
Learning to Configure NAT on Cisco Devices

19 April 2010
Learning to configure PAT, Static NAT, Port Static Map NAT,
Dynamic NAT, Dynamic NAT with Overload, and the combination of
Dynamic NAT with Overload and Port Static Map NAT on a Cisco router

First Experiment (PAT)
The steps are as follows:
---------------------------------------------------
1. Define the NAT inside interface
---------------------------------------------------
cnc1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z. 

cnc1(config)#interface FastEthernet0/0
cnc1(config-if)#ip address 192.168.30.1 255.255.255.0
cnc1(config-if)#ip nat inside
cnc1(config-if)#exit
---------------------------------------------------
2. Define the NAT outside interface. We assume that
192.168.20.2 is a public IP (a wrong stand-in for a public IP,
because it had already been saved on the router T_T)
---------------------------------------------------
cnc1(config)#interface FastEthernet1/0
cnc1(config-if)#ip address 192.168.20.2 255.255.255.0
cnc1(config-if)#ip nat outside
cnc1(config-if)#exit
---------------------------------------------------
3. Create a standard access list, identify the internal IP
addresses to be translated, and enable NAT overload
---------------------------------------------------
cnc1(config)#access-list 20 permit 192.168.30.0 0.0.0.255
cnc1(config)#ip nat inside source list 20 interface FastEthernet1/0 overload
cnc1(config)#end
cnc1# 

---------------------------------------------------
How to check 1 (ping from a host inside the NAT to a host outside the NAT)
---------------------------------------------------
C:\>ipconfig 

Windows IP Configuration 

Ethernet adapter Local Area Connection 5: 

 Connection-specific DNS Suffix  . :
 IP Address. . . . . . . . . . . . : 192.168.30.2
 Subnet Mask . . . . . . . . . . . : 255.255.255.0
 IP Address. . . . . . . . . . . . : fec0::1:2%1
 IP Address. . . . . . . . . . . . : fe80::4cff:fe4f:4f50%4
 Default Gateway . . . . . . . . . : 192.168.30.1 

C:\>ping 192.168.10.2 

Pinging 192.168.10.2 with 32 bytes of data: 

Reply from 192.168.10.2: bytes=32 time=233ms TTL=126
Reply from 192.168.10.2: bytes=32 time=187ms TTL=126
Reply from 192.168.10.2: bytes=32 time=208ms TTL=126
Reply from 192.168.10.2: bytes=32 time=170ms TTL=126 

Ping statistics for 192.168.10.2:
 Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
 Minimum = 170ms, Maximum = 233ms, Average = 199ms 

C:\>
-----------------------------------------------------
How to check 2 (ping from a host outside the NAT to a host inside the NAT)
-----------------------------------------------------
C:\>ipconfig 

Windows IP Configuration 

Ethernet adapter Local Area Connection: 

 Connection-specific DNS Suffix  . :
 IP Address. . . . . . . . . . . . : 192.168.10.2
 Subnet Mask . . . . . . . . . . . : 255.255.255.0
 IP Address. . . . . . . . . . . . : fec0::3:2%1
 IP Address. . . . . . . . . . . . : fe80::20c:29ff:fe63:5efd%4
 Default Gateway . . . . . . . . . : 192.168.10.1 

C:\>ping 192.168.30.2 

Pinging 192.168.30.2 with 32 bytes of data: 

Reply from 192.168.10.1: Destination host unreachable.
Reply from 192.168.10.1: Destination host unreachable.
Reply from 192.168.10.1: Destination host unreachable.
Reply from 192.168.10.1: Destination host unreachable. 

Ping statistics for 192.168.30.2:
 Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
 Minimum = 0ms, Maximum = 0ms, Average = 0ms 

C:\> 

-----------------------------------------------------
How to check 3 (debug ip nat [access-list number] detailed)
-----------------------------------------------------
cnc1#debug ip nat 20 detailed
IP NAT detailed debugging is on for access list 20
cnc1#
*Apr 18 13:08:53.451:  mapping pointer available mapping:0
*Apr 18 13:08:53.451: NAT: [0] Allocated Port for 192.168.30.2 -> 192.168.20.2: wanted 512 got 512
*Apr 18 13:08:53.451: NAT*: i: icmp (192.168.30.2, 512) -> (192.168.10.2, 512) [21978]
*Apr 18 13:08:53.455: NAT*: i: icmp (192.168.30.2, 512) -> (192.168.10.2, 512) [21978]
*Apr 18 13:08:53.455: NAT*: s=192.168.30.2->192.168.20.2, d=192.168.10.2 [21978]
*Apr 18 13:08:53.587: NAT*: o: icmp (192.168.10.2, 512) -> (192.168.20.2, 512) [1813]
*Apr 18 13:08:53.587: NAT*: s=192.168.10.2, d=192.168.20.2->192.168.30.2 [1813]
*Apr 18 13:08:55.823: NAT*: i: icmp (192.168.30.2, 512) -> (192.168.10.2, 512) [22033]
*Apr 18 13:08:55.827: NAT*: s=192.168.30.2->192.168.20.2, d=192.168.10.2 [22033]
*Apr 18 13:08:55.919: NAT*: o: icmp (192.168.10.2, 512) -> (192.168.20.2, 512) [1814]
*Apr 18 13:08:55.919: NAT*: s=192.168.10.2, d=192.168.20.2->192.168.30.2 [1814]
*Apr 18 13:08:58.035: NAT*: i: icmp (192.168.30.2, 512) -> (192.168.10.2, 512) [22087]
*Apr 18 13:08:58.035: NAT*: s=192.168.30.2->192.168.20.2, d=192.168.10.2 [22087]
*Apr 18 13:08:58.199: NAT*: o: icmp (192.168.10.2, 512) -> (192.168.20.2, 512) [1816]
*Apr 18 13:08:58.199: NAT*: s=192.168.10.2, d=192.168.20.2->192.168.30.2 [1816]
*Apr 18 13:08:58.827: NAT*: i: icmp (192.168.30.2, 512) -> (192.168.10.2, 512) [22136]
*Apr 18 13:08:58.827: NAT*: s=192.168.30.2->192.168.20.2, d=192.168.10.2 [22136]
*Apr 18 13:08:58.943: NAT*: o: icmp (192.168.10.2, 512) -> (192.168.20.2, 512) [1817]
*Apr 18 13:08:58.943: NAT*: s=192.168.10.2, d=192.168.20.2->192.168.30.2 [1817]
*Apr 18 13:09:01.947:  mapping pointer available mapping:0
*Apr 18 13:09:01.947: NAT: [0] Allocated Port for 192.168.30.2 -> 192.168.20.2: wanted 1270 got 1270
*Apr 18 13:09:01.947: NAT*: i: tcp (192.168.30.2, 1270) -> (192.168.10.2, 23) [22325]
*Apr 18 13:09:01.951: NAT*: i: tcp (192.168.30.2, 1270) -> (192.168.10.2, 23) [22325]
*Apr 18 13:09:01.951: NAT*: s=192.168.30.2->192.168.20.2, d=192.168.10.2 [22325]
*Apr 18 13:09:02.067: NAT*: o: tcp (192.168.10.2, 23) -> (192.168.20.2, 1270) [1819]
*Apr 18 13:09:02.067: NAT*: s=192.168.10.2, d=192.168.20.2->192.168.30.2 [1819]
*Apr 18 13:09:02.087: NAT*: i: tcp (192.168.30.2, 1270) -> (192.168.10.2, 23) [22336]
*Apr 18 13:09:02.087: NAT*: s=192.168.30.2->192.168.20.2, d=192.168.10.2 [22336]
*Apr 18 13:09:04.011: NAT*: o: tcp (192.168.10.2, 23) -> (192.168.20.2, 1270) [1821]
*Apr 18 13:09:04.011: NAT*: s=192.168.10.2, d=192.168.20.2->192.168.30.2 [1821]
*Apr 18 13:09:04.103: NAT*: i: tcp (192.168.30.2, 1270) -> (192.168.10.2, 23) [22470]
*Apr 18 13:09:04.107: NAT*: s=192.168.30.2->192.168.20.2, d=192.168.10.2 [22470]
*Apr 18 13:09:04.251: NAT*: o: tcp (192.168.10.2, 23) -> (192.168.20.2, 1270) [1822]
*Apr 18 13:09:04.251: NAT*: s=192.168.10.2, d=192.168.20.2->192.168.30.2 [1822]
*Apr 18 13:09:04.271: NAT*: i: tcp (192.168.30.2, 1270) -> (192.168.10.2, 23) [22485]
*Apr 18 13:09:04.275: NAT*: s=192.168.30.2->192.168.20.2, d=192.168.10.2 [22485]
*Apr 18 13:09:04.415: NAT*: o: tcp (192.168.10.2, 23) -> (192.168.20.2, 1270) [1823]
*Apr 18 13:09:04.415: NAT*: s=192.168.10.2, d=192.168.20.2->192.168.30.2 [1823]
*Apr 18 13:09:04.511: NAT*: i: tcp (192.168.30.2, 1270) -> (192.168.10.2, 23) [22510]
*Apr 18 13:09:04.511: NAT*: s=192.168.30.2->192.168.20.2, d=192.168.10.2 [22510]
*Apr 18 13:09:15.767: NAT*: i: tcp (192.168.30.2, 1270) -> (192.168.10.2, 23) [23245]
*Apr 18 13:09:15.767: NAT*: s=192.168.30.2->192.168.20.2, d=192.168.10.2 [23245]
*Apr 18 13:09:15.863: NAT*: o: tcp (192.168.10.2, 23) -> (192.168.20.2, 1270) [1828]
*Apr 18 13:09:15.867: NAT*: s=192.168.10.2, d=192.168.20.2->192.168.30.2 [1828]
*Apr 18 13:09:15.891: NAT*: i: tcp (192.168.30.2, 1270) -> (192.168.10.2, 23) [23258]
*Apr 18 13:09:15.891: NAT*: s=192.168.30.2->192.168.20.2, d=192.168.10.2 [23258]
*Apr 18 13:09:16.723: NAT*: o: tcp (192.168.10.2, 23) -> (192.168.20.2, 1270) [1829]
*Apr 18 13:09:16.723: NAT*: s=192.168.10.2, d=192.168.20.2->192.168.30.2 [1829]
*Apr 18 13:09:16.843: NAT*: i: tcp (192.168.30.2, 1270) -> (192.168.10.2, 23) [23300]
*Apr 18 13:09:16.843: NAT*: s=192.168.30.2->192.168.20.2, d=192.168.10.2 [23300]
*Apr 18 13:09:17.159: NAT*: o: tcp (192.168.10.2, 23) -> (192.168.20.2, 1270) [1830]
*Apr 18 13:09:17.163: NAT*: s=192.168.10.2, d=192.168.20.2->192.168.30.2 [1830]
*Apr 18 13:09:17.171: NAT*: o: tcp (192.168.10.2, 23) -> (192.168.20.2, 1270) [1831]
*Apr 18 13:09:17.171: NAT*: s=192.168.10.2, d=192.168.20.2->192.168.30.2 [1831]
*Apr 18 13:09:17.207: NAT*: i: tcp (192.168.30.2, 1270) -> (192.168.10.2, 23) [23321]
*Apr 18 13:09:17.207: NAT*: s=192.168.30.2->192.168.20.2, d=192.168.10.2 [23321]
*Apr 18 13:09:17.231: NAT*: i: tcp (192.168.30.2, 1270) -> (192.168.10.2, 23) [23322]
*Apr 18 13:09:17.231: NAT*: s=192.168.30.2->192.168.20.2, d=192.168.10.2 [23322]
*Apr 18 13:09:17.279: NAT*: o: tcp (192.168.10.2, 23) -> (192.168.20.2, 1270) [1832]
*Apr 18 13:09:17.279: NAT*: s=192.168.10.2, d=192.168.20.2->192.168.30.2 [1832]
*Apr 18 13:09:17.303: NAT*: o: tcp (192.168.10.2, 23) -> (192.168.20.2, 1270) [1833]
*Apr 18 13:09:17.303: NAT*: s=192.168.10.2, d=192.168.20.2->192.168.30.2 [1833]
*Apr 18 13:09:17.327: NAT*: o: tcp (192.168.10.2, 23) -> (192.168.20.2, 1270) [1834]
*Apr 18 13:09:17.327: NAT*: s=192.168.10.2, d=192.168.20.2->192.168.30.2 [1834]
cnc1#
-----------------------------------------------------
How to check 4 (sh ip nat translations)
-----------------------------------------------------
cnc1#
cnc1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.20.2:512  192.168.30.2:512   192.168.10.2:512   192.168.10.2:512
tcp 192.168.20.2:1270  192.168.30.2:1270  192.168.10.2:23    192.168.10.2:23
cnc1# 

-----------------------------------------------------
-----------------------------------------------------
Wireshark 1 (host inside the NAT to the NAT router)

-----------------------------------------------------
-----------------------------------------------------
Wireshark 2 (cloud)

----------------------------------------------------- 

Next experiments:
-----------------------------------------------------
Static NAT
-----------------------------------------------------
ip nat inside source static [private ip] [public ip]
ex:
ip nat inside source static 192.168.30.2 192.168.20.2
-----------------------------------------------------
Port Static Map NAT
-----------------------------------------------------
ip nat inside source static tcp [private ip] [port] interface [public interface] [port]
ex:
ip nat inside source static tcp 192.168.30.2 80 interface f1/0 80
-----------------------------------------------------
Dynamic NAT  
-----------------------------------------------------  
ip nat pool [pool-name] [first public ip] [last public ip] netmask [netmask]
ip nat inside source list [access-list] pool [pool-name]
ex:
ip nat pool iwing-pool 192.168.20.2 192.168.20.3 netmask 255.255.255.0
ip nat inside source list 20 pool iwing-pool
-----------------------------------------------------
Dynamic NAT with Overload
-----------------------------------------------------
ip nat pool [pool-name] [first public ip] [last public ip] netmask [netmask]
ip nat inside source list [access-list] pool [pool-name] overload
ex:
ip nat pool iwing-pool 192.168.20.2 192.168.20.3 netmask 255.255.255.0
ip nat inside source list 20 pool iwing-pool overload
-----------------------------------------------------
Dynamic NAT with Overload + Port Static Map  
-----------------------------------------------------
ip nat inside source static tcp [private ip] [port] interface [public interface] [port]
ip nat pool [pool-name] [first public ip] [last public ip] netmask [netmask]
ip nat inside source list [access-list] pool [pool-name] overload
ex:
ip nat inside source static tcp 192.168.30.2 80 interface f1/0 80
ip nat pool iwing-pool 192.168.20.3 192.168.20.4 netmask 255.255.255.0
ip nat inside source list 20 pool iwing-pool overload 

-----------------------------------------------------
How to check 5 (sh ip access-lists and sh run | in ip nat)
-----------------------------------------------------
cnc1#sh ip access-lists
Standard IP access list 20
 10 permit 192.168.30.0, wildcard bits 0.0.0.255 (2 matches)
cnc1#sh run | in ip nat
 ip nat inside
 ip nat outside
ip nat pool iwing-pool 192.168.20.3 192.168.20.4 netmask 255.255.255.0
ip nat inside source static tcp 192.168.30.2 80 interface FastEthernet1/0 80
ip nat inside source list 20 pool iwing-pool overload
cnc1#
-----------------------------------------------------
How to check 6 (sh ip nat translations)
-----------------------------------------------------
cnc1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 192.168.20.2:80    192.168.30.2:80    192.168.10.2:1048  192.168.10.2:1048
tcp 192.168.20.2:80    192.168.30.2:80    192.168.10.2:1049  192.168.10.2:1049
tcp 192.168.20.2:80    192.168.30.2:80    ---                ---
icmp 192.168.20.4:512  192.168.30.2:512   192.168.10.2:512   192.168.10.2:512
cnc1#
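
The static port map in checks 5 and 6 is the one rule here that lets outside hosts open connections to an inside host, so it is the line to look for when reviewing a NAT configuration. The following is an added example, not part of the original post: it reads the output shown above (embedded as constructed sample input) and lists the published services and the sessions using them. The function names `published_services` and `sessions_via_static` are hypothetical.

```python
import re

# Constructed sample input: the router output shown in checks 5 and 6 above.
RUNNING_CONFIG = """\
ip nat pool iwing-pool 192.168.20.3 192.168.20.4 netmask 255.255.255.0
ip nat inside source static tcp 192.168.30.2 80 interface FastEthernet1/0 80
ip nat inside source list 20 pool iwing-pool overload
"""
TRANSLATIONS = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 192.168.20.2:80    192.168.30.2:80    192.168.10.2:1048  192.168.10.2:1048
tcp 192.168.20.2:80    192.168.30.2:80    192.168.10.2:1049  192.168.10.2:1049
tcp 192.168.20.2:80    192.168.30.2:80    ---                ---
icmp 192.168.20.4:512  192.168.30.2:512   192.168.10.2:512   192.168.10.2:512
"""
IP = r"\d+\.\d+\.\d+\.\d+"
# Matches "static <local> <global>" and "static tcp <local> <port> interface <if> <port>".
STATIC_RE = re.compile(
    rf"^ip nat inside source static(?: (?P<proto>tcp|udp))? (?P<local>{IP})"
    rf"(?: (?P<lport>\d+))? (?:interface (?P<intf>\S+)|(?P<glob>{IP}))(?: (?P<gport>\d+))?$"
)
COLUMNS = ("proto", "inside_global", "inside_local", "outside_local", "outside_global")

def published_services(config):
    """Static NAT rules: each one lets outside hosts reach an inside host."""
    rules = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            rules.append({
                "proto": m["proto"] or "any",
                "inside": m["local"] + (":" + m["lport"] if m["lport"] else ""),
                "outside": (m["intf"] or m["glob"]) + (":" + m["gport"] if m["gport"] else ""),
            })
    return rules

def sessions_via_static(table):
    """Flows in 'sh ip nat translations' that use a static entry (outside columns '---')."""
    rows = [dict(zip(COLUMNS, l.split())) for l in table.splitlines()[1:] if len(l.split()) == 5]
    static = {(r["proto"], r["inside_local"]) for r in rows if r["outside_local"] == "---"}
    return [r for r in rows
            if r["outside_local"] != "---" and (r["proto"], r["inside_local"]) in static]

if __name__ == "__main__":
    for rule in published_services(RUNNING_CONFIG):
        print("reachable from outside:", rule)
    for flow in sessions_via_static(TRANSLATIONS):
        print("session via static entry:", flow["outside_global"], "->", flow["inside_local"])
```

The overload rule does not appear in the first list because it only creates translations for traffic that starts from the inside, which matches the failed ping in check 2.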
-----------------------------------------------------
How to check 7 (screenshot from a client outside the NAT)

----------------------------------------------------- 

------"That's all for now, and I hope it is useful"------------
One Comment
  1. 29 April 2014 10:57 PM

    Thanks for the article. Very clear and concise. Once again, thanks
