infrastructure-services.nat.static.twice.553889d2

1. Inside Local will translate
2. Inside Global will translate
3. Outside Local will translate
4. Outside Global will translate

1. 553889d2-667e-4bb2-b279-389241d53d29
2. Lab is same to:
   1. infrastructure-services.nat.static.outside.5a390ddc.yaml · master · CCIE Enterprise Infrastructure v1.0 / labs · GitLab
   2. Cisco: Static NAT: ip nat outside source

Common Configuration Snippet

R1

configure terminal
!
interface GigabitEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 no shutdown
interface GigabitEthernet0/1
 ip address 172.16.2.1 255.255.255.0
 no shutdown
!
end

ubuntu-0

#cloud-config
password: cisco
chpasswd: { expire: False }
hostname: ubuntu-0
ssh_pwauth: True
ssh_authorized_keys:
   - ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBIbn2VyO9Mby6BwkijQmGfH8O2+Uqewn0/oIOXOxMNgCZiztR3v2o5n1l9ET1GuN7iVMe9whoUiNuZMUVEv0INb+A6Yd0M/37tlWlC+qbIjjqL6UzJAqRISdGP1oVmnV2g== wnoguchi@lasthope.pg1x.net
packages:
   - curl
   - ftp
   - iperf
   - iperf3
   - netcat-openbsd
   - bind9-utils
write_files:
- path: /etc/netplan/51-cloud-init_static.yaml
  permissions: '0644'
  content: |
     network:
        version: 2
        ethernets:
           ens2:
              match:
                 name: ens2
              addresses:
                 - 172.16.1.101/24
              gateway4: 172.16.1.1
              nameservers:
                 addresses:
                    - 8.8.8.8
                    - 8.8.4.4
                    - 1.1.1.1
runcmd:
   - [ sudo, netplan, generate ]
   - [ sudo, netplan, apply ]

ubuntu-1

#cloud-config
password: cisco
chpasswd: { expire: False }
hostname: ubuntu-1
ssh_pwauth: True
ssh_authorized_keys:
   - ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBIbn2VyO9Mby6BwkijQmGfH8O2+Uqewn0/oIOXOxMNgCZiztR3v2o5n1l9ET1GuN7iVMe9whoUiNuZMUVEv0INb+A6Yd0M/37tlWlC+qbIjjqL6UzJAqRISdGP1oVmnV2g== wnoguchi@lasthope.pg1x.net
packages:
   - curl
   - ftp
   - iperf
   - iperf3
   - netcat-openbsd
   - bind9-utils
write_files:
- path: /etc/netplan/51-cloud-init_static.yaml
  permissions: '0644'
  content: |
     network:
        version: 2
        ethernets:
           ens2:
              match:
                 name: ens2
              addresses:
                 - 172.16.2.102/24
              gateway4: 172.16.2.1
              nameservers:
                 addresses:
                    - 8.8.8.8
                    - 8.8.4.4
                    - 1.1.1.1
runcmd:
   - [ sudo, netplan, generate ]
   - [ sudo, netplan, apply ]

configure terminal
!
ip nat inside source static 172.16.1.101 172.16.2.101
ip nat outside source static 172.16.2.102 172.16.1.102 no-alias
!
interface GigabitEthernet0/0
 ip nat inside
interface GigabitEthernet0/1
 ip nat outside
!
! Seems Invalid on newer IOS because Directly connected route AD is preferred?
ip route 172.16.1.102 255.255.255.255 172.16.2.102
! Seems Invalid Configuration unless Serial Interface or newer IOS version?
!ip route 172.16.1.102 255.255.255.255 GigabitEthernet0/1
!
end

show ip nat translation
show ip route
show running-config | include ip route|ip nat (inside|outside) source
show ip arp

ping 172.16.1.102
ping 172.16.1.101
# success...
ping 172.16.2.102

nc 172.16.1.101 1234
nc -l 1234

ssh 172.16.1.102
ssh 172.16.1.101
# timeout
ssh 172.16.2.102

sudo tcpdump -nni ens2 host 172.16.1.101
# except DNS query, ICMP unreachable
sudo tcpdump -nni ens2 "not port 53 and not icmp[icmptype] == 3"

