zugunder Posted March 4, 2008

Gurus, please tell me how to correctly set up a translation so that host 172.16.1.29 is reachable from outside as 1.1.1.4, given that the 172.16.1.x network has its own default gateway with an uplink to a different provider. A diagram of the network is attached. Here is the current config:
---------------------
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname c2851
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxDELETEDxxx
enable password xxxDELETEDxxx
!
aaa new-model
!
aaa authentication login default local
aaa authentication ppp default local group radius
aaa authorization exec default local
aaa authorization network default local group radius if-authenticated
!
aaa session-id common
!
ip cef
!
no ip domain lookup
ip domain name FOOBAR.COM
ip inspect name INSPEKTOR tcp
ip inspect name INSPEKTOR udp
ip inspect name INSPEKTOR icmp
ip inspect name INSPEKTOR pptp
ip inspect name INSPEKTOR smtp
ip inspect name INSPEKTOR ftp
ip inspect name INSPEKTOR cuseeme
ip inspect name INSPEKTOR dns
ip inspect name INSPEKTOR https
ip inspect name INSPEKTOR http
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip dhcp-server 10.0.0.2
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 l2tp tunnel receive-window 1024
 ip pmtu
 ip mtu adjust
!
voice-card 0
 no dspfarm
!
username xxxDELETEDxxx privilege 15 password 0 xxxDELETEDxxx
archive
 log config
  hidekeys
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
track 1 rtr 1 reachability
 delay down 10 up 30
!
interface GigabitEthernet0/0
 description LAN1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map GEN-POLICY
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description TO_LAN2
 ip address 172.16.1.3 255.255.255.224
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
 description UPLINK_ISP1
 ip address 1.1.1.2 255.255.255.248
 ip nat outside
 ip inspect INSPEKTOR out
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/3/0
 description UPLINK_ISP2
 ip address 2.2.2.2 255.255.255.252
 ip access-group fw_in in
 ip nat outside
 ip inspect INSPEKTOR out
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1400
 autodetect encapsulation ppp
 peer default ip address dhcp
 no keepalive
 compress mppc
 ppp encrypt mppe auto
 ppp authentication ms-chap-v2 callin
 ppp timeout idle 600
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.1.1.1 track 1
ip route 0.0.0.0 0.0.0.0 2.2.2.1 50
ip route 192.168.193.0 255.255.255.0 10.0.0.254
ip route 192.168.200.0 255.255.255.0 10.0.0.254
ip route 192.168.212.0 255.255.255.0 172.16.1.2
!
no ip http server
no ip http secure-server
ip nat inside source route-map ISP1-NAT interface FastEthernet0/1/0 overload
ip nat inside source route-map NAT_TO_LAN2 interface GigabitEthernet0/1 overload
ip nat inside source route-map ISP2-NAT interface FastEthernet0/3/0 overload
ip nat inside source static tcp 10.0.0.2 20 2.2.2.2 20 extendable
ip nat inside source static tcp 10.0.0.2 21 2.2.2.2 21 extendable
ip nat inside source static tcp 10.0.0.5 25 2.2.2.2 25 extendable
ip nat inside source static tcp 10.0.0.7 443 2.2.2.2 443 extendable
ip nat inside source static tcp 10.0.0.2 20 1.1.1.3 20 extendable
ip nat inside source static tcp 10.0.0.2 21 1.1.1.3 21 extendable
ip nat inside source static tcp 10.0.0.5 25 1.1.1.3 25 extendable
ip nat inside source static tcp 10.0.0.7 443 1.1.1.3 443 extendable
ip nat inside source static tcp 172.16.1.29 21 1.1.1.4 21 extendable
!
ip access-list extended fw_in
 permit gre any any
 permit tcp any any established
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 permit tcp any host 2.2.2.2 eq 22
 permit tcp any host 1.1.1.2 eq 22
 permit tcp any host 2.2.2.2 eq 1723
 permit tcp any host 1.1.1.2 eq 1723
 permit tcp any host 2.2.2.2 eq smtp
 permit tcp any host 2.2.2.2 eq 443
 permit tcp any host 2.2.2.2 eq ftp
 permit tcp any host 2.2.2.2 eq ftp-data
 permit tcp any host 1.1.1.3 eq smtp
 permit tcp any host 1.1.1.3 eq 443
 permit tcp any host 1.1.1.3 eq ftp
 permit tcp any host 1.1.1.3 eq ftp-data
 permit tcp any host 1.1.1.4 eq ftp
 permit tcp any host 1.1.1.4 eq ftp-data
 deny ip any any
!
ip sla 1
 icmp-echo 192.58.128.30 source-interface FastEthernet0/1/0
 timeout 1000
 threshold 3
 frequency 10
ip sla schedule 1 life forever start-time now
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 172.16.1.0 0.0.0.255
access-list 2 permit 172.16.1.29
access-list 102 permit tcp any host some.outside.box.address eq 22
access-list 104 permit ip 10.0.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 104 permit ip 10.0.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 105 permit icmp any host 192.58.128.30 echo
access-list 106 permit ip any 172.16.1.0 0.0.0.255
access-list 107 permit tcp any host 1.1.1.4 eq ftp
!
route-map NAT_TO_LAN2 permit 10
 match ip address 106
 match interface GigabitEthernet0/1
!
route-map GEN-POLICY permit 5
 match ip address 102
 set ip next-hop 2.2.2.1
!
route-map GEN-POLICY permit 10
 match ip address 105
 set ip next-hop 1.1.1.1
!
route-map ISP2-NAT permit 10
 match ip address 1
 match interface FastEthernet0/3/0
!
route-map ISP1-NAT deny 5
 match ip address 102
 match interface FastEthernet0/1/0
!
route-map ISP1-NAT deny 6
 match ip address 103
 match interface FastEthernet0/1/0
!
route-map ISP1-NAT deny 7
 match ip address 104
 match interface FastEthernet0/1/0
!
route-map ISP1-NAT permit 10
 match ip address 1
 match interface FastEthernet0/1/0
!
radius-server configure-nas
radius-server host 10.0.0.5 auth-port 1645 acct-port 1646
radius-server key xxxDELETEDxxx
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password xxxDELETEDxxx
 transport input ssh
!
scheduler allocate 20000 1000
!
event manager applet ISP_SWITCHED
 event track 1
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat trans forced"
!
end
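As an added example (not from this thread or the poster's router): a small Python check that cross-references the static NAT entries in the config above with the per-host permits in fw_in, reporting published services the ACL would drop and permits with no translation behind them. The excerpt embedded below is taken from the posted config, trimmed to the 1.1.1.x entries; the router-address set {1.1.1.2} is the poster's UPLINK_ISP1 address, whose ssh/pptp permits are for the router itself.

```python
import re

# Excerpt of the posted config (ISP1 side only, to keep it short); not the full running-config.
CONFIG = """
ip nat inside source static tcp 10.0.0.2 20 1.1.1.3 20 extendable
ip nat inside source static tcp 10.0.0.2 21 1.1.1.3 21 extendable
ip nat inside source static tcp 10.0.0.5 25 1.1.1.3 25 extendable
ip nat inside source static tcp 10.0.0.7 443 1.1.1.3 443 extendable
ip nat inside source static tcp 172.16.1.29 21 1.1.1.4 21 extendable
ip access-list extended fw_in
 permit tcp any host 1.1.1.2 eq 22
 permit tcp any host 1.1.1.2 eq 1723
 permit tcp any host 1.1.1.3 eq smtp
 permit tcp any host 1.1.1.3 eq 443
 permit tcp any host 1.1.1.3 eq ftp
 permit tcp any host 1.1.1.3 eq ftp-data
 permit tcp any host 1.1.1.4 eq ftp
 permit tcp any host 1.1.1.4 eq ftp-data
"""
# IOS port keywords that appear in the ACL above; numeric ports pass through unchanged.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "smtp": 25}
NAT_RE = re.compile(r"ip nat inside source static tcp (\S+) (\d+) (\S+) (\d+)")
ACL_RE = re.compile(r"permit tcp any host (\S+) eq (\S+)")

def port(token):
    return PORT_NAMES.get(token) or int(token)

def parse(config):
    """Return ({(global_ip, port): (inside_ip, port)}, {(ip, port) permitted by the ACL})."""
    nat, acl = {}, set()
    for line in config.splitlines():
        if m := NAT_RE.search(line):
            nat[(m[3], int(m[4]))] = (m[1], int(m[2]))
        elif m := ACL_RE.search(line):
            acl.add((m[1], port(m[2])))
    return nat, acl

def audit(config, router_addrs):
    """Published services the ACL would drop, and ACL host permits with no translation behind them.
    router_addrs: interface addresses whose permits (ssh, pptp) are for the router itself."""
    nat, acl = parse(config)
    unreachable = sorted(k for k in nat if k not in acl)
    dangling = sorted(k for k in acl if k not in nat and k[0] not in router_addrs)
    return unreachable, dangling

if __name__ == "__main__":
    unreachable, dangling = audit(CONFIG, {"1.1.1.2"})
    print("static NAT without matching permit:", unreachable)
    print("permit without static NAT behind it:", dangling)
```

On this excerpt the only finding is the ftp-data permit to 1.1.1.4, which has no static translation behind it. Note that in the posted config fw_in is applied inbound only on FastEthernet0/3/0, so its 1.1.1.x permits are not enforced on the ISP1 uplink; the check covers consistency between the two lists, not what FastEthernet0/1/0 actually filters.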
zugunder (Author) Posted March 5, 2008

I've already read that :) I need two translations at the same time: one inside source and one outside source. The question is how to do overload onto a single address with nat outside source? :)