Стоит задача :
существует компания, которая для доступа к своим сервисам предоставила IP из своей сети и только с 1 IP. Нужно открыть порт на Real-IP 8080 так чтобы на обращение к этому порту происходило обращение к адресу 10.149.5.166 от адреса 192.168.117.21
Т.е. класическая задача tcp port mapping (на Windows + wingate решается просто, но хотелось бы решить на Cisco)
Налицо потребность в двойном NAT - сначала транслировать 10.149.5.166 в Real-IP На outside interface, а потом транслировать src IP машин из Internet в адрес 192.168.117.21.
Нужно сделать все на одном маршрутизаторе
Cisco 1841 IOS (C1841-ADVIPSERVICESK9-M), Version 15.0(1)M
Из того что мне пришло на ум - это разделить маршрутизатор на два с помощью VRF и соединить их туннелем (интерфейсы которого будут inside интерфейсами, а реальные интерфейсы - Outside)
БУДУ ПРИЗНАТЕЛЕН, если у кого есть идеи решения задачи другим способом.
Проблема заткнулась в NAT over VRF - в VRF DEFAULT натинг срабатывает, а на втором VRF - нет.
конфиг:
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco1841
!
boot-start-marker
boot system flash:c1841-advipservicesk9-mz.150-1.M.bin
boot-end-marker
!
logging buffered 102400
enable secret 5 $1$MNyM$MjGjYsxzNENLOhR0.lFGV1
!
no aaa new-model
!
!
!
dot11 syslog
ip source-route
!
!
!
!
ip vrf operator
!
ip cef
ip domain name mydomain.com
ip name-server 210.245.0.11
ip name-server 210.245.86.11
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
archive
log config
hidekeys
!
redundancy
!
!
ip ssh version 2
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.0.1 255.255.255.255
!
!
interface Loopback1
ip address 192.168.0.2 255.255.255.255
!
!
interface Tunnel0
ip address 192.168.1.1 255.255.255.252
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1300
tunnel source Loopback0
tunnel destination 192.168.0.2
!
!
interface Tunnel1
ip vrf forwarding operator
ip address 192.168.1.2 255.255.255.252
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1300
tunnel source Loopback1
tunnel destination 192.168.0.1
!
!
interface FastEthernet0/0
description IP Front (To->FPT)
ip address x.y.z.46 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface FastEthernet0/1
description IP Route (To->LAN)
ip vrf forwarding operator
ip address 192.168.117.21 255.255.255.0
ip access-group 100 out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 2 interface FastEthernet0/1 overload
ip nat inside source static tcp 10.149.5.166 8080 x.y.z.46 8080 extendable
ip route 0.0.0.0 0.0.0.0 x.y.z.45
ip route 10.149.5.166 255.255.255.255 192.168.1.2
ip route vrf operator 0.0.0.0 0.0.0.0 192.168.1.1
ip route vrf operator 10.149.5.166 255.255.255.255 192.168.117.254
!
access-list 2 remark NAT Source addreses
access-list 2 permit 0.0.0.0
access-list 10 permit 192.168.117.0 0.0.0.255
access-list 100 permit ip any any log
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
login local
line aux 0
line vty 0 4
login local
transport input ssh
line vty 5 15
login local
transport input ssh
!
