11.4 Cisco ASA: NAT translation before ASA 8.3 (legacy syntax and its 8.3+ equivalents)
ASA 8.3 and later introduce the unified NAT table, which lets the administrator control the order in which translation policies are applied.
Rules are matched top-down in the unified NAT table according to the content of each NAT entry, and processing stops at the first rule that matches. The table has three sections: section 1 holds manual (twice) NAT rules in the order they were configured, section 2 holds network object NAT rules, which the ASA orders automatically (static before dynamic, then fewer real addresses before more), and section 3 holds manual NAT rules configured with the after-auto keyword. Because the first match wins, a broad rule placed above a narrower one silently shadows it.
The pre-8.3 nat/global/static syntax is no longer accepted in 8.3 and later.
Network Object NAT configuration
1. Dynamic NAT (dynamic one-to-one)
Example one:
Legacy configuration:
nat (Inside) 1 10.1.1.0 255.255.255.0
global (Outside) 1 202.100.1.100-202.100.1.200
New configuration (Network Object NAT):
object network Outside-Nat-Pool
 range 202.100.1.100 202.100.1.200
object network Inside-Network
 subnet 10.1.1.0 255.255.255.0
object network Inside-Network
 nat (Inside,Outside) dynamic Outside-Nat-Pool
Example two:
object network Outside-Nat-Pool
 range 202.100.1.100 202.100.1.200
object network Outside-PAT-Address
 host 202.100.1.201
object-group network Outside-Address
 network-object object Outside-Nat-Pool
 network-object object Outside-PAT-Address
object network Inside-Network
 nat (Inside,Outside) dynamic Outside-Address interface
(The ASA consumes the mapped group in this order: first the 202.100.1.100-202.100.1.200 range as dynamic one-to-one NAT, then 202.100.1.201 as dynamic PAT once the range is exhausted, and finally the Outside interface address as dynamic PAT.)
Because the new nat command names both the real and the mapped interface, the legacy problem of a nat/global pair also translating traffic toward the DMZ does not arise (under the old syntax that required a nat 0 plus an ACL to exempt it).
2. Dynamic PAT (Hide) (dynamic many-to-one)
Legacy configuration:
nat (Inside) 1 10.1.1.0 255.255.255.0
global (Outside) 1 202.100.1.101
New configuration (Network Object NAT):
object network Inside-Network
 subnet 10.1.1.0 255.255.255.0
object network Outside-PAT-Address
 host 202.100.1.101
object network Inside-Network
 nat (Inside,Outside) dynamic Outside-PAT-Address
or
 nat (Inside,Outside) dynamic 202.100.1.102
3. Static NAT or Static NAT with Port Translation (static one-to-one, static port translation)
Example one (static one-to-one):
Legacy configuration:
static (Inside,Outside) 202.100.1.101 10.1.1.1
New configuration (Network Object NAT):
object network Static-Outside-Address
 host 202.100.1.101
object network Static-Inside-Address
 host 10.1.1.1
object network Static-Inside-Address
 nat (Inside,Outside) static Static-Outside-Address
or
 nat (Inside,Outside) static 202.100.1.102 [dns]
(The optional dns keyword additionally rewrites the address in DNS replies that pass through the translation.)
Example two (static port translation):
Legacy configuration:
static (Inside,Outside) tcp 202.100.1.101 2323 10.1.1.1 23
New configuration (Network Object NAT):
object network Static-Outside-Address
 host 202.100.1.101
object network Static-Inside-Address
 host 10.1.1.1
object network Static-Inside-Address
 nat (Inside,Outside) static Static-Outside-Address service tcp telnet 2323
or
 nat (Inside,Outside) static 202.100.1.101 service tcp telnet 2323
(In the service clause the real port comes first and the mapped port second: TCP 23 on 10.1.1.1 is reachable from Outside as 202.100.1.101:2323.)
4. Identity NAT
Legacy configuration:
nat (Inside) 0 10.1.1.1 255.255.255.255
New configuration (Network Object NAT):
object network Inside-Address
 host 10.1.1.1
object network Inside-Address
 nat (Inside,Outside) static Inside-Address
or
 nat (Inside,Outside) static 10.1.1.1
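The four object NAT forms above (dynamic NAT, dynamic PAT, static NAT with or without port translation, identity NAT) are mechanical rewrites of the legacy nat/global/static commands. The Python script below, added here as a worked example and not code from the original article or from Cisco, performs that rewrite: it reads a block of legacy lines, pairs each nat id with its global pool(s), and emits the 8.3+ network objects and nat statements. The generated object names (obj-..., pool-..., pat-..., grp-...) are this example's own convention, and default_mapped_ifc is an assumption for "nat (ifc) 0" identity NAT, whose legacy form names no mapped interface.

```python
"""Convert pre-8.3 ASA nat/global/static lines into 8.3+ network object NAT.

Added example, not code from the original article or from Cisco. Object
names (obj-..., pool-..., pat-..., grp-...) are this example's convention;
default_mapped_ifc is an assumption for "nat (ifc) 0" identity NAT.
"""
import ipaddress
import re
from collections import defaultdict

IP = r"\d+\.\d+\.\d+\.\d+"
NAT_RE = re.compile(rf"nat\s*\((\S+)\)\s+(\d+)\s+({IP})\s+({IP})$")
GLOBAL_RE = re.compile(r"global\s*\((\S+)\)\s+(\d+)\s+(\S+)$")
# static (real_ifc,mapped_ifc) [tcp|udp] MAPPED [MAPPED_PORT] REAL [REAL_PORT]
STATIC_RE = re.compile(
    rf"static\s*\((\S+),(\S+)\)\s+(?:(tcp|udp)\s+)?({IP})\s+(?:(\d+)\s+)?({IP})(?:\s+(\d+))?$")


def real_object(addr, mask):
    """Name and body line of the network object holding the real address."""
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    if net.num_addresses == 1:
        return f"obj-{net.network_address}", f" host {net.network_address}"
    return (f"obj-{net.network_address}-{net.prefixlen}",
            f" subnet {net.network_address} {net.netmask}")


def mapped_operand(specs, group_name):
    """Turn the global pool(s) of one nat id into the 8.3 'dynamic' operand.

    A range becomes a range object (dynamic one-to-one), a single host a PAT
    address, and 'interface' the interface-PAT fallback. Returns the object
    definitions needed plus the operand string."""
    addrs = [s for s in specs if s != "interface"]
    suffix = " interface" if "interface" in specs else ""
    if not addrs:
        return [], "interface"
    if len(addrs) == 1 and "-" not in addrs[0] and not suffix:
        return [], addrs[0]  # lone host: inline dynamic PAT address
    pre, names = [], []
    for a in addrs:
        lo, _, hi = a.partition("-")
        names.append(f"pool-{lo}-{hi}" if hi else f"pat-{a}")
        pre += [f"object network {names[-1]}", f" range {lo} {hi}" if hi else f" host {a}"]
    if len(names) == 1:
        return pre, names[0] + suffix
    pre.append(f"object-group network {group_name}")
    pre += [f" network-object object {n}" for n in names]
    return pre, group_name + suffix


def convert_object_nat(legacy, default_mapped_ifc="outside"):
    """Return the 8.3+ object NAT lines equivalent to a block of legacy lines."""
    pools = defaultdict(list)  # nat id -> [(mapped_ifc, pool spec)]
    out, used = [], set()
    lines = [ln.strip() for ln in legacy.splitlines() if ln.strip()]
    for line in lines:
        if m := GLOBAL_RE.match(line):
            pools[int(m.group(2))].append((m.group(1), m.group(3)))

    def unique(name):
        # An object carries at most one nat statement, so a real address that
        # is translated twice needs a second object with the same host/subnet.
        base, n = name, 1
        while name in used:
            n += 1
            name = f"{base}-{n}"
        used.add(name)
        return name

    for line in lines:
        if m := NAT_RE.match(line):
            real_ifc, nat_id = m.group(1), int(m.group(2))
            name, body = real_object(m.group(3), m.group(4))
            if nat_id == 0:  # nat 0: identity NAT, mapped address == real address
                oname = unique(name)
                out += [f"object network {oname}", body,
                        f" nat ({real_ifc},{default_mapped_ifc}) static {oname}"]
                continue
            by_ifc = defaultdict(list)
            for mapped_ifc, spec in pools[nat_id]:
                by_ifc[mapped_ifc].append(spec)
            if not by_ifc:
                raise ValueError(f"nat id {nat_id} has no matching global pool")
            for mapped_ifc, specs in by_ifc.items():
                pre, operand = mapped_operand(specs, f"grp-nat{nat_id}-{mapped_ifc}")
                oname = unique(name)
                out += pre + [f"object network {oname}", body,
                              f" nat ({real_ifc},{mapped_ifc}) dynamic {operand}"]
        elif m := STATIC_RE.match(line):
            real_ifc, mapped_ifc, proto, mapped, mport, real, rport = m.groups()
            name, body = real_object(real, "255.255.255.255")
            rule = f" nat ({real_ifc},{mapped_ifc}) static {mapped}"
            if proto:  # static PAT: 8.3 lists the real port before the mapped port
                rule += f" service {proto} {rport} {mport}"
            out += [f"object network {unique(name)}", body, rule]
        elif not GLOBAL_RE.match(line):
            raise ValueError(f"unsupported legacy NAT line: {line}")
    return out
```

Feed it the legacy lines of any of the examples above (for instance `print("\n".join(convert_object_nat("nat (Inside) 1 10.1.1.0 255.255.255.0\nglobal (Outside) 1 202.100.1.100-202.100.1.200")))`) and it prints the corresponding object NAT block. The script refuses lines it does not understand rather than dropping them, and it gives a second object to any real address that is translated twice, since the ASA rejects a second nat statement on one object; after a migration, verify the result with `show nat` and `show nat detail` on the device rather than trusting the conversion.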
Twice NAT (similar to legacy policy NAT)
Example one:
Legacy configuration:
access-list inside-to-1 permit ip 10.1.1.0 255.255.255.0 host 1.1.1.1
access-list inside-to-202 permit ip 10.1.1.0 255.255.255.0 host 202.100.1.1
nat (inside) 1 access-list inside-to-1
nat (inside) 2 access-list inside-to-202
global (outside) 1 202.100.1.101
global (outside) 2 202.100.1.102
New configuration (Twice NAT):
object network dst-1
 host 1.1.1.1
object network dst-202
 host 202.100.1.1
object network pat-1
 host 202.100.1.101
object network pat-2
 host 202.100.1.102
object network Inside-Network
 subnet 10.1.1.0 255.255.255.0
nat (Inside,Outside) source dynamic Inside-Network pat-1 destination static dst-1 dst-1
nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202
(The destination clause is written mapped object first, then real object; here both are the same object because the destination address is not translated. Twice NAT rules live in section 1 of the unified NAT table and are matched in the order entered.)
Example two:
Legacy configuration:
access-list inside-to-1 permit ip 10.1.1.0 255.255.255.0 host 1.1.1.1
access-list inside-to-202 permit ip 10.1.1.0 255.255.255.0 host 202.100.1.1
nat (inside) 1 access-list inside-to-1
nat (inside) 2 access-list inside-to-202
global (outside) 1 202.100.1.101
global (outside) 2 202.100.1.102
static (outside,inside) 10.1.1.101 1.1.1.1
static (outside,inside) 10.1.1.102 202.100.1.1
New configuration (Twice NAT):
object network dst-1
 host 1.1.1.1
object network dst-202
 host 202.100.1.1
object network pat-1
 host 202.100.1.101
object network pat-2
 host 202.100.1.102
object network Inside-Network
 subnet 10.1.1.0 255.255.255.0
object network map-dst-1
 host 10.1.1.101
object network map-dst-202
 host 10.1.1.102
nat (Inside,Outside) source dynamic Inside-Network pat-1 destination static map-dst-1 dst-1
nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static map-dst-202 dst-202
(map-dst-1 is the address inside hosts use to reach 1.1.1.1; the destination clause rewrites it to the real server, which replaces the legacy static (outside,inside) entries.)
Example three:
Legacy configuration:
access-list inside-to-1 permit tcp 10.1.1.0 255.255.255.0 host 1.1.1.1 eq 23
access-list inside-to-202 permit tcp 10.1.1.0 255.255.255.0 host 202.100.1.1 eq 3032
nat (inside) 1 access-list inside-to-1
nat (inside) 2 access-list inside-to-202
global (outside) 1 202.100.1.101
global (outside) 2 202.100.1.102
New configuration (Twice NAT):
object network dst-1
 host 1.1.1.1
object network dst-202
 host 202.100.1.1
object network pat-1
 host 202.100.1.101
object network pat-2
 host 202.100.1.102
object network Inside-Network
 subnet 10.1.1.0 255.255.255.0
object service telnet23
 service tcp destination eq telnet
object service telnet3032
 service tcp destination eq 3032
nat (Inside,Outside) source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23
nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202 service telnet3032 telnet3032
(The service clause is written real service first, then mapped service; the same object is used twice because only the source address is translated, not the port.)
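The three twice NAT examples follow one pattern: each policy NAT access-list line becomes a source object, a destination object (plus a mapped-destination object when a legacy static (outside,inside) entry translated the destination) and, for tcp/udp entries, a service object, and each nat id's global address becomes the mapped source. The Python script below, added here as a worked example and not code from the original article or from Cisco, automates that rewrite; the object names it generates (src-..., dst-..., map-dst-..., pat-..., svc-...) are this example's own convention, and it assumes a legacy static whose real address matches an ACL destination host is the destination translation for that rule.

```python
"""Convert pre-8.3 ASA policy NAT (access-list + "nat (ifc) id access-list" +
global, optionally with a destination "static (outside,inside)") into 8.3+
twice NAT. Added example, not code from the original article or from Cisco;
the generated object names are this example's own convention.
"""
import ipaddress
import re
from collections import defaultdict

ACL_RE = re.compile(
    r"access-list\s+(\S+)\s+permit\s+(ip|tcp|udp)\s+"
    r"(host\s+\S+|\S+\s+\S+)\s+(host\s+\S+|\S+\s+\S+)(?:\s+eq\s+(\S+))?$")
POLICY_NAT_RE = re.compile(r"nat\s*\((\S+)\)\s+(\d+)\s+access-list\s+(\S+)$")
GLOBAL_RE = re.compile(r"global\s*\((\S+)\)\s+(\d+)\s+(\S+)$")
# static (outside,inside) MAPPED REAL: the address inside hosts use vs. the real server
DST_STATIC_RE = re.compile(r"static\s*\((\S+),(\S+)\)\s+(\S+)\s+(\S+)$")


def net_object(spec, prefix):
    """Name and body line for a 'host X' or 'X MASK' address specification."""
    parts = spec.split()
    if parts[0] == "host":
        return f"{prefix}-{parts[1]}", f" host {parts[1]}"
    net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
    return (f"{prefix}-{net.network_address}-{net.prefixlen}",
            f" subnet {net.network_address} {net.netmask}")


def convert_twice_nat(legacy):
    """Return 8.3+ twice NAT lines for a block of legacy policy NAT lines.

    Rules are emitted in legacy line order: twice NAT rules sit in section 1
    of the unified NAT table and are matched top-down, so order is preserved."""
    acls, pools, dst_map = defaultdict(list), defaultdict(list), {}
    out, emitted = [], set()

    def define(name, *body):  # emit each object definition only once
        if name not in emitted:
            emitted.add(name)
            out.extend(body)

    lines = [ln.strip() for ln in legacy.splitlines() if ln.strip()]
    for line in lines:
        if m := ACL_RE.match(line):
            acls[m.group(1)].append(m.groups()[1:])  # (proto, src, dst, port)
        elif m := GLOBAL_RE.match(line):
            pools[int(m.group(2))].append((m.group(1), m.group(3)))
        elif m := DST_STATIC_RE.match(line):
            dst_map[m.group(4)] = m.group(3)  # real server -> address seen from inside
        elif not POLICY_NAT_RE.match(line):
            raise ValueError(f"unsupported legacy line: {line}")
    for line in lines:
        if not (m := POLICY_NAT_RE.match(line)):
            continue
        real_ifc, nat_id, acl = m.group(1), int(m.group(2)), m.group(3)
        for proto, src, dst, port in acls[acl]:
            s_name, s_body = net_object(src, "src")
            r_name, r_body = net_object(dst, "dst")
            define(s_name, f"object network {s_name}", s_body)
            define(r_name, f"object network {r_name}", r_body)
            # "destination static MAPPED REAL": with no destination static the
            # destination is untranslated, so mapped and real are the same object.
            m_name = r_name
            real_dst = dst.split()[1] if dst.startswith("host") else None
            if real_dst in dst_map:
                m_name, m_body = net_object(f"host {dst_map[real_dst]}", "map-dst")
                define(m_name, f"object network {m_name}", m_body)
            svc = ""
            if proto != "ip":  # keep the protocol/port restriction as a service object
                v_name = f"svc-{proto}" + (f"-{port}" if port else "")
                define(v_name, f"object service {v_name}",
                       f" service {proto}" + (f" destination eq {port}" if port else ""))
                svc = f" service {v_name} {v_name}"
            for mapped_ifc, pat in pools[nat_id]:
                p_name = "interface" if pat == "interface" else f"pat-{pat}"
                if pat != "interface":
                    define(p_name, f"object network {p_name}", f" host {pat}")
                out.append(f"nat ({real_ifc},{mapped_ifc}) source dynamic {s_name} {p_name}"
                           f" destination static {m_name} {r_name}{svc}")
    return out
```

Paste the legacy lines of example three (with distinct global ids 1 and 2) into `convert_twice_nat` and it emits the objects followed by the two twice NAT rules in the same order as the legacy ids; each object is defined once even when several rules share it. The order of the emitted nat lines is the order the ASA will evaluate them, so when two ACLs overlap, the more specific legacy entry must be listed first or it will never be reached.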
Please keep the source when reposting: www.zh-cjh.com (Zhuhai Chen Jianhao's blog) » 11.4 Cisco ASA: NAT translation before ASA 8.3
Author: cjh