
labunix's blog

labunix's Lab Unix

Configuring PAT (IP masquerade) on a Cisco 1812J

■Configuring PAT (IP masquerade) on a Cisco 1812J
 The minimum configuration needed to make the router behave like an ordinary (home broadband) NAT router.

Client 172.31.31.0/24 --> (Fa1)172.31.31.254/24 (Fa0)10.10.10.10/24 --> WAN 10.10.10.254/24

■Assign 172.31.31.10/24 to debian1, which plays the Client

$ sudo /sbin/ifconfig eth2 172.31.31.10/24 up

■Set Fa1 on the 1812J to 172.31.31.254 (inside).

R1>enable 
Password: 
R1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
R1#show running-config | section interface FastEthernet1
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
R1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#interface fastEthernet 1
R1(config-if)#ip nat inside 
R1(config-if)#ip address 172.31.31.254 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#end
R1#show running-config | section interface FastEthernet1
interface FastEthernet1
 ip address 172.31.31.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto

■Confirm connectivity between the Client and Fa1

$ ping -c 2 172.31.31.254
PING 172.31.31.254 (172.31.31.254) 56(84) bytes of data.
64 bytes from 172.31.31.254: icmp_req=1 ttl=255 time=0.515 ms
64 bytes from 172.31.31.254: icmp_req=2 ttl=255 time=0.482 ms

--- 172.31.31.254 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.482/0.498/0.515/0.027 ms

R1#ping 172.31.31.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.31.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

■Set Fa0 to 10.10.10.10/24 (outside). CDP is disabled on this WAN-facing interface.

R1#show running-config | section interface FastEthernet0
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
R1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#interface fastEthernet 0
R1(config-if)#ip nat outside 
R1(config-if)#ip address 10.10.10.10 255.255.255.0
R1(config-if)#no cdp enable
R1(config-if)#end
R1#show running-config | section interface FastEthernet0
interface FastEthernet0
 ip address 10.10.10.10 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
R1#ping 10.10.10.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

■Set debian2 to 10.10.10.254/24 (WAN).

$ sudo /sbin/ifconfig eth2 10.10.10.254/24 up
$ ping -c 2 10.10.10.10
PING 10.10.10.10 (10.10.10.10) 56(84) bytes of data.
64 bytes from 10.10.10.10: icmp_req=1 ttl=255 time=0.597 ms
64 bytes from 10.10.10.10: icmp_req=2 ttl=255 time=0.521 ms

--- 10.10.10.10 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.521/0.559/0.597/0.038 ms

■In this state the two hosts cannot reach each other even after a static route is added on each side.

$ sudo route add -net 10.10.10.0/24 gw 172.31.31.254
$ ping -c 2 10.10.10.254
PING 10.10.10.254 (10.10.10.254) 56(84) bytes of data.

--- 10.10.10.254 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1008ms

$ sudo route add -net 172.31.31.0/24 gw 10.10.10.10
$ ping -c 2 172.31.31.10
PING 172.31.31.10 (172.31.31.10) 56(84) bytes of data.

--- 172.31.31.10 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1999ms

■Define the overload (PAT) rule, using a pool named WAN.
 A caveat on the pool: 172.31.31.253 is an address in the inside subnet, not one that is reachable from the WAN side on its own. A WAN host can only answer translated packets here because debian2 was given a static route for 172.31.31.0/24 via 10.10.10.10 above. For the router to behave like an ordinary NAT router, inside hosts should be translated to the outside interface's own address, i.e. "ip nat inside source list 7 interface FastEthernet0 overload" instead of the pool; with that form no return route is needed on the WAN side. Verify with "show ip nat translations" while a ping is running.

R1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip nat pool WAN 172.31.31.253 172.31.31.253 prefix 24
R1(config)#ip nat inside source list 7 pool WAN overload
R1(config)#access-list 7 permit 172.31.31.0 0.0.0.255
R1(config)#end
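To show what the overload keyword actually does, here is a toy model in Python written for this page (an added example, not IOS code and not from the original post): one global address shared by all inside hosts, a translation table keyed on the rewritten source port or ICMP id, and inbound packets forwarded to an inside host only when a table entry exists. The addresses are the post's; the ports, the hypothetical 172.31.30.30 "ACL miss" case and the sample packets are constructed (the ICMP id 7659 is taken from the capture further down). The global address is 10.10.10.10, the Fa0 address, which is what the interface-overload form of the rule would use.

```python
"""Toy model of PAT / NAT overload ("IP masquerade").

Added example for this page: it imitates what `ip nat inside source list 7 ... overload`
does, so the translation table can be inspected. Addresses are the ones used in the
post; ports and the sample packets are constructed values.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int   # TCP/UDP source port, or the ICMP echo identifier
    dport: int   # TCP/UDP destination port (0 for ICMP)


@dataclass
class PatRouter:
    inside_acl: ipaddress.IPv4Network   # stands in for `access-list 7`
    global_addr: str                    # the one address inside hosts appear as
    # (proto, global port/id) -> (inside ip, inside port/id)
    table: dict = field(default_factory=dict)
    # (proto, inside ip, inside port/id) -> global port/id
    reverse: dict = field(default_factory=dict)

    def _alloc(self, proto: str, wanted: int) -> int:
        """Keep the inside host's own port/id if free, otherwise take the next free one."""
        if (proto, wanted) not in self.table:
            return wanted
        p = 1024
        while (proto, p) in self.table:
            p += 1
        return p

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside. Sources matching the ACL are rewritten to global_addr."""
        if ipaddress.ip_address(pkt.src) not in self.inside_acl:
            return pkt   # ACL miss: routed with its real source address, no translation
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.reverse:
            gport = self._alloc(pkt.proto, pkt.sport)
            self.table[(pkt.proto, gport)] = (pkt.src, pkt.sport)
            self.reverse[key] = gport
        return Packet(pkt.proto, self.global_addr, pkt.dst, self.reverse[key], pkt.dport)

    def inbound(self, pkt: Packet):
        """Outside -> inside. A packet addressed to global_addr reaches an inside host
        only if a table entry exists; otherwise None (nothing is forwarded inside).
        Packets to other destinations are routed untouched."""
        if pkt.dst != self.global_addr:
            return pkt
        gport = pkt.sport if pkt.proto == "icmp" else pkt.dport
        entry = self.table.get((pkt.proto, gport))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        if pkt.proto == "icmp":
            return Packet(pkt.proto, pkt.src, inside_ip, inside_port, 0)
        return Packet(pkt.proto, pkt.src, inside_ip, pkt.sport, inside_port)


def demo() -> dict:
    """Two inside hosts behind one WAN address, plus an unsolicited inbound packet."""
    r = PatRouter(ipaddress.ip_network("172.31.31.0/24"), "10.10.10.10")
    wan = "10.10.10.254"
    a = r.outbound(Packet("tcp", "172.31.31.10", wan, 40000, 80))
    b = r.outbound(Packet("tcp", "172.31.31.11", wan, 40000, 80))   # same source port: collision
    echo = r.outbound(Packet("icmp", "172.31.31.10", wan, 7659, 0))  # id 7659 as in the capture
    reply_b = r.inbound(Packet("tcp", wan, "10.10.10.10", 80, b.sport))
    reply_echo = r.inbound(Packet("icmp", wan, "10.10.10.10", echo.sport, 0))
    unsolicited = r.inbound(Packet("tcp", wan, "10.10.10.10", 55555, 22))
    # 172.31.30.30 is not covered by this ACL, so it leaves untranslated (constructed case)
    miss = r.outbound(Packet("tcp", "172.31.30.30", wan, 1234, 80))
    return {"a": a, "b": b, "echo": echo, "reply_b": reply_b, "reply_echo": reply_echo,
            "unsolicited": unsolicited, "miss": miss, "table": dict(r.table)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12} {value}")
```

The second host keeps its real address only inside; on the WAN it appears as 10.10.10.10 with source port 1024 because 40000 was already taken. The unsolicited SYN to port 22 finds no table entry and is not forwarded, which is the side effect that makes PAT act as a crude inbound filter; a host the ACL does not cover is forwarded with its real address, which is exactly what a wrong access-list entry produces.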

■Packet capture on debian2 (WAN side)
 No CDP frames appear on the WAN side, since CDP was disabled on Fa0. Note the source address of the echo requests: it is still 172.31.31.10, not a translated address. At this point the traffic is simply being routed (debian2 holds a static route for 172.31.31.0/24 via 10.10.10.10), so this capture does not yet show the PAT rule doing anything.

22:30:23.725723 IP 172.31.31.10 > 10.10.10.254: ICMP echo request, id 7659, seq 1, length 64
22:30:23.725762 IP 10.10.10.254 > 172.31.31.10: ICMP echo reply, id 7659, seq 1, length 64
22:30:24.725051 IP 172.31.31.10 > 10.10.10.254: ICMP echo request, id 7659, seq 2, length 64
22:30:24.725071 IP 10.10.10.254 > 172.31.31.10: ICMP echo reply, id 7659, seq 2, length 64

■Packet capture on debian1 (Client side)
 Unless there are other Cisco devices on the client segment, the CDP frames are unnecessary. They are sent once a minute and announce the router's Device-ID and other device details to every host on the segment, so disable CDP on Fa1 as well (no cdp enable) unless something there needs it.

22:35:05.619283 IP 172.31.31.10 > 10.10.10.254: ICMP echo request, id 7733, seq 1, length 64
22:35:05.619906 IP 10.10.10.254 > 172.31.31.10: ICMP echo reply, id 7733, seq 1, length 64
22:35:06.620345 IP 172.31.31.10 > 10.10.10.254: ICMP echo request, id 7733, seq 2, length 64
22:35:06.621007 IP 10.10.10.254 > 172.31.31.10: ICMP echo reply, id 7733, seq 2, length 64
22:35:29.585362 CDPv2, ttl: 180s, Device-ID 'R1.localdomain', length 342
22:36:29.587027 CDPv2, ttl: 180s, Device-ID 'R1.localdomain', length 342

■Shut down Fa1 once

R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#interface fastEthernet 1
R1(config-if)#shutdown
R1(config-if)#end
R1#
May  9 23:35:20.303: %LINK-5-CHANGED: Interface FastEthernet1, changed state to administratively down
May  9 23:35:21.303: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1, changed state to down

■The client side uses a 24-bit mask, so try changing its IP address.

$ env LANG=C /sbin/ifconfig eth2 | grep inet | awk '{print $2,$4}'
addr:172.31.31.10 Mask:255.255.255.0
$ sudo /sbin/ifconfig eth2 172.31.31.11/24 up
$ env LANG=C /sbin/ifconfig eth2 | grep inet | awk '{print $2,$4}'
addr:172.31.31.11 Mask:255.255.255.0
$ sudo route add -net 10.10.10.0/24 gw 172.31.31.254

■Bring Fa1 back up

R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#interface fastEthernet 1
R1(config-if)#no shutdown
R1(config-if)#end
May  9 23:35:39.795: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to up
May  9 23:35:57.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1, changed state to up

■Check from the debian1 side

$ ping -c 2 10.10.10.254
PING 10.10.10.254 (10.10.10.254) 56(84) bytes of data.
64 bytes from 10.10.10.254: icmp_req=1 ttl=63 time=2.02 ms
64 bytes from 10.10.10.254: icmp_req=2 ttl=63 time=0.712 ms

--- 10.10.10.254 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.712/1.368/2.025/0.657 ms

■Check from the debian2 side
 Note that the replies arrive with source 172.31.31.254 rather than 172.31.31.11: debian1's echo replies are being source-rewritten on their way out through the router. The TTL of 63 shows they still originate from the Linux host one hop away, not from the router itself, which answers with TTL 255 (compare the pings to 172.31.31.254 above).

$ ping -c 2 172.31.31.11
PING 172.31.31.11 (172.31.31.11) 56(84) bytes of data.
64 bytes from 172.31.31.254: icmp_req=1 ttl=63 time=0.788 ms
64 bytes from 172.31.31.254: icmp_req=2 ttl=63 time=0.672 ms

--- 172.31.31.11 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.672/0.730/0.788/0.058 ms

■Configure eth3 on debian1 (a second address in the same subnet)

$ sudo /sbin/ifconfig eth3 172.31.31.12/24 up
$ ping -c 2 172.31.31.254
PING 172.31.31.254 (172.31.31.254) 56(84) bytes of data.
64 bytes from 172.31.31.254: icmp_req=1 ttl=255 time=1.61 ms
64 bytes from 172.31.31.254: icmp_req=2 ttl=255 time=0.510 ms

--- 172.31.31.254 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.510/1.063/1.616/0.553 ms
$ ping -c 2 10.10.10.254
PING 10.10.10.254 (10.10.10.254) 56(84) bytes of data.
64 bytes from 10.10.10.254: icmp_req=1 ttl=63 time=0.920 ms
64 bytes from 10.10.10.254: icmp_req=2 ttl=63 time=0.702 ms

--- 10.10.10.254 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.702/0.811/0.920/0.109 ms

■Set the VLAN side to 172.31.30.254/24 (inside)
 The "ip nat" command cannot be applied directly to the Fa2 to Fa9 switch ports,
 but it can be applied to the VLAN interface. The matching access-list entry needs
 the wildcard 0.0.0.255 to cover the whole /24; the easy slip "172.31.30.1 0.0.0.254"
 would only match odd host addresses, so 172.31.30.30 would never be translated.

R1#show running-config | section interface Vlan1
interface Vlan1
 no ip address
R1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#interface vlan 1
R1(config-if)#ip nat inside
R1(config-if)#ip address 172.31.30.254 255.255.255.0
R1(config-if)#exit
R1(config)#access-list 7 permit 172.31.30.0 0.0.0.255
R1(config)#end
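Standard-ACL wildcard masks are easy to get wrong, and a wrong mask silently leaves hosts out of the NAT rule while everything still appears to work as long as a static route carries the traffic. The following Python, an added example written for this page (not IOS output), evaluates an entry the way IOS does: wildcard bits set to 1 are ignored, bits set to 0 must equal the address in the entry. It shows that "172.31.30.1 0.0.0.254" selects only the 128 odd host addresses of 172.31.30.0/24 and excludes 172.31.30.30, while "172.31.30.0 0.0.0.255" covers the whole subnet. The ACL contents are the page's; the function and constant names are mine.

```python
"""Cisco standard-ACL wildcard-mask evaluation.

Added example for this page, not IOS output. A wildcard bit of 1 means "don't care",
a bit of 0 means "must equal the address in the entry". So `172.31.30.1 0.0.0.254`
requires the lowest address bit to be 1: only odd hosts match, and 172.31.30.30 is left out.
"""
import ipaddress


def wildcard_match(entry_addr: str, wildcard: str, addr: str) -> bool:
    """True if `addr` is selected by the ACL entry `entry_addr wildcard`."""
    base = int(ipaddress.IPv4Address(entry_addr))
    wild = int(ipaddress.IPv4Address(wildcard))
    test = int(ipaddress.IPv4Address(addr))
    care = 0xFFFFFFFF ^ wild          # bits that must match exactly
    return (base & care) == (test & care)


def matched_hosts(entry_addr: str, wildcard: str, network: str) -> list:
    """All addresses of `network` that the entry selects."""
    return [str(a) for a in ipaddress.ip_network(network)
            if wildcard_match(entry_addr, wildcard, str(a))]


def acl_permits(entries, addr: str) -> bool:
    """Evaluate a standard ACL top to bottom: first match wins, implicit deny at the end.
    `entries` is a list of (action, address, wildcard) tuples."""
    for action, base, wild in entries:
        if wildcard_match(base, wild, addr):
            return action == "permit"
    return False


# access-list 7 with the mistaken 0.0.0.254 mask, and with the mask that covers the /24
ACL7_WRONG_MASK = [("permit", "172.31.31.0", "0.0.0.255"),
                   ("permit", "172.31.30.1", "0.0.0.254")]
ACL7_FIXED = [("permit", "172.31.31.0", "0.0.0.255"),
              ("permit", "172.31.30.0", "0.0.0.255")]


if __name__ == "__main__":
    odd = matched_hosts("172.31.30.1", "0.0.0.254", "172.31.30.0/24")
    print(len(odd), "hosts matched, first few:", odd[:4])
    for host in ("172.31.30.30", "172.31.30.31", "172.31.31.12", "10.10.10.254"):
        print(host, "wrong mask:", acl_permits(ACL7_WRONG_MASK, host),
              "fixed:", acl_permits(ACL7_FIXED, host))
```

Running the block lists the 128 odd addresses and shows 172.31.30.30 denied by the first list and permitted by the second; the same check is worth running against any NAT or filtering ACL before trusting a successful ping, because plain routing can mask the gap.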

■Change the IP address of eth3 on debian1

$ sudo /sbin/ifconfig eth3 172.31.30.30/24 up
$ sudo route add -net 10.10.10.0/24 gw 172.31.30.254

$ ping -c 2 172.31.30.254
PING 172.31.30.254 (172.31.30.254) 56(84) bytes of data.
64 bytes from 172.31.30.254: icmp_req=1 ttl=255 time=2.51 ms
64 bytes from 172.31.30.254: icmp_req=2 ttl=255 time=0.727 ms

--- 172.31.30.254 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.727/1.619/2.512/0.893 ms
$ ping -c 2 10.10.10.10
PING 10.10.10.10 (10.10.10.10) 56(84) bytes of data.
64 bytes from 10.10.10.10: icmp_req=1 ttl=255 time=1.39 ms
64 bytes from 10.10.10.10: icmp_req=2 ttl=255 time=0.748 ms

--- 10.10.10.10 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.748/1.069/1.390/0.321 ms

■Add the route on the debian2 side

$ sudo route add -net 172.31.30.0/24 gw 10.10.10.10

■From debian1 to the WAN side.

$ ping -c 2 10.10.10.254
PING 10.10.10.254 (10.10.10.254) 56(84) bytes of data.
64 bytes from 10.10.10.254: icmp_req=1 ttl=63 time=1.59 ms
64 bytes from 10.10.10.254: icmp_req=2 ttl=63 time=1.73 ms

--- 10.10.10.254 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.596/1.665/1.734/0.069 ms

■Once this much is confirmed, Fa1 can be removed: the switch ports on Vlan1 now serve as the inside.