Sender: ciscomyrice (pingcisco)
Compiled by: firphoenix (2001-11-06 11:45:22), site mail
NAT Configuration
The following commands identify the pool of inside global and outside local addresses available for assignment to NAT1. Also shown are the required interface commands.
ip nat pool iga 140.16.10.1 140.16.10.254 netmask 255.255.255.0
ip nat pool ola 192.168.1.1 192.168.1.254 netmask 255.255.255.0
ip nat inside source list 1 pool iga
ip nat outside source list 2 pool ola
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 2 permit any
!
interface s 0
! Link to Upstream ISP
ip address <address> <netmask>
ip nat outside
interface e 0
! Link to Internal Network
ip address <address> <netmask>
ip nat inside
!
! Default route from inside to outside
ip route 192.168.1.0 255.255.255.0 serial 0
The following commands on NAT1 are necessary for the DNS bootstrapping.
! mapping for the internal DNS server
ip nat inside source static 10.20.20.10 140.16.10.254
! mapping for the forwarder
ip nat outside source static 128.9.0.107 192.168.1.254
The following commands on NAT1 are necessary to advertise into interior routing (OSPF) direct reachability to the outside local addresses.
router ospf 1
redistribute static
ip route 192.168.1.0 255.255.255.0 null 0
The following commands identify the pool of inside global and outside local addresses available for assignment to NAT2. Also shown are the required interface commands.
ip nat pool iga 193.17.15.1 193.17.15.254 netmask 255.255.255.0
ip nat pool ola 192.168.2.1 192.168.2.254 netmask 255.255.255.0
ip nat inside source list 1 pool iga
ip nat outside source list 2 pool ola
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 2 permit any
!
interface s 0
! Link to Upstream ISP
ip address <address> <netmask>
ip nat outside
interface e 0
! Link to Internal Network
ip address <address> <netmask>
ip nat inside
!
! Default route from inside to outside
ip route 192.168.2.0 255.255.255.0 serial 0
The following commands on NAT2 are necessary for the DNS bootstrapping.
! mapping for the internal DNS server
ip nat inside source static 10.20.20.10 193.17.15.250
! mapping for the forwarder
ip nat outside source static 128.9.0.107 192.168.2.254
The following commands on NAT2 are necessary to advertise into interior routing (OSPF) direct reachability to the outside local addresses.
router ospf 1
redistribute static
ip route 192.168.2.0 255.255.255.0 null 0
Mapping for DNS Servers
The address translation tables maintained by the NATs have to be preconfigured to enable communication between the DNS server(s) within the enterprise and the DNS server(s) outside the enterprise that the internal DNS server(s) use to resolve DNS queries.
We assume the following DNS scenario throughout this paper:
1. Clients in the foo.com domain use ns.foo.com as their default DNS server.
2. All DNS queries which cannot be handled out of the ns.foo.com cache are forwarded, either through NAT1 or NAT2, to an external DNS server at 128.9.0.107 (OG).
3. The ns.foo.com DNS server provides recursive resolution.
4. Clients in the bar.com domain use ns.bar.com as their default DNS server.
5. The ns.bar.com DNS server provides recursive resolution.
DNS Configuration
Shown below are the DNS files for the DNS server (ns.foo.com) inside the enterprise that is authoritative for the foo.com zone. Note that these configuration files do not fully represent all the necessary configuration that may be needed in an operational environment.
Setting Up a Boot File
Here we configure db.foo as the database for local host name to address mappings, and db.10 as the database for local address to host name mappings.
; BSDI $Id: named.boot.sample,v 2.1 1996/01/16 17:39:49 polk Exp $
; @(#)named.boot 8.1 (Berkeley) 6/9/93
directory /etc/namedb
primary foo.com db.foo
primary 10.in-addr.arpa db.10
;
; the following two lines are for handling queries for PTR RRs for hosts outside the
; enterprise
primary 1.168.192.in-addr.arpa db.192.168.1
primary 2.168.192.in-addr.arpa db.192.168.2
;
forwarders 192.168.1.254 192.168.2.254 ; Outside Local addresses
options forward-only
;
primary 0.0.127.in-addr.arpa localhost.rev
db.foo file
The file db.foo contains the name to address mappings for hosts within the enterprise.
;
@ IN SOA ns.foo.com. hostmaster.ns.foo.com. (
2 ; Serial number
3600 ; Refresh every 2 days
3600 ; Retry every hour
3600 ; Expire every 20 days
3600 ) ; Minimum 2 days
;
; Name Servers
foo.com. IN NS ns.foo.com.
;
; Addresses
ns.foo.com. IN A 10.20.20.10 ; Inside Local address
;
x.foo.com. IN A 10.1.1.1 ; Inside Local address
;
nat1-ns.foo.com. IN A 192.168.1.254 ; Outside Local address
nat2-ns.foo.com. IN A 192.168.2.254 ; Outside Local address
db.10 File
The file db.10 contains mapping of internal local addresses to host names.
;
; Reverse address resolution for local network addresses
;
@ IN SOA ns.foo.com. hostmaster.ns.foo.com. (
2 ; Serial number
600 ; Refresh every 2 days
3600 ; Retry every hour
600 ; Expire every 20 days
600 ) ; Minimum 2 days
;
; Name Servers
10.in-addr.arpa. IN NS ns.foo.com.
;
; Addresses
10.20.20.10.in-addr.arpa. IN PTR ns.foo.com.
1.1.1.10.in-addr.arpa. IN PTR x.foo.com.
;
db.192.168.1
The file db.192.168.1 contains the information needed to resolve DNS queries for PTR RRs that originate within the enterprise:
;
; Reverse address resolution for local network addresses
;
@ IN SOA nat1-ns.foo.com. hostmaster.nat1-ns.foo.com. (
2 ; Serial number
600 ; Refresh every 2 days
3600 ; Retry every hour
600 ; Expire every 20 days
600 ) ; Minimum 2 days
;
1.168.192.in-addr.arpa. IN NS nat1-ns.foo.com.
db.192.168.2
The file db.192.168.2 contains the information needed to resolve DNS queries for PTR RRs that originate within the enterprise:
;
; Reverse address resolution for local network addresses
;
@ IN SOA nat2-ns.foo.com. hostmaster.nat2-ns.foo.com. (
2 ; Serial number
600 ; Refresh every 2 days
3600 ; Retry every hour
600 ; Expire every 20 days
600 ) ; Minimum 2 days
;
2.168.192.in-addr.arpa. IN NS nat2-ns.foo.com.
When the NATs are configured as previously described, the address translation table maintained by NAT1 contains the following entries:

Table 1: NAT1 Table

Original Address (OA)   Type   Translated Address (TA)   Type
10.20.20.10             IL     140.16.10.254             IG
140.16.10.254           IG     10.20.20.10               IL
192.168.1.254           OL     128.9.0.107               OG
128.9.0.107             OG     192.168.1.254             OL
The first pair of entries in the table enables the ns.foo.com DNS server to be reached by external hosts via the IG address 140.16.10.254. The second pair of entries enables clients in the foo.com domain to reach their default external DNS server via the OL address 192.168.1.254.
Likewise, the address translation table maintained by NAT2 contains the following entries:

Table 2: NAT2 Table

Original Address (OA)   Type   Translated Address (TA)   Type
10.20.20.10             IL     193.17.15.250             IG
193.17.15.250           IG     10.20.20.10               IL
192.168.2.254           OL     128.9.0.107               OG
128.9.0.107             OG     192.168.2.254             OL
Setting Up the "Glue"
To delegate the subdomain that corresponds to the 140.16.10/24 inside global address block, a DNS server authoritative for the 16.140.in-addr.arpa zone has to contain the following:
10.16.140.in-addr.arpa. 86400 IN NS foo-ns.isp1.com.
The DNS server authoritative for the isp1.com zone has to contain the following:
foo-ns.isp1.com. IN A 140.16.10.254
Note that this causes all DNS queries for PTR RRs with addresses taken from the inside global 140.16.10/24 block to be handled by NAT1.
To delegate the subdomain that corresponds to the 193.17.15/24 inside global address block, a DNS server authoritative for the 17.193.in-addr.arpa zone has to contain the following:
15.17.193.in-addr.arpa. 86400 IN NS foo-ns.isp2.com.
The DNS server authoritative for the isp2.com zone has to contain the following:
foo-ns.isp2.com. IN A 193.17.15.250
Note that this causes all DNS queries for PTR RRs with addresses taken from the inside global 193.17.15/24 block to be handled by NAT2.
A DNS server authoritative for foo.com's parent zone (the ".com" DNS server) must contain the following:
foo 86400 IN NS ns.foo.com.
;
ns.foo.com. 86400 IN A 140.16.10.254 ; Inside Global address
IN A 193.17.15.250 ; Inside Global address
Note that because the enterprise has two NATs, we have two A RRs (even though there is only one DNS server within the enterprise).
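As an added example (not part of the original post or the document it reproduces), the following Python models the static NAT entries of Tables 1 and 2 and the reverse-zone glue above: it computes the in-addr.arpa owner names used in the db.10 file, expands the static mappings into the bidirectional tables, and shows which NAT a PTR query for an inside global address reaches and that both glue A records translate to the single inside DNS server. The names NAT_TABLES, GLUE, translate and ptr_path are the example's own.

```python
import ipaddress

# Static NAT entries taken from the page: (original address, type, translated address, type)
NAT_TABLES = {
    "NAT1": [("10.20.20.10", "IL", "140.16.10.254", "IG"),
             ("192.168.1.254", "OL", "128.9.0.107", "OG")],
    "NAT2": [("10.20.20.10", "IL", "193.17.15.250", "IG"),
             ("192.168.2.254", "OL", "128.9.0.107", "OG")],
}

# Reverse delegations (glue) from the page: reverse zone -> (NS name, its IG address, NAT in front of it)
GLUE = {
    "10.16.140.in-addr.arpa.": ("foo-ns.isp1.com.", "140.16.10.254", "NAT1"),
    "15.17.193.in-addr.arpa.": ("foo-ns.isp2.com.", "193.17.15.250", "NAT2"),
}


def reverse_name(ip):
    """Fully qualified in-addr.arpa owner name for an IPv4 address (trailing dot included)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def translation_table(nat):
    """Expand each static entry into the two rows shown in Tables 1 and 2 (both directions)."""
    rows = []
    for oa, oa_type, ta, ta_type in NAT_TABLES[nat]:
        rows.append((oa, oa_type, ta, ta_type))
        rows.append((ta, ta_type, oa, oa_type))
    return rows


def translate(nat, addr):
    """Return (translated address, type) for addr on the given NAT, or None if untranslated."""
    for oa, _, ta, ta_type in translation_table(nat):
        if oa == addr:
            return ta, ta_type
    return None


def ptr_path(ig_addr):
    """For a PTR query on an inside global address: the delegated reverse zone, the NS named
    in the glue, the NAT that receives the query, and the inside local server it reaches."""
    qname = reverse_name(ig_addr)
    for zone, (ns, ns_ip, nat) in GLUE.items():
        if qname.endswith("." + zone):
            inside = translate(nat, ns_ip)
            return {"qname": qname, "zone": zone, "ns": ns, "nat": nat,
                    "reaches": inside[0] if inside else None}
    return None  # address is not in either delegated inside global block
```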