IT Notes (IT備忘録)

Cisco
PPPoE + NAT + ACL configuration

This page builds a lab environment in which two sites connect to the Internet over PPPoE and shows example configurations for the Cisco routers.


Network diagram

[Figure: network diagram]


About the lab environment

  • RT-1 and RT-2 are assigned global IP addresses by the PPPoE server.

  • RT-1 and RT-2 synchronize their clocks with the NTP server.

  • Site 1 hosts a PC; site 2 hosts a Web server.

  • The PC at site 1 can SSH to RT-2 and to the Web server at site 2. The Web server's SSH service is published to the Internet on port 22222 rather than on port 22.

  • The MTU is set to 1492 bytes (the PPPoE frame size) to match the lab environment.

    On a FLET'S line, which is common in production, use an MTU of 1454 bytes (the L2TP frame size) and an MSS of 1414 bytes.

    [Figure: frame format diagram for checking MTU/MSS]




RT-1 config

RT-1#show run

version 15.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
service sequence-numbers
no service dhcp
!
hostname RT-1
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 512000
enable secret 5 $1$UZ.d$263eCd7jDVJHAqwgfcFNL0
!
no aaa new-model
clock timezone JST 9 0
!
!
!
no ip bootp server
no ip domain lookup
ip domain name free-ne.com
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp
ip cef
no ipv6 cef
!
!
!
multilink bundle-name authenticated
!
!
!
no spanning-tree vlan 1
username admin secret 5 $1$ztjJ$yET4V3rcbtkvdA9yjTJin.
!
!
!
ip ssh version 2
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Vlan1
 ip address 10.1.1.11 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Async3
 no ip address
 encapsulation slip
!
interface Dialer1
 ip address negotiated
 ip access-group Internet-ACL in
 ip mtu 1492
 ip nat outside
 ip inspect CBAC out
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 10
 ppp authentication chap callin
 ppp chap hostname user1
 ppp chap password 0 cisco
 no cdp enable
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list Internet-PAT interface Dialer1 overload
!
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list standard Internet-PAT
 permit 10.1.1.0 0.0.0.255
ip access-list standard SSH-ACL
 permit 10.1.1.0 0.0.0.255
!
!
ip access-list extended Internet-ACL
 permit udp host 9.9.9.1 eq ntp host 11.11.11.11 eq ntp
 permit icmp any host 11.11.11.11
!
!
!
dialer-list 10 protocol ip permit
no cdp run
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
line con 0
 exec-timeout 60 0
 logging synchronous
 no modem enable
line aux 0
line 3
 modem InOut
 speed 115200
 flowcontrol hardware
line vty 0 4
 access-class SSH-ACL in
 exec-timeout 60 0
 logging synchronous
 login local
 transport input ssh
!
scheduler allocate 20000 1000
ntp server 9.9.9.1
!
end



RT-2 config

RT-2#show run

version 15.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
service sequence-numbers
no service dhcp
!
hostname RT-2
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 512000
enable secret 5 $1$RBil$/zAAQLKQrekcrMgQIHCwW1
!
no aaa new-model
clock timezone JST 9 0
!
!
!
no ip bootp server
no ip domain lookup
ip domain name free-ne.com
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp
ip cef
no ipv6 cef
!
!
!
multilink bundle-name authenticated
!
!
!
no spanning-tree vlan 1
username admin secret 5 $1$hwGG$LTC0VpW218k/mT9dMrcO.0
!
!
!
ip ssh version 2
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Vlan1
 ip address 10.2.1.22 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Async3
 no ip address
 encapsulation slip
!
interface Dialer1
 ip address negotiated
 ip access-group Internet-ACL in
 ip mtu 1492
 ip nat outside
 ip inspect CBAC out
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 10
 ppp authentication chap callin
 ppp chap hostname user1
 ppp chap password 0 cisco
 no cdp enable
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list Internet-PAT interface Dialer1 overload
ip nat inside source static tcp 10.2.1.2 80 22.22.22.22 80 extendable
ip nat inside source static tcp 10.2.1.2 22 22.22.22.22 22222 extendable
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list standard Internet-PAT
 permit 10.2.1.0 0.0.0.255
ip access-list standard SSH-ACL
 permit 11.11.11.11
 permit 10.2.1.0 0.0.0.255
!
ip access-list extended Internet-ACL
 permit udp host 9.9.9.1 eq ntp host 22.22.22.22 eq ntp
 permit icmp any host 22.22.22.22
 permit tcp any host 22.22.22.22 eq www
 permit tcp host 11.11.11.11 host 22.22.22.22 eq 22222
!
dialer-list 10 protocol ip permit
no cdp run
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
line con 0
 exec-timeout 60 0
 logging synchronous
 no modem enable
line aux 0
line 3
 modem InOut
 speed 115200
 flowcontrol hardware
line vty 0 4
 access-class SSH-ACL in
 exec-timeout 60 0
 logging synchronous
 login local
 transport input ssh
!
scheduler allocate 20000 1000
ntp server 9.9.9.1
!
end
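As an added worked example (my own code, not from the original page), the following Python script audits a copy of the RT-2 configuration above against the requirements in the lab description: the MSS clamp on the inside interface must equal the PPPoE MTU minus 40 bytes, every static port forward must have a matching inbound permit in Internet-ACL, and a forward to an administrative service such as SSH must not be permitted from any source (on RT-2 it is correctly limited to RT-1's address 11.11.11.11). It also flags credentials saved with "password 0", which remain in cleartext because service password-encryption is disabled. The sample input is an abridged, constructed copy of the page's RT-2 config; the function names and the IOS port-keyword table are my own and cover only the keywords used here.

```python
import re

# Constructed sample input: an abridged copy of the RT-2 running-config on this page.
RT2_CONFIG = """\
interface Vlan1
 ip address 10.2.1.22 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
interface Dialer1
 ip access-group Internet-ACL in
 ip mtu 1492
 ip nat outside
 ppp chap password 0 cisco
ip nat inside source static tcp 10.2.1.2 80 22.22.22.22 80 extendable
ip nat inside source static tcp 10.2.1.2 22 22.22.22.22 22222 extendable
ip access-list extended Internet-ACL
 permit udp host 9.9.9.1 eq ntp host 22.22.22.22 eq ntp
 permit icmp any host 22.22.22.22
 permit tcp any host 22.22.22.22 eq www
 permit tcp host 11.11.11.11 host 22.22.22.22 eq 22222
"""

PORT_KEYWORDS = {"www": 80, "ssh": 22, "telnet": 23, "ntp": 123}  # IOS port names used here
ADMIN_PORTS = {22, 23, 3389}  # inside services that must not be published to "any"

STATIC_NAT = re.compile(r"ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
# permit <proto> <src>[ eq <sport>] <dst>[ eq <dport>]; src/dst are any | host X | X wildcard
ACE = re.compile(r"permit (tcp|udp) (any|host \S+|\S+ \S+)(?: eq \S+)? "
                 r"(any|host \S+|\S+ \S+)(?: eq (\S+))?")

def parse_blocks(config):
    """Map each top-level IOS line to the list of its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        elif not line.startswith(" "):
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks

def acl_entries(blocks, name):
    """Return (proto, src, dst, dport) for the tcp/udp permits of an extended ACL; dport None = any."""
    aces = []
    for m in filter(None, map(ACE.fullmatch, blocks.get(f"ip access-list extended {name}", []))):
        port = m[4]
        dport = None if port is None else int(port) if port.isdigit() else PORT_KEYWORDS[port]
        aces.append((m[1], m[2], m[3], dport))
    return aces

def static_nat_entries(blocks):
    """Return (proto, inside_ip, inside_port, outside_ip, outside_port) tuples."""
    hits = [STATIC_NAT.match(line) for line in blocks]
    return [(m[1], m[2], int(m[3]), m[4], int(m[5])) for m in hits if m]

def audit(config):
    """Run the consistency checks and return a list of findings (empty = clean)."""
    blocks, findings = parse_blocks(config), []
    outside_if = next(k for k, v in blocks.items()
                      if k.startswith("interface ") and "ip nat outside" in v)
    mtu = next(int(s.split()[2]) for s in blocks[outside_if] if s.startswith("ip mtu "))
    acl_name = next(s.split()[2] for s in blocks[outside_if]
                    if s.startswith("ip access-group ") and s.endswith(" in"))

    # 1. The MSS clamp on inside interfaces must be the PPPoE MTU minus 40 bytes
    #    (20-byte IPv4 header + 20-byte TCP header): 1492 -> 1452, 1454 -> 1414.
    for k, v in blocks.items():
        if k.startswith("interface ") and "ip nat inside" in v:
            mss = next((int(s.split()[3]) for s in v if s.startswith("ip tcp adjust-mss ")), None)
            if mss != mtu - 40:
                findings.append(f"{k}: adjust-mss {mss} should be {mtu - 40} for MTU {mtu}")

    # 2. Each static port forward needs an inbound permit on the outside ACL, and
    # 3. a forward to an admin service (SSH here) must not be permitted from "any".
    aces = acl_entries(blocks, acl_name)
    for proto, in_ip, in_port, out_ip, out_port in static_nat_entries(blocks):
        matching = [a for a in aces if a[0] == proto
                    and a[2] == f"host {out_ip}" and a[3] in (None, out_port)]
        if not matching:
            findings.append(f"static NAT {out_ip}:{out_port} -> {in_ip}:{in_port} "
                            f"has no inbound permit in {acl_name}; it is unreachable")
        elif in_port in ADMIN_PORTS and any(a[1] == "any" for a in matching):
            findings.append(f"static NAT {out_ip}:{out_port} publishes inside port "
                            f"{in_port} to any source; restrict the ACE source")

    # 4. "password 0" keeps the secret in cleartext in the saved config;
    #    "service password-encryption" would at least store it as type 7.
    for k, v in blocks.items():
        findings += [f"{k}: cleartext secret in '{s.rsplit(' ', 1)[0]} ...'"
                     for s in v if " password 0 " in s]
    return findings

if __name__ == "__main__":
    for finding in audit(RT2_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample, the only finding is the cleartext CHAP password on Dialer1; loosening the 22222 permit to "any", deleting the www permit, or changing adjust-mss to 1414 each produces the corresponding finding. The check deliberately ignores the CBAC inspect rule, because inspection only opens return traffic for sessions initiated from inside; unsolicited inbound connections to a static translation still need an explicit permit in the inbound ACL.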



PPPoE server config

C841#show run

version 15.5
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
service sequence-numbers
no service dhcp
!
hostname C841
!
boot-start-marker
boot-end-marker
!
!
logging buffered 512000
enable secret 5 $1$.vFe$X3glXptv2jXtYOqn3xFqB1
!
no aaa new-model
ethernet lmi ce
clock timezone JST 9 0
!
!
!
no ip bootp server
no ip domain lookup
ip domain name free-ne.com
ip cef
no ipv6 cef
!
!
!
no spanning-tree vlan 10
no spanning-tree vlan 20
username admin secret 5 $1$HLPb$sD8LIY1xdcme67UY/K5Kf0
username user1 password 0 cisco
!
redundancy
!
!
!
no cdp run
!
!
!
bba-group pppoe PPPoE1
 virtual-template 1
!
bba-group pppoe PPPoE2
 virtual-template 2
!
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
!
interface Loopback2
 ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet0/0
 no ip address
!
interface GigabitEthernet0/1
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet0/2
 switchport access vlan 20
 no ip address
!
interface GigabitEthernet0/3
 no ip address
!
interface GigabitEthernet0/4
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/5
 ip address 9.9.9.9 255.255.255.0
 duplex auto
 speed auto
!
interface Virtual-Template1
 mtu 1492
 ip unnumbered Loopback1
 peer default ip address pool Pool1
 ppp authentication chap
!
interface Virtual-Template2
 mtu 1492
 ip unnumbered Loopback2
 peer default ip address pool Pool2
 ppp authentication chap
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 no ip address
 pppoe enable group PPPoE1
!
interface Vlan20
 no ip address
 pppoe enable group PPPoE2
!
ip local pool Pool1 11.11.11.11
ip local pool Pool2 22.22.22.22
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip ssh version 2
!
!
!
line con 0
 exec-timeout 60 0
 logging synchronous
 no modem enable
line vty 0 4
 exec-timeout 60 0
 logging synchronous
 login local
 transport input ssh
!
!
monitor session 1 source interface Gi0/2
monitor session 1 destination interface Gi0/0
scheduler allocate 20000 1000
ntp server 9.9.9.1
!
end

Note: a mirror (SPAN) port is configured for packet capture.




The configuration is explained on the following page.