.
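To make the order of operations concrete, here is an added Python model (not code from the original post) that replays one Telnet SYN and its SYN/ACK through both routers: each hop evaluates the inbound ACL on the untranslated packet, then applies the static entry and records a debug ip nat-style line. It assumes Fa0/0 outside and Fa1/0 inside on both routers (as sh ip nat statistics reports), that ACLs 101 and 104 are applied inbound on the outside interfaces and 102 and 103 inbound on the inside interfaces, an ephemeral client port of 11000, and an address-level entry on RT2; the posted TCP/23-only entry is modelled separately in port_level_entry to show what it does and does not translate. The class and function names are mine.

```python
"""Replay of the RT1/RT2 static NAT + extended ACL lab (added example, not code
from the original post). IOS evaluates an inbound ACL before NAT rewrites the
packet, so outside->inside traffic is matched on the inside global address
(172.16.1.3 in ACL 101) and inside->outside traffic on the inside local one
(172.16.1.2 in ACL 103). Assumed, not from the post: Fa0/0 outside and Fa1/0
inside on both routers (per 'sh ip nat statistics'); ACLs 101/104 inbound on
Fa0/0 and 102/103 inbound on Fa1/0; an address-level entry on RT2 (a TCP/23-only
entry would not translate PC1's ephemeral-port session); ephemeral port 11000.
"""
from dataclasses import dataclass, replace
from typing import Callable, Optional

TELNET = 23


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Ace:
    """One 'permit tcp host SRC [eq SPORT] host DST [eq DPORT]' line; None = any port."""
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((p.src, p.dst) == (self.src, self.dst)
                and self.sport in (None, p.sport) and self.dport in (None, p.dport))


class Acl:
    def __init__(self, number: int, *aces: Ace):
        self.number, self.aces, self.hits = number, aces, [0] * len(aces)

    def permits(self, p: Packet) -> bool:
        for i, ace in enumerate(self.aces):  # first match wins, as in IOS
            if ace.matches(p):
                self.hits[i] += 1
                return True
        return False                         # the implicit 'deny any' at the end


class StaticNat:
    """'ip nat inside source static [tcp] LOCAL [PORT] GLOBAL [PORT]'; log mimics 'debug ip nat'."""
    def __init__(self, inside_local: str, inside_global: str, tcp_port: Optional[int] = None):
        self.local, self.glob, self.port, self.log = inside_local, inside_global, tcp_port, []

    def inside_to_outside(self, p: Packet) -> Packet:  # packet arrived on Fa1/0
        if p.src == self.local and self.port in (None, p.sport):
            self.log.append(f"NAT: s={p.src}->{self.glob}, d={p.dst}")
            return replace(p, src=self.glob)
        return p                                        # no matching entry: forwarded as-is

    def outside_to_inside(self, p: Packet) -> Packet:  # packet arrived on Fa0/0
        if p.dst == self.glob and self.port in (None, p.dport):
            self.log.append(f"NAT: s={p.src}, d={p.dst}->{self.local}")
            return replace(p, dst=self.local)
        return p


def forward(p: Packet, acl: Acl, translate: Callable[[Packet], Packet]) -> Packet:
    """Inbound ACL on the untranslated packet first, then the NAT rewrite."""
    if not acl.permits(p):
        raise PermissionError(f"ACL {acl.number} denied {p}")
    return translate(p)


class Lab:
    def __init__(self):
        self.rt1 = StaticNat("192.168.1.2", "172.16.1.3")
        self.rt2 = StaticNat("172.16.1.2", "192.168.1.3")  # address-level here, see docstring
        pc1, pc2, nat1, nat2 = "172.16.1.2", "192.168.1.2", "172.16.1.3", "192.168.1.3"
        self.acl = {101: Acl(101, Ace(pc1, nat1, dport=TELNET), Ace(pc1, nat1, sport=TELNET)),
                    102: Acl(102, Ace(pc2, pc1, sport=TELNET), Ace(pc2, pc1, dport=TELNET)),
                    103: Acl(103, Ace(pc1, pc2, dport=TELNET), Ace(pc1, pc2, sport=TELNET)),
                    104: Acl(104, Ace(pc2, nat2, sport=TELNET), Ace(pc2, nat2, dport=TELNET))}
        # Hops in the order a packet meets them: (inbound ACL number, translation direction).
        self.via_rt1_then_rt2 = [(101, self.rt1.outside_to_inside), (103, self.rt2.inside_to_outside)]
        self.via_rt2_then_rt1 = [(104, self.rt2.outside_to_inside), (102, self.rt1.inside_to_outside)]

    def path(self, p: Packet, hops) -> Packet:
        for acl_no, translate in hops:
            p = forward(p, self.acl[acl_no], translate)
        return p

    def telnet(self, client: str, nat_addr: str, sport: int = 11000):
        """Client SYN to the peer's NAT address, then the SYN/ACK back: (as delivered, as returned)."""
        there, back = ((self.via_rt1_then_rt2, self.via_rt2_then_rt1) if client == "172.16.1.2"
                       else (self.via_rt2_then_rt1, self.via_rt1_then_rt2))
        delivered = self.path(Packet(client, nat_addr, sport, TELNET), there)
        returned = self.path(Packet(delivered.dst, delivered.src, TELNET, sport), back)
        return delivered, returned


def port_level_entry() -> tuple:
    """RT2's entry exactly as posted ('static tcp 172.16.1.2 23 192.168.1.3 23')."""
    rt2 = StaticNat("172.16.1.2", "192.168.1.3", tcp_port=TELNET)
    pc2_syn = rt2.outside_to_inside(Packet("192.168.1.2", "192.168.1.3", 40000, TELNET))
    pc1_syn = rt2.inside_to_outside(Packet("172.16.1.2", "192.168.1.2", 11000, TELNET))
    return pc2_syn.dst, pc1_syn.src  # PC2's Telnet is mapped onto PC1; PC1's own session is not
```

Lab().telnet("172.16.1.2", "172.16.1.3") returns the packet PC2 receives (source 192.168.1.3, which is what its who output shows) and the reply PC1 receives (source 172.16.1.3); afterwards lab.rt1.log and lab.rt2.log hold the same four translations the debug output below prints, and each ACL's hits list shows line 10 matched once. Calling telnet from 192.168.1.2 instead exercises the line-20 entries. Feeding path() a packet to 172.16.1.3 port 22 raises PermissionError at ACL 101, the implicit deny at work, and port_level_entry() returns ("172.16.1.2", "172.16.1.2"): PC2's Telnet is translated onto PC1, but PC1's own ephemeral-port session leaves RT2 untranslated.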
The following shows the NAT translations on RT1 and RT2 and the ACL hit counts when PC1 Telnets to PC2. In debug ip nat output, packets that are process-switched (here the first ones of the flow) are shown as NAT; packets translated in the fast-switching path are marked NAT*, and the number in brackets is the IP identification field. Only line 10 of each list (the PC1-to-PC2 pair) collects matches, and PC2's who output reports the session as coming from 192.168.1.3, the NAT address, not from PC1's real address:
RT1#debug ip nat
IP NAT debugging is on
RT1#
00:02:30: NAT: s=172.16.1.2, d=172.16.1.3->192.168.1.2 [14748]
00:02:32: NAT: s=172.16.1.2, d=172.16.1.3->192.168.1.2 [14748]
00:02:36: NAT: s=172.16.1.2, d=172.16.1.3->192.168.1.2 [14748]
00:02:38: NAT*: s=192.168.1.2->172.16.1.3, d=172.16.1.2 [19343]
00:02:38: NAT*: s=172.16.1.2, d=172.16.1.3->192.168.1.2 [14749]
00:02:38: NAT*: s=172.16.1.2, d=172.16.1.3->192.168.1.2 [14750]
--- output omitted ---
RT1#
RT1#sh access-list
Extended IP access list 101
    10 permit tcp host 172.16.1.2 host 172.16.1.3 eq telnet (28 matches)
    20 permit tcp host 172.16.1.2 eq telnet host 172.16.1.3
Extended IP access list 102
    10 permit tcp host 192.168.1.2 eq telnet host 172.16.1.2 (14 matches)
    20 permit tcp host 192.168.1.2 host 172.16.1.2 eq telnet
RT1#
RT1#sh ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces:
  FastEthernet0/0
Inside interfaces:
  FastEthernet1/0
Hits: 36  Misses: 0
Expired translations: 0
Dynamic mappings:
RT1#
----------------------------------------------------------------------
RT2#
00:02:31: NAT: s=172.16.1.2->192.168.1.3, d=192.168.1.2 [14748]
00:02:37: NAT*: s=192.168.1.2, d=192.168.1.3->172.16.1.2 [19343]
00:02:37: NAT*: s=172.16.1.2->192.168.1.3, d=192.168.1.2 [14749]
--- output omitted ---
RT2#sh access-list
Extended IP access list 103
    10 permit tcp host 172.16.1.2 host 192.168.1.2 eq telnet (25 matches)
    20 permit tcp host 172.16.1.2 eq telnet host 192.168.1.2
Extended IP access list 104
    10 permit tcp host 192.168.1.2 eq telnet host 192.168.1.3 (14 matches)
    20 permit tcp host 192.168.1.2 host 192.168.1.3 eq telnet
RT2#
----------------------------------------------------------------------
PC1#telnet 172.16.1.3
Trying 172.16.1.3 ... Open

User Access Verification

Password:
PC2>who
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:56
*  66 vty 0               idle                 00:00:00 192.168.1.3

  Interface    User               Mode         Idle     Peer Address

PC2>
The following shows the same for PC2 Telnetting to PC1. Line 10 of every list no longer carries a match count, so the counters were cleared between the two runs; this time only the line-20 entries (the PC2-to-PC1 pair) match, and PC1's who output shows the peer as 172.16.1.3, PC2's NAT address:
RT2#debug ip nat
IP NAT debugging is on
RT2#
00:04:42: NAT: s=192.168.1.2, d=192.168.1.3->172.16.1.2 [50878]
00:04:42: NAT*: s=172.16.1.2->192.168.1.3, d=192.168.1.2 [2634]
00:04:42: NAT*: s=192.168.1.2, d=192.168.1.3->172.16.1.2 [50879]
00:04:42: NAT*: s=192.168.1.2, d=192.168.1.3->172.16.1.2 [50880]
--- output omitted ---
RT2#
RT2#sh access-list
Extended IP access list 103
    10 permit tcp host 172.16.1.2 host 192.168.1.2 eq telnet
    20 permit tcp host 172.16.1.2 eq telnet host 192.168.1.2 (17 matches)
Extended IP access list 104
    10 permit tcp host 192.168.1.2 eq telnet host 192.168.1.3
    20 permit tcp host 192.168.1.2 host 192.168.1.3 eq telnet (25 matches)
RT2#
RT2#sh ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces:
  FastEthernet0/0
Inside interfaces:
  FastEthernet1/0
Hits: 40  Misses: 0
Expired translations: 0
Dynamic mappings:
RT2#
----------------------------------------------------------------------
RT1#
00:04:43: NAT: s=192.168.1.2->172.16.1.3, d=172.16.1.2 [50878]
00:04:43: NAT*: s=172.16.1.2, d=172.16.1.3->192.168.1.2 [2634]
00:04:43: NAT*: s=192.168.1.2->172.16.1.3, d=172.16.1.2 [50879]
00:04:43: NAT*: s=172.16.1.2, d=172.16.1.3->192.168.1.2 [2635]
--- output omitted ---
RT1#sh access-list
Extended IP access list 101
    10 permit tcp host 172.16.1.2 host 172.16.1.3 eq telnet
    20 permit tcp host 172.16.1.2 eq telnet host 172.16.1.3 (17 matches)
Extended IP access list 102
    10 permit tcp host 192.168.1.2 eq telnet host 172.16.1.2
    20 permit tcp host 192.168.1.2 host 172.16.1.2 eq telnet (25 matches)
RT1#
----------------------------------------------------------------------
PC2#telnet 192.168.1.3
Trying 192.168.1.3 ... Open

User Access Verification

Password:
PC1>
PC1>who
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:35
*  66 vty 0               idle                 00:00:00 172.16.1.3

  Interface    User               Mode         Idle     Peer Address

PC1>