2022年10月2日 星期日

ip nat outside source on Cisco / VyOS

References

https://deltaconfig.com/ip-nat-outside/

My Lab Setup

Both routers sit between an inside host 172.16.1.10 (GigabitEthernet2 / eth1) and an outside host 10.1.1.10 reached via the default route. On Cisco, `ip nat outside source static 10.1.1.10 10.1.2.10` presents the outside host to the inside network as 10.1.2.10, and the host route `ip route 10.1.2.10 255.255.255.255 10.1.1.10` is what makes packets addressed to 10.1.2.10 forwardable toward the real host; on VyOS the same result is achieved with a destination NAT rule on the inside-facing interface eth1 that rewrites 10.1.2.10 to 10.1.1.10.


Cisco 


csr1000v#sh run                  

Building configuration...


Current configuration : 1391 bytes

!

! Last configuration change at 08:55:23 TPE Sun Oct 2 2022 by cisco

!

version 15.5

service timestamps debug datetime localtime

service timestamps log datetime localtime

no platform punt-keepalive disable-kernel-core

platform console auto

!

hostname csr1000v

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

clock timezone TPE 8 0

!

       

subscriber templating

!

multilink bundle-name authenticated

!

!

!

license udi pid CSR1000V sn 9VRJUL4JW2V

license boot level ax

spanning-tree extend system-id

!

username cisco privilege 15 secret 5 $1$7wax$evNlQZGH2VorRL3bm/SRV0

!

redundancy

!

!

interface GigabitEthernet1

 ip address 192.168.1.1 255.255.255.252

 ip nat outside

 negotiation auto

!

interface GigabitEthernet2

 ip address 172.16.1.1 255.255.255.0

 ip nat inside

 negotiation auto

!

interface GigabitEthernet3

 ip address 192.168.100.10 255.255.255.0

 negotiation auto

!

!

virtual-service csr_mgmt

 ip shared host-interface GigabitEthernet1

!

ip nat outside source static 10.1.1.10 10.1.2.10

ip forward-protocol nd

!

no ip http server

ip http secure-server

ip route 0.0.0.0 0.0.0.0 192.168.1.2

ip route 10.1.2.10 255.255.255.255 10.1.1.10

!

!

snmp-server community cisco RO

!

!

control-plane

!

!

line con 0

 stopbits 1

line vty 0 4

 login local

 transport input ssh

!

ntp server 168.95.195.12

!

end


csr1000v# sh ip nat translations 

Pro  Inside global         Inside local          Outside local         Outside global

---  ---                   ---                   10.1.2.10             10.1.1.10             

tcp  172.16.1.10:47186     172.16.1.10:47186     10.1.2.10:22          10.1.1.10:22

Total number of translations: 2


csr1000v#





VyOS


vyos@VyOS-L3:~$ show configuration commands 

set interfaces ethernet eth0 address '192.168.1.1/30'

set interfaces ethernet eth0 hw-id '00:0c:29:14:49:e0'

set interfaces ethernet eth1 address '172.16.1.1/24'

set interfaces ethernet eth1 hw-id '00:0c:29:14:49:ea'

set interfaces ethernet eth2 address '192.168.100.10/24'

set interfaces ethernet eth2 hw-id '00:0c:29:14:49:f4'

set interfaces loopback lo

set nat destination rule 10 destination address '10.1.2.10'

set nat destination rule 10 inbound-interface 'eth1'

set nat destination rule 10 log 'enable'

set nat destination rule 10 translation address '10.1.1.10'

set protocols static route 0.0.0.0/0 next-hop 192.168.1.2

set service ssh port '22'

set system config-management commit-revisions '100'

set system conntrack modules ftp

set system conntrack modules h323

set system conntrack modules nfs

set system conntrack modules pptp

set system conntrack modules sip

set system conntrack modules sqlnet

set system conntrack modules tftp

set system console device ttyS0 speed '115200'

set system host-name 'VyOS-L3'

set system login user vyos authentication encrypted-password '$6$tBrkCg.1Y8NuExC$Ivwq8e7//904.UjhwRtz4/9edu6MTczLalZHJnk20fJbZZA2dhWkSo/H6yQ/GBdOST9eUJlpehJwj0COhq1Wp1'

set system login user vyos authentication plaintext-password ''

set system ntp server time1.vyos.net

set system ntp server time2.vyos.net

set system ntp server time3.vyos.net

set system syslog global facility all level 'info'

set system syslog global facility protocols level 'debug'


vyos@VyOS-L3:~$ show nat destination rules 

Disabled rules are not shown

Codes: X - exclude rule


rule    intf              translation                                               

----    ----              -----------                                               

10      eth1              daddr 10.1.2.10 to 10.1.1.10                              

        proto-all         dport ANY                                                     


vyos@VyOS-L3:~$ show nat destination statistics 

rule   pkts    bytes   interface   

----   ----    -----   ---------   

10     88      5304    eth1        


vyos@VyOS-L3:~$ show nat destination translations 

Pre-NAT              Post-NAT             Prot  Timeout 

10.1.2.10            10.1.1.10            tcp   431978  



vyos@VyOS-L3:~$ show log nat  

/var/log/messages:Oct  2 01:37:51 VyOS-L3 kernel: [ 1796.299962] [NAT-DST-10] IN=eth1 OUT= MAC=00:0c:29:14:49:ea:00:0c:29:7d:d6:23:08:00 SRC=172.16.1.10 DST=10.1.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=47467 DF PROTO=ICMP TYPE=8 CODE=0 ID=4811 SEQ=1 

/var/log/messages:Oct  2 01:38:23 VyOS-L3 kernel: [ 1827.865467] [NAT-DST-10] IN=eth1 OUT= MAC=00:0c:29:14:49:ea:00:0c:29:7d:d6:23:08:00 SRC=172.16.1.10 DST=10.1.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=64953 DF PROTO=TCP SPT=58076 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0