EVE-NG routing between your lab and real network (static nat one-to-one).

Discussing the site and forum.

Moderator: f0s

vintovkin
ВДВ
Posts: 1288
Joined: 2007-05-11 9:39:11
From: CSKA


Unread post by vintovkin » 2019-12-31 0:01:20

Hello everybody, you can access your virtual devices for management via ssh & https from your real network - office or home LAN.
And vice versa, for instance if your virtual devices need access to the outside from your lab. Below are the topology & config for how to do this.

You need to create or edit your /etc/rc.local file according to your IP addressing range - in this scenario the real network is 10.83.0.0/16 and the lab network is 192.168.255.0/24 (please see topology). Anyway, I'm sure that you SHOULD change the IP addresses to yours - please do it. Please reboot EVE-NG for the configuration changes to take effect. Please make a snapshot of your system before your configuration!

Code:

root@eve-ng:~# cat /etc/rc.local
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

ip address add 192.168.255.1/24 dev pnet9

ip addr add 10.83.1.111/16 broadcast 10.83.255.255 dev pnet0

iptables -t nat -A POSTROUTING -o pnet0 -s 192.168.255.2 -j SNAT --to-source 10.83.1.111

iptables -t nat -A PREROUTING -i pnet0 -d 10.83.1.111 -j DNAT --to-destination 192.168.255.2

echo 1 > /proc/sys/net/ipv4/ip_forward

exit 0
root@eve-ng:~#
Description:

ip address add 192.168.255.1/24 dev pnet9
You assign an IP address to the Cloud9 interface that is directly connected to R1.

ip addr add 10.83.1.111/16 broadcast 10.83.255.255 dev pnet0
You assign the SECONDARY IP address to the pnet0 interface that is accessible from your real network; after that, you should be able to ping it.

iptables -t nat -A POSTROUTING -o pnet0 -s 192.168.255.2 -j SNAT --to-source 10.83.1.111
iptables -t nat -A PREROUTING -i pnet0 -d 10.83.1.111 -j DNAT --to-destination 192.168.255.2

Static NAT one-to-one with Linux iptables.

echo 1 > /proc/sys/net/ipv4/ip_forward
Enable Linux IP routing.
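As an added example (not part of the original post), here is a small Python checker that reads an rc.local like the one above and flags the mistakes this setup is prone to: a broadcast that does not match the prefix length, SNAT and DNAT rules that do not mirror each other, forwarding left off, and a DNAT that forwards every port of the lab device when only ssh/https management is wanted. The function names and the INFO/ERROR prefixes are my own; the sample input is a constructed copy of the rc.local from the post.

```python
import ipaddress
import shlex

# Constructed sample input: the rc.local from the post above, minus its comments.
RC_LOCAL = """#!/bin/sh -e
ip address add 192.168.255.1/24 dev pnet9
ip addr add 10.83.1.111/16 broadcast 10.83.255.255 dev pnet0
iptables -t nat -A POSTROUTING -o pnet0 -s 192.168.255.2 -j SNAT --to-source 10.83.1.111
iptables -t nat -A PREROUTING -i pnet0 -d 10.83.1.111 -j DNAT --to-destination 192.168.255.2
echo 1 > /proc/sys/net/ipv4/ip_forward
exit 0
"""

def _opt(argv, flag):
    """Value following `flag` in an argv list, or None if the flag is absent."""
    return argv[argv.index(flag) + 1] if flag in argv else None

def check_rc_local(text):
    """Return a list of findings; an empty list means the 1:1 NAT is consistent."""
    findings, snat, dnat, forward = [], {}, {}, False
    for line in text.splitlines():
        argv = shlex.split(line, comments=True)  # comment lines become []
        if argv[:1] == ["ip"] and argv[1:3] in (["addr", "add"], ["address", "add"]):
            # A broadcast given on the command line must match the prefix length.
            iface = ipaddress.ip_interface(argv[3])
            brd = _opt(argv, "broadcast")
            if brd and ipaddress.ip_address(brd) != iface.network.broadcast_address:
                findings.append(f"ERROR: broadcast {brd} does not match {iface}")
        elif argv[:1] == ["iptables"] and "SNAT" in argv:
            snat[_opt(argv, "-s")] = _opt(argv, "--to-source")
        elif argv[:1] == ["iptables"] and "DNAT" in argv:
            pub, lab = _opt(argv, "-d"), _opt(argv, "--to-destination")
            dnat[pub] = lab
            if "--dport" not in argv and "--dports" not in argv:
                findings.append(f"INFO: DNAT {pub} -> {lab} forwards every port; "
                                "add -p tcp --dport if only ssh/https are needed")
        elif argv[:2] == ["echo", "1"] and argv[-1].endswith("/ip_forward"):
            forward = True
    # A one-to-one mapping needs the SNAT and DNAT rules to mirror each other.
    for lab, pub in snat.items():
        if dnat.get(pub) != lab:
            findings.append(f"ERROR: SNAT {lab} -> {pub} has no matching DNAT")
    for pub, lab in dnat.items():
        if snat.get(lab) != pub:
            findings.append(f"ERROR: DNAT {pub} -> {lab} has no matching SNAT")
    if not forward:
        findings.append("ERROR: ip_forward is not enabled")
    return findings
```

Run `check_rc_local(open("/etc/rc.local").read())` on the EVE-NG host before rebooting to catch a typo in the address pair early.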

Verification:

Code:

root@eve-ng:~# telnet 192.168.255.2
Trying 192.168.255.2...
Connected to 192.168.255.2.
Escape character is '^]'.

       -=R1=-

User Access Verification

Username: ed
Password:
R1#
R1#show ip route | include 0.0.0.0/0
S*    0.0.0.0/0 [250/0] via 192.168.255.1
R1#
R1#ping 192.168.255.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.255.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
R1#
R1#
R1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 17/17/18 ms
R1#
R1#
R1#ping da.ru
Translating "da.ru"

Translating "da.ru"
% Unrecognized host or address, or protocol not running.

R1#conf
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip name
R1(config)#ip name-server 8.8.8.8
R1(config)#ip do
R1(config)#ip domain-
R1(config)#ip domain-lo
R1(config)#ip domain-lookup
R1(config)#
R1(config)#
R1(config)#do ping da.ru
Translating "da.ru"...domain server (8.8.8.8) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 193.36.35.113, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 11/11/12 ms
R1(config)#
R1(config)#no ip domain-lookup
R1(config)#no ip name-server 8.8.8.8
R1(config)#end
R1#
R1#wr
Building configuration...
[OK]
R1#
You can add one more SECONDARY IP address and iptables entries for another virtual device. But you can also create port forwarding on R1 (the Cisco router) in that scenario for downstream devices in your lab, like this:

Code:

R1#show running-config | include nat
 ip nat inside
 ip nat inside
 ip nat outside
ip nat inside source static tcp 10.1.3.3 23 10.1.4.10 23 extendable
ip nat inside source static 3.3.3.1 10.1.4.100
ip nat inside source static tcp 10.0.22.222 22 192.168.255.2 2222 extendable
ip nat inside source static tcp 10.0.22.223 22 192.168.255.2 2223 extendable
ip nat inside source static tcp 10.1.4.1 22 192.168.255.2 2333 extendable
ip nat inside source static tcp 10.0.30.1 443 192.168.255.2 4333 extendable
ip nat inside source static tcp 10.0.30.1 80 192.168.255.2 8888 extendable
R1#
Or you can access directly from the Cisco router - it depends on your choice:

Code:

R1#show ip route isis | begin Gateway
Gateway of last resort is 192.168.255.1 to network 0.0.0.0

      2.0.0.0/32 is subnetted, 4 subnets
i L2     2.2.2.1 [115/10] via 10.1.1.2, 2d01h, Ethernet0/0
i L2     2.2.2.2 [115/10] via 10.1.1.2, 2d01h, Ethernet0/0
i L2     2.2.2.4 [115/10] via 10.1.1.2, 2d01h, Ethernet0/0
      10.0.0.0/8 is variably subnetted, 12 subnets, 3 masks
i L2     10.0.20.0/24 [115/30] via 10.1.1.2, 2d01h, Ethernet0/0
                      [115/30] via 10.0.30.3, 2d01h, Ethernet0/3.10
i L2     10.0.22.222/32 [115/30] via 10.1.1.2, 2d01h, Ethernet0/0
                        [115/30] via 10.0.30.3, 2d01h, Ethernet0/3.10
i L2     10.0.22.223/32 [115/20] via 10.0.30.3, 2d01h, Ethernet0/3.10
i L2     10.0.23.0/24 [115/20] via 10.0.30.3, 2d01h, Ethernet0/3.10
R1#
R1#telnet 10.0.22.222
Trying 10.0.22.222 ... Open
-=vmx1=-

vmx1 (ttyp0)

login: ed
Password:

--- JUNOS 14.1R1.10 built 2014-06-07 09:37:07 UTC
ed@vmx1>

ed@vmx1> show system users
11:20PM  up 4 days,  7:14, 1 user, load averages: 0.37, 2.09, 1.50
USER     TTY      FROM                              LOGIN@  IDLE WHAT
ed       p0       10.1.1.1                         11:20PM     - -cli (cli)

ed@vmx1>

ed@vmx1> quit


[Connection to 10.0.22.222 closed by foreign host]
R1#
I tested access to the Checkpoint Smartconsole & Cisco ASA ASDM that way - all works fine!

Helpful commands:

iptables -nvL -t nat

ip addr

cat /proc/sys/net/ipv4/ip_forward


---

PS.
Here is a description of how you can do it at the hypervisor (VMware ESXi) configuration level, but in my case I don't have access & authorization to vCenter.
https://www.petenetlive.com/KB/Article/0001432
http://www.eve-ng.net/images/EVE-COOK-BOOK-1.2.pdf

PS2.
Here is a description of how to configure NAT overload, or one-to-many.
https://d-herrmann.de/2018/04/nat-cloud ... y-edition/

PS3.
Please give us your feedback or let me know if you have any trouble with configurations.
Attachments
pic1.JPG
EVE-NG topology
Junos OS kernel based on FreeBSD UNIX.


vintovkin
ВДВ
Posts: 1288
Joined: 2007-05-11 9:39:11
From: CSKA


Unread post by vintovkin » 2019-12-31 0:03:58

Colleagues, I wrote the article in English so that it would be globally useful for all IT folks)). If you need a translation into Russian, please let me know. Thanks a lot!

ыть
passing by


Unread post by ыть » 2020-01-01 20:18:19

vintovkin wrote:
2019-12-31 0:03:58
If you need a translation into Russian, please let me know. Thanks a lot!
not essential.. any Soviet engineer is able to make out the language of the fattest and dumbest people in the world.. ))
more useful would be an overview of the features that distinguish one simulator from another (GNS3\UNetLab\UNetLab-2.0\EVE-NG)
and the "ABC" we already know ))

Alex Keda
they were shooting...
Posts: 35411
Joined: 2004-10-18 14:25:19
From: Made in USSR
Contact information:


Unread post by Alex Keda » 2020-01-15 9:16:25

damn, I'm sitting here reading, thought maybe you'd lost your mind, or some very literate spammers had hijacked your account...
read to the end, got it =))
vintovkin wrote:
2019-12-31 0:03:58
Colleagues, I wrote the article in English so that it would be globally useful for all IT folks))
Kill them all! God will sort them out later...

vintovkin
ВДВ
Posts: 1288
Joined: 2007-05-11 9:39:11
From: CSKA


Unread post by vintovkin » 2022-08-12 13:34:08

Hi Team, one more working example; unnecessary lines\configs omitted for brevity.

See the network topology in the attachment (choose CLOUD 9 in EVE); platform: Lenovo laptop & VirtualBox VM eve-ng:
[192.168.0.0/24 EXTERNAL LAN] <---> [PNET0, EVE-NG, PNET9] <---> [e0/0, LAB LAN 192.168.255.0/24, CISCO]

Finally, the Cisco will be accessible via ssh & pingable via IP address 192.168.0.222 - it's the SECONDARY IP on the interface pnet0.

EVE-NG rc.local & show cmd (see the description of the cmd in the initial post):

Code:

root@eve-ng:~# cat /etc/rc.local
#!/bin/sh -e

ip address add 192.168.255.1/24 dev pnet9

ip addr add 192.168.0.222/24 broadcast 192.168.0.255 dev pnet0

iptables -t nat -A POSTROUTING -o pnet0 -s 192.168.255.2 -j SNAT --to-source 192.168.0.222
iptables -t nat -A PREROUTING -i pnet0 -d 192.168.0.222 -j DNAT --to-destination 192.168.255.2

echo 1 > /proc/sys/net/ipv4/ip_forward
root@eve-ng:~#

root@eve-ng:~# ip addr show pnet0
3: pnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 08:00:27:e2:cb:2e brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.101/24 brd 192.168.0.255 scope global dynamic pnet0
       valid_lft 85391sec preferred_lft 85391sec
    inet 192.168.0.222/24 brd 10.83.255.255 scope global secondary pnet0
       valid_lft forever preferred_lft forever
root@eve-ng:~# ip addr show pnet9
12: pnet9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc noqueue state UP group default qlen 1000
    link/ether 5a:c7:23:f5:90:be brd ff:ff:ff:ff:ff:ff
    inet 192.168.255.1/24 scope global pnet9
       valid_lft forever preferred_lft forever

root@eve-ng:~#

CISCO L3 switch - IMPORTANT: the reverse route MUST BE either static or default (default in my case).

Code:

sw1#show running-config
!
interface Ethernet0/0
 switchport access vlan 10
 switchport mode access
 duplex auto
!
interface Vlan10
 ip address 192.168.255.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.255.1 250
!
sw1#
TESTS & Verification:

Code:

sw1#
sw1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/41/139 ms
sw1#
sw1#
sw1#tra
sw1#traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.255.1 0 msec 0 msec 0 msec
  2 192.168.0.1 4 msec 4 msec 4 msec
  3  *  *  *
  4 88888888 15 msec 17 msec 14 msec
  5 9999999999 36 msec 36 msec 20 msec
  6 9999999999 23 msec 18 msec 25 msec
  7 0000000000 22 msec 22 msec 21 msec
  8  *  *  *
  9 8.8.8.8 25 msec 20 msec 20 msec
sw1#
sw1#
sw1#w
% No connections open
sw1#who
    Line       User       Host(s)              Idle       Location
*  2 vty 0     ed         idle                 00:00:00 192.168.0.164

  Interface    User               Mode         Idle     Peer Address

sw1#
sw1#
sw1#sh
sw1#show ip int br | ex unass
Interface              IP-Address      OK? Method Status                Protocol
Vlan10                 192.168.255.2   YES NVRAM  up                    up

sw1#
sw1#
sw1#
sw1#sh
sw1#show ip rou
Gateway of last resort is 192.168.255.1 to network 0.0.0.0

S*    0.0.0.0/0 [250/0] via 192.168.255.1
      192.168.255.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.255.0/24 is directly connected, Vlan10
L        192.168.255.2/32 is directly connected, Vlan10
sw1#
Stay well!
Attachments
Capture.JPG
network

vintovkin
ВДВ
Posts: 1288
Joined: 2007-05-11 9:39:11
From: CSKA


Unread post by vintovkin » 2022-09-05 10:35:30

Update: on the newest Linux OS (like eve-ng) there is no such file "/etc/rc.local", so create it and make it executable:

Code:

 touch /etc/rc.local
 chmod +x /etc/rc.local