
6. VPN: The influence of NAT on IPsec

2025-02-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

1. Experimental topology:

Using the topology of Lab 5

2. Experimental requirements:

3. Command deployment:

1. ACL that matches traffic from 1.1.1.1 to any:

R1 (config) # ip access-list extended pat

R1 (config-ext-nacl) # permit ip 1.1.1.0 255.255.255.0 any   // a subnet mask was typed where a wildcard mask belongs; this is the mistake corrected in step 3

2. Deploy PAT technology:

R1 (config) # ip nat inside source list pat interface f0/0 overload

R1 (config) # int f0/0

R1 (config-if) # ip nat outside

R1 (config) # int lo0

R1 (config-if) # ip nat inside

Test:

R1#ping 3.3.3.3 source 1.1.1.1   // with PAT in place this should fail, but it succeeds

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:

Packet sent with a source address of 1.1.1.1!

R1#show ip nat translations   // empty: nothing matched the NAT ACL, so nothing was translated

View ACL and NAT configurations:

R1#show access-lists

Extended IP access list pat

10 permit ip 0.0.0.0 255.255.255.0 any   // IOS treated 255.255.255.0 as a wildcard and cleared the address bits it covers, so this entry matches only addresses ending in .0 and never 1.1.1.1

R1#show run | s nat

ip nat inside

ip nat outside

ip nat inside source list pat interface FastEthernet0/0 overload

3. Modify the ACL (the entry above was written wrong):

R1 (config) # ip access-list extended pat

R1 (config-ext-nacl) # permit ip 1.1.1.0 0.0.0.255 any   // wildcard (inverse) mask, not a subnet mask

Test:

R1#ping 3.3.3.3 source loopback 0   // now shows the intended effect: the ping fails

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:

Packet sent with a source address of 1.1.1.1

UUUUU

Success rate is 0 percent (0/5)

View the translations:

R1#show ip nat translations   // view the router's translation table; the 1.1.1.1 -> 12.1.1.1 entry is now present

Capture packets and look at the traffic:

R1#ping 3.3.3.3 source loopback 0

In the capture all of these packets are marked in black. The outbound packet should be 1.1.1.1 -> 3.3.3.3, but because NAT translated it first it leaves as 12.1.1.1 -> 3.3.3.3; the return packet should be 3.3.3.3 -> 1.1.1.1, but after NAT it is 3.3.3.3 -> 12.1.1.1. The cause is Cisco's order of operations for inside-to-outside traffic: inside source NAT runs before the crypto map is evaluated, so the packet is compared against the crypto ACL (the 1.1.1.0/24 -> 3.3.3.0/24 pair) with its translated source 12.1.1.1, no longer matches, and is forwarded outside the tunnel in cleartext. NAT does not merely break the VPN here; it silently sends the traffic that was supposed to be protected unencrypted.

Solution 1:

Insert a deny entry with sequence number 5 in front of the existing permit, so that the VPN traffic hits the deny first and is exempted from NAT:

R1#show access-lists

Extended IP access list pat

10 permit ip 1.1.1.0 0.0.0.255 any

R1 (config) # ip access-list extended pat

R1 (config-ext-nacl) # 5 deny ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255

Test 1:

R1#ping 3.3.3.3 source 1.1.1.1   // matches sequence 5 and is not translated, so it leaves as ESP traffic

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:

Packet sent with a source address of 1.1.1.1!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/30/40 ms

Packet capture:

Test 2:

R1#ping 23.1.1.3 source 1.1.1.1   // this also works, but the traffic is translated, to 12.1.1.1 -> 23.1.1.3: it does not match the deny at sequence 5, so it falls through to the permit at sequence 10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 23.1.1.3, timeout is 2 seconds:

Packet sent with a source address of 1.1.1.1!

Success rate is 100 percent (5/5), round-trip min/avg/max = 96/…/102 ms

Packet capture:
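The three outcomes above (wrong mask: no translation and the ping works; correct mask: translation and cleartext; deny at sequence 5: exemption) can be reproduced with a small model of R1's behaviour. The following is an added example, not code from the article: it implements IOS-style wildcard matching and ACE normalisation, first-match ACL evaluation by sequence number, PAT to the f0/0 address, and the inside-to-outside order of operations in which NAT runs before the crypto map check. The crypto ACL 1.1.1.0/24 -> 3.3.3.0/24 is assumed from Lab 5, and the outside address 12.1.1.1 is taken from the capture described above.

```python
"""Model of R1 in this lab: wildcard ACLs, PAT and the NAT-before-crypto
order of operations.  Added example; addresses follow the lab topology and
the crypto ACL (1.1.1.0/24 -> 3.3.3.0/24) is an assumption taken from Lab 5."""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")      # IOS keyword 'any' as address/wildcard


def _i(addr):
    return int(ipaddress.IPv4Address(addr))


def _s(n):
    return str(ipaddress.IPv4Address(n & 0xFFFFFFFF))


def normalize_ace(addr, wildcard):
    """Return the (address, wildcard) pair IOS actually stores for an ACE.
    IOS clears every address bit the wildcard marks as don't-care, which is
    why 'permit ip 1.1.1.0 255.255.255.0 any' is shown by 'show access-lists'
    as 'permit ip 0.0.0.0 255.255.255.0 any'."""
    w = _i(wildcard)
    return _s(_i(addr) & ~w), wildcard


def match_wildcard(ip, addr, wildcard):
    """Cisco wildcard match: only the bits the wildcard sets to 0 must agree."""
    w = _i(wildcard)
    return (_i(ip) & ~w) == (_i(addr) & ~w)


def acl_lookup(acl, src, dst):
    """First match in sequence order; implicit deny at the end.
    acl is a list of (seq, action, src, src_wc, dst, dst_wc) tuples."""
    for seq, action, s, s_wc, d, d_wc in sorted(acl):
        if match_wildcard(src, s, s_wc) and match_wildcard(dst, d, d_wc):
            return action, seq
    return "deny", None


def inside_to_outside(src, dst, nat_acl, crypto_acl, outside_ip="12.1.1.1"):
    """Inside->outside path on R1.  Cisco applies inside source NAT before
    evaluating the crypto map, so the crypto ACL sees the translated source.
    A packet that no longer matches the crypto ACL leaves in cleartext."""
    action, seq = acl_lookup(nat_acl, src, dst)
    translated = action == "permit"
    if translated:
        src = outside_ip                       # PAT: source becomes the f0/0 address
    encrypted = acl_lookup(crypto_acl, src, dst)[0] == "permit"
    return {"src": src, "dst": dst, "nat_seq": seq,
            "translated": translated, "encrypted": encrypted}


# Crypto ACL assumed from Lab 5: protect 1.1.1.0/24 <-> 3.3.3.0/24
CRYPTO_ACL = [(10, "permit", "1.1.1.0", "0.0.0.255", "3.3.3.0", "0.0.0.255")]

# Step 1: subnet mask typed as the wildcard -> normalised away, never matches 1.1.1.1
NAT_ACL_WRONG = [(10, "permit", *normalize_ace("1.1.1.0", "255.255.255.0"), *ANY)]
# Step 3: correct wildcard, but no exemption -> the VPN traffic is translated
NAT_ACL_FIXED = [(10, "permit", "1.1.1.0", "0.0.0.255", *ANY)]
# Solution 1: deny the VPN pair first (sequence 5) so it is exempt from NAT
NAT_ACL_EXEMPT = [(5, "deny", "1.1.1.0", "0.0.0.255", "3.3.3.0", "0.0.0.255")] + NAT_ACL_FIXED

if __name__ == "__main__":
    cases = [("wrong mask", NAT_ACL_WRONG), ("fixed mask", NAT_ACL_FIXED),
             ("with deny 5", NAT_ACL_EXEMPT)]
    for name, acl in cases:
        for dst in ("3.3.3.3", "23.1.1.3"):
            print(f"{name:12} 1.1.1.1 -> {dst}:",
                  inside_to_outside("1.1.1.1", dst, acl, CRYPTO_ACL))
```

Running it prints, for each NAT ACL, whether a ping from 1.1.1.1 to 3.3.3.3 or to 23.1.1.3 is translated and whether it still matches the crypto ACL; the "fixed mask" row is the dangerous one, where the VPN traffic is translated and no longer encrypted.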

Solution 2:

Do not let the VPN traffic traverse an inside interface at all: apply ip nat inside on the other entry interfaces rather than on loopback 0 (1.1.1.1).

For NAT to translate a packet, three conditions must all be met: the packet matches the interesting-traffic ACL (met here), it enters through an ip nat inside interface (no longer met once lo0 is not inside), and it leaves through an ip nat outside interface.

At this point another router has to be added, so I added R4. Everything so far used loopback 1.1.1.1, that is, traffic originated by R1 itself, and a route-map cannot control the router's own traffic. This approach only works when the traffic is allowed to enter through some physical interface.

How is the route-map used here?
