Cisco router PPPoE client + NAT: address reflection (hairpin NAT) test



One. Test topology:
[Figure TP1.jpg: test topology. From the configurations below: R1 (202.100.1.1) - R2 e0/0 (202.100.1.2); R2 e0/1 is the PPPoE server and the DNS server (202.100.2.2) - R3 e0/0 is the PPPoE client (Dialer0, negotiated address) and R3 e0/1 (192.168.1.3) is the gateway of the 192.168.1.0/24 LAN, where R4 (192.168.1.4) is the internal server and R5 is a DHCP client.]
Two. Test ideas:
A. Use the NAT Virtual Interface (`ip nat enable`, with no inside/outside direction)

--- With this approach the internal server can be reached from the LAN both by its public IP address and by domain name

--- Unfortunately Cisco IOS releases differ: some accept `ip nat enable` but do not implement the same behaviour

--- On some releases the interface simply does not accept `ip nat enable` at all

B. Make the domain name resolve to the server's real internal address

--- This approach only helps clients that use the domain name, not the public IP address

--- On an ASA firewall the NAT statement can carry a DNS option, and the firewall then rewrites the A record in the DNS reply to the internal address

--- If the clients' DNS server is an internal server, change the record on that server directly

--- If there is no internal DNS server, the router can also act as a DNS proxy (`ip dns server`) with a static host entry that points the name at the server's internal address
Three. Basic configuration:
A. R1:
interface Ethernet0/0
 ip address 202.100.1.1 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 202.100.1.2

B. R2:
1. Interface configuration:

interface Ethernet0/0
 ip address 202.100.1.2 255.255.255.0
 no shutdown
interface Ethernet0/1
 no ip address
 no shutdown

2. DNS server:

ip dns server
ip host R4.yuntian.cn 202.100.2.4
ip host R1.yuntian.cn 202.100.1.1

3. PPPoE server configuration:

aaa new-model
aaa authentication ppp default local
username Cisco password 0 Cisco

ip dhcp excluded-address 202.100.2.2
ip dhcp pool ppoe
 network 202.100.2.0 255.255.255.0
 default-router 202.100.2.2

bba-group pppoe TEST
 virtual-template 1

interface Virtual-Template1
 ip address 202.100.2.2 255.255.255.0
 peer default ip address dhcp-pool ppoe
 ppp authentication chap callin
 ppp ipcp dns 202.100.2.2

interface Ethernet0/1
 pppoe enable group TEST

(`ppp ipcp dns` is an interface command and belongs under the virtual template; the original listing showed it detached after a blank line. It is what hands 202.100.2.2 to the PPPoE client as its DNS server.)
C. R3:
1. Interface configuration:

interface Ethernet0/0
 no ip address
 no shutdown
interface Ethernet0/1
 ip address 192.168.1.3 255.255.255.0
 no shutdown

2. PPPoE client configuration:

interface Ethernet0/0
 pppoe enable group global
 pppoe-client dial-pool-number 1
interface Dialer0
 mtu 1492
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 ppp chap hostname Cisco
 ppp chap password 0 Cisco
ip route 0.0.0.0 0.0.0.0 Dialer0

3. DHCP server:

ip dhcp excluded-address 192.168.1.3
ip dhcp excluded-address 192.168.1.4

ip dhcp pool client
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.3
 dns-server 202.100.2.2

(The default route via Dialer0 and the `default-router 192.168.1.3` line were not in the original listing; both are needed for the tests below, in which R5, whose gateway the author says comes from DHCP, reaches 202.100.1.1 through R3.)

D. R4:

interface Ethernet0/0
 ip address 192.168.1.4 255.255.255.0
 no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.1.3

E. R5:

interface Ethernet0/0
 ip address dhcp
 no shutdown

--- R5 receives its interface address, default gateway and DNS server from DHCP

Four. Resolving address reflection

--- Everything in this section is configured on R3.

A. Method one: NVI
1. Dynamic PAT configuration:

ip access-list extended PAT
 permit ip 192.168.1.0 0.0.0.255 any

ip nat source list PAT interface Dialer0 overload

interface Ethernet0/1
 ip nat enable
interface Dialer0
 ip nat enable

2. Static NAT configuration:

ip nat source static 192.168.1.4 202.100.2.4 extendable

Caveat: this is a full 1:1 mapping, so every port of 192.168.1.4 becomes reachable on 202.100.2.4 from the outside, not just the service being tested. In a real deployment restrict it with an inbound access list on Dialer0, or use port-level static entries for only the services that must be exposed.

3. Test:

--- R5 can reach R4 through R4's mapped public address 202.100.2.4. Note the location R4 reports: R5's source was translated to Dialer0's negotiated address 202.100.2.3, so the return traffic also goes back through R3 rather than directly to R5.

R5#telnet 202.100.2.4
Trying 202.100.2.4 ... Open


User Access Verification

Password:
R4>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                unknown              00:00:16
*130 vty 0                idle                 00:00:00 202.100.2.3

  Interface    User               Mode         Idle     Peer Address

R4>

--- R4 can also reach itself through its mapped public address; here its own source is translated to 202.100.2.4 by the static entry.

R4#telnet 202.100.2.4
Trying 202.100.2.4 ... Open


User Access Verification

Password:
R4>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                202.100.2.4          00:00:00
*131 vty 1                idle                 00:00:00 202.100.2.4

  Interface    User               Mode         Idle     Peer Address

R4>

--- When R4 is accessed by domain name, R3 also rewrites the A record in the DNS reply automatically (the NAT DNS payload translation; the same effect as DNS rewrite on the ASA):

R2(config)#ip dns server
R2(config)#ip host R4.yuntian.cn 202.100.2.4

R5(config)#ip domain-lookup
R5(config)#ip name-server 202.100.2.2

R5#ping R4.yuntian.cn

Translating "R4.yuntian.cn"...domain server (202.100.2.2) [OK]

Translating "R4.yuntian.cn"...domain server (202.100.2.2) [OK]

Translating "R4.yuntian.cn"...domain server (202.100.2.2) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/32/52 ms
R5#
*Mar  1 02:13:40.991: ICMP: echo reply rcvd, src 192.168.1.4, dst 192.168.1.5
*Mar  1 02:13:41.047: ICMP: echo reply rcvd, src 192.168.1.4, dst 192.168.1.5
*Mar  1 02:13:41.087: ICMP: echo reply rcvd, src 192.168.1.4, dst 192.168.1.5
*Mar  1 02:13:41.095: ICMP: echo reply rcvd, src 192.168.1.4, dst 192.168.1.5
*Mar  1 02:13:41.139: ICMP: echo reply rcvd, src 192.168.1.4, dst 192.168.1.5
R5#

Note that R5 pings 192.168.1.4, not 202.100.2.4: R2 answered with the public address, but what R5 received was the inside address.

Captures taken at different points show that R3 rewrote the DNS reply, replacing the public address with the inside address:

-- A capture on the R2-R3 link shows the DNS reply still carrying the public address 202.100.2.4

[Figure PA2.jpg: capture on the R2-R3 link; the answer for R4.yuntian.cn is 202.100.2.4]

-- A capture on R3's LAN interface shows the same reply with the address rewritten to 192.168.1.4

[Figure PA1.jpg: capture on R3's LAN interface; the answer for R4.yuntian.cn is 192.168.1.4]

B. Method two: manually modifying DNS records

a. Configure R3 as a DNS proxy and hand out R3 itself as the clients' DNS server

R3(config)#ip dns server
R3(config)#ip name-server 202.100.2.2
R3(config)#ip host R4.yuntian.cn 192.168.1.4

R3(config)#ip dhcp pool client
R3(dhcp-config)#dns-server 192.168.1.3

`ip name-server 202.100.2.2` is what lets R3 forward queries it cannot answer from its own host table to the external DNS server. Caveat: `ip dns server` makes R3 answer DNS on every interface, including Dialer0 with its public address, so in a real deployment block inbound UDP and TCP port 53 on Dialer0 (access list or zone-based firewall) so the router cannot be used as an open forwarder from the outside.

b. Test:

--- Shut and re-enable R5's interface so it renews its lease and picks up 192.168.1.3 as its DNS server (it also receives a new address, 192.168.1.6), then ping R4.yuntian.cn

R5#ping R4.yuntian.cn

Translating "R4.yuntian.cn"...domain server (192.168.1.3) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.4, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/30/44 ms
R5#
*Mar  1 03:40:58.335: ICMP: echo reply rcvd, src 192.168.1.4, dst 192.168.1.6
*Mar  1 03:40:58.383: ICMP: echo reply rcvd, src 192.168.1.4, dst 192.168.1.6
*Mar  1 03:40:58.395: ICMP: echo reply rcvd, src 192.168.1.4, dst 192.168.1.6
*Mar  1 03:40:58.423: ICMP: echo reply rcvd, src 192.168.1.4, dst 192.168.1.6
R5#

A capture on R3's LAN interface now shows the DNS reply coming from R3 itself:

[Figure P3.jpg: capture on R3's LAN interface; R3 (192.168.1.3) answers the query for R4.yuntian.cn with 192.168.1.4]

Because R3 holds this record, it answers the client directly, and no query for this name appears in a capture on the outside link.

If a different name is requested, however, R3 forwards the query and the reply from the external DNS server is visible:

R5#ping R1.yuntian.cn

Translating "R1.yuntian.cn"...domain server (192.168.1.3) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/84/152 ms
R5#
*Mar  1 03:46:26.579: ICMP: echo reply rcvd, src 202.100.1.1, dst 192.168.1.6
*Mar  1 03:46:26.647: ICMP: echo reply rcvd, src 202.100.1.1, dst 192.168.1.6
*Mar  1 03:46:26.731: ICMP: echo reply rcvd, src 202.100.1.1, dst 192.168.1.6
*Mar  1 03:46:26.795: ICMP: echo reply rcvd, src 202.100.1.1, dst 192.168.1.6
*Mar  1 03:46:26.851: ICMP: echo reply rcvd, src 202.100.1.1, dst 192.168.1.6
R5#

[Figure R4.jpg: capture showing the forwarded query for R1.yuntian.cn and the reply from the external DNS server 202.100.2.2]
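The two mechanisms above, the NAT DNS payload rewrite of method one (the PA2/PA1 captures) and the `ip dns server` proxy with `ip host` entries of method two, modelled in Python as an added example. This is not part of the original post and not Cisco's implementation: the addresses and host entries are taken from the configurations above, the DNS packets are constructed in the script, and the NAT table, host tables and function names are the example's own assumptions.

```python
"""Model of the two DNS behaviours the article relies on, as seen from R3.

Added example (stdlib only), not Cisco IOS code. It models:
  (1) method one - the NAT DNS payload rewrite R3 applies to replies from R2,
  (2) method two - R3 as `ip dns server` with `ip host` entries, answering
      locally for names it knows and forwarding (None) everything else.
Addresses and names are the article's; the packets are constructed here.
"""
import struct

STATIC_NAT = {"202.100.2.4": "192.168.1.4"}            # R3 static NAT, public -> inside
R3_HOSTS = {"r4.yuntian.cn": "192.168.1.4"}             # R3 `ip host` (method two)
R2_HOSTS = {"r4.yuntian.cn": "202.100.2.4", "r1.yuntian.cn": "202.100.1.1"}  # R2 `ip host`


def _dotted(raw):
    return ".".join(str(b) for b in raw)


def _packed(dotted):
    return bytes(int(o) for o in dotted.split("."))


def _read_name(msg, off):
    """Decode an RFC 1035 name (labels or compression pointer).
    Returns (lower-case name, offset just past the name field)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                        # pointer: follow it, remember where we were
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(bytes(msg[off:off + length]).decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if end is not None else off)


def _iter_records(msg):
    """Yield (name, type, rdata offset, rdlen) for each RR after the question section."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                         # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        name, off = _read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield name, rtype, off, rdlen
        off += rdlen


def build_query(name, txid=0x1234):
    """Plain A query (QR=0, RD=1) as R5 would send it."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def a_records(msg):
    """(name, address) for every A record in a DNS message."""
    return [(n, _dotted(msg[o:o + 4])) for n, t, o, l in _iter_records(msg) if t == 1 and l == 4]


def local_answer(query, hosts):
    """Method two (and R2 itself): answer an A query from the `ip host` table.
    Returns the reply, or None when the router has to forward the query upstream."""
    qname, off = _read_name(query, 12)
    qtype, _qclass = struct.unpack("!HH", query[off:off + 4])
    if qtype != 1 or qname not in hosts:
        return None
    header = struct.pack("!6H", struct.unpack("!H", query[:2])[0], 0x8180, 1, 1, 0, 0)
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + _packed(hosts[qname])  # name = pointer to question
    return header + query[12:off + 4] + rr


def rewrite_a_records(reply, nat_table):
    """Method one: what the NAT DNS payload translation does to a reply passing from
    Dialer0 to Ethernet0/1 - an A record whose address has a static translation is
    rewritten to the inside address; anything else is left untouched."""
    msg = bytearray(reply)
    for _name, rtype, off, rdlen in _iter_records(msg):
        if rtype == 1 and rdlen == 4 and _dotted(msg[off:off + 4]) in nat_table:
            msg[off:off + 4] = _packed(nat_table[_dotted(msg[off:off + 4])])
    return bytes(msg)


# Constructed traffic for the article's topology (not a real capture): R2's reply
# to R3 carries the public address, as the capture on the R2-R3 link showed.
R2_REPLY_R4 = local_answer(build_query("R4.yuntian.cn"), R2_HOSTS)
R2_REPLY_R1 = local_answer(build_query("R1.yuntian.cn"), R2_HOSTS)

if __name__ == "__main__":
    print("R2 reply         :", a_records(R2_REPLY_R4))                                  # 202.100.2.4
    print("after R3 NAT     :", a_records(rewrite_a_records(R2_REPLY_R4, STATIC_NAT)))   # 192.168.1.4
    print("R3 proxy, R4     :", a_records(local_answer(build_query("R4.yuntian.cn"), R3_HOSTS)))
    print("R3 proxy, R1     :", local_answer(build_query("R1.yuntian.cn"), R3_HOSTS))    # None -> forward to R2
```

Run it and compare with the captures: the R2 reply carries 202.100.2.4, the rewritten copy carries 192.168.1.4, and the proxy returns None for R1.yuntian.cn, which corresponds to the forwarded query that does show up on the outside capture. The real IOS behaviour is not this simple (TTL handling, additional records, TCP/53, EDNS), so treat the script as a model of what the captures showed, not as a reimplementation.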

This article is from the "Httpyuntianjxxll.spac.." blog; please keep the source link: http://333234.blog.51cto.com/323234/1664196
