■Cisco 1812JにPATを設定する(IPマスカレード)
普通のルータのように振る舞う最低限の設定
Client 172.31.31.0/24 --> (Fa1)172.31.31.254/32(Fa0)10.10.10.10/24 --> WAN 10.10.10.254/24
■debian1側をClientとして172.31.31.10/24のIPを割り当て
$ sudo /sbin/ifconfig eth2 172.31.31.10/24 up
■1812J側のFa1を172.31.31.254(inside)に。
R1>enable
Password:
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1#show running-config | section interface FastEthernet1
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface fastEthernet 1
R1(config-if)#ip nat inside
R1(config-if)#ip address 172.31.31.254 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#end
R1#show running-config | section interface FastEthernet1
interface FastEthernet1
ip address 172.31.31.254 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
■ClientとFa1との疎通を確認
$ ping -c 2 172.31.31.254
PING 172.31.31.254 (172.31.31.254) 56(84) bytes of data.
64 bytes from 172.31.31.254: icmp_req=1 ttl=255 time=0.515 ms
64 bytes from 172.31.31.254: icmp_req=2 ttl=255 time=0.482 ms
--- 172.31.31.254 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.482/0.498/0.515/0.027 ms
R1#ping 172.31.31.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.31.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
■Fa0を10.10.10.10/32(outside)に。
R1#show running-config | section interface FastEthernet0
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface fastEthernet 0
R1(config-if)#ip nat outside
R1(config-if)#ip address 10.10.10.10 255.255.255.0
R1(config-if)#no cdp enable
R1(config-if)#end
R1#show running-config | section interface FastEthernet0
interface FastEthernet0
ip address 10.10.10.10 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
R1#ping 10.10.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
■debian2を10.10.10.254/24(WAN)に。
$ sudo /sbin/ifconfig eth2 10.10.10.254/24 up
$ ping -c 2 10.10.10.10
PING 10.10.10.10 (10.10.10.10) 56(84) bytes of data.
64 bytes from 10.10.10.10: icmp_req=1 ttl=255 time=0.597 ms
64 bytes from 10.10.10.10: icmp_req=2 ttl=255 time=0.521 ms
--- 10.10.10.10 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.521/0.559/0.597/0.038 ms
■この状態だとルーティングを設定しても到達しない。
$ sudo route add -net 10.10.10.0/24 gw 172.31.31.254
$ ping -c 2 10.10.10.254
PING 10.10.10.254 (10.10.10.254) 56(84) bytes of data.
--- 10.10.10.254 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1008ms
$ sudo route add -net 172.31.31.0/24 gw 10.10.10.10
$ ping -c 2 172.31.31.10
PING 172.31.31.10 (172.31.31.10) 56(84) bytes of data.
--- 172.31.31.10 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1999ms
■WANという名前でoverloadを定義する。
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip nat pool WAN 172.31.31.253 172.31.31.253 prefix 24
R1(config)#ip nat inside source list 7 pool WAN overload
R1(config)#access-list 7 permit 172.31.31.0 0.0.0.255
R1(config)#end
■debian2のWAN側でのパケットキャプチャ
WAN側にはCDPパケットが流れない。
22:30:23.725723 IP 172.31.31.10 > 10.10.10.254: ICMP echo request, id 7659, seq 1, length 64
22:30:23.725762 IP 10.10.10.254 > 172.31.31.10: ICMP echo reply, id 7659, seq 1, length 64
22:30:24.725051 IP 172.31.31.10 > 10.10.10.254: ICMP echo request, id 7659, seq 2, length 64
22:30:24.725071 IP 10.10.10.254 > 172.31.31.10: ICMP echo reply, id 7659, seq 2, length 64
■debian1のClient側でのパケットキャプチャ
Client側にもCisco製品が無ければCDPパケットは不要。頻度は1回/分
22:35:05.619283 IP 172.31.31.10 > 10.10.10.254: ICMP echo request, id 7733, seq 1, length 64
22:35:05.619906 IP 10.10.10.254 > 172.31.31.10: ICMP echo reply, id 7733, seq 1, length 64
22:35:06.620345 IP 172.31.31.10 > 10.10.10.254: ICMP echo request, id 7733, seq 2, length 64
22:35:06.621007 IP 10.10.10.254 > 172.31.31.10: ICMP echo reply, id 7733, seq 2, length 64
22:35:07.248698
22:35:17.248985
22:35:27.249263
22:35:29.585362 CDPv2, ttl: 180s, Device-ID 'R1.localdomain', length 342
22:35:37.249541
22:35:47.249820
22:35:57.250100
22:36:07.250403
22:36:17.250658
22:36:27.250938
22:36:29.587027 CDPv2, ttl: 180s, Device-ID 'R1.localdomain', length 342
■Fa1側を一度停止
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config-if)#shutdown
R1(config-if)#end
R1#
May 9 23:35:20.303: %LINK-5-CHANGED: Interface FastEthernet1, changed state to administratively down
May 9 23:35:21.303: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1, changed state to down
■クライアント側は24bitマスクなので、IP設定を変えてみる。
$ env LANG=C /sbin/ifconfig eth2 | grep inet | awk '{print $2,$4}'
addr:172.31.31.10 Mask:255.255.255.0
$ sudo /sbin/ifconfig eth2 172.31.31.11/24 up
$ env LANG=C /sbin/ifconfig eth2 | grep inet | awk '{print $2,$4}'
addr:172.31.31.11 Mask:255.255.255.0
$ sudo route add -net 10.10.10.0/24 gw 172.31.31.254
■Fa1側を再開
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface fastEthernet 1
R1(config-if)#end
May 9 23:35:39.795: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to up
May 9 23:35:57.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1, changed state to up
■debian1側からの確認
$ ping -c 2 10.10.10.254
PING 10.10.10.254 (10.10.10.254) 56(84) bytes of data.
