■Cisco 1812JにPATを設定する(IPマスカレード) 普通のルータのように振る舞う最低限の設定 Client 172.31.31.0/24 --> (Fa1)172.31.31.254/32(Fa0)10.10.10.10/24 --> WAN 10.10.10.254/24 ■debian1側をClientとして172.31.31.10/24のIPを割り当て $ sudo /sbin/ifconfig eth2 172.31.31.10/24 up ■1812J側のFa1を172.31.31.254(inside)に。 R1>enable Password: R1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. R1#show running-config | section interface FastEthernet1 interface FastEthernet1 no ip address shutdown duplex auto speed auto R1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. R1(config)#interface fastEthernet 1 R1(config-if)#ip nat inside R1(config-if)#ip address 172.31.31.254 255.255.255.0 R1(config-if)#no shutdown R1(config-if)#end R1#show running-config | section interface FastEthernet1 interface FastEthernet1 ip address 172.31.31.254 255.255.255.0 ip nat inside ip virtual-reassembly duplex auto speed auto ■ClientとFa1との疎通を確認 $ ping -c 2 172.31.31.254 PING 172.31.31.254 (172.31.31.254) 56(84) bytes of data. 64 bytes from 172.31.31.254: icmp_req=1 ttl=255 time=0.515 ms 64 bytes from 172.31.31.254: icmp_req=2 ttl=255 time=0.482 ms --- 172.31.31.254 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 999ms rtt min/avg/max/mdev = 0.482/0.498/0.515/0.027 ms R1#ping 172.31.31.10 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.31.31.10, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms ■Fa0を10.10.10.10/32(outside)に。 R1#show running-config | section interface FastEthernet0 interface FastEthernet0 no ip address shutdown duplex auto speed auto R1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. R1(config)#interface fastEthernet 0 R1(config-if)#ip nat outside R1(config-if)#ip address 10.10.10.10 255.255.255.0 R1(config-if)#no cdp enable R1(config-if)#end R1#show running-config | section interface FastEthernet0 interface FastEthernet0 ip address 10.10.10.10 255.255.255.0 ip nat outside ip virtual-reassembly duplex auto speed auto no cdp enable R1#ping 10.10.10.10 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms ■debian2を10.10.10.254/24(WAN)に。 $ sudo /sbin/ifconfig eth2 10.10.10.254/24 up $ ping -c 2 10.10.10.10 PING 10.10.10.10 (10.10.10.10) 56(84) bytes of data. 64 bytes from 10.10.10.10: icmp_req=1 ttl=255 time=0.597 ms 64 bytes from 10.10.10.10: icmp_req=2 ttl=255 time=0.521 ms --- 10.10.10.10 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 999ms rtt min/avg/max/mdev = 0.521/0.559/0.597/0.038 ms ■この状態だとルーティングを設定しても到達しない。 $ sudo route add -net 10.10.10.0/24 gw 172.31.31.254 $ ping -c 2 10.10.10.254 PING 10.10.10.254 (10.10.10.254) 56(84) bytes of data. --- 10.10.10.254 ping statistics --- 2 packets transmitted, 0 received, 100% packet loss, time 1008ms $ sudo route add -net 172.31.31.0/24 gw 10.10.10.10 $ ping -c 2 172.31.31.10 PING 172.31.31.10 (172.31.31.10) 56(84) bytes of data. --- 172.31.31.10 ping statistics --- 2 packets transmitted, 0 received, 100% packet loss, time 1999ms ■WANという名前でoverloadを定義する。 R1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. R1(config)#ip nat pool WAN 172.31.31.253 172.31.31.253 prefix 24 R1(config)#ip nat inside source list 7 pool WAN overload R1(config)#access-list 7 permit 172.31.31.0 0.0.0.255 R1(config)#end ■debian2のWAN側でのパケットキャプチャ WAN側にはCDPパケットが流れない。 22:30:23.725723 IP 172.31.31.10 > 10.10.10.254: ICMP echo request, id 7659, seq 1, length 64 22:30:23.725762 IP 10.10.10.254 > 172.31.31.10: ICMP echo reply, id 7659, seq 1, length 64 22:30:24.725051 IP 172.31.31.10 > 10.10.10.254: ICMP echo request, id 7659, seq 2, length 64 22:30:24.725071 IP 10.10.10.254 > 172.31.31.10: ICMP echo reply, id 7659, seq 2, length 64 ■debian1のClient側でのパケットキャプチャ Client側にもCisco製品が無ければCDPパケットは不要。