Cisco IOS IP Services – Configuring static NAT


This post summarizes how to use static NAT on Cisco IOS. Static NAT is also referred to as stateless NAT or 1:1 NAT. Its main use case is publishing a web server to an external network.

Command list

Router(config)# ip nat inside source static tcp <inside_local> <port> <inside_global> <port>

Topology

Operation is verified on the following topology. R3 is the boundary between the global address space and the private address space.

         e0/0    e0/1      e0/0    e0/1      e0/0    e0/1
 +--------+.1    .2+--------+.2    .3+--------+.3    .4+--------+
 |   R1   +--------+   R2   +--------+   R3   +--------+  ISP4  |
 +--------+        +--------+        +--------+        +--------+
        192.168.12.0/24   192.168.23.0/24    155.1.34.0/24

 R1 Loopback0      R2 Loopback0      R3 Loopback0      ISP4 Loopback0
 10.1.1.1/32       10.2.2.2/32       10.3.3.3/32       150.1.4.4/32

 [R1]
router ospf 1
 network 10.1.1.1 0.0.0.0 area 0
 network 192.168.12.1 0.0.0.0 area 0

 [R2]
router ospf 1
 network 10.2.2.2 0.0.0.0 area 0
 network 192.168.12.2 0.0.0.0 area 0
 network 192.168.23.2 0.0.0.0 area 0

 [R3]
router ospf 1
 network 10.3.3.3 0.0.0.0 area 0
 network 192.168.23.3 0.0.0.0 area 0
!
router bgp 34
 no synchronization
 neighbor 155.1.34.4 remote-as 34
 no auto-summary

 [ISP4]
router bgp 34
 no synchronization
 network 150.1.4.4 mask 255.255.255.255
 neighbor 155.1.34.3 remote-as 34
 no auto-summary

The complete configurations are given below; refer to them for the detailed settings.

R1
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
!
interface Ethernet0/0
 ip address 192.168.12.1 255.255.255.0
 half-duplex
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
!
router ospf 1
 log-adjacency-changes
 network 10.1.1.1 0.0.0.0 area 0
 network 192.168.12.1 0.0.0.0 area 0
!
ip http server
ip http path flash:
ip forward-protocol nd
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp behavior g729-variants static-pt
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end

R2
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 10.2.2.2 255.255.255.255
!
interface Ethernet0/0
 ip address 192.168.23.2 255.255.255.0
 half-duplex
!
interface Ethernet0/1
 ip address 192.168.12.2 255.255.255.0
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
!
router ospf 1
 log-adjacency-changes
 network 10.2.2.2 0.0.0.0 area 0
 network 192.168.12.2 0.0.0.0 area 0
 network 192.168.23.2 0.0.0.0 area 0
!
ip http server
ip forward-protocol nd
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp behavior g729-variants static-pt
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
!
end

R3
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 10.3.3.3 255.255.255.255
!
interface Ethernet0/0
 ip address 155.1.34.3 255.255.255.0
 half-duplex
!
interface Ethernet0/1
 ip address 192.168.23.3 255.255.255.0
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
!
router ospf 1
 log-adjacency-changes
 network 10.3.3.3 0.0.0.0 area 0
 network 192.168.23.3 0.0.0.0 area 0
!
router bgp 34
 no synchronization
 bgp log-neighbor-changes
 neighbor 155.1.34.4 remote-as 34
 no auto-summary
!
ip http server
ip forward-protocol nd
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp behavior g729-variants static-pt
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end

ISP4
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISP4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 150.1.4.4 255.255.255.255
!
interface Ethernet0/0
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/1
 ip address 155.1.34.4 255.255.255.0
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
!
router bgp 34
 no synchronization
 bgp log-neighbor-changes
 network 150.1.4.4 mask 255.255.255.255
 neighbor 155.1.34.3 remote-as 34
 no auto-summary
!
ip http server
ip forward-protocol nd
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp behavior g729-variants static-pt
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end

Behavior

static NAT

Static NAT is defined with the following command.

Router(config)# ip nat inside source static tcp <inside_local> <port> <inside_global> <port>

Basic configuration

Applying the configuration

Configure NAT so that R1, R2 and R3 can reach ISP4. The configuration goes on R3, the global/private boundary: Ethernet0/1 (192.168.23.3) is the inside interface and Ethernet0/0 (155.1.34.3) the outside interface, and the translations that appear below are shown on R3.

 [R3]
interface Ethernet0/1
 ip nat inside
interface Ethernet0/0
 ip nat outside
!
ip access-list standard ACL_NAT
 10 permit 192.168.0.0 0.0.255.255
 20 permit 10.0.0.0 0.3.255.255
!
ip nat inside source list ACL_NAT interface Ethernet0/0 overload
!
router ospf 1
 default-information originate always
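The dynamic entry above translates only sources that ACL_NAT permits, and standard ACLs use wildcard masks, which are easy to misread (0.3.255.255 is a /14, not a /8). The following is an added example, not code from the page or from Cisco; it re-implements wildcard matching and first-match ACL evaluation in Python over a constructed copy of ACL_NAT so that you can check which topology addresses the `ip nat inside source list ACL_NAT ... overload` statement would actually translate. All function names are the example's own.

```python
import ipaddress

# Constructed copy of the page's ACL_NAT entries: (sequence, action, network, wildcard).
ACL_NAT = [
    (10, "permit", "192.168.0.0", "0.0.255.255"),
    (20, "permit", "10.0.0.0", "0.3.255.255"),
]

MASK32 = 0xFFFFFFFF


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit in the wildcard must match the
    network, a 1 bit is 'don't care' (the inverse of a subnet mask)."""
    care = ~_to_int(wildcard) & MASK32
    return (_to_int(addr) & care) == (_to_int(network) & care)


def wildcard_range(network, wildcard):
    """Lowest and highest address an ACE covers, e.g. 10.0.0.0 0.3.255.255
    covers 10.0.0.0 through 10.3.255.255."""
    w = _to_int(wildcard)
    low = _to_int(network) & ~w & MASK32
    high = low | w
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


def acl_action(acl, addr):
    """First-match evaluation; every IOS ACL ends with an implicit deny."""
    for seq, action, network, wildcard in acl:
        if wildcard_match(addr, network, wildcard):
            return action, seq
    return "deny", None


def nat_candidates(acl, addrs):
    """Addresses the NAT statement would translate: those the ACL permits."""
    return [a for a in addrs if acl_action(acl, a)[0] == "permit"]


if __name__ == "__main__":
    for seq, action, network, wildcard in ACL_NAT:
        print(seq, action, network, wildcard, "->", wildcard_range(network, wildcard))
    # Loopback and link addresses from the topology plus one address outside both ranges.
    sample = ["10.1.1.1", "10.2.2.2", "10.3.3.3", "192.168.12.1", "10.4.0.1", "155.1.34.4"]
    for a in sample:
        print(a, acl_action(ACL_NAT, a))
    print("translated:", nat_candidates(ACL_NAT, sample))
```

Running it shows that the three router loopbacks and the 192.168.x.x links are permitted while anything from 10.4.0.0 upward or from 155.1.34.0/24 is not; the ACL defines the set of inside sources that will share 155.1.34.3 via overload, so reviewing its ranges is the same as reviewing which hosts can originate traffic to the outside.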

Verification

Confirm that R1 can reach Lo0 on ISP4 (150.1.4.4).

 [R1]
R1#ping 150.1.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/96/144 ms
R1#

 [R3]
R3#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 155.1.34.3:2      192.168.12.1:2     150.1.4.4:2        150.1.4.4:2
R3#

Publishing a server

Applying the configuration

Apply the following configuration so that R1 emulates an HTTP server. The last line is an exec command, not configuration: it writes the running configuration to flash so that the HTTP server, whose root is set to flash: by `ip http path flash:`, has a file to serve.

 [R1]
enable password cisco
!
ip http server
ip http path flash:
ip http authentication enable
!
show running-config | redirect flash:running-config

Publish R1 as an HTTP server. The global address of R1 as seen from the external network (inside global) is 150.1.1.1.

 [R3]
ip route 150.1.1.1 255.255.255.255 Null 0
!
router bgp 34
 network 150.1.1.1 mask 255.255.255.255
!
ip nat inside source static tcp 10.1.1.1 80 150.1.1.1 80

Verification

Confirm that ISP4 can communicate with R1 over HTTP.

 [ISP4]
ISP4#copy http://cisco:cisco@150.1.1.1/running-config null:
Loading http://***********@150.1.1.1/running-config !
968 bytes copied in 0.416 secs (2327 bytes/sec)
ISP4#

 [R3]
R3#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 150.1.1.1:80       10.1.1.1:80        155.1.34.4:55101   155.1.34.4:55101
tcp 150.1.1.1:80       10.1.1.1:80        155.1.34.4:55492   155.1.34.4:55492
tcp 150.1.1.1:80       10.1.1.1:80        ---                ---
R3#

Honeypot

Applying the configuration

Implement R2 as a honeypot. First, configure line vty so that R2 accepts logins.

 [R2]
line vty 0 4
 password cisco
 login

Configure static NAT so that every intrusion attempt aimed at R3 is forwarded to R2.

 [R3]
ip nat inside source static tcp 10.2.2.2 22 155.1.34.3 22
ip nat inside source static tcp 10.2.2.2 23 155.1.34.3 23

Verification

Attempt an intrusion from ISP4 against R3, and confirm that the resulting telnet session is forwarded to R2.

 [ISP4]
ISP4#telnet 155.1.34.3
Trying 155.1.34.3 ... Open


User Access Verification

Password:
R2>

 [R3]
R3#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 150.1.1.1:80       10.1.1.1:80        ---                ---
tcp 155.1.34.3:22      10.2.2.2:22        ---                ---
tcp 155.1.34.3:23      10.2.2.2:23        155.1.34.4:63710   155.1.34.4:63710
tcp 155.1.34.3:23      10.2.2.2:23        ---                ---
R3#
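The two `show ip nat translations` listings above (the HTTP publication and the honeypot) follow one rule: a static entry owns a fixed inside-global/inside-local pair, every active connection through it gets an extended row, and a bare `---` row remains as long as the entry is configured. The following is an added example, not code from the page or from Cisco; it models R3's three static entries in Python, rewrites a packet in each direction, regenerates rows in the shape of the show output from a constructed flow, and adds two checks a defender would want: an inventory of which inside ports are reachable from outside, and a list of entries that borrow one of the router's own interface addresses, which is why telnet to 155.1.34.3 lands on R2 and no longer on R3. Function names and the sample flow are the example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticNat:
    """One 'ip nat inside source static tcp <inside_local> <port> <inside_global> <port>' line."""
    proto: str
    inside_local: str
    local_port: int
    inside_global: str
    global_port: int


# Constructed from the three static entries configured on R3 in the page.
R3_STATIC = [
    StaticNat("tcp", "10.1.1.1", 80, "150.1.1.1", 80),
    StaticNat("tcp", "10.2.2.2", 22, "155.1.34.3", 22),
    StaticNat("tcp", "10.2.2.2", 23, "155.1.34.3", 23),
]


def inbound(table, proto, dst_ip, dst_port):
    """Packet entering the 'ip nat outside' interface: the destination is matched
    against inside global and rewritten to inside local. None means there is no
    entry, so the packet is delivered untranslated (to R3 itself if the address is R3's)."""
    for e in table:
        if (e.proto, e.inside_global, e.global_port) == (proto, dst_ip, dst_port):
            return e.inside_local, e.local_port
    return None


def outbound(table, proto, src_ip, src_port):
    """Reply leaving through the outside interface: the inside-local source is
    rewritten back to inside global, so the peer sees one consistent endpoint."""
    for e in table:
        if (e.proto, e.inside_local, e.local_port) == (proto, src_ip, src_port):
            return e.inside_global, e.global_port
    return None


def translation_rows(table, flows):
    """Rows in the shape of 'show ip nat translations': per static entry, one
    extended row per active flow (outside local/global filled in) followed by the
    bare '---' row. flows maps (inside_global, global_port) -> [(peer_ip, peer_port)]."""
    rows = []
    for e in table:
        ig = f"{e.inside_global}:{e.global_port}"
        il = f"{e.inside_local}:{e.local_port}"
        for peer_ip, peer_port in flows.get((e.inside_global, e.global_port), []):
            peer = f"{peer_ip}:{peer_port}"
            rows.append((e.proto, ig, il, peer, peer))
        rows.append((e.proto, ig, il, "---", "---"))
    return rows


def exposed_services(table):
    """Inside endpoints reachable from outside through static entries: the set to
    compare against what is actually meant to be public."""
    return sorted({(e.inside_local, e.local_port) for e in table})


def borrows_router_address(table, router_outside_ips):
    """Entries whose inside global address is one of the router's own interface
    addresses: those ports are diverted away from the router's own services."""
    return [e for e in table if e.inside_global in router_outside_ips]


if __name__ == "__main__":
    # Constructed flow mirroring the telnet session in the page's last listing.
    active = {("155.1.34.3", 23): [("155.1.34.4", 63710)]}
    print(f"{'Pro':<4} {'Inside global':<18} {'Inside local':<18} {'Outside local':<18} Outside global")
    for row in translation_rows(R3_STATIC, active):
        print(f"{row[0]:<4} {row[1]:<18} {row[2]:<18} {row[3]:<18} {row[4]}")
    print("inbound to 155.1.34.3:23 ->", inbound(R3_STATIC, "tcp", "155.1.34.3", 23))
    print("inbound to 155.1.34.3:80 ->", inbound(R3_STATIC, "tcp", "155.1.34.3", 80))
    print("exposed from outside:", exposed_services(R3_STATIC))
    diverted = borrows_router_address(R3_STATIC, {"155.1.34.3"})
    print("diverted from R3 itself:", [(e.inside_global, e.global_port) for e in diverted])
```

The inventory and the diversion check are the practical takeaways: static entries on a router's own outside address silently take those ports away from the router (here SSH and telnet to 155.1.34.3 reach R2, while port 80 on the same address, having no entry, still reaches R3's own `ip http server`), so any change to `ip nat inside source static` lines should be reviewed against both the intended public services and the router's own management access.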