2025-02-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
1. Experimental topology:
Using the topology of Lab 5
2. Experimental requirements:
3. Command deployment:
1. ACL to match traffic from 1.1.1.1 to any:
R1 (config) # ip access-list extended pat
R1 (config-ext-nacl) # permit ip 1.1.1.0 255.255.255.0 any
2. Deploy PAT technology:
R1 (config) # ip nat inside source list pat interface f0/0 overload
R1 (config) # int f0/0
R1 (config-if) # ip nat outside
R1 (config) # int lo0
R1 (config-if) # ip nat inside
Test:
R1#ping 3.3.3.3 source 1.1.1.1 / / normally (with PAT applied) this should not work
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1!
R1#show ip nat translations / / empty: nothing matched the ACL, so nothing was translated
View ACL and NAT configurations:
R1#show access-lists
Extended IP access list pat
10 permit ip 0.0.0.0 255.255.255.0 any / / IOS took 255.255.255.0 as a wildcard mask and zeroed the source bits it covers
R1#show run | s nat
ip nat inside
ip nat outside
ip nat inside source list pat interface FastEthernet0/0 overload
3. Correct the ACL (the mask entered above was wrong):
R1 (config) # ip access-list extended pat
R1 (config-ext-nacl) # permit ip 1.1.1.0 0.0.0.255 any / / wildcard (inverse) mask, not a subnet mask
Test:
R1#ping 3.3.3.3 source loopback 0 / / now shows the behaviour the lab is testing for
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
UUUUU
Success rate is 0 percent (0/5)
View the translations:
R1#show ip nat translations / / view the router's translation table
Capture packets and look at the traffic:
R1#ping 3.3.3.3 source loopback 0
In the capture (the entries highlighted in black): the outbound packet would normally be 1.1.1.1 -> 3.3.3.3, but after NAT it is 12.1.1.1 -> 3.3.3.3; the return packet would normally be 3.3.3.3 -> 1.1.1.1, but after NAT it is 3.3.3.3 -> 12.1.1.1.
Solution 1:
Insert a deny entry with sequence number 5 ahead of the permit, so that this traffic is matched by sequence 5 first:
R1#show access-lists
Extended IP access list pat
10 permit ip 1.1.1.0 0.0.0.255 any
R1 (config) # ip access-list extended pat
R1 (config-ext-nacl) # 5 deny ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
Test 1:
R1#ping 3.3.3.3 source 1.1.1.1 / / matches sequence 5 (deny), so it is not translated and goes out as ESP traffic
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/30/40 ms
Packet capture:
Test 2:
R1#ping 23.1.1.3 source 1.1.1.1 / / this also works, but the address is translated by NAT: 12.1.1.1 -> 3.3.3.3. The outbound traffic does not match sequence 5 but does match sequence 10, so it is translated.
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.1.1.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96Compare 102 ms
Packet capture:
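The two things this lab turns on are the wildcard-mask semantics behind step 3 (why the ACL showed up as 0.0.0.0 255.255.255.0 and matched nothing) and the first-match, sequence-ordered evaluation behind Solution 1 (why a deny at sequence 5 keeps the 1.1.1.0/24 -> 3.3.3.0/24 flow out of NAT while 23.1.1.3 is still translated). The following Python model, added here as an example and not part of the original lab or of any Cisco software, reproduces both behaviours for the three ACL states seen above; the entries are constructed from the commands on this page, and the "any" keyword is modelled as 0.0.0.0 with wildcard 255.255.255.255.

```python
"""Model of how an IOS extended ACL used as a NAT interesting-traffic list is
evaluated: Cisco wildcard-mask matching, how 'show access-lists' normalizes an
entry, and first-match evaluation in sequence-number order.
Added example; ACL entries are constructed from the lab commands."""
import ipaddress

MASK32 = 0xFFFFFFFF


def _i(addr):
    """IPv4 dotted quad -> 32-bit int."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """True if addr matches base under a Cisco wildcard mask.
    Wildcard bit 1 = don't care, 0 = must match (the inverse of a subnet mask)."""
    care = ~_i(wildcard) & MASK32
    return (_i(addr) & care) == (_i(base) & care)


def normalize(base, wildcard):
    """Return the entry as 'show access-lists' displays it: IOS zeroes every
    base-address bit that the wildcard marks as don't-care."""
    care = ~_i(wildcard) & MASK32
    return f"{ipaddress.IPv4Address(_i(base) & care)} {wildcard}"


def entry(seq, action, src, src_wc, dst, dst_wc):
    """One extended ACL line, keyed by sequence number."""
    return {"seq": seq, "action": action, "src": src, "src_wc": src_wc,
            "dst": dst, "dst_wc": dst_wc}


def evaluate(acl, src, dst):
    """First match in ascending sequence order wins; implicit deny at the end."""
    for e in sorted(acl, key=lambda e: e["seq"]):
        if wildcard_match(src, e["src"], e["src_wc"]) and \
           wildcard_match(dst, e["dst"], e["dst_wc"]):
            return e["action"]
    return "deny"


def nat_decision(acl, src, dst):
    """'translate' when the NAT ACL permits the flow; otherwise 'no-nat', i.e. the
    packet is left untouched (in this lab it then reaches the IPsec policy)."""
    return "translate" if evaluate(acl, src, dst) == "permit" else "no-nat"


ANY = ("0.0.0.0", "255.255.255.255")          # the 'any' keyword

# Step 1: a subnet mask was typed where a wildcard belongs.
ACL_WRONG_MASK = [entry(10, "permit", "1.1.1.0", "255.255.255.0", *ANY)]
# Step 3: the corrected wildcard.
ACL_FIXED = [entry(10, "permit", "1.1.1.0", "0.0.0.255", *ANY)]
# Solution 1: sequence 5 deny inserted ahead of the permit.
ACL_WITH_DENY = [entry(5, "deny", "1.1.1.0", "0.0.0.255",
                       "3.3.3.0", "0.0.0.255")] + ACL_FIXED

if __name__ == "__main__":
    print("step 1 entry as IOS shows it:", normalize("1.1.1.0", "255.255.255.0"))
    for name, acl in (("wrong mask", ACL_WRONG_MASK), ("fixed", ACL_FIXED),
                      ("with seq 5 deny", ACL_WITH_DENY)):
        for dst in ("3.3.3.3", "23.1.1.3"):
            print(f"{name:16} 1.1.1.1 -> {dst}: {nat_decision(acl, '1.1.1.1', dst)}")
```

Running it shows the same sequence as the lab: with the wrong mask the 1.1.1.1 -> 3.3.3.3 flow is not matched at all (so the translation table stayed empty), with the fixed wildcard it is translated (and the VPN traffic breaks), and with the sequence 5 deny only the 23.1.1.3 flow is still translated.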
Solution 2:
Keep the traffic from entering through an inside interface and leaving through an outside interface: for example, apply ip nat inside on other ingress interfaces rather than under the loopback holding 1.1.1.1.
For NAT to translate a packet, three conditions must all be met:
interesting traffic (satisfied), entering through an inside interface (not satisfied), and leaving through an outside interface.
This requires adding another router, so I added R4: up to now the traffic was self-originated from loopback 1.1.1.1, and such locally generated traffic cannot be controlled with a route-map. This approach only works when the traffic is made to enter through a physical interface.
How is route-map used for this?