頻度は1回/分 22:35:05.619283 IP 172.31.31.10 > 10.10.10.254: ICMP echo request, id 7733, seq 1, length 64 22:35:05.619906 IP 10.10.10.254 > 172.31.31.10: ICMP echo reply, id 7733, seq 1, length 64 22:35:06.620345 IP 172.31.31.10 > 10.10.10.254: ICMP echo request, id 7733, seq 2, length 64 22:35:06.621007 IP 10.10.10.254 > 172.31.31.10: ICMP echo reply, id 7733, seq 2, length 64 22:35:07.248698 22:35:17.248985 22:35:27.249263 22:35:29.585362 CDPv2, ttl: 180s, Device-ID 'R1.localdomain', length 342 22:35:37.249541 22:35:47.249820 22:35:57.250100 22:36:07.250403 22:36:17.250658 22:36:27.250938 22:36:29.587027 CDPv2, ttl: 180s, Device-ID 'R1.localdomain', length 342 ■Fa1側を一度停止 R1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. R1(config-if)#shutdown R1(config-if)#end R1# May 9 23:35:20.303: %LINK-5-CHANGED: Interface FastEthernet1, changed state to administratively down May 9 23:35:21.303: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1, changed state to down ■クライアント側は24bitマスクなので、IP設定を変えてみる。 $ env LANG=C /sbin/ifconfig eth2 | grep inet | awk '{print $2,$4}' addr:172.31.31.10 Mask:255.255.255.0 $ sudo /sbin/ifconfig eth2 172.31.31.11/24 up $ env LANG=C /sbin/ifconfig eth2 | grep inet | awk '{print $2,$4}' addr:172.31.31.11 Mask:255.255.255.0 $ sudo route add -net 10.10.10.0/24 gw 172.31.31.254 ■Fa1側を再開 R1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. R1(config)#interface fastEthernet 1 R1(config-if)#end May 9 23:35:39.795: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to up May 9 23:35:57.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1, changed state to up ■debian1側からの確認 $ ping -c 2 10.10.10.254 PING 10.10.10.254 (10.10.10.254) 56(84) bytes of data. 64 bytes from 10.10.10.254: icmp_req=1 ttl=63 time=2.02 ms 64 bytes from 10.10.10.254: icmp_req=2 ttl=63 time=0.712 ms --- 10.10.10.254 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1001ms rtt min/avg/max/mdev = 0.712/1.368/2.025/0.657 ms ■debian2側からの確認 $ ping -c 2 172.31.31.11 PING 172.31.31.11 (172.31.31.11) 56(84) bytes of data. 64 bytes from 172.31.31.254: icmp_req=1 ttl=63 time=0.788 ms 64 bytes from 172.31.31.254: icmp_req=2 ttl=63 time=0.672 ms --- 172.31.31.11 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 999ms rtt min/avg/max/mdev = 0.672/0.730/0.788/0.058 ms ■debian1側にeth3を設定 $ sudo /sbin/ifconfig eth3 172.31.31.12/24 up $ ping -c 2 172.31.31.254 PING 172.31.31.254 (172.31.31.254) 56(84) bytes of data. 64 bytes from 172.31.31.254: icmp_req=1 ttl=255 time=1.61 ms 64 bytes from 172.31.31.254: icmp_req=2 ttl=255 time=0.510 ms --- 172.31.31.254 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1001ms rtt min/avg/max/mdev = 0.510/1.063/1.616/0.553 ms $ ping -c 2 10.10.10.254 PING 10.10.10.254 (10.10.10.254) 56(84) bytes of data. 64 bytes from 10.10.10.254: icmp_req=1 ttl=63 time=0.920 ms 64 bytes from 10.10.10.254: icmp_req=2 ttl=63 time=0.702 ms --- 10.10.10.254 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1001ms rtt min/avg/max/mdev = 0.702/0.811/0.920/0.109 ms ■VLAN側には172.31.30.254/24(inside)に設定 Fa2~9のインターフェイスに直接「ip nat」コマンドは使えないが、 VLANであれば使える。 R1#show running-config | section interface Vlan1 interface Vlan1 no ip address R1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. R1(config)#interface vlan 1 R1(config-if)#ip nat inside R1(config-if)#ip address 172.31.30.254 255.255.255.0 R1(config)#access-list 7 permit 172.31.30.1 0.0.0.254 R1(config)#end ■debian1のeth3のIP設定を変更 $ sudo /sbin/ifconfig eth3 172.31.30.30/24 up $ sudo route add -net 10.10.10.0/24 gw 172.31.30.254 $ ping -c 2 172.31.30.254 PING 172.31.30.254 (172.31.30.254) 56(84) bytes of data. 64 bytes from 172.31.30.254: icmp_req=1 ttl=255 time=2.51 ms 64 bytes from 172.31.30.254: icmp_req=2 ttl=255 time=0.727 ms --- 172.31.30.254 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1001ms rtt min/avg/max/mdev = 0.727/1.619/2.512/0.893 ms $ ping -c 2 10.10.10.10 PING 10.10.10.10 (10.10.10.10) 56(84) bytes of data. 64 bytes from 10.10.10.10: icmp_req=1 ttl=255 time=1.39 ms 64 bytes from 10.10.10.10: icmp_req=2 ttl=255 time=0.748 ms --- 10.10.10.10 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1001ms rtt min/avg/max/mdev = 0.748/1.069/1.390/0.321 ms ■debian2側にルーティング設定 $ sudo route add -net 172.31.30.0/24 gw 10.10.10.10 ■debian1側からWAN側へ。 $ ping -c 2 10.10.10.254 PING 10.10.10.254 (10.10.10.254) 56(84) bytes of data. 64 bytes from 10.10.10.254: icmp_req=1 ttl=63 time=1.59 ms 64 bytes from 10.10.10.254: icmp_req=2 ttl=63 time=1.73 ms --- 10.10.10.254 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1001ms rtt min/avg/max/mdev = 1.596/1.665/1.734/0.069 ms ■ここまで分かればFa1は外せる。
