Cisco configuration instance _ Cisco dual-Egress NAT configuration

Source: Internet
Author: User


Objective: simulate source-address-based policy routing when two egress links are available, so that hosts with different source addresses reach the Internet through different links. In most deployments the router also performs NAT on the outside interfaces, so this experiment uses two NAT translations as well, translating internal addresses so that Internet access is possible through two ISPs.

Environment: a Cisco 2621XM with an NM-1E module, which gives two FastEthernet ports and one Ethernet port. Ethernet 1/0 connects to the internal LAN, which contains clients in 100.100.23.0 255.255.255.0 and 100.100.24.0 255.255.255.0; policy routing on the source address is applied to them. FastEthernet 0/0 simulates the first ISP access port (IP address 192.168.1.2 255.255.255.0, peer ISP address 192.168.1.1 255.255.255.0) and FastEthernet 0/1 simulates the second ISP access port (IP address 192.168.2.2 255.255.255.0, peer ISP address 192.168.2.1 255.255.255.0). Traffic from the two source ranges is steered by policy routing, so hosts with different source addresses go out through different ISP interfaces and are translated to different NAT addresses.

Specific configuration:

    version 12.2
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname Router
    !
    ip subnet-zero
    call rsvp-sync
    !
    interface FastEthernet0/0                  ------ assumed to be the ISP 1 access port
     ip address 192.168.1.2 255.255.255.0      ------ assign the IP address
     ip nat outside                            ------ mark it as a NAT outside port
     duplex auto
     speed auto
    !
    interface FastEthernet0/1                  ------ assumed to be the ISP 2 access port
     ip address 192.168.2.2 255.255.255.0      ------ assign the IP address
     ip nat outside                            ------ mark it as a NAT outside port
     duplex auto
     speed auto
    !
    interface Ethernet1/0                      ------ assumed to be the internal network port
     ip address 100.100.255.254 255.255.0.0    ------ assign the IP address
     ip nat inside                             ------ mark it as the NAT inside port
     ip policy route-map t0                    ------ apply route-map t0 on this port for policy control
     half-duplex
    !
    ip nat inside source list 1 interface FastEthernet0/0 overload   ------ hosts matching list 1 (100.100.23.0) are translated to the address of FastEthernet 0/0
    ip nat inside source list 2 interface FastEthernet0/1 overload   ------ hosts matching list 2 (100.100.24.0) are translated to the address of FastEthernet 0/1
    ip classless
    ip route 0.0.0.0 0.0.0.0 192.168.2.1       ------ static default route to the Internet via 192.168.2.1 (ISP 2)
    ip route 0.0.0.0 0.0.0.0 192.168.1.1       ------ static default route to the Internet via 192.168.1.1 (ISP 1)
    ip http server
    !
    access-list 1 permit 100.100.23.0 0.0.0.255   ------ ACL 1 matches source addresses in the 100.100.23.0 segment
    access-list 2 permit 100.100.24.0 0.0.0.255   ------ ACL 2 matches source addresses in the 100.100.24.0 segment
    !
    route-map t0 permit 10                     ------ define route-map t0, permit sequence 10
     match ip address 1                        ------ check the source address against ACL 1 (100.100.23.0 segment)
     set interface FastEthernet0/0             ------ send matching traffic out FastEthernet 0/0
    !
    route-map t0 permit 20                     ------ define route-map t0, permit sequence 20
     match ip address 2                        ------ check the source address against ACL 2 (100.100.24.0 segment)
     set interface FastEthernet0/1             ------ send matching traffic out FastEthernet 0/1
    !
    dial-peer cor custom
    !
    line con 0
    line aux 0
    line vty 0 4
    !
    end

The static routes do not play a major role here, because policy routing makes the forwarding decision; they are needed mainly because set interface requires an explicit route to the destination in the routing table. To use set interface for backup, ACL 1 and ACL 2 would both have to permit all internal addresses, and NAT would be applied accordingly. In sequence 10 I think backup could be achieved by adding set interface FastEthernet0/1; in sequence 20 likewise (set interface FastEthernet0/1), I think it can be backed up.

Effect test: view the routing table.

    Router# show ip route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route

         100.0.0.0/16 is subnetted, 1 subnets
    C       100.100.0.0 is directly connected, Ethernet1/0
    C    192.168.1.0/24 is directly connected, FastEthernet0/0
    C    192.168.2.0/24 is directly connected, FastEthernet0/1
    S*   0.0.0.0/0 [1/0] via 192.168.1.1
                   [1/0] via 192.168.2.1

Two static default routes are present. Next, view the NAT translations:

    Router# show ip nat translations
    Pro Inside global      Inside local       Outside local      Outside global
    icmp 192.168.1.2:1024  100.100.23.23:1024 1.1.1.1:1024       1.1.1.1:1024
    icmp 192.168.2.2:1280  100.100.24.23:1280 1.1.1.1:1280       1.1.1.1:1280

The address 1.1.1.1 is the external address of the peer router and simulates a public Internet address. The output shows that traffic from hosts in the two network segments has indeed reached the external resource through different egress interfaces, and that different NAT addresses were used for the translation.

Note: NAT is required in most ISP scenarios, but in some special cases it is not. To run the same policy routing without NAT, remove the NAT configuration: the lines ip nat inside source list 1 interface FastEthernet0/0 overload and ip nat inside source list 2 interface FastEthernet0/1 overload, and the ip nat outside and ip nat inside commands on the interfaces.

The test above implements policy routing based on the source address: traffic from different internal source addresses reaches the Internet through different ISP interfaces. The mutual backup of the two links is not implemented, however: when either link fails, the other link is not used automatically, so the internal hosts assigned to the failed link lose Internet access.
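To make the wildcard-mask and first-match behaviour of this policy concrete, here is an added Python model (not part of the page and not a Cisco tool) of the two ACLs, route-map t0 and the NAT rules above; it also checks rows of show ip nat translations output against what the configuration predicts. The sample output rows, the column layout the parser assumes, and the deliberately wrong third row are all constructed for this example.

```python
import ipaddress
# Hand-transcribed model of this page's config (an added example, not router
# output): the two ACLs, route-map t0, and the two overload NAT rules.
ACLS = {1: [("permit", "100.100.23.0", "0.0.0.255")],
        2: [("permit", "100.100.24.0", "0.0.0.255")]}
ROUTE_MAP_T0 = [(10, 1, "FastEthernet0/0"), (20, 2, "FastEthernet0/1")]
NAT_RULES = {1: "192.168.1.2", 2: "192.168.2.2"}  # list -> egress interface address

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return ((a & ~w) & 0xFFFFFFFF) == ((n & ~w) & 0xFFFFFFFF)

def acl_permits(acl_id, src):
    for action, net, wc in ACLS[acl_id]:
        if wildcard_match(src, net, wc):
            return action == "permit"
    return False  # implicit deny at the end of every Cisco ACL

def policy_egress(src):
    """First matching route-map sequence wins; None means fall back to the routing table."""
    for _seq, acl_id, iface in ROUTE_MAP_T0:
        if acl_permits(acl_id, src):
            return iface
    return None

def inside_global(src):
    """Address a host is translated to, or None when no NAT rule matches it."""
    for acl_id, addr in NAT_RULES.items():
        if acl_permits(acl_id, src):
            return addr
    return None

def check_translations(lines):
    """(inside local, observed global, expected global) for rows that disagree with the config."""
    problems = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3 or fields[0] == "Pro":
            continue  # header or blank line
        glob, local = fields[1].split(":")[0], fields[2].split(":")[0]
        if inside_global(local) != glob:
            problems.append((local, glob, inside_global(local)))
    return problems

# Constructed sample: the page's two rows plus one deliberately inconsistent row.
SAMPLE = """Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.1.2:1024  100.100.23.23:1024 1.1.1.1:1024       1.1.1.1:1024
icmp 192.168.2.2:1280  100.100.24.23:1280 1.1.1.1:1280       1.1.1.1:1280
icmp 192.168.1.2:1300  100.100.24.9:1300  1.1.1.1:1300       1.1.1.1:1300""".splitlines()
```

A host outside both segments (for example 100.100.25.5) matches neither route-map sequence nor any NAT rule, which is the case the author's remark about letting the ACLs permit all internal addresses is about.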