end
show ip route :
S* 0.0.0.0/0 [1/0] via x.y.z.45
10.0.0.0/32 is subnetted, 1 subnets
S 10.149.5.166 [1/0] via 192.168.1.2
x.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C x.y.z.44/30 is directly connected, FastEthernet0/0
L x.y.z.46/32 is directly connected, FastEthernet0/0
192.168.0.0/32 is subnetted, 2 subnets
C 192.168.0.1 is directly connected, Loopback0
C 192.168.0.2 is directly connected, Loopback1
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/30 is directly connected, Tunnel0
L 192.168.1.1/32 is directly connected, Tunnel0
show ip route vrf operator:
S* 0.0.0.0/0 [1/0] via 192.168.1.1
10.0.0.0/32 is subnetted, 1 subnets
S 10.149.5.166 [1/0] via 192.168.117.254
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/30 is directly connected, Tunnel1
L 192.168.1.2/32 is directly connected, Tunnel1
192.168.117.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.117.0/24 is directly connected, FastEthernet0/1
L 192.168.117.21/32 is directly connected, FastEthernet0/1
DEBUG NAT:
May 20 16:23:18.194: NAT*: o: tcp (a.b.c.d, 45129) -> (x.y.z.46, 8080) [3728]
May 20 16:23:18.194: NAT*: o: tcp (a.b.c.d, 45129) -> (x.y.z.46, 8080) [3728]
May 20 16:23:18.194: NAT*: s=a.b.c.d, d=x.y.z.46->10.149.5.166 [3728]
May 20 16:23:18.198: NAT: GRE port: 0 - [18]
May 20 16:23:18.198: %SEC-6-IPACCESSLOGP: list 100 permitted tcp a.b.c.d(0) -> 10.149.5.166(0), 1 packet
May 20 16:23:21.194: NAT*: o: tcp (a.b.c.d, 45129) -> (x.y.z.46, 8080) [3740]
May 20 16:23:21.194: NAT*: s=a.b.c.d, d=x.y.z.46->10.149.5.166 [3740]
May 20 16:23:21.194: NAT: GRE port: 0 - [20]
May 20 16:23:27.198: NAT*: o: tcp (a.b.c.d, 45129) -> (x.y.z.46, 8080) [3752]
May 20 16:23:27.198: NAT*: s=a.b.c.d, d=x.y.z.46->10.149.5.166 [3752]
May 20 16:23:27.198: NAT: GRE port: 0 - [22]
Cisco1841#
Cisco1841#sh ip nat tr
Pro Inside global Inside local Outside local Outside global
tcp x.y.z.46:8080 10.149.5.166:8080 a.b.c.d:45129 a.b.c.d:45129
tcp x.y.z.46:8080 10.149.5.166:8080 --- ---
Cisco1841#sh ip nat tr vrf operator
Pro Inside global Inside local Outside local Outside global
Cisco1841#ping 10.149.5.166
.May 20 17:21:52.834: NAT - SYSTEM PORT for 192.168.117.21: allocated port 0, refcount 61, localport 4294967295, localaddr 0.0.0.0, flags 1, syscount 61, proto 6
.May 20 17:21:53.690: NAT - SYSTEM PORT for 192.168.117.21: allocated port 0, refcount 62, localport 4294967295, localaddr 0.0.0.0, flags 1, syscount 62, proto 6
.May 20 17:21:54.546: NAT - SYSTEM PORT for 192.168.117.21: allocated port 0, refcount 63, localport 4294967295, localaddr 0.0.0.0, flags 1, syscount 63, proto 6
.May 20 17:22:13.646: NAT - SYSTEM PORT for 192.168.117.21: allocated port 0, refcount 64, localport 4294967295, localaddr 0.0.0.0, flags 1, syscount 64, proto 6
.May 20 17:22:14.314: NAT - SYSTEM PORT for 192.168.117.21: allocated port 0, refcount 65, localport 4294967295, localaddr 0.0.0.0, flags 1, syscount 65, proto 6
.May 20 17:22:15.202: NAT - SYSTEM PORT for 192.168.117.21: allocated port 0, refcount 66, localport 4294967295, localaddr 0.0.0.0, flags 1, syscount 66, proto 6
.May 20 17:22:36.134: NAT - SYSTEM PORT for 192.168.117.21: allocated port 0, refcount 67, localport 4294967295, localaddr 0.0.0.0, flags 1, syscount 67, proto 6
.May 20 17:22:36.582: NAT - SYSTEM PORT for 192.168.117.21: allocated port 0, refcount 68, localport 4294967295, localaddr 0.0.0.0, flags 1, syscount 68, proto 6
.May 20 17:22:36.718: NAT - SYSTEM PORT for 192.168.117.21: allocated port 0, refcount 69, localport 4294967295, localaddr 0.0.0.0, flags 1, syscount 69, proto 6
Вариант для распечатки
Маршрутизаторы CISCO и др. оборудование. (Маршрутизация)
(??) on 20-Май-10, 21:27 