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
C        172.16.1.0/24 is directly connected, GigabitEthernet0/0
L        172.16.1.1/32 is directly connected, GigabitEthernet0/0
S        172.16.1.102/32 [1/0] via 172.16.2.102
C        172.16.2.0/24 is directly connected, GigabitEthernet0/1
L        172.16.2.1/32 is directly connected, GigabitEthernet0/1
L        172.16.2.101/32 is directly connected, GigabitEthernet0/1

R1(config)#do sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.16.1.1              -   5254.0006.f311  ARPA   GigabitEthernet0/0
Internet  172.16.1.101            0   5254.001a.b554  ARPA   GigabitEthernet0/0
Internet  172.16.2.1              -   5254.001a.b690  ARPA   GigabitEthernet0/1
Internet  172.16.2.101            -   5254.001a.b690  ARPA   GigabitEthernet0/1
Internet  172.16.2.102            0   5254.0017.cd84  ARPA   GigabitEthernet0/1

1. infrastructure-services.nat.static.outside.553889d2.7696e436.lab1-0-wrong.r1ge0-1_ubuntu-1-ens2.pcapng
2. infrastructure-services.nat.static.outside.553889d2.7696e436.lab1-0-wrong.r1ge0-0_ubuntu-0-ens2.pcapng

R1(config)#do sh ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                172.16.1.102       172.16.2.102
tcp 172.16.1.101:22    172.16.1.101:22    172.16.1.102:54376 172.16.2.102:54376
--- 172.16.2.101       172.16.1.101       ---                ---

1. infrastructure-services.nat.static.outside.553889d2.7696e436.lab1-1-icmp.r1ge0-1_ubuntu-1-ens2.pcapng
2. infrastructure-services.nat.static.outside.553889d2.7696e436.lab1-1-icmp.r1ge0-0_ubuntu-0-ens2.pcapng

R1(config)#do sh ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                172.16.1.102       172.16.2.102
icmp 172.16.2.101:3    172.16.1.101:3     172.16.1.102:3     172.16.2.102:3
tcp 172.16.1.101:22    172.16.1.101:22    172.16.1.102:54376 172.16.2.102:54376
--- 172.16.2.101       172.16.1.101       ---                ---

1. infrastructure-services.nat.static.outside.553889d2.7696e436.lab1-2-ssh-from-ubuntu-0.r1ge0-1_ubuntu-1-ens2.pcapng
2. infrastructure-services.nat.static.outside.553889d2.7696e436.lab1-2-ssh-from-ubuntu-0.r1ge0-0_ubuntu-0-ens2.pcapng

R1(config)#do sh ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                172.16.1.102       172.16.2.102
tcp 172.16.1.101:22    172.16.1.101:22    172.16.1.102:54376 172.16.2.102:54376
tcp 172.16.2.101:46378 172.16.1.101:46378 172.16.1.102:22    172.16.2.102:22
tcp 172.16.2.101:46438 172.16.1.101:46438 172.16.1.102:22    172.16.2.102:22
--- 172.16.2.101       172.16.1.101       ---                ---

1. infrastructure-services.nat.static.outside.553889d2.7696e436.lab1-3-ssh-from-ubuntu-1.r1ge0-1_ubuntu-1-ens2.pcapng
2. infrastructure-services.nat.static.outside.553889d2.7696e436.lab1-3-ssh-from-ubuntu-1.r1ge0-0_ubuntu-0-ens2.pcapng

R1(config)#do sh ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                172.16.1.102       172.16.2.102
tcp 172.16.2.101:22    172.16.1.101:22    172.16.1.102:51744 172.16.2.102:51744
--- 172.16.2.101       172.16.1.101       ---                ---

1. 双方向NAT（ Twice NAT ）- Ciscoコンフィグ設定
2. Cisco: Static NAT: ip nat outside source