
Cisco | NAT Static, Dynamic and PAT + ACL

In this post the author works through a lab on the NAT methods (static NAT and dynamic PAT) combined with ACLs.
1. Switch (SW1): create 4 VLANs
vlan 10 (Sales) 10.10.0.x/24
vlan 20 (Production) 10.20.0.x/24
vlan 30 (Server) 10.30.0.x/24
vlan 161 (Mgnt) 172.16.1.x/24

2. Configure router R-HO
ACL (block bogon source addresses coming from the internet toward the LAN).
ACL (permit access from the Branch to HO).
Static NAT (for both servers in VLAN 30, so that they can reach the internet and can be reached from the internet/WAN).
Dynamic PAT, so that VLAN 10 and 20 can reach the internet.

Here is the configuration
SW1
no ip routing

clock timezone WIB 7
 vlan 10
 name Sales
!
vlan 20
name Production
!
vlan 30
name Server
!
vlan 161
name Mgnt
!
int vlan 161
 ip add 172.16.1.10 255.255.255.0
 no shu
!
! with 'no ip routing' the switch needs a default gateway to be managed from other subnets
ip default-gateway 172.16.1.1
!
int gi1/0/1
 descrip "Link To R-HO"
 switchport trunk encapsulation dot1q
 switch mode trunk
 switch trunk allow vlan 10,20,30,161
 !
! VLAN 10 on gi1/0/3-4, VLAN 20 on gi1/0/5-6 (the ranges must not overlap; a port belongs to one access VLAN)
int ra gi1/0/3-4
 switch mode access
 switch access vlan 10
 no shu
!
int ra gi1/0/5-6
 switch mode access
 switch access vlan 20
 no shu

!
int gi1/0/2
 switch mode access
 switch access vlan 30
 no shu
!
int gi1/0/7
 switch mode access
 switch access vlan 30
 no shu
!
! parking VLAN for unused ports: defined explicitly so it does not appear only as an implicit side effect
vlan 88
 name Unused
!
int ra gi1/0/8-24
 description "unused ports"
 switchport mode access
 switchport access vlan 88
 shutdown

VERIFICATION:
#sh vlan
#sh int trunk

Router R-HO configuration
hostname R-HO
clock timezone WIB 7
int gi0/0
no shu
descrip "Link To SW1"
no ip address

int gi0/0.10
encapsulation dot1Q 10
ip add 10.10.0.1 255.255.255.0
exit

int gi0/0.20
encapsulation dot1Q 20
ip add 10.20.0.1 255.255.255.0
exit

int gi0/0.30
encapsulation dot1Q 30
ip add 10.30.0.1 255.255.255.0
exit

int gi0/0.161
encapsulation dot1Q 161
ip add 172.16.1.1 255.255.255.0
exit

interface GigabitEthernet0/1
description "Link to internet"
ip address 123.1.2.2 255.255.255.248
no shutdown
exit
 
interface GigabitEthernet0/2
description "Link to R-BRANCH"
ip address 192.168.0.1 255.255.255.252
no shutdown
exit

Next, DHCP configuration on router R-HO. The excluded ranges keep the first ten addresses of each VLAN free for the gateway and static hosts; the default-router of each pool must be the matching sub-interface address on R-HO.
ip dhcp excluded-address 10.10.0.1 10.10.0.10
ip dhcp excluded-address 10.20.0.1 10.20.0.10

ip dhcp pool VLAN10-Sales
network 10.10.0.0 255.255.255.0
default-router 10.10.0.1
dns-server 8.8.8.8

ip dhcp pool VLAN20-Production
network 10.20.0.0 255.255.255.0
default-router 10.20.0.1
dns-server 8.8.8.8
exit
 
Verification:
sh ip dhcp binding
 
Named ACL configuration to permit traffic from the Branch LAN (192.168.1.0/24) to the server 10.30.0.2 and to the HO LAN (VLAN 10 and 20). Everything not listed, including branch traffic toward the internet, toward the second server 10.30.0.3 and toward the router's own link address 192.168.0.1, falls through to the implicit deny at the end of the list. The telnet and tftp entries admit cleartext protocols and are here for the lab only.
ip access-list extended ALLOW_FROM_BRANCH
permit tcp 192.168.1.0 0.0.0.255 host 10.30.0.2 eq 443
permit tcp 192.168.1.0 0.0.0.255 host 10.30.0.2 eq www
permit icmp 192.168.1.0 0.0.0.255 host 10.30.0.2
permit tcp 192.168.1.0 0.0.0.255 host 10.30.0.2 eq telnet
permit tcp 192.168.1.0 0.0.0.255 host 10.30.0.2 eq 22
permit udp 192.168.1.0 0.0.0.255 host 10.30.0.2 eq domain
permit udp 192.168.1.0 0.0.0.255 host 10.30.0.2 eq tftp
permit ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 10.20.0.0 0.0.0.255 

int gi0/2
ip access-group ALLOW_FROM_BRANCH in
end

Verification

# sh access-list
# sh run | section access-list

!!! second named ACL, to deny/block traffic arriving from the internet with a bogon source address (special-use address space that must never appear as a source address on the internet). The list is evaluated top-down with first match and ends in an implicit deny, so the final permit is what admits legitimate traffic to the /29. Note that "permit ip any 123.1.2.0 0.0.0.7" admits any public source to every port of the static-NAT'd servers (123.1.2.3, 123.1.2.4) and of the router's own gi0/1 address; narrowing it to the published server ports also requires a way to admit the return traffic of the PAT sessions (for TCP a "permit tcp any host 123.1.2.2 established" entry, or a stateful inspection feature), which this lab does not cover.
ip access-list extended INET_ACL
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 100.64.0.0 0.63.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.0.0.0 0.0.0.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 198.18.0.0 0.1.255.255 any
deny ip 198.51.100.0 0.0.0.255 any
deny ip 203.0.113.0 0.0.0.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny ip 240.0.0.0 15.255.255.255 any
deny ip host 255.255.255.255 any
permit ip any 123.1.2.0 0.0.0.7

int g0/1
ip access-group INET_ACL in
exit
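To see how the two named ACLs above behave before they are applied, here is an added Python example (not from the page, and not anything that runs on the router) that parses the two ACL bodies exactly as written, evaluates constructed sample packets with IOS first-match semantics and the implicit deny, and derives the wildcard masks for the non-octet-aligned bogon prefixes. The host addresses such as 192.168.1.25 and 8.8.8.100 are constructed test values, and the PORT_NAMES table is a partial mapping of IOS service keywords, only as large as these ACLs need.

```python
import ipaddress

# Constructed copies of the two R-HO ACLs from the page (entries only, no header line).
ALLOW_FROM_BRANCH = """
permit tcp 192.168.1.0 0.0.0.255 host 10.30.0.2 eq 443
permit tcp 192.168.1.0 0.0.0.255 host 10.30.0.2 eq www
permit icmp 192.168.1.0 0.0.0.255 host 10.30.0.2
permit tcp 192.168.1.0 0.0.0.255 host 10.30.0.2 eq telnet
permit tcp 192.168.1.0 0.0.0.255 host 10.30.0.2 eq 22
permit udp 192.168.1.0 0.0.0.255 host 10.30.0.2 eq domain
permit udp 192.168.1.0 0.0.0.255 host 10.30.0.2 eq tftp
permit ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 10.20.0.0 0.0.0.255
"""
INET_ACL = """
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 100.64.0.0 0.63.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.0.0.0 0.0.0.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 198.18.0.0 0.1.255.255 any
deny ip 198.51.100.0 0.0.0.255 any
deny ip 203.0.113.0 0.0.0.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny ip 240.0.0.0 15.255.255.255 any
deny ip host 255.255.255.255 any
permit ip any 123.1.2.0 0.0.0.7
"""
# IOS service-name keywords used above (partial table, enough for these ACLs).
PORT_NAMES = {"www": 80, "telnet": 23, "domain": 53, "tftp": 69, "ssh": 22}

def cidr_to_wildcard(cidr):
    """CIDR -> (network, wildcard): the IOS wildcard is the inverted subnet mask."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)

def _parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (matcher, remaining tokens)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        return (lambda ip, h=ipaddress.ip_address(tokens[1]): ip == h), tokens[2:]
    base, wild = int(ipaddress.ip_address(tokens[0])), int(ipaddress.ip_address(tokens[1]))
    # wildcard bit 1 = don't care, bit 0 = must equal the base address bit
    return (lambda ip, b=base, w=wild: (int(ip) | w) == (b | w)), tokens[2:]

def _parse_port(tokens):
    # optional 'eq PORT' (the only port operator the page uses)
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), tokens[2:]
    return None, tokens

def parse_acl(text):
    """Parse extended-ACL entries: <permit|deny> <proto> <src> [eq p] <dst> [eq p]."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok and tok[0] in ("permit", "deny"):
            src_ok, rest = _parse_addr(tok[2:])
            _sport, rest = _parse_port(rest)
            dst_ok, rest = _parse_addr(rest)
            dport, _ = _parse_port(rest)
            rules.append((tok[0], tok[1], src_ok, dst_ok, dport, line.strip()))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """Top-down, first match wins; falling off the end is the implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, src_ok, dst_ok, rport, line in rules:
        if (rproto in ("ip", proto) and src_ok(s) and dst_ok(d)
                and (rport is None or rport == dport)):
            return action, line
    return "deny", "implicit deny ip any any"

def branch_checks():
    """Constructed packets arriving on gi0/2 from the branch side."""
    rules = parse_acl(ALLOW_FROM_BRANCH)
    return {
        "lan_to_server_https": evaluate(rules, "tcp", "192.168.1.25", "10.30.0.2", 443)[0],
        "lan_to_vlan10_ping": evaluate(rules, "icmp", "192.168.1.25", "10.10.0.50")[0],
        # 'ping 10.10.0.1' typed on R-BRANCH without 'source' leaves from 192.168.0.2
        "router_sourced_ping": evaluate(rules, "icmp", "192.168.0.2", "10.10.0.1")[0],
        "lan_to_second_server": evaluate(rules, "tcp", "192.168.1.25", "10.30.0.3", 443)[0],
    }

def inet_checks():
    """Constructed packets arriving on gi0/1 from the ISP side."""
    rules = parse_acl(INET_ACL)
    return {
        "spoofed_rfc1918_src": evaluate(rules, "tcp", "10.30.0.2", "123.1.2.3", 443)[0],
        "spoofed_cgnat_src": evaluate(rules, "udp", "100.127.1.1", "123.1.2.2", 53)[0],
        # the final permit lets any public source reach any port of the static-NAT servers
        "public_to_server_ssh": evaluate(rules, "tcp", "8.8.8.100", "123.1.2.3", 22)[0],
        "public_to_foreign_dst": evaluate(rules, "tcp", "8.8.8.100", "203.0.113.9", 80)[0],
    }
```

Running branch_checks() shows the two things that trip people up with this ACL: a ping typed on R-BRANCH without a source address leaves from 192.168.0.2 and is denied, and the second server 10.30.0.3 is unreachable from the branch because no entry names it. inet_checks() confirms that the bogon entries stop spoofed RFC 1918 and CGNAT sources while the last line still admits a public source to port 22 of 123.1.2.3. cidr_to_wildcard("100.64.0.0/10") returns the 0.63.255.255 wildcard typed by hand above, which is the quickest way to check the arithmetic on the non-octet-aligned prefixes.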

Router Branch
hostname R-BRANCH

int gi0/0
 descr "Link to R-HO"
 ip add 192.168.0.2 255.255.255.252
 no shut
 exit

int gi0/1
 ip add 192.168.1.1 255.255.255.0
 no shut
 exit
ip route 0.0.0.0 0.0.0.0 192.168.0.1

Verification (from R-BRANCH):

# ping 192.168.0.1
# ping 10.10.0.1 source 192.168.1.1
# ping 10.20.0.1 source 192.168.1.1
# ping 10.30.0.2 source 192.168.1.1

Once ALLOW_FROM_BRANCH is applied on R-HO gi0/2, the pings must be sourced from the branch LAN address 192.168.1.1: a ping sourced from the link address 192.168.0.2 (the default when no source is given) matches no permit entry and hits the implicit deny. The first ping, to 192.168.0.1 itself, only succeeds before that ACL is applied, because the ACL permits nothing destined to that address.

Router-ISP
hostname R-ISP
int gi0/0
no shu
ip add 123.1.2.1 255.255.255.248
exit
int gi0/1
ip add 8.8.8.1 255.255.255.0
no shu
exit
do wr

NAT configuration on router R-HO, so that the servers can be reached from outside/the internet. First the routes R-HO needs: a default route toward the ISP, and a route to the branch LAN (without it, replies to 192.168.1.0/24 would follow the default route to the ISP and never reach the branch). Then the static NAT entries:
ip route 0.0.0.0 0.0.0.0 123.1.2.1
ip route 192.168.1.0 255.255.255.0 192.168.0.2
ip nat inside source static 10.30.0.2 123.1.2.3
ip nat inside source static 10.30.0.3 123.1.2.4
int gi0/1
ip nat outside
exit
interface gi0/0.30
ip nat inside
exit

Verification:

# sh ip nat statistic
# sh ip nat translation

Dynamic PAT configuration on router R-HO, so that VLAN 10 and 20 can reach the internet. The standard ACL ALLOW_PAT decides which inside sources get translated; everything else (the branch LAN, the management VLAN) is left untranslated and will not reach the internet.
ip access-list standard ALLOW_PAT
permit 10.10.0.0 0.0.0.255
permit 10.20.0.0 0.0.0.255 
interface gi0/0.10
ip nat inside
exit 
interface gi0/0.20
ip nat inside
exit 
int gi0/1
ip nat outside
exit
 ip nat inside source list ALLOW_PAT interface gi0/1 overload

Verification:
# sh ip nat statistic
# sh ip nat translation
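As an added illustration (not the page's code, and not IOS) of what the static entries and the overload statement above put in the translation table, here is a small Python model using the page's addresses: static entries are bidirectional and need no prior inside traffic, PAT entries are created by inside traffic and demultiplexed on the global port of 123.1.2.2, and an unsolicited packet to the PAT address finds no entry. The hosts 10.10.0.25, 10.20.0.7 and 8.8.8.100 and all ports are constructed values; the port-collision handling is a simplification of what IOS does.

```python
import ipaddress

# R-HO's NAT rules as the page configures them: two static entries for the VLAN 30
# servers, and PAT for the ALLOW_PAT networks onto the gi0/1 address.
STATIC = {"10.30.0.2": "123.1.2.3", "10.30.0.3": "123.1.2.4"}
ALLOW_PAT = [ipaddress.ip_network("10.10.0.0/24"), ipaddress.ip_network("10.20.0.0/24")]
OUTSIDE_IP = "123.1.2.2"   # gi0/1, the address 'overload' hides VLAN 10/20 behind


class NatTable:
    """Minimal model of the IOS translation table: static 1:1 entries plus PAT overload."""

    def __init__(self):
        self.static_in = {g: l for l, g in STATIC.items()}   # inside global -> inside local
        self.pat = {}       # (proto, local_ip, local_port) -> global_port
        self.pat_rev = {}   # (proto, global_port) -> (local_ip, local_port)

    def _alloc_port(self, proto, wanted):
        # keep the original source port when it is free, otherwise take another one
        port = wanted
        while (proto, port) in self.pat_rev:
            port = port + 1 if port < 65535 else 1024
        return port

    def inside_to_outside(self, proto, src, sport):
        """Packet from an 'ip nat inside' interface leaving gi0/1: rewrite the source."""
        if src in STATIC:                       # static entry wins, port unchanged
            return STATIC[src], sport
        if not any(ipaddress.ip_address(src) in n for n in ALLOW_PAT):
            # not matched by ALLOW_PAT: forwarded untranslated with its private source,
            # which the ISP should discard (this model only checks the ACL, not the
            # ingress interface; on the router gi0/2 is also not 'ip nat inside')
            return src, sport
        key = (proto, src, sport)
        if key not in self.pat:
            gport = self._alloc_port(proto, sport)
            self.pat[key] = gport
            self.pat_rev[(proto, gport)] = (src, sport)
        return OUTSIDE_IP, self.pat[key]

    def outside_to_inside(self, proto, dst, dport):
        """Packet arriving on gi0/1: rewrite the destination, or None if there is no entry."""
        if dst in self.static_in:               # reachable without prior inside traffic
            return self.static_in[dst], dport
        if dst == OUTSIDE_IP and (proto, dport) in self.pat_rev:
            return self.pat_rev[(proto, dport)]
        return None                             # unsolicited packet to the PAT address

    def entries(self):
        """Rough equivalent of 'show ip nat translations': (proto, inside global, inside local)."""
        rows = [("---", g, l) for l, g in STATIC.items()]
        rows += [(p, f"{OUTSIDE_IP}:{gp}", f"{ip}:{lp}") for (p, ip, lp), gp in self.pat.items()]
        return rows


def demo():
    """Constructed traffic run through the table; returns the translations for inspection."""
    nat = NatTable()
    r = {}
    # two hosts in different VLANs happen to pick the same source port: PAT keeps them apart
    r["h1_out"] = nat.inside_to_outside("tcp", "10.10.0.25", 40000)
    r["h2_out"] = nat.inside_to_outside("tcp", "10.20.0.7", 40000)
    # the reply for host 2 comes back to 123.1.2.2 and is demultiplexed by global port
    r["h2_reply"] = nat.outside_to_inside("tcp", r["h2_out"][0], r["h2_out"][1])
    # static server: inbound works first, outbound uses the fixed global address
    r["srv_in"] = nat.outside_to_inside("tcp", "123.1.2.3", 443)
    r["srv_out"] = nat.inside_to_outside("tcp", "10.30.0.2", 443)
    # unsolicited connection to the PAT address: nothing in the table, so it is dropped
    r["unsolicited"] = nat.outside_to_inside("tcp", OUTSIDE_IP, 3389)
    # branch LAN is not in ALLOW_PAT, so it leaves with its private source address
    r["branch_out"] = nat.inside_to_outside("tcp", "192.168.1.10", 5000)
    r["table"] = nat.entries()
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:12} {v}")
```

The asymmetry the model makes visible is the security-relevant one: the static entries answer inbound connections on every port at any time (which is why the INET_ACL above has to be the thing that limits exposure of 123.1.2.3 and 123.1.2.4), whereas the overload address 123.1.2.2 only answers on ports that an inside host has recently opened.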

-----------------------------------------------------

SECURING THE ROUTER AGAINST UNAUTHORIZED ACCESS
To restrict (SSH) access to router R-HO to the VLAN 10 segment only (10.10.0.x/24), so that SSH from any other address is refused, use the following commands:
R-HO(config)#ip domain-name imc.com
R-HO(config)#crypto key generate rsa general-keys modulus 2048
R-HO(config)#ip ssh version 2
R-HO(config)#username admin0 privilege 0 secret admin123
R-HO(config)#username admin7 privilege 7 secret admin123
R-HO(config)#username admin15 privilege 15 secret admin123
R-HO(config)#access-list 7 permit 10.10.0.0 0.0.0.255
R-HO(config)#line vty 0 4
R-HO(config-line)#login local
R-HO(config-line)#access-class 7 in
R-HO(config-line)#transport input ssh
R-HO(config-line)#exec-timeout 10 0

As a result only the 10.10.0.x/24 network can SSH to router R-HO; access-list 7 ends in an implicit deny, so every other source is refused before authentication is even attempted. Two caveats: platforms that provide more than five vty lines need the same access-class and transport input applied to line vty 5 15 as well, otherwise those lines stay reachable; and the privilege 0 and 7 users gain no extra commands until privilege exec level commands are configured for those levels. The passwords shown are lab placeholders.

