NAT – Ability to Use Route Maps with Static Translations

NAT configuration with one INSIDE interface and several OUTSIDE interfaces

 

Feature History

Release      Modification
12.2(4)T     This feature was introduced.
12.2(4)T2    Support for the Cisco 7500 series routers was added.

This document describes the NAT—Ability to Use Route Maps with Static Translations feature. It includes the following sections:

Feature Overview

Supported Platforms

Supported Standards, MIBs, and RFCs

Configuration Tasks

Configuration Examples

Command Reference

Feature Overview
Before this feature, route mapping was supported only with dynamic Network Address Translation (NAT).

The NAT—Ability to Use Route Maps with Static Translations feature enables NAT multihoming capability with static address translations. Multihomed internal networks now can host common services such as the Internet and Domain Name System (DNS), which are accessed from different outside networks.

Note: Network static support is not included in this feature.


Benefits
The ability to configure route map statements provides the option of using IP Security (IPSec) with NAT.
Translation decisions can be made based on the destination IP address when static translation entries are used.
Related Documents
Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2
Cisco IOS IP Configuration Guide, Release 12.2
Supported Platforms
Cisco 2500 series
Cisco 2600 series
Cisco 3620 router
Cisco 3640 router
Cisco 3660 router
Cisco 7100 series
Cisco 7200 series
Cisco 7500 series
Determining Platform Support Through Feature Navigator
Cisco IOS software is packaged in feature sets that support specific platforms. To get updated information regarding platform support for this feature, access Feature Navigator. Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.

Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image.

To access Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions at http://www.cisco.com/register.

Feature Navigator is updated when major Cisco IOS software releases and technology releases occur. As of May 2001, Feature Navigator supports M, T, E, S, and ST releases. You can access Feature Navigator at the following URL:

http://www.cisco.com/go/fn

Supported Standards, MIBs, and RFCs
Standards
No new or modified standards are supported by this feature.

MIBs
No new or modified MIBs are supported by this feature.

To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

RFCs
No new or modified RFCs are supported by this feature.

Configuration Tasks
See the following sections for configuration tasks for the NAT—Ability to Use Route Maps with Static Translations feature. Each task in the list is identified as either required or optional:

Enabling Static NAT Route Mapping (required)
Verifying Static NAT Route Mapping (optional)
Enabling Static NAT Route Mapping
To enable route mapping with static NAT configurations, use the following command in global configuration mode:

Command:
Router(config)# ip nat inside source {list {access-list-number | access-list-name} pool pool-name [overload] | static local-ip global-ip route-map map-name}

Purpose:
Enables route mapping with static NAT translation configured on the NAT inside interface.

Verifying Static NAT Route Mapping
To verify the static NAT route mapping configuration, use the following command in privileged EXEC mode:

Command:
Router# show ip nat translations [verbose]

Purpose:
Displays active NAT translations.

Configuration Examples
This section provides the following configuration example:

Enabling Static NAT Route Mapping
Enabling Static NAT Route Mapping Example
The following example shows the use of route mapping with static NAT translations:

interface Ethernet3
 ip address 172.68.1.100 255.255.255.0
 ip nat outside
 media-type 10BaseT
!
interface Ethernet4
 ip address 192.68.1.100 255.255.255.0
 ip nat outside
 media-type 10BaseT
!
interface Ethernet5
 ip address 11.1.1.100 255.255.255.0
 ip nat inside
 media-type 10BaseT
!
router rip
 network 172.68.0.0
 network 192.68.1.0
!
ip nat inside source static 11.1.1.2 192.68.1.21 route-map isp2
ip nat inside source static 11.1.1.2 172.68.1.21 route-map isp1
ip nat inside source static 11.1.1.1 192.68.1.11 route-map isp2
ip nat inside source static 11.1.1.1 172.68.1.11 route-map isp1
access-list 101 permit ip 11.1.1.0 0.0.0.255 172.0.0.0 0.255.255.255
access-list 102 permit ip 11.1.1.0 0.0.0.255 192.0.0.0 0.255.255.255
!
route-map isp2 permit 10
 match ip address 102
 set ip next-hop 192.68.1.1
!
route-map isp1 permit 10
 match ip address 101
 set ip next-hop 172.68.1.1

Command Reference
This section documents the modified ip nat inside source command. All other commands used with this feature are documented in the Cisco IOS Release 12.2 command reference publications.

ip nat inside source
To enable Network Address Translation (NAT) of the inside source address, use the ip nat inside source command in global configuration mode. To remove the static translation or remove the dynamic association to a pool, use the no form of this command.

ip nat inside source {list {access-list-number | access-list-name} pool pool-name [overload] | static local-ip global-ip route-map map-name}
no ip nat inside source {list {access-list-number | access-list-name} pool pool-name [overload] | static local-ip global-ip route-map map-name}
Syntax Description

list access-list-number
 Standard IP access list number. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.
 
list access-list-name
 Name of a standard IP access list. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.
 
pool pool-name
 Name of the pool from which global IP addresses are allocated dynamically.
 
overload
 (Optional) Enables the router to use one global address for many local addresses. When overloading is configured, the TCP or UDP port number of each inside host distinguishes between the multiple conversations using the same local IP address.
 
static local-ip
 Sets up a single static translation. The local-ip argument establishes the local IP address assigned to a host on the inside network. The address could be randomly chosen, allocated from RFC 1918, or obsolete.
 
global-ip
 Sets up a single static translation. The global-ip argument establishes the globally unique IP address of an inside host as it appears to the outside world.
 
route-map map-name
 Name of the route map configuration on the NAT inside interface in static translations.
 

Defaults

No default behavior or values

Command Modes

Global configuration

Command History

Release      Modification
11.2         This command was introduced.
12.2(4)T     This command was modified to include the ability to use route maps with static translations, and the route-map map-name keyword/argument was added.

Usage Guidelines

This command has two forms: dynamic and static address translation. The form with an access list establishes dynamic translation. Packets from addresses that match the standard access list are translated using global addresses allocated from the pool named with the ip nat pool command.

Alternatively, the syntax form with the keyword static establishes a single static translation.

Examples

The following example translates between inside hosts addressed from either the 192.168.1.0 or 192.168.2.0 network to the globally unique 171.69.233.208/28 network:

ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28
ip nat inside source list 1 pool net-208
!
interface ethernet 0
 ip address 171.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet 1
 ip address 192.168.1.94 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255

The following example shows the use of route mapping with static NAT translations:

!
interface Ethernet3
 ip address 172.68.1.100 255.255.255.0
 ip nat outside
 media-type 10BaseT
!
interface Ethernet4
 ip address 192.68.1.100 255.255.255.0
 ip nat outside
 media-type 10BaseT
!
interface Ethernet5
 ip address 11.1.1.100 255.255.255.0
 ip nat inside
 media-type 10BaseT
!
router rip
 network 172.68.0.0
 network 192.68.1.0
!
ip nat inside source static 11.1.1.2 192.68.1.21 route-map isp2
ip nat inside source static 11.1.1.2 172.68.1.21 route-map isp1
ip nat inside source static 11.1.1.1 192.68.1.11 route-map isp2
ip nat inside source static 11.1.1.1 172.68.1.11 route-map isp1
access-list 101 permit ip 11.1.1.0 0.0.0.255 172.0.0.0 0.255.255.255
access-list 102 permit ip 11.1.1.0 0.0.0.255 192.0.0.0 0.255.255.255
!
route-map isp2 permit 10
 match ip address 102
 set ip next-hop 192.68.1.1
!
route-map isp1 permit 10
 match ip address 101
 set ip next-hop 172.68.1.1
Related Commands


NAT Support for Multiple Pools Using Route Maps

Contents

Introduction
Prerequisites
      Requirements
      Components Used
      Conventions
Background Information
Access List Approach
      Host 1 to Host 2
      Host 1 to Host 3
Route Map Approach
      Host 1 to Host 2
      Host 1 to Host 3
Related Information




Introduction

This document explains how the use of access lists versus route maps changes the functionality of Network Address Translation (NAT). For more information on NAT, see Cisco IOS NAT.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco 2500 Series Routers.

  • Cisco IOS® Software Release 12.3(3).

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

For more information on document conventions, refer to the Cisco Technical Tips Conventions.

Background Information

NAT consults access lists and route maps only when it needs to create a translation entry. If a translation entry that matches the traffic already exists, that entry is used and no access list or route map is consulted. The difference between using an access list and a route map is the type of translation entry that is created.

Route Maps

When NAT uses a route map to decide to create a translation entry, it will always create a "fully extended" translation entry. This translation entry will contain both the inside and outside (local and global) address entries and any TCP or UDP port information. Refer to NAT: Local and Global Definitions for more information on inside and outside (local and global) addresses.

Access Lists (no overload)

When NAT uses an access list to decide to create a translation entry, it will create a "simple" translation entry. This "simple" entry will only contain local and global IP address entries for just the inside or outside depending on whether the ip nat inside or ip nat outside command is configured. Also, it will not include any TCP or UDP port information.

Access Lists (with overload)

When NAT uses an access list, and overload has also been specified, NAT will create a "fully extended" translation entry (refer to Note 1). The operation is similar to the route-map case except that route-map has some additional features; refer to Note 2 for more details. Examples of a simple NAT translation entry and a fully extended NAT translation entry are shown in the Access List Approach and Route Map Approach sections below.

Below is an example network diagram we will use to illustrate the difference between using a route map and an access list with NAT.

[Figure: example network diagram (nat_routemap1.gif)]

In the example network diagram above, it is required that hosts on 10.1.1.0 be translated to the following:

  • 131.108.2.0 when going to 131.108.1.0

  • 131.118.2.0 when going to 131.118.1.0

Access List Approach

With an access list approach, you would do the following to translate the hosts on 10.1.1.0:

ip nat pool pool108 131.108.2.1 131.108.2.254 prefix-length 24
!--- Defines a pool of global addresses to be allocated as needed.
ip nat pool pool118 131.118.2.1 131.118.2.254 prefix-length 24
ip nat inside source list 108 pool pool108
!--- Establishes dynamic source translation, specifying the
!--- access list defined below.
ip nat inside source list 118 pool pool118
interface ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 !--- Marks the interface as connected to the inside.
interface ethernet1
 ip address 10.1.2.1 255.255.255.0
 ip nat outside
 !--- Marks the interface as connected to the outside.
access-list 108 permit ip 10.1.1.0 0.0.0.255 131.108.1.0 0.0.0.255
!--- Defines the access-list mentioning those addresses
!--- that are to be translated.
access-list 118 permit ip 10.1.1.0 0.0.0.255 131.118.1.0 0.0.0.255

Refer to IP Addressing and Services Commands for more information on these commands.

Host 1 to Host 2

Here is what happens when Host 1 Telnets to Host 2.

Packet on (Network 1)  s:10.1.1.2(1024)     d:131.108.1.2(23)
Packet on (Network 2)  s:131.108.2.1(1024)  d:131.108.1.2(23)   (after NAT)

Because an access list was used by NAT to match this traffic, a simple translation entry is created, which only includes inside translation information and no protocol or port information:

inside                       outside
local        global          global       local
10.1.1.2     131.108.2.1     ----         ----

Return packet: Host 2 to Host 1:

Packet on (Network 2)  s:131.108.1.2(23)  d:131.108.2.1(1024)
Packet on (Network 1)  s:131.108.1.2(23)  d:10.1.1.2(1024)      (after NAT)

Host 1 to Host 3

With the above simple translation in place, here is what happens when Host 1 also Telnets to Host 3:

Packet on (Network 1)  s:10.1.1.2(1025)     d:131.118.1.2(23)
Packet on (Network 2)  s:131.108.2.1(1025)  d:131.118.1.2(23)   (after NAT)

We can see that there is a problem. Packets going from 10.1.1.0 hosts to 131.118.1.0 hosts should get translated into 131.118.2.0, not 131.108.2.0. This happens because there is already a NAT translation entry for 10.1.1.2 <-> 131.108.2.1, which also matches the traffic between Host 1 and Host 3. Therefore, this translation entry is used and access lists 108 and 118 are not checked.

While the simple translation entry is in place in the NAT translation table, it can be used by any outside user on any outside host to send a packet to Host 1 as long as the outside user uses the inside global address (131.108.2.1) for Host 1. Normally a static NAT translation would be needed to allow this.

Route Map Approach

The correct way to configure the example in this document is to use route maps. With a route map approach, you would do the following to translate the hosts on 10.1.1.0:

ip nat pool pool-108 131.108.2.1 131.108.2.254 prefix-length 24
ip nat pool pool-118 131.118.2.1 131.118.2.254 prefix-length 24
ip nat inside source route-map MAP-108 pool pool-108
!--- Establishes dynamic source translation, specifying
!--- the route-map MAP-108 which is defined below.
ip nat inside source route-map MAP-118 pool pool-118
!--- Establishes dynamic source translation, specifying the route-map MAP-118.
!--- Here, the route-maps are consulted instead of
!--- access-lists (as in the previous case).
interface ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
interface ethernet1
 ip address 10.1.2.1 255.255.255.0
 ip nat outside
access-list 108 permit ip 10.1.1.0 0.0.0.255 131.108.1.0 0.0.0.255
access-list 118 permit ip 10.1.1.0 0.0.0.255 131.118.1.0 0.0.0.255
route-map MAP-108 permit 10
!--- Defines the route-map MAP-108.
 match ip address 108
!--- Specifies the criteria for translation. Here, the IP
!--- address mentioned in the access-list 108 is translated.
!--- The translation is defined in the
!--- ip nat inside source route-map MAP-108 pool pool-108 command.
route-map MAP-118 permit 10
!--- Defines the route-map MAP-118.
 match ip address 118
!--- The IP address mentioned in the access-list 118 is translated.
!--- The translation is defined in the
!--- ip nat inside source route-map MAP-118 pool pool-118 command.

Refer to IP Addressing and Services Commands for more information on these commands.

Host 1 to Host 2

Here is what happens when Host 1 Telnets to Host 2:

Packet on (Network 1)  s:10.1.1.2(1024)     d:131.108.1.2(23)
Packet on (Network 2)  s:131.108.2.1(1024)  d:131.108.1.2(23)   (after NAT)

In this case, because a route map was used by NAT to match the traffic to be translated, NAT will create a fully extended translation entry, which includes both inside and outside translation information:

inside                             outside
local            global            global            local
10.1.1.2:1024    131.108.2.1:1024  131.108.1.2:23    131.108.1.2:23

Return packet: Host 2 to Host 1:

Packet on (Network 2)  s:131.108.1.2(23)  d:131.108.2.1(1024)
Packet on (Network 1)  s:131.108.1.2(23)  d:10.1.1.2(1024)      (after NAT)

Host 1 to Host 3

Now when Host 1 sends a packet to Host 3 we get the following:

Packet on (Network 1)  s:10.1.1.2(1025)     d:131.118.1.2(23)
Packet on (Network 2)  s:131.118.2.1(1025)  d:131.118.1.2(23)   (after NAT)

The translation worked correctly because the packet on Network 1 does not match the fully extended translation entry that was used for the Host 1 to Host 2 traffic. Because the existing translation does not match, NAT creates another translation entry for the Host 1 to Host 3 traffic.

Below are the fully extended translation entries on the NAT router:

inside                             outside
local            global            global            local
10.1.1.2:1024    131.108.2.1:1024  131.108.1.2:23    131.108.1.2:23
10.1.1.2:1025    131.118.2.1:1025  131.118.1.2:23    131.118.1.2:23

Because the NAT translation table has two full entries, it will correctly translate traffic going to the two different destinations from the same source.

Unlike the simple translation entry that was created via the access list, the fully extended translation entry created via the route map cannot be used by any other outside user to send a packet to Host 1. A static NAT translation would be needed to allow this.
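To make the two entry types concrete, here is an added Python model of the NAT translation table behaviour described in this section. It is an illustration written for this page, not Cisco code, and it reduces IOS to the points the document makes: existing entries are consulted before any access list or route map, a simple entry is keyed on the inside local address alone, a fully extended entry is keyed on addresses and ports, and rules are tried in configuration order. The classes Packet, Rule, Entry and NatTable and the function run_scenario are this example's own names; the hosts, pools and addresses come from the example network above, and the unrelated outside host 131.108.1.99 is a constructed value. Rule(extended=False) stands for the access-list form without overload; Rule(extended=True) stands for the route-map form and, per Note 1, for the access-list form with overload.

```python
"""Model of IOS NAT "simple" vs "fully extended" translation entries.

Added illustration written for this page, not Cisco code. Addresses, pools and
hosts follow the document's example network (a constructed scenario).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One 'ip nat inside source {list|route-map} ... pool ...' statement.
    extended=False: access-list form without overload (simple entries).
    extended=True: route-map form, or access list with overload (fully extended entries)."""
    inside_net: str  # source network permitted by the access list
    dest_net: str    # destination network permitted by the access list
    pool: str        # pool of inside global addresses, as a CIDR block
    extended: bool


@dataclass
class Entry:
    inside_local: str
    inside_global: str
    inside_port: Optional[int] = None     # these three fields are populated
    outside_global: Optional[str] = None  # only on fully extended entries
    outside_port: Optional[int] = None

    @property
    def extended(self) -> bool:
        return self.outside_global is not None


class NatTable:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)
        self.entries: List[Entry] = []
        # pool -> {inside local -> inside global already handed out from it}
        self.pool_map: Dict[str, Dict[str, str]] = {r.pool: {} for r in rules}

    def _find_outbound(self, pkt: Packet) -> Optional[Entry]:
        """Existing entries are checked first; rules are ignored when one matches."""
        for e in self.entries:
            if e.inside_local != pkt.src:
                continue
            if not e.extended:
                return e  # simple entry: matches on the source address alone
            if (e.inside_port, e.outside_global, e.outside_port) == (pkt.sport, pkt.dst, pkt.dport):
                return e
        return None

    def _allocate(self, rule: Rule, inside_local: str) -> str:
        """Next free pool address; a host keeps the address it already holds."""
        held = self.pool_map[rule.pool]
        if inside_local not in held:
            held[inside_local] = str(list(ip_network(rule.pool).hosts())[len(held)])
        return held[inside_local]

    def _create(self, pkt: Packet) -> Optional[Entry]:
        """Walk the rules in configuration order; the first match builds the entry."""
        for r in self.rules:
            if ip_address(pkt.src) in ip_network(r.inside_net) and ip_address(pkt.dst) in ip_network(r.dest_net):
                g = self._allocate(r, pkt.src)
                e = Entry(pkt.src, g, pkt.sport, pkt.dst, pkt.dport) if r.extended else Entry(pkt.src, g)
                self.entries.append(e)
                return e
        return None

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inside-to-outside packet (returned unchanged if no rule applies)."""
        e = self._find_outbound(pkt) or self._create(pkt)
        return pkt if e is None else Packet(e.inside_global, pkt.sport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an outside-to-inside packet; None means no entry matched."""
        for e in self.entries:
            if e.inside_global != pkt.dst:
                continue
            if not e.extended:  # a simple entry answers for any outside sender
                return Packet(pkt.src, pkt.sport, e.inside_local, pkt.dport)
            if (e.outside_global, e.outside_port, e.inside_port) == (pkt.src, pkt.sport, pkt.dport):
                return Packet(pkt.src, pkt.sport, e.inside_local, pkt.dport)
        return None


def run_scenario(extended: bool) -> Dict[str, object]:
    """Host 1 (10.1.1.2) telnets to Host 2, then to Host 3; afterwards an unrelated
    outside host (constructed: 131.108.1.99) tries to reach Host 1's global address."""
    nat = NatTable([
        Rule("10.1.1.0/24", "131.108.1.0/24", "131.108.2.0/24", extended),
        Rule("10.1.1.0/24", "131.118.1.0/24", "131.118.2.0/24", extended),
    ])
    to_host2 = nat.outbound(Packet("10.1.1.2", 1024, "131.108.1.2", 23))
    to_host3 = nat.outbound(Packet("10.1.1.2", 1025, "131.118.1.2", 23))
    stranger = nat.inbound(Packet("131.108.1.99", 4000, to_host2.src, 5555))
    return {"to_host2": to_host2.src, "to_host3": to_host3.src,
            "stranger_reaches_host1": stranger is not None, "entries": len(nat.entries)}


if __name__ == "__main__":
    print("access list:", run_scenario(extended=False))
    print("route map:  ", run_scenario(extended=True))
```

With extended=False the second session is translated to 131.108.2.1 instead of 131.118.2.1, only one entry exists, and the unrelated outside host is let through to Host 1; with extended=True the second session gets 131.118.2.1, two entries exist, and the unrelated host finds no matching entry. That last point is the one a defender should take from this section: a simple entry is reachable from any outside address for as long as it lives.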

Note 1

In the case of access-list with overload, the configuration is similar to the access-list without overload case. The exception is that you need to add the keyword overload to the command ip nat inside source list 108 pool pool108 and ip nat inside source list 118 pool pool118.

Note 2

The advantage of using route-maps is that under the match command you have more options than just the source IP address. For example, under the route-map, match interface or match ip next-hop can be specified. With route-maps you can match on the IP address as well as on the interface or the next-hop address to which the packet is to be forwarded. Route-maps with NAT are therefore used in a scenario where the subscriber is multihomed to different ISPs.


NAT and Same Security Level Interfaces

NAT is not required between same security level interfaces even if you enable NAT control. You can optionally configure NAT if desired. However, if you configure dynamic NAT when NAT control is enabled, then NAT is required. See the "NAT Control" section for more information. Also, when you specify a group of IP address(es) for dynamic NAT or PAT on a same security interface, then you must perform NAT on that group of addresses when they access any lower or same security level interface (even when NAT control is not enabled). Traffic identified for static NAT is not affected.

See the "Allowing Communication Between Interfaces on the Same Security Level" section on page 7-6 to enable same security communication.


Order of NAT Commands Used to Match Real Addresses

The security appliance matches real addresses to NAT commands in the following order:

1. NAT exemption (nat 0 access-list)—In order, until the first match. Identity NAT is not included in this category; it is included in the regular static NAT or regular NAT category. We do not recommend overlapping addresses in NAT exemption statements because unexpected results can occur.

2. Static NAT and Static PAT (regular and policy) (static)—In order, until the first match. Static identity NAT is included in this category.

3. Policy dynamic NAT (nat access-list)—In order, until the first match. Overlapping addresses are allowed.

4. Regular dynamic NAT (nat)—Best match. Regular identity NAT is included in this category. The order of the NAT commands does not matter; the NAT statement that best matches the real address is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an interface. If you want to translate a subset of your network (10.1.1.1) to a different address, then you can create a statement to translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the real address best. We do not recommend using overlapping statements; they use more memory and can slow the performance of the security appliance.
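The four-category precedence above is easy to misread when a configuration mixes a catch-all dynamic statement with more specific ones, so here is an added Python model of the matching order; it is an illustration written for this page, not Cisco code. NatCmd, ORDER, match_nat_command, SAMPLE and explain are this example's own names, the SAMPLE configuration is constructed, and its labels are descriptive text rather than CLI syntax. The model applies exactly the rules listed: the first three categories are first match in configuration order, and regular dynamic NAT is best match (most specific real-address range) regardless of order.

```python
"""Model of the order in which security appliance NAT commands match real addresses.

Added illustration written for this page, not Cisco code. The categories and their
precedence follow the four-step list above; the sample commands are constructed and
the labels are descriptive text, not CLI syntax.
"""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional


class NatCmd(NamedTuple):
    kind: str                   # "exempt", "static", "policy" or "dynamic"
    real: str                   # real addresses the command covers (CIDR)
    dest: Optional[str] = None  # destination restriction of access-list based forms
    label: str = ""


# Precedence from the document: NAT exemption, static NAT/PAT, policy dynamic
# NAT, regular dynamic NAT.
ORDER = ("exempt", "static", "policy", "dynamic")


def match_nat_command(cmds: List[NatCmd], real_ip: str, dest_ip: str) -> Optional[NatCmd]:
    """Return the NAT command the appliance would apply to real_ip talking to dest_ip."""
    real, dest = ip_address(real_ip), ip_address(dest_ip)
    for kind in ORDER:
        hits = [c for c in cmds
                if c.kind == kind
                and real in ip_network(c.real)
                and (c.dest is None or dest in ip_network(c.dest))]
        if not hits:
            continue
        if kind == "dynamic":
            # Regular dynamic NAT is best match: the most specific real-address
            # range wins regardless of configuration order.
            return max(hits, key=lambda c: ip_network(c.real).prefixlen)
        return hits[0]  # every other category is first match in configuration order
    return None


# Constructed configuration. The catch-all dynamic statement is deliberately listed
# before the host-specific one to show that order does not matter in that category.
SAMPLE = [
    NatCmd("dynamic", "0.0.0.0/0", label="regular dynamic NAT, all addresses"),
    NatCmd("dynamic", "10.1.1.1/32", label="regular dynamic NAT, host 10.1.1.1"),
    NatCmd("static", "10.1.2.0/24", label="static NAT for 10.1.2.0/24"),
    NatCmd("exempt", "10.1.1.0/24", "192.168.0.0/16", label="NAT exemption towards 192.168.0.0/16"),
    NatCmd("policy", "10.1.1.0/24", "172.16.0.0/12", label="policy dynamic NAT towards 172.16.0.0/12"),
]


def explain(real_ip: str, dest_ip: str) -> str:
    """One-line description of which SAMPLE command applies to a real/destination pair."""
    m = match_nat_command(SAMPLE, real_ip, dest_ip)
    return f"{real_ip} -> {dest_ip}: " + (m.label if m else "no NAT command matches")


if __name__ == "__main__":
    for real, dest in (("10.1.1.1", "192.168.5.5"), ("10.1.1.1", "172.20.0.1"),
                       ("10.1.1.1", "198.51.100.7"), ("10.1.2.7", "198.51.100.7"),
                       ("10.9.9.9", "198.51.100.7")):
        print(explain(real, dest))
```

Running it shows 10.1.1.1 hitting the exemption or the policy statement depending on the destination even though a host-specific dynamic statement exists, and hitting the /32 dynamic statement rather than the earlier catch-all when neither applies; 10.1.2.7 is caught by the static statement before any dynamic one is considered.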


Bypassing NAT When NAT Control is Enabled

If you enable NAT control, then inside hosts must match a NAT rule when accessing outside hosts. If you do not want to perform NAT for some hosts, then you can bypass NAT for those hosts (alternatively, you can disable NAT control). You might want to bypass NAT, for example, if you are using an application that does not support NAT (see the "When to Use Application Protocol Inspection" section on page 25-2 for information about inspection engines that do not support NAT).

You can configure traffic to bypass NAT using one of three methods. All methods achieve compatibility with inspection engines. However, each method offers slightly different capabilities, as follows:

Identity NAT (nat 0 command)—When you configure identity NAT (which is similar to dynamic NAT), you do not limit translation for a host on specific interfaces; you must use identity NAT for connections through all interfaces. Therefore, you cannot choose to perform normal translation on real addresses when you access interface A, but use identity NAT when accessing interface B. Regular dynamic NAT, on the other hand, lets you specify a particular interface on which to translate the addresses. Make sure that the real addresses for which you use identity NAT are routable on all networks that are available according to your access lists.

For identity NAT, even though the mapped address is the same as the real address, you cannot initiate a connection from the outside to the inside (even if the interface access list allows it). Use static identity NAT or NAT exemption for this functionality.

Static identity NAT (static command)—Static identity NAT lets you specify the interface on which you want to allow the real addresses to appear, so you can use identity NAT when you access interface A, and use regular translation when you access interface B. Static identity NAT also lets you use policy NAT, which identifies the real and destination addresses when determining the real addresses to translate (see the "Policy NAT" section for more information about policy NAT). For example, you can use static identity NAT for an inside address when it accesses the outside interface and the destination is server A, but use a normal translation when accessing the outside server B.

NAT exemption (nat 0 access-list command)—NAT exemption allows both translated and remote hosts to initiate connections. Like identity NAT, you do not limit translation for a host on specific interfaces; you must use NAT exemption for connections through all interfaces. However, NAT exemption does let you specify the real and destination addresses when determining the real addresses to translate (similar to policy NAT), so you have greater control using NAT exemption. However unlike policy NAT, NAT exemption does not consider the ports in the access list.


NAT-T and keepalives for LAN-to-LAN tunnels

Enable NAT-Traversal (#1 RA VPN Issue)

NAT-Traversal or NAT-T allows VPN traffic to pass through NAT or PAT devices, such as a Linksys SOHO router. If NAT-T is not enabled, VPN Client users often appear to connect to the PIX or ASA without a problem, but they are unable to access the internal network behind the security appliance.

Note: With IOS 12.2(13)T and later, NAT-T is enabled by default in IOS.

Here is the command to enable NAT-T on a Cisco Security Appliance. The 20 in this example is the keepalive time (default).

PIX/ASA 7.1 and earlier
pix(config)# isakmp nat-traversal 20

PIX/ASA 7.2(1) and later
securityappliance(config)# crypto isakmp nat-traversal 20

Note: This command is the same for both PIX 6.x and PIX/ASA 7.x.

Enable ISAKMP Keepalives

If you configure ISAKMP keepalives, it helps prevent sporadically dropped LAN-to-LAN VPN tunnels and LAN-to-LAN tunnels that are dropped after a period of inactivity. This feature lets the tunnel endpoint monitor the continued presence of a remote peer and report its own presence to that peer. If the peer becomes unresponsive, the endpoint removes the connection. In order for ISAKMP keepalives to work, both VPN endpoints must support them.

Use these commands to configure ISAKMP keepalives on the PIX/ASA Security Appliances:

Cisco PIX 6.x
pix(config)# isakmp keepalive 15

Cisco PIX/ASA 7.x, for the tunnel group named 10.165.205.222
securityappliance(config)# tunnel-group 10.165.205.222 ipsec-attributes
securityappliance(config-tunnel-ipsec)# isakmp keepalive threshold 15 retry 10


Coexistence of dynamic and static VPN peers

Verify Crypto Map Sequence Numbers

If static and dynamic peers are configured on the same crypto map, the order of the crypto map entries is very important. The sequence number of the dynamic crypto map entry must be higher than all of the other static crypto map entries. If the static entries are numbered higher than the dynamic entry, connections with those peers fail.

Here is an example of a properly numbered crypto map that contains a static entry and a dynamic entry. Note that the dynamic entry has the highest sequence number and room has been left to add additional static entries:

crypto dynamic-map cisco 20 set transform-set myset
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 172.16.77.10
crypto map mymap 10 set transform-set myset
crypto map mymap 60000 ipsec-isakmp dynamic cisco
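Because a static peer added later with a sequence number above the dynamic entry silently breaks that peer, the ordering rule is worth checking mechanically against a saved running-config. The following Python check is an added example written for this page, not a Cisco tool: parse_crypto_maps and misordered_entries are its own names, it recognises a static entry by its set peer line and a dynamic entry by its ipsec-isakmp dynamic line, and the two sample configurations are constructed (GOOD_CONFIG mirrors the example above; BAD_CONFIG adds a second static peer numbered above the dynamic entry).

```python
"""Check that dynamic crypto map entries are numbered above every static entry.

Added check written for this page, not Cisco code. It reads running-config text;
the sample configurations are constructed (the good one mirrors the example above).
"""
import re
from typing import Dict, List, Set, Tuple

# A static entry is recognised by its "set peer" line, a dynamic entry by its
# "ipsec-isakmp dynamic" line.
STATIC_RE = re.compile(r"^crypto map (\S+) (\d+) set peer \S+")
DYNAMIC_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic \S+")


def parse_crypto_maps(config: str) -> Dict[str, Tuple[Set[int], Set[int]]]:
    """Return {map name: (static sequence numbers, dynamic sequence numbers)}."""
    maps: Dict[str, Tuple[Set[int], Set[int]]] = {}
    for raw in config.splitlines():
        line = raw.strip()
        for regex, index in ((STATIC_RE, 0), (DYNAMIC_RE, 1)):
            m = regex.match(line)
            if m:
                maps.setdefault(m.group(1), (set(), set()))[index].add(int(m.group(2)))
    return maps


def misordered_entries(config: str) -> List[Tuple[str, int, int]]:
    """(map, static seq, dynamic seq) for each static entry numbered at or above a dynamic one."""
    problems: List[Tuple[str, int, int]] = []
    for name, (static, dynamic) in parse_crypto_maps(config).items():
        for dseq in sorted(dynamic):
            for sseq in sorted(static):
                if sseq >= dseq:
                    problems.append((name, sseq, dseq))
    return problems


GOOD_CONFIG = """
crypto dynamic-map cisco 20 set transform-set myset
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 172.16.77.10
crypto map mymap 10 set transform-set myset
crypto map mymap 60000 ipsec-isakmp dynamic cisco
"""

# Constructed: a second static peer added with a sequence number above the dynamic entry.
BAD_CONFIG = GOOD_CONFIG + """
crypto map mymap 60010 match address 101
crypto map mymap 60010 set peer 172.16.77.11
crypto map mymap 60010 set transform-set myset
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, misordered_entries(cfg) or "ok")
```

Feed it the output of show running-config and any tuple it returns names a static peer whose connections will fail until it is renumbered below the dynamic entry.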

Disable XAUTH for L2L Peers

If a LAN-to-LAN tunnel and a Remote Access VPN tunnel are configured on the same crypto map, the LAN-to-LAN peer is prompted for XAUTH information, and the LAN-to-LAN tunnel fails.

Note: This issue only applies to Cisco IOS and PIX 6.x. Because it uses tunnel-groups, PIX/ASA 7.x is not affected by this issue.

Use the no-xauth keyword when you enter the isakmp key, so the device does not prompt the peer for XAUTH information (username and password). This keyword disables XAUTH for static IPSec peers. Enter a command similar to this on the device that has both L2L and RA VPN configured on the same crypto map:

router(config)# crypto isakmp key cisco123 address 172.22.1.164 no-xauth


[summary] Default route origination under the various routing protocols

RIP
1. Use the "eight-zero" static route (0.0.0.0 0.0.0.0) as the default route together with redistribute static (IOS 12.0 is the dividing line; in IOS releases before it, RIP and EIGRP could propagate the eight-zero route automatically).
2. Use ip default-network. Notes: with RIP, the network chosen as the default network does not have to be advertised; the router configured with this command does not get a "gateway of last resort" itself, but it makes the other routers generate an eight-zero default route. With EIGRP, the router configured with this command must advertise that network (once the default network is advertised, the other EIGRP routers learn it through EIGRP, so here ip default-network in effect just tells the other routers to flag that network as the default); the router itself gets something like "Gateway of last resort is 0.0.0.0 to network 10.0.0.0", and the other routers generate a route to that default network flagged D* (to remove it, use the no ip route form).
3. Use default-information originate; note that the router configured with this command should not also have the eight-zero route configured.
4. ip route 0.0.0.0 0.0.0.0 null 0
   ip summary-address rip 0.0.0.0 0.0.0.0 (suppresses all the specific routes)
   Note that this works only under RIP version 2, and auto-summary must be disabled.
5. ip route 0.0.0.0 0.0.0.0 null 0
   network 0.0.0.0 (this advertisement also pulls networks that were not meant to enter the RIP domain into it; of little practical use unless filtered)

EIGRP
1. Use the eight-zero static route as the default route together with redistribute static (IOS 12.0 is the dividing line; in IOS releases before it, RIP and EIGRP could propagate the eight-zero route automatically).
2. Use ip default-network. Notes: with EIGRP, the router configured with this command must advertise that network (once the default network is advertised, the other EIGRP routers learn it through EIGRP, so here ip default-network in effect just tells the other routers to flag that network as the default); the router itself gets something like "Gateway of last resort is 0.0.0.0 to network 10.0.0.0", and the other routers generate a route to that default network flagged D* (to remove it, use the no ip route form).
3. ip route 0.0.0.0 0.0.0.0 null 0
   ip summary-address eigrp 0.0.0.0 0.0.0.0 (suppresses all the specific routes)
   Auto-summary must be disabled.
4. ip route 0.0.0.0 0.0.0.0 null 0
   network 0.0.0.0 (this advertisement also pulls networks that were not meant to enter the EIGRP domain into it; of little practical use unless filtered)
Notes: network 0.0.0.0 only works for a default route that uses one of this router's interfaces as its next hop; it does not work for ip route 0.0.0.0 0.0.0.0 address. Likewise, ip default-network 0.0.0.0 cannot be used in an attempt to inject a default route into the other routers.

IGRP
The eight-zero route plus static redistribution cannot be used (IGRP does not recognise 0.0.0.0).
Use ip default-network; this works basically as for EIGRP, except that the router configured with the command does not get a gateway of last resort the way it does with EIGRP.

OSPF, IS-IS
Use default-information originate (always); this generates a type 5 LSA that is propagated.
The always keyword propagates the default regardless of whether the current router has a default route.
The always keyword cannot be used with IS-IS.

BGP
All three of the following conditions must be met:
1. Configure a default route
2. Redistribute static routes (redistribute static)
3. Use default-information originate
Alternatively, if the IGP carries a 0.0.0.0 route, network 0.0.0.0 also works.

In brief:
ip default-network is used with RIP, IGRP and EIGRP

default-information originate is used with RIP, OSPF, IS-IS and BGP

redistribute static is used together with the above on RIP, EIGRP and BGP

Detailed study notes:

mycisco.cn学习版.缺省路由总结.pdf


[repost] Command help shown by ? in Cisco IOS

Access-enable   Allows the router to create a temporary access-list entry in a dynamic access list
Access-group   Applies an access control list (ACL) to an interface
Access-list   Defines a standard IP ACL
Access-template   Manually places a temporary access-list entry on a connected router
Appn   Sends commands to the APPN subsystem
Atmsig   Executes ATM signaling commands
B   Manually boots the operating system
Bandwidth   Sets the bandwidth of an interface
Banner motd   Specifies a message-of-the-day banner
Bfe   Sets emergency manual mode
Boot system   Specifies the system image the router loads at startup
Calendar   Sets the hardware calendar
Cd   Changes the current directory
Cdp enable   Enables CDP on an interface
Clear   Reset functions
Clear counters   Clears interface counters
Clear interface   Resets the hardware logic on an interface
Clockrate   Sets the clock rate for serial hardware connections, such as the rate accepted by network interface modules and interface processors
Cmt   Starts/stops FDDI connection management functions
Config-register   Modifies the configuration register settings
Configure   Enters an existing configuration mode, to maintain and save configuration information at the central site
Configure memory   Loads configuration information from NVRAM
Configure terminal   Configures manually from the terminal
Connect   Opens a terminal connection
Copy   Copies configuration or image data
Copy flash tftp   Backs up the system image file to a TFTP server
Copy running-config startup-config   Saves the current configuration in RAM to NVRAM
Copy running-config tftp   Saves the current configuration in RAM to a network TFTP server
Copy tftp flash   Downloads a new image from a TFTP server to Flash
Copy tftp running-config   Downloads a configuration file from a TFTP server
Debug   Uses debugging functions
Debug dialer   Displays what number an interface is dialing and similar information
Debug ip rip   Displays RIP routing update data
Debug ipx routing activity   Displays information about routing protocol (RIP) update packets
Debug ipx sap   Displays information about SAP (Service Advertising Protocol) update packets
Debug isdn q921   Displays the data link layer (Layer 2) access procedures taking place on the router's ISDN D channel interface
Debug ppp   Displays the traffic and exchanges occurring in the PPP implementation
Delete   Deletes a file
Deny   Sets conditions for a named IP ACL
Dialer idle-timeout   Specifies the length of idle time before the line is disconnected
Dialer map   Configures a serial interface to call one or more sites
Dialer wait-for-carrier-time   Specifies how long to wait for a carrier
Dialer-group   Controls access by configuring an interface to belong to a specific dialer group
Dialer-list protocol   Defines a dial-on-demand routing (DDR) dialer list to control dialing by protocol or by a combination of an ACL and a protocol
Dir   Displays the files on a given device
Disable   Exits privileged mode
Disconnect   Disconnects an established connection
Enable   Enters privileged mode
Enable password   Sets a password to prevent unauthorized access to the router

Enable password   Sets local passwords to control access to different privilege levels
Enable secret   Defines an additional layer of security for the enable password command (enforced security; the password is not displayed in clear text)
Encapsulation frame-relay   Enables Frame Relay encapsulation
Encapsulation novell-ether   Specifies the Novell-unique format used on the network segment
Encapsulation PPP   Sets PPP as the encapsulation method used by a serial or ISDN interface
Encapsulation sap   Specifies the Ethernet 802.2 format used on the network segment; Cisco's keyword for it is sap
End   Exits configuration mode
Erase   Erases flash memory or the configuration cache
Erase startup-config   Erases the contents of NVRAM
Exec-timeout   Configures how long the EXEC command interpreter waits before detecting user input
Exit   Exits all configuration modes, or closes an active terminal session and terminates the EXEC
Exit   Terminates any configuration mode, or closes an active session and ends the EXEC
format   Formats a device
Frame-relay local-dlci   Enables the Local Management Interface (LMI) for a serial line using Frame Relay encapsulation
Help   Gets the interactive help system
History   Views the command history
Hostname   Configures the router with a host name, which is used in the prompt and as the default file name
Interface   Sets the interface type and enters interface configuration mode
Interface   Configures the interface type and enters interface configuration mode
Interface serial   Selects an interface and enters interface configuration mode
Ip access-group   Controls access to an interface
Ip address   Sets the network logical address of an interface
Ip address   Sets an interface address and subnet mask and starts IP processing
Ip default-network   Establishes a default route
Ip domain-lookup   Allows the router to use DNS by default
Ip host   Defines a static host-name-to-IP-address mapping
Ip name-server   Specifies up to six server addresses for name-to-address resolution
Ip route   Establishes a static route
Ip unnumbered   Enables Internet Protocol (IP) processing on a serial interface without assigning it an explicit IP address
Ipx delay   Sets the tick count
Ipx ipxwan   Enables the IPXWAN protocol on a serial interface
Ipx maximum-paths   Sets the number of equal-cost paths Cisco IOS software uses when forwarding packets
Ipx network   Enables Internetwork Packet Exchange (IPX) routing on a particular interface and selects the encapsulation type (frame encapsulation)
Ipx router   Specifies the routing protocol to use
Ipx routing   Enables IPX routing
Ipx sap-interval   Sets less frequent SAP (Service Advertising Protocol) updates on slower links
Ipx type-20-input-checks   Restricts the propagation of IPX type 20 packet broadcasts


Opening post of 2007, which I kept putting off

Today is 2007.1.6

Actually I wanted to write on the 1st, but I have always positioned my blog as a technical blog, and lately I have only been reading books and doing fewer labs, so I felt there was nothing to write about.

Reading today, two problems left me puzzled. I will leave the first for now; I probably have not thought it through or got something wrong. Let me talk about this one:

Case 13.1.2 on page 494 of Routing TCP/IP Volume I: the book holds that mutual redistribution causes problems if there is no filtering, but in practice that is not what happens; it works fine without filtering too. The lab environment was IOS 12.2 on a 3620 platform. I wonder what everyone thinks about that problem. I believe it is the Cisco router making an intelligent decision.

Networks in the RIP domain ----------> redistributed into OSPF

OSPF networks -----------> redistributed back into RIP

At this point the middle router and the other OSPF routers on the right have the same LSA database, which holds the RIP-domain networks in the form of type-5 LSAs.
By the conventional view (or the view in the last paragraph of that example), the middle router should now use the OSPF entries to reach the RIP domain, since OSPF's administrative distance is lower than RIP's; but that is not what happens: the middle router's entries for the networks on the left still go via RIP.

In fact, without filtering, the routers on the two sides do not get confused by the mutual redistribution.
