
EVE-NG routing between your lab and real network (static nat one-to-one).

Posted: 2019-12-31 0:01:20
vintovkin
Hello everybody, you can access your virtual devices for management via ssh & https from your real network - office or home LAN.
And vice versa, for instance if your virtual devices need access to the outside from your lab. Below are the topology & config showing how to do this.

You need to create or edit your /etc/rc.local file according to your IP addressing range - in this scenario the real network is 10.83.0.0/16 and the lab network is 192.168.255.0/24 (please see the topology). Anyway, I am sure that you SHOULD change the IP addresses to yours - please do it. Please reboot EVE-NG for the configuration changes to take effect. Please make a snapshot of your system before you configure it!

Code:

root@eve-ng:~# cat /etc/rc.local
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

ip address add 192.168.255.1/24 dev pnet9

ip addr add 10.83.1.111/16 broadcast 10.83.255.255 dev pnet0

iptables -t nat -A POSTROUTING -o pnet0 -s 192.168.255.2 -j SNAT --to-source 10.83.1.111

iptables -t nat -A PREROUTING -i pnet0 -d 10.83.1.111 -j DNAT --to-destination 192.168.255.2

echo 1 > /proc/sys/net/ipv4/ip_forward

exit 0
root@eve-ng:~#
Description:

ip address add 192.168.255.1/24 dev pnet9
You assign an IP address to the Cloud9 interface that is directly connected to R1.

ip addr add 10.83.1.111/16 broadcast 10.83.255.255 dev pnet0
You assign the SECONDARY IP address to the pnet0 interface that is accessible from your real network; after that, you should be able to ping it.

iptables -t nat -A POSTROUTING -o pnet0 -s 192.168.255.2 -j SNAT --to-source 10.83.1.111
iptables -t nat -A PREROUTING -i pnet0 -d 10.83.1.111 -j DNAT --to-destination 192.168.255.2

Static one-to-one NAT with Linux iptables.

echo 1 > /proc/sys/net/ipv4/ip_forward
Enable Linux IP routing.

Verification:

Code:

root@eve-ng:~# telnet 192.168.255.2
Trying 192.168.255.2...
Connected to 192.168.255.2.
Escape character is '^]'.

       -=R1=-

User Access Verification

Username: ed
Password:
R1#
R1#show ip route | include 0.0.0.0/0
S*    0.0.0.0/0 [250/0] via 192.168.255.1
R1#
R1#ping 192.168.255.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.255.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
R1#
R1#
R1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 17/17/18 ms
R1#
R1#
R1#ping da.ru
Translating "da.ru"

Translating "da.ru"
% Unrecognized host or address, or protocol not running.

R1#conf
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip name
R1(config)#ip name-server 8.8.8.8
R1(config)#ip do
R1(config)#ip domain-
R1(config)#ip domain-lo
R1(config)#ip domain-lookup
R1(config)#
R1(config)#
R1(config)#do ping da.ru
Translating "da.ru"...domain server (8.8.8.8) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 193.36.35.113, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 11/11/12 ms
R1(config)#
R1(config)#no ip domain-lookup
R1(config)#no ip name-server 8.8.8.8
R1(config)#end
R1#
R1#wr
Building configuration...
[OK]
R1#
You can add one more SECONDARY IP address and iptables entries for another virtual device. But you can also create port forwarding on R1 (the Cisco router) in this scenario for downstream devices in your lab, like this:

Code:

R1#show running-config | include nat
 ip nat inside
 ip nat inside
 ip nat outside
ip nat inside source static tcp 10.1.3.3 23 10.1.4.10 23 extendable
ip nat inside source static 3.3.3.1 10.1.4.100
ip nat inside source static tcp 10.0.22.222 22 192.168.255.2 2222 extendable
ip nat inside source static tcp 10.0.22.223 22 192.168.255.2 2223 extendable
ip nat inside source static tcp 10.1.4.1 22 192.168.255.2 2333 extendable
ip nat inside source static tcp 10.0.30.1 443 192.168.255.2 4333 extendable
ip nat inside source static tcp 10.0.30.1 80 192.168.255.2 8888 extendable
R1#
Or you can access them directly from the Cisco router - it depends on your choice:

Code:

R1#show ip route isis | begin Gateway
Gateway of last resort is 192.168.255.1 to network 0.0.0.0

      2.0.0.0/32 is subnetted, 4 subnets
i L2     2.2.2.1 [115/10] via 10.1.1.2, 2d01h, Ethernet0/0
i L2     2.2.2.2 [115/10] via 10.1.1.2, 2d01h, Ethernet0/0
i L2     2.2.2.4 [115/10] via 10.1.1.2, 2d01h, Ethernet0/0
      10.0.0.0/8 is variably subnetted, 12 subnets, 3 masks
i L2     10.0.20.0/24 [115/30] via 10.1.1.2, 2d01h, Ethernet0/0
                      [115/30] via 10.0.30.3, 2d01h, Ethernet0/3.10
i L2     10.0.22.222/32 [115/30] via 10.1.1.2, 2d01h, Ethernet0/0
                        [115/30] via 10.0.30.3, 2d01h, Ethernet0/3.10
i L2     10.0.22.223/32 [115/20] via 10.0.30.3, 2d01h, Ethernet0/3.10
i L2     10.0.23.0/24 [115/20] via 10.0.30.3, 2d01h, Ethernet0/3.10
R1#
R1#telnet 10.0.22.222
Trying 10.0.22.222 ... Open
-=vmx1=-

vmx1 (ttyp0)

login: ed
Password:

--- JUNOS 14.1R1.10 built 2014-06-07 09:37:07 UTC
ed@vmx1>

ed@vmx1> show system users
11:20PM  up 4 days,  7:14, 1 user, load averages: 0.37, 2.09, 1.50
USER     TTY      FROM                              LOGIN@  IDLE WHAT
ed       p0       10.1.1.1                         11:20PM     - -cli (cli)

ed@vmx1>

ed@vmx1> quit


[Connection to 10.0.22.222 closed by foreign host]
R1#
I tested access to the Checkpoint SmartConsole & Cisco ASA ASDM that way - everything works fine!

Helpful commands:

iptables -nvL -t nat

ip addr

cat /proc/sys/net/ipv4/ip_forward

---

PS.
Here is a description of how you can do it at the hypervisor (VMware ESXi) configuration level, but in my case I don't have access & authorization to vCenter.
https://www.petenetlive.com/KB/Article/0001432
http://www.eve-ng.net/images/EVE-COOK-BOOK-1.2.pdf

PS2.
Here is a description of how to configure NAT overload or one to many.
https://d-herrmann.de/2018/04/nat-cloud ... y-edition/

PS3.
Please give us your feedback or let me know if you have any trouble with configurations.

Posted: 2019-12-31 0:03:58
vintovkin
Colleagues, I wrote the article in English so that it would be globally useful for all IT people)). If you need a translation into Russian, please let me know. Thanks a lot!

Posted: 2020-01-01 20:18:19
ыть
vintovkin wrote:
2019-12-31 0:03:58
If you need a translation into Russian, please let me know. Thanks a lot!
it doesn't matter.. any Soviet engineer is capable of making sense of the language of the fattest and dumbest people in the world.. ))
a review of the features that distinguish one simulator from another (GNS3\UNetLab\UNetLab 2.0\EVE-NG) would be more useful
we already know the "ABCs" ))

Posted: 2020-01-15 9:16:25
Alex Keda
damn, I'm sitting here reading, thought maybe you'd lost your mind, or some very literate spammers had hijacked your account...
read it to the end, got it =))
vintovkin wrote:
2019-12-31 0:03:58
Colleagues, I wrote the article in English so that it would be globally useful for all IT people))

Posted: 2022-08-12 13:34:08
vintovkin
Hi Team, one more working example; unnecessary lines/configs omitted for brevity.

See the network topology in the attachment (choose CLOUD 9 in EVE); platform: Lenovo laptop & VirtualBox VM eve-ng:
[192.168.0.0/24 EXTERNAL LAN] <---> [PNET0, EVE-NG, PNET9] <---> [e0/0, LAB LAN 192.168.255.0/24, CISCO]

Finally, the Cisco device will be accessible via ssh & pingable via IP address 192.168.0.222 - it's the SECONDARY IP on the interface pnet0.

EVE-NG rc.local & show commands (see the description of the commands in the initial post):

Code:

root@eve-ng:~# cat /etc/rc.local
#!/bin/sh -e

ip address add 192.168.255.1/24 dev pnet9

ip addr add 192.168.0.222/24 broadcast 192.168.0.255 dev pnet0

iptables -t nat -A POSTROUTING -o pnet0 -s 192.168.255.2 -j SNAT --to-source 192.168.0.222
iptables -t nat -A PREROUTING -i pnet0 -d 192.168.0.222 -j DNAT --to-destination 192.168.255.2

echo 1 > /proc/sys/net/ipv4/ip_forward
root@eve-ng:~#

root@eve-ng:~# ip addr show pnet0
3: pnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 08:00:27:e2:cb:2e brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.101/24 brd 192.168.0.255 scope global dynamic pnet0
       valid_lft 85391sec preferred_lft 85391sec
    inet 192.168.0.222/24 brd 10.83.255.255 scope global secondary pnet0
       valid_lft forever preferred_lft forever
root@eve-ng:~# ip addr show pnet9
12: pnet9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc noqueue state UP group default qlen 1000
    link/ether 5a:c7:23:f5:90:be brd ff:ff:ff:ff:ff:ff
    inet 192.168.255.1/24 scope global pnet9
       valid_lft forever preferred_lft forever

root@eve-ng:~#

CISCO L3 switch - IMPORTANT: the reverse route MUST BE present, either static or default (default in my case).

Code:

sw1#show running-config
!
interface Ethernet0/0
 switchport access vlan 10
 switchport mode access
 duplex auto
!
interface Vlan10
 ip address 192.168.255.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.255.1 250
!
sw1#
TESTS & Verification:

Code:

sw1#
sw1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/41/139 ms
sw1#
sw1#
sw1#tra
sw1#traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.255.1 0 msec 0 msec 0 msec
  2 192.168.0.1 4 msec 4 msec 4 msec
  3  *  *  *
  4 88888888 15 msec 17 msec 14 msec
  5 9999999999 36 msec 36 msec 20 msec
  6 9999999999 23 msec 18 msec 25 msec
  7 0000000000 22 msec 22 msec 21 msec
  8  *  *  *
  9 8.8.8.8 25 msec 20 msec 20 msec
sw1#
sw1#
sw1#w
% No connections open
sw1#who
    Line       User       Host(s)              Idle       Location
*  2 vty 0     ed         idle                 00:00:00 192.168.0.164

  Interface    User               Mode         Idle     Peer Address

sw1#
sw1#
sw1#sh
sw1#show ip int br | ex unass
Interface              IP-Address      OK? Method Status                Protocol
Vlan10                 192.168.255.2   YES NVRAM  up                    up

sw1#
sw1#
sw1#
sw1#sh
sw1#show ip rou
Gateway of last resort is 192.168.255.1 to network 0.0.0.0

S*    0.0.0.0/0 [250/0] via 192.168.255.1
      192.168.255.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.255.0/24 is directly connected, Vlan10
L        192.168.255.2/32 is directly connected, Vlan10
sw1#
Stay well!
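Both rc.local files in this thread (the first post with 10.83.1.111 on pnet0, this one with 192.168.0.222) use `ip addr add` and unconditional `iptables -A`, so a second run under `sh -e` aborts on "address already exists" and otherwise duplicates the NAT rules, and the DNAT publishes every port of the lab device. The script below is an added example, not the author's file: it applies the same one-to-one NAT idempotently and, as a hardening assumption, publishes only the management ports the first post names (ssh & https). The addresses are the first post's and must be changed to yours; `apply` is only run when the script is invoked as `rc.local apply`.

```shell
#!/bin/sh -e
# Added example: idempotent, port-restricted version of the static one-to-one NAT
# described in this thread. Assumed values (first post): pnet0 = real LAN 10.83.0.0/16,
# pnet9 = lab LAN 192.168.255.0/24; change them to your own addressing.

LAB_GW="192.168.255.1/24"    # EVE-NG side of the Cloud9 bridge (pnet9), R1's default gateway
LAB_DEV="192.168.255.2"      # lab device that gets published on the real LAN
PUB_IP="10.83.1.111"         # SECONDARY address on pnet0, reachable from the real LAN
PUB_PREFIX="16"
PUB_BCAST="10.83.255.255"
MGMT_PORTS="22 443"          # assumption: only ssh and https are exposed, not all ports

# Print the NAT rules for one published device, one per line: "<table> <chain> <rule...>".
# A single definition is used both to apply (-A) and to check (-C) the rules.
nat_rules() {
  dev="$1"; pub="$2"; ports="$3"
  echo "nat POSTROUTING -o pnet0 -s $dev -j SNAT --to-source $pub"
  for p in $ports; do
    echo "nat PREROUTING -i pnet0 -p tcp -d $pub --dport $p -j DNAT --to-destination $dev:$p"
  done
}

# Append each rule only when it is not already present (iptables -C is non-zero if absent),
# so re-running rc.local does not accumulate duplicate SNAT/DNAT entries.
ensure_rules() {
  nat_rules "$@" | while read -r table chain rest; do
    # shellcheck disable=SC2086  # $rest is deliberately word-split into iptables arguments
    iptables -t "$table" -C "$chain" $rest 2>/dev/null || iptables -t "$table" -A "$chain" $rest
  done
}

apply() {
  # "replace" succeeds when the address already exists, where "add" fails and aborts under sh -e
  ip address replace "$LAB_GW" dev pnet9
  ip address replace "$PUB_IP/$PUB_PREFIX" broadcast "$PUB_BCAST" dev pnet0
  ensure_rules "$LAB_DEV" "$PUB_IP" "$MGMT_PORTS"
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
}

# Only touch the system when invoked as "rc.local apply"; otherwise the functions can be
# sourced and inspected (e.g. "nat_rules 192.168.255.2 10.83.1.111 '22 443'") without side effects.
if [ "${1:-}" = "apply" ]; then
  apply
fi
```

Verify the result with the thread's own commands (`iptables -nvL -t nat`, `ip addr`, `cat /proc/sys/net/ipv4/ip_forward`); a second `rc.local apply` should leave the rule counters and address list unchanged.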

Posted: 2022-09-05 10:35:30
vintovkin
Update: on the newest Linux OS (like eve-ng) this file "/etc/rc.local" does not exist, so create it and make it executable:

Code:

touch /etc/rc.local
chmod +x /etc/rc.local