64 bytes from 10.10.10.254: icmp_req=1 ttl=63 time=2.02 ms
64 bytes from 10.10.10.254: icmp_req=2 ttl=63 time=0.712 ms
--- 10.10.10.254 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.712/1.368/2.025/0.657 ms
■debian2側からの確認
$ ping -c 2 172.31.31.11
PING 172.31.31.11 (172.31.31.11) 56(84) bytes of data.
64 bytes from 172.31.31.254: icmp_req=1 ttl=63 time=0.788 ms
64 bytes from 172.31.31.254: icmp_req=2 ttl=63 time=0.672 ms
--- 172.31.31.11 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.672/0.730/0.788/0.058 ms
■debian1側にeth3を設定
$ sudo /sbin/ifconfig eth3 172.31.31.12/24 up
$ ping -c 2 172.31.31.254
PING 172.31.31.254 (172.31.31.254) 56(84) bytes of data.
64 bytes from 172.31.31.254: icmp_req=1 ttl=255 time=1.61 ms
64 bytes from 172.31.31.254: icmp_req=2 ttl=255 time=0.510 ms
--- 172.31.31.254 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.510/1.063/1.616/0.553 ms
$ ping -c 2 10.10.10.254
PING 10.10.10.254 (10.10.10.254) 56(84) bytes of data.
64 bytes from 10.10.10.254: icmp_req=1 ttl=63 time=0.920 ms
64 bytes from 10.10.10.254: icmp_req=2 ttl=63 time=0.702 ms
--- 10.10.10.254 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.702/0.811/0.920/0.109 ms
■VLAN側には172.31.30.254/24(inside)に設定
Fa2~9のインターフェイスに直接「ip nat」コマンドは使えないが、
VLANであれば使える。
R1#show running-config | section interface Vlan1
interface Vlan1
no ip address
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface vlan 1
R1(config-if)#ip nat inside
R1(config-if)#ip address 172.31.30.254 255.255.255.0
R1(config)#access-list 7 permit 172.31.30.1 0.0.0.254
R1(config)#end
■debian1のeth3のIP設定を変更
$ sudo /sbin/ifconfig eth3 172.31.30.30/24 up
$ sudo route add -net 10.10.10.0/24 gw 172.31.30.254
$ ping -c 2 172.31.30.254
PING 172.31.30.254 (172.31.30.254) 56(84) bytes of data.
64 bytes from 172.31.30.254: icmp_req=1 ttl=255 time=2.51 ms
64 bytes from 172.31.30.254: icmp_req=2 ttl=255 time=0.727 ms
--- 172.31.30.254 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.727/1.619/2.512/0.893 ms
$ ping -c 2 10.10.10.10
PING 10.10.10.10 (10.10.10.10) 56(84) bytes of data.
64 bytes from 10.10.10.10: icmp_req=1 ttl=255 time=1.39 ms
64 bytes from 10.10.10.10: icmp_req=2 ttl=255 time=0.748 ms
--- 10.10.10.10 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.748/1.069/1.390/0.321 ms
■debian2側にルーティング設定
$ sudo route add -net 172.31.30.0/24 gw 10.10.10.10
■debian1側からWAN側へ。
$ ping -c 2 10.10.10.254
PING 10.10.10.254 (10.10.10.254) 56(84) bytes of data.
64 bytes from 10.10.10.254: icmp_req=1 ttl=63 time=1.59 ms
64 bytes from 10.10.10.254: icmp_req=2 ttl=63 time=1.73 ms
--- 10.10.10.254 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.596/1.665/1.734/0.069 ms
■ここまで分かればFa1は外せる。
