
This document explains how to use Network Address Translation (NAT) to connect a single machine with a single public (outside) IP address, while simultaneously translating several other machines to a different Internet IP address. This type of configuration is common for many small offices running an internal web server. The features used in this HOW TO are STATIC NAT and MASQUERADE NAT.
Network Address Translation (NAT) is most often used to allow a large number of machines to connect to the Internet using a single IP address. Often a service provider will assign a small group of IP addresses (4 - 16 addresses) to a site which needs to connect multiple computers (30 or more computers) to the Internet.
Note: Throughout this document, the addresses 10.192.192.0 - 255 will be used to represent the "public IP address block". The addresses 192.168.0.0 - 255 will be used to represent the "private IP address block". For more information on public and private IP addressing see RFC 1918 (ftp://ftp.rfc-editor.org/in-notes/rfc1918.txt) or the Vyatta Knowledge Base Entry "Public and Private IP Addresses Explained".
Please be sure to replace the addresses used for this document with the addresses assigned by your Internet Service Provider (ISP).
PROCEDURE
Configure the primary IP address on the outside interface
Configure the secondary IP address on the outside interface
Configure the primary IP address on the inside interface
Configure a default gateway
Configure an outbound STATIC NAT rule
Configure an inbound STATIC NAT rule
Configure an outside MASQUERADE rule
Test the configuration
1. Configure the primary IP address on the outside interface
Configuration of the primary IP address of the router on the outside interface sets up the router to connect to the Internet. This is also the address which will be used for the MASQUERADE NAT rule. Many hosts on the inside of the network will use this IP address when connecting to the Internet.
set interfaces ethernet eth0 address 10.192.192.2 prefix-length 24
2. Configure the secondary IP address on the outside interface
The secondary IP address on the outside interface is the Internet-facing IP address of the web server.
set interfaces ethernet eth0 address 10.192.192.84 prefix-length 24
3. Configure the primary IP address on the inside interface
The primary IP address on the inside interface will be the IP address on the local office LAN. This address will be used as the default gateway for all PCs on the local network.
set interfaces ethernet eth1 address 192.168.0.1 prefix-length 24
4. Configure a default gateway
The default gateway is an address which is assigned by an Internet Service Provider (ISP) to a customer. The default gateway address is the IP address of the router at the ISP which will receive all traffic destined for the Internet.
set system gateway-address 10.192.192.1
5. Configure the outbound STATIC NAT rule
The outbound STATIC NAT rule configures the Vyatta router to send all traffic it receives from the web server's address on the office LAN using the outside address of the web server on the Internet.
set service nat rule 13
set service nat rule 13 type source
set service nat rule 13 outbound-interface eth0
set service nat rule 13 protocols all
set service nat rule 13 source address 192.168.0.17
set service nat rule 13 destination network 0.0.0.0/0
set service nat rule 13 outside-address address 10.192.192.84
6. Configure an inbound STATIC NAT rule
The inbound STATIC NAT rule configures the Vyatta router to send all traffic it receives from the Internet on the outside address of the web server to its inside address.
set service nat rule 14
set service nat rule 14 type destination
set service nat rule 14 inbound-interface eth0
set service nat rule 14 protocols all
set service nat rule 14 source network 0.0.0.0/0
set service nat rule 14 destination address 10.192.192.84
set service nat rule 14 inside-address address 192.168.0.17
7. Configure an outside MASQUERADE rule
The outside MASQUERADE rule configures the Vyatta router to send any traffic from the office LAN to the Internet using the outside IP address of the Vyatta router. MASQUERADE is used only for outbound traffic. Return traffic belonging to an outbound session which originated from the office LAN will be associated with the originating host.
set service nat rule 20
set service nat rule 20 type masquerade
set service nat rule 20 outbound-interface eth0
set service nat rule 20 protocols all
set service nat rule 20 source network 192.168.0.0/24
set service nat rule 20 destination network 0.0.0.0/0
8. Test the configuration
Using a web browser, go to a site such as http://www.whatismyip.com/ from the STATIC NAT'ed machine, in this case the web server. The IP address which should appear is 10.192.192.84.
Using a web browser, go to http://www.whatismyip.com/ from a MASQUERADEd machine, in this case any machine on the office LAN which is not the web server. The IP address which should appear is 10.192.192.1.
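The following is an added example, not part of the Vyatta article or its software: a small Python model of the three NAT rules configured in steps 5 to 7, using the document's sample addresses. It shows why the rule numbers matter: Vyatta evaluates rules in ascending order, so source rule 13 claims the web server's packets before masquerade rule 20 is considered, and masquerade rewrites to the primary address from step 1. The Internet host 198.51.100.9 is a constructed sample value.

```python
# Added example, not from the Vyatta article: a model of how NAT rules
# 13, 14 and 20 rewrite addresses. Rules are tried in ascending number
# order and the first match wins, as on the router.
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, replace

ETH0_PRIMARY = "10.192.192.2"  # step 1: the address MASQUERADE hides hosts behind

@dataclass(frozen=True)
class Packet:
    in_iface: str  # interface the packet arrived on
    src: str
    dst: str

# (rule, type, interface, match source, match destination, address to write)
RULES = [
    (13, "source",      "eth0", "192.168.0.17/32", "0.0.0.0/0",        "10.192.192.84"),
    (14, "destination", "eth0", "0.0.0.0/0",       "10.192.192.84/32", "192.168.0.17"),
    (20, "masquerade",  "eth0", "192.168.0.0/24",  "0.0.0.0/0",        ETH0_PRIMARY),
]

def _matches(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def translate(pkt: Packet, out_iface: str) -> tuple[Packet, int | None]:
    """Apply the first matching rule; return the rewritten packet and rule number.

    source/masquerade rules are keyed on the outbound-interface (egress),
    destination rules on the inbound-interface (ingress). All three rules
    use 'protocols all', so no protocol check is needed in this model.
    """
    for num, kind, iface, src_net, dst_net, new_addr in sorted(RULES):
        if kind == "destination":
            if pkt.in_iface != iface:
                continue
        elif out_iface != iface:
            continue
        if not (_matches(pkt.src, src_net) and _matches(pkt.dst, dst_net)):
            continue
        if kind == "destination":
            return replace(pkt, dst=new_addr), num
        return replace(pkt, src=new_addr), num
    return pkt, None  # no rule matched: addresses pass through unchanged

if __name__ == "__main__":
    # Constructed sample: 198.51.100.9 stands in for a host on the Internet.
    print(translate(Packet("eth1", "192.168.0.17", "198.51.100.9"), "eth0"))  # rule 13
    print(translate(Packet("eth1", "192.168.0.55", "198.51.100.9"), "eth0"))  # rule 20
    print(translate(Packet("eth0", "198.51.100.9", "10.192.192.84"), "eth1"))  # rule 14
```

Because rule 14 is "protocols all", the model forwards every inbound port on 10.192.192.84 to the web server, which is worth keeping in mind when deciding what firewall policy to apply on eth0.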
MORE INFORMATION
For more information about the Vyatta CLI see the Vyatta website at: http://www.vyatta.com/documentation
For more information on RFC 1918: ftp://ftp.rfc-editor.org/in-notes/rfc1918.txt
Vyatta Knowledge Base "Public and Private IP Addresses Explained"
REFERENCES
RFC 1918: ftp://ftp.rfc-editor.org/in-notes/rfc1918.txt
LAST REVISED
25-NOV-2007 - spk
Applies to Product
Vyatta Software - Not Hardware Specific
Vyatta 514
Non-Vyatta Hardware
Vyatta 2501
Applies to Software
v2.3.1
v2.3
v2.2