EVE-NG routing between your lab and real network (static nat one-to-one).

Discussing the site and forum.

Moderator: f0s

vintovkin
VDV
Posts: 1286
Registered: 2007-05-11 9:39:11
From: CSKA

EVE-NG routing between your lab and real network (static nat one-to-one).

Post by vintovkin » 2019-12-31 0:01:20

Hello everybody. You can access your virtual devices for management via SSH and HTTPS from your real network, i.e. your office or home LAN,
and vice versa, for instance if your virtual devices need access to the outside from your lab. Below are the topology and the config for how to do this.

You need to create or edit your /etc/rc.local file according to your IP addressing range; in this scenario the real network is 10.83.0.0/16 and the lab network is 192.168.255.0/24 (please see the topology). In any case, I am sure that you SHOULD change the IP addresses to yours, so please do it. Please reboot EVE-NG for the configuration changes to take effect. Please make a snapshot of your system before you configure it!

Code:

root@eve-ng:~# cat /etc/rc.local
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

# Lab-side address on the Cloud9 interface (R1's default gateway)
ip address add 192.168.255.1/24 dev pnet9

# Secondary address on the management interface; it represents R1 on the real network
ip addr add 10.83.1.111/16 broadcast 10.83.255.255 dev pnet0

# Outbound: packets from R1 leave pnet0 with the secondary address as source
iptables -t nat -A POSTROUTING -o pnet0 -s 192.168.255.2 -j SNAT --to-source 10.83.1.111

# Inbound: packets arriving on pnet0 for the secondary address are forwarded to R1
iptables -t nat -A PREROUTING -i pnet0 -d 10.83.1.111 -j DNAT --to-destination 192.168.255.2

# Turn on IP forwarding so the host routes between pnet0 and pnet9
echo 1 > /proc/sys/net/ipv4/ip_forward

exit 0
root@eve-ng:~#
Description:

ip address add 192.168.255.1/24 dev pnet9
You assign an IP address to the Cloud9 interface, which is directly connected to R1.

ip addr add 10.83.1.111/16 broadcast 10.83.255.255 dev pnet0
You assign a SECONDARY IP address to the pnet0 interface, which is reachable from your real network; after that, you should be able to ping it.

iptables -t nat -A POSTROUTING -o pnet0 -s 192.168.255.2 -j SNAT --to-source 10.83.1.111
iptables -t nat -A PREROUTING -i pnet0 -d 10.83.1.111 -j DNAT --to-destination 192.168.255.2

Static one-to-one NAT with Linux iptables.

echo 1 > /proc/sys/net/ipv4/ip_forward
Enable IP forwarding (routing) in Linux.

Verification:

Code:

root@eve-ng:~# telnet 192.168.255.2
Trying 192.168.255.2...
Connected to 192.168.255.2.
Escape character is '^]'.

       -=R1=-

User Access Verification

Username: ed
Password:
R1#
R1#show ip route | include 0.0.0.0/0
S*    0.0.0.0/0 [250/0] via 192.168.255.1
R1#
R1#ping 192.168.255.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.255.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
R1#
R1#
R1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 17/17/18 ms
R1#
R1#
R1#ping da.ru
Translating "da.ru"

Translating "da.ru"
% Unrecognized host or address, or protocol not running.

R1#conf
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip name
R1(config)#ip name-server 8.8.8.8
R1(config)#ip do
R1(config)#ip domain-
R1(config)#ip domain-lo
R1(config)#ip domain-lookup
R1(config)#
R1(config)#
R1(config)#do ping da.ru
Translating "da.ru"...domain server (8.8.8.8) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 193.36.35.113, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 11/11/12 ms
R1(config)#
R1(config)#no ip domain-lookup
R1(config)#no ip name-server 8.8.8.8
R1(config)#end
R1#
R1#wr
Building configuration...
[OK]
R1#
You can add one more SECONDARY IP address and iptables entries for another virtual device. But you can also create port forwarding on R1 (the Cisco router) in this scenario for downstream devices in your lab, like this:

Code:

R1#show running-config | include nat
 ip nat inside
 ip nat inside
 ip nat outside
ip nat inside source static tcp 10.1.3.3 23 10.1.4.10 23 extendable
ip nat inside source static 3.3.3.1 10.1.4.100
ip nat inside source static tcp 10.0.22.222 22 192.168.255.2 2222 extendable
ip nat inside source static tcp 10.0.22.223 22 192.168.255.2 2223 extendable
ip nat inside source static tcp 10.1.4.1 22 192.168.255.2 2333 extendable
ip nat inside source static tcp 10.0.30.1 443 192.168.255.2 4333 extendable
ip nat inside source static tcp 10.0.30.1 80 192.168.255.2 8888 extendable
R1#
Or you can access them directly from the Cisco router; it depends on your choice:

Code:

R1#show ip route isis | begin Gateway
Gateway of last resort is 192.168.255.1 to network 0.0.0.0

      2.0.0.0/32 is subnetted, 4 subnets
i L2     2.2.2.1 [115/10] via 10.1.1.2, 2d01h, Ethernet0/0
i L2     2.2.2.2 [115/10] via 10.1.1.2, 2d01h, Ethernet0/0
i L2     2.2.2.4 [115/10] via 10.1.1.2, 2d01h, Ethernet0/0
      10.0.0.0/8 is variably subnetted, 12 subnets, 3 masks
i L2     10.0.20.0/24 [115/30] via 10.1.1.2, 2d01h, Ethernet0/0
                      [115/30] via 10.0.30.3, 2d01h, Ethernet0/3.10
i L2     10.0.22.222/32 [115/30] via 10.1.1.2, 2d01h, Ethernet0/0
                        [115/30] via 10.0.30.3, 2d01h, Ethernet0/3.10
i L2     10.0.22.223/32 [115/20] via 10.0.30.3, 2d01h, Ethernet0/3.10
i L2     10.0.23.0/24 [115/20] via 10.0.30.3, 2d01h, Ethernet0/3.10
R1#
R1#telnet 10.0.22.222
Trying 10.0.22.222 ... Open
-=vmx1=-

vmx1 (ttyp0)

login: ed
Password:

--- JUNOS 14.1R1.10 built 2014-06-07 09:37:07 UTC
ed@vmx1>

ed@vmx1> show system users
11:20PM  up 4 days,  7:14, 1 user, load averages: 0.37, 2.09, 1.50
USER     TTY      FROM                              LOGIN@  IDLE WHAT
ed       p0       10.1.1.1                         11:20PM     - -cli (cli)

ed@vmx1>

ed@vmx1> quit


[Connection to 10.0.22.222 closed by foreign host]
R1#
I tested access to the Check Point SmartConsole and Cisco ASA ASDM this way; everything works fine!

Helpful commands:

iptables -nvL -t nat

ip addr

cat /proc/sys/net/ipv4/ip_forward


---

PS.
Here is a description of how to do it at the VMware ESXi hypervisor configuration level, but in my case I do not have access to or authorization for vCenter.
https://www.petenetlive.com/KB/Article/0001432
http://www.eve-ng.net/images/EVE-COOK-BOOK-1.2.pdf

PS2.
Here is a description of how to configure NAT overload (one-to-many).
https://d-herrmann.de/2018/04/nat-cloud ... y-edition/

PS3.
Please give us your feedback or let me know if you have any trouble with the configurations.
Attachments
pic1.JPG
EVE-NG topology
Junos OS kernel based on FreeBSD UNIX.

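The rc.local in the post above works, but it has three practical weaknesses: the DNAT rule forwards every port of the secondary address to R1, so every service on the lab router becomes reachable from the office LAN; `ip addr add` and `iptables -A` are not idempotent, so running the script a second time (or by hand after a reboot) aborts under `sh -e` or duplicates the rules; and a mistyped address silently NATs the wrong host. The script below is an added example, not the original poster's code, that implements the same one-to-one NAT with those points addressed. All interface names and addresses (pnet0, pnet9, 10.83.1.111, 192.168.255.2) are assumptions copied from the post's topology and can be overridden in the environment; the exposed-port list defaults to SSH and HTTPS, and an empty list reproduces the post's forward-everything behaviour.

```shell
#!/bin/sh
# Added example (not from the original post): parameterised, validated and
# idempotent version of the one-to-one NAT from the rc.local above.
# Assumed values from the post's topology; override in the environment.
LAB_IF="${LAB_IF:-pnet9}"                 # Cloud9 interface, connected to R1
LAB_GW="${LAB_GW:-192.168.255.1/24}"      # address on LAB_IF (R1's default gateway)
WAN_IF="${WAN_IF:-pnet0}"                 # interface on the real (office/home) LAN
PUB_IP="${PUB_IP:-10.83.1.111}"           # secondary address that represents R1 outside
PUB_PREFIX="${PUB_PREFIX:-16}"
LAB_IP="${LAB_IP:-192.168.255.2}"         # R1's address inside the lab
# TCP ports exposed to the real network. Empty = forward every port (the
# post's behaviour); the default exposes only SSH and HTTPS.
EXPOSE_PORTS="${EXPOSE_PORTS:-22 443}"

# Dotted-quad check, so a typo cannot turn into a rule that NATs the wrong host.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr . ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Print the nat-table rule specs (everything after -A/-C) for the static NAT.
nat_rule_specs() {
    echo "POSTROUTING -o $WAN_IF -s $LAB_IP -j SNAT --to-source $PUB_IP"
    if [ -z "$EXPOSE_PORTS" ]; then
        echo "PREROUTING -i $WAN_IF -d $PUB_IP -j DNAT --to-destination $LAB_IP"
    else
        for p in $EXPOSE_PORTS; do
            echo "PREROUTING -i $WAN_IF -d $PUB_IP -p tcp --dport $p -j DNAT --to-destination $LAB_IP:$p"
        done
    fi
}

# Add an address only if the interface does not carry it yet; a plain
# `ip addr add` fails with "File exists" on a second run and aborts `sh -e`.
ensure_addr() {
    ip -4 addr show dev "$2" 2>/dev/null | grep -Fq "inet $1 " \
        || ip addr add "$1" brd + dev "$2"
}

# Add each rule only when `-C` reports it absent, so re-running never duplicates rules.
apply_nat() {
    nat_rule_specs | while read -r spec; do
        # shellcheck disable=SC2086  # word splitting of $spec is intended
        iptables -t nat -C $spec 2>/dev/null || iptables -t nat -A $spec
    done
}

# True when IP forwarding is on; the optional file argument lets the check
# run against a constructed file instead of /proc.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# `sh nat.sh apply` configures the host (needs root); `sh nat.sh show` prints the plan.
case "${1:-}" in
    apply)
        valid_ipv4 "$PUB_IP" && valid_ipv4 "$LAB_IP" || { echo "bad address" >&2; exit 1; }
        ensure_addr "$LAB_GW" "$LAB_IF"
        ensure_addr "$PUB_IP/$PUB_PREFIX" "$WAN_IF"
        apply_nat
        sysctl -w net.ipv4.ip_forward=1 >/dev/null
        forwarding_enabled && echo "NAT $LAB_IP <-> $PUB_IP is in place"
        ;;
    show)
        nat_rule_specs | sed 's/^/iptables -t nat -A /'
        ;;
esac
```

Call it from /etc/rc.local as `sh /root/nat.sh apply` instead of pasting the raw commands, and add `iptables -t nat -D` rules (or `EXPOSE_PORTS=""`) deliberately rather than widening the DNAT by accident. `iptables -C` needs iptables 1.4.11 or newer, which any supported EVE-NG host has; `sysctl -w` is equivalent to the `echo 1 > /proc/sys/net/ipv4/ip_forward` in the post.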

vintovkin
VDV
Posts: 1286
Registered: 2007-05-11 9:39:11
From: CSKA

EVE-NG routing between your lab and real network (static nat one-to-one).

Post by vintovkin » 2019-12-31 0:03:58

Colleagues, I wrote the article in English so that it would be globally useful for all IT people)). If you need a translation into Russian, please let me know. Many thanks!
Junos OS kernel based on FreeBSD UNIX.

ыть
passing by

EVE-NG routing between your lab and real network (static nat one-to-one).

Post by ыть » 2020-01-01 20:18:19

vintovkin wrote:
2019-12-31 0:03:58
If you need a translation into Russian, please let me know. Many thanks!
It doesn't matter.. any Soviet engineer can make out the language of the fattest and dumbest people in the world.. ))
An overview of the capabilities that distinguish one simulator from another (GNS3 / UNetLab / UNetLab 2.0 / EVE-NG) would be more useful;
the "ABC" we already know ))

Alex Keda
they were shooting...
Posts: 35222
Registered: 2004-10-18 14:25:19
From: Made in USSR

EVE-NG routing between your lab and real network (static nat one-to-one).

Post by Alex Keda » 2020-01-15 9:16:25

Damn, I was sitting here reading and thought maybe you had lost your mind, or some very literate spammers had hijacked your account...
Read it to the end and understood =))
vintovkin wrote:
2019-12-31 0:03:58
Colleagues, I wrote the article in English so that it would be globally useful for all IT people))
Kill them all! God will sort them out later...