NAT (nat-control: this command exists in 8.2; when it is enabled, inside traffic that has no matching NAT rule is not passed)

1. PAT

   8.2:

    global (outside) 10 201.100.1.100
    nat (inside) 10 10.1.1.0 255.255.255.0

    ASA/pri/act(config)# show xlate
    1 in use, 1 most used
    PAT Global 201.100.1.100(1024) Local 10.1.1.1(11298)

   8.4:

    object network nat
     subnet 10.1.1.0 255.255.255.0
    object network nat
     nat (inside,outside) dynamic 201.100.1.100

    ASA8-4# show xlate
    1 in use, 2 most used
    Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
    TCP PAT from inside:10.1.1.1/53851 to outside:201.100.1.100/5810 flags ri idle 0:00:04 timeout 0:00:30

2. Dynamic one-to-one translation

   8.2:

    nat (inside) 10 10.1.1.0 255.255.255.0
    global (outside) 10 201.100.1.110-201.100.1.120 netmask 255.255.255.0

    ASA/pri/act# show xlate detail
    2 in use, 2 most used
    Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static
    NAT from inside:10.1.1.1 to outside:201.100.1.110 flags i
    NAT from inside:10.1.1.2 to outside:201.100.1.111 flags i

   8.4:

    object network nat
     subnet 10.1.1.0 255.255.255.0
    object network outside-nat
     range 201.100.1.110 201.100.1.120
    object network nat
     nat (inside,outside) dynamic outside-nat

    ASA8-4# show xlate
    1 in use, 2 most used
    Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
    NAT from inside:10.1.1.1 to outside:201.100.1.115 flags i idle 0:01:13 timeout 3:00:00

3. Translation to the interface address

   8.2:

    nat (inside) 10 10.1.1.0 255.255.255.0
    global (outside) 10 interface

    ASA/pri/act# show xlate detail
    1 in use, 2 most used
    Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static
    TCP PAT from inside:10.1.1.1/61971 to outside:201.100.1.10/1024 flags ri

   8.4:

    object network nat
     subnet 10.1.1.0 255.255.255.0
    object network nat
     nat (inside,outside) dynamic interface

    ASA8-4(config)# show xlate
    1 in use, 2 most used
    Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
    TCP PAT from inside:10.1.1.1/35322 to outside:201.100.1.10/52970 flags ri idle 0:00:03 timeout 0:00:30

4. Different inside networks translated to different outside addresses

   8.2:

    nat (inside) 9 1.1.1.0 255.255.255.0
    nat (inside) 10 10.1.1.0 255.255.255.0
    global (outside) 10 interface
    global (outside) 9 201.100.1.111

   How nat statements are ordered: the more specific statement (longer mask) is listed first; with equal specificity, the lower network address comes first. They take effect in this same order.

    ASA/pri/act# show xlate detail
    2 in use, 2 most used
    Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static
    TCP PAT from inside:1.1.1.1/51343 to outside:201.100.1.111/1026 flags ri
    TCP PAT from inside:10.1.1.1/13938 to outside:201.100.1.10/1028 flags ri

   8.4:

    ASA8-4# show running-config object
    object network inside1
     subnet 10.1.1.0 255.255.255.0
    object network inside2
     subnet 1.1.1.0 255.255.255.0
    object network ouside-inside2
     host 201.100.1.110
    ASA8-4# show running-config nat
    !
    object network inside1
     nat (inside,outside) dynamic interface
    object network inside2
     nat (inside,outside) dynamic ouside-inside2

    ASA8-4# show xlate
    2 in use, 2 most used
    Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
    TCP PAT from inside:1.1.1.1/59611 to outside:201.100.1.110/34338 flags ri idle 0:00:08 timeout 0:00:30
    TCP PAT from inside:10.1.1.1/22181 to outside:201.100.1.10/53371 flags ri idle 0:00:19 timeout 0:00:30

5. Dynamic one-to-one first; PAT only once every address in the pool is in use

   8.2:

    ASA/pri/act# show running-config nat
    nat (inside) 10 10.1.1.0 255.255.255.0
    ASA/pri/act# show running-config global
    global (outside) 10 201.100.1.110-201.100.1.112
    global (outside) 10 201.100.1.116

    ASA/pri/act# show xlate detail
    4 in use, 5 most used
    Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static
    NAT from inside:10.1.1.1 to outside:201.100.1.110 flags i
    NAT from inside:10.1.1.3 to outside:201.100.1.112 flags i
    TCP PAT from inside:10.1.1.6/19799 to outside:201.100.1.116/1025 flags ri
    NAT from inside:10.1.1.2 to outside:201.100.1.111 flags i

   8.4 (here the fallback PAT address is the interface, so the fourth host is PATed to 201.100.1.10):

    object network outside
     range 201.100.1.110 201.100.1.112
    object network inside
     subnet 10.1.1.0 255.255.255.0
    object network inside
     nat (inside,outside) dynamic outside interface

    ASA8-4# show xlate
    4 in use, 4 most used
    Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
    TCP PAT from inside:10.1.1.4/49994 to outside:201.100.1.10/52626 flags ri idle 0:00:04 timeout 0:00:30
    NAT from inside:10.1.1.1 to outside:201.100.1.111 flags i idle 0:01:31 timeout 3:00:00
    NAT from inside:10.1.1.3 to outside:201.100.1.110 flags i idle 0:00:16 timeout 3:00:00
    NAT from inside:10.1.1.2 to outside:201.100.1.112 flags i idle 0:00:33 timeout 3:00:00
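The five dynamic cases above are the same translations written twice, once in the pre-8.3 nat/global form and once in the 8.3+ object NAT form. As an added example (not from these notes and not Cisco's own upgrade conversion), here is a Python converter that reads the pre-8.3 statements and emits the object NAT equivalent for each case: PAT to one address, dynamic NAT to a range, PAT to the interface, a range with PAT fallback, and the `nat 0` identity form. The object names (real-10.1.1.0-24, pool-10, pool-10-pat), the object-group used for a range with a fallback PAT address, and the outside interface assumed as the mapped side for `nat 0` are this script's own conventions, not anything the notes show.

```python
"""Convert pre-8.3 ASA nat/global pairs into 8.3+ object NAT.

Added example, not the notes' own config or Cisco's migration tool.  Object
names (real-<net>-<len>, pool-<id>, pool-<id>-pat) and the mapped interface
assumed for nat 0 (outside) are this script's own conventions.
"""
import ipaddress
import re
from collections import defaultdict

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)(?: netmask \S+)?$")


def parse_pre83(config):
    """Group nat and global statements by nat_id; other lines (policy NAT etc.) are ignored."""
    nats, pools = defaultdict(list), defaultdict(list)
    for raw in config.splitlines():
        line = " ".join(raw.split("//")[0].split())  # drop trailing notes, squeeze spaces
        if m := NAT_RE.match(line):
            real_if, nat_id, ip, mask = m.groups()
            nats[int(nat_id)].append((real_if, ipaddress.ip_network(f"{ip}/{mask}", strict=False)))
        elif m := GLOBAL_RE.match(line):
            mapped_if, nat_id, pool = m.groups()
            pools[int(nat_id)].append((mapped_if, pool))
    return nats, pools


def mapped_clause(nat_id, pool_entries, objects):
    """Build the 'dynamic ...' part of the 8.3+ rule, appending any helper objects."""
    kinds = [pool for _, pool in pool_entries]
    ranges = [p for p in kinds if "-" in p]
    hosts = [p for p in kinds if "-" not in p and p != "interface"]
    to_interface = "interface" in kinds
    if len(ranges) > 1:
        raise ValueError(f"nat id {nat_id}: more than one address range is not handled")
    if not ranges:  # plain PAT to one address or to the interface
        if to_interface and not hosts:
            return "dynamic interface"
        if len(hosts) == 1 and not to_interface:
            return f"dynamic {hosts[0]}"
        raise ValueError(f"nat id {nat_id}: several PAT addresses is not handled")
    lo, hi = ranges[0].split("-")
    mapped = f"pool-{nat_id}"
    objects.append(f"object network {mapped}\n range {lo} {hi}")
    if hosts:
        # 8.3+ dynamic NAT with PAT fallback to a specific address: the mapped
        # object-group holds the range for dynamic NAT plus host members that
        # are used for PAT once the range is exhausted.
        mapped = f"pool-{nat_id}-pat"
        members = [f" network-object object pool-{nat_id}"] + [f" network-object host {h}" for h in hosts]
        objects.append(f"object-group network {mapped}\n" + "\n".join(members))
    return f"dynamic {mapped}" + (" interface" if to_interface else "")


def convert(config, identity_mapped_if="outside"):
    """Return the 8.3+ object NAT configuration equivalent to a pre-8.3 config."""
    nats, pools = parse_pre83(config)
    objects, rules = [], []
    for nat_id in sorted(nats):
        for real_if, net in nats[nat_id]:
            real = f"real-{net.network_address}-{net.prefixlen}"
            objects.append(f"object network {real}\n subnet {net.network_address} {net.netmask}")
            if nat_id == 0:
                # nat (inside) 0 <net> is identity NAT; 8.3+ writes it as a static
                # translation of the object to itself (mapped interface assumed).
                mapped_if, clause = identity_mapped_if, f"static {real}"
            else:
                if nat_id not in pools:
                    raise ValueError(f"nat id {nat_id} has no global pool")
                mapped_if = pools[nat_id][0][0]
                clause = mapped_clause(nat_id, pools[nat_id], objects)
            rules.append(f"object network {real}\n nat ({real_if},{mapped_if}) {clause}")
    return "\n".join(objects + ["!"] + rules)


# Constructed inputs mirroring the dynamic cases in the notes.
PAT_FALLBACK = """
nat (inside) 10 10.1.1.0 255.255.255.0
global (outside) 10 201.100.1.110-201.100.1.112
global (outside) 10 201.100.1.116
"""
TWO_POOLS = """
nat (inside) 9 1.1.1.0 255.255.255.0
nat (inside) 10 10.1.1.0 255.255.255.0  // more specific first, then lower address
global (outside) 10 interface
global (outside) 9 201.100.1.111
"""
IDENTITY = "nat (inside) 0 10.1.1.0 255.255.255.0"

if __name__ == "__main__":
    for cfg in (PAT_FALLBACK, TWO_POOLS, IDENTITY):
        print(convert(cfg), end="\n\n")
```

Feed it the output of `show running-config nat` and `show running-config global` to convert a real pre-8.3 box. Policy NAT lines (`nat ... access-list`) are deliberately left unmatched, since they become twice NAT rules rather than object NAT, and the script raises rather than guessing when a nat_id has no global pool or an unusual pool combination.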
6. Policy NAT: inside-to-outside traffic toward different destination ports is translated to different outside IP addresses. Policy NAT always takes precedence over regular NAT.

   8.0:

    access-list pat1 extended permit tcp host 10.1.1.1 host 201.100.1.1 eq telnet
    access-list pat2 extended permit tcp host 10.1.1.1 host 201.100.1.1 eq www
    nat (inside) 10 access-list pat1
    nat (inside) 20 access-list pat2
    global (outside) 10 201.100.1.100
    global (outside) 20 201.100.1.200

    ASA/pri/act# show xlate detail
    2 in use, 5 most used
    Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static
    TCP PAT from inside:10.1.1.1/30449 to outside(pat2):201.100.1.200/1024 flags ri
    TCP PAT from inside:10.1.1.1/43167 to outside(pat1):201.100.1.100/1024 flags ri

   8.4 (Twice NAT): the new syntax translates twice, which means it can add destination-based criteria, whereas the network object NAT above is based on the source only. Object NAT is enough in most cases; Twice NAT is only for special ones like this. Object NAT is usually called Auto NAT and Twice NAT is called manual NAT.

    object network outside1
     host 201.100.1.100
    object network outside2
     host 201.100.1.200
    object network inside
     subnet 10.1.1.0 255.255.255.0
    object network outside
     host 201.100.1.1
    object service telnet
     service tcp destination eq telnet
    object service http
     service tcp destination eq www
    nat (inside,outside) source dynamic inside outside1 destination static outside outside service telnet telnet
    nat (inside,outside) source dynamic inside outside2 destination static outside outside service http http

    ASA8-4# show xlate
    1 in use, 4 most used
    Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
    TCP PAT from outside:201.100.1.1 23-23 to inside:201.100.1.1 80-80 flags srIT idle 0:00:37 timeout 0:00:00

   Note the T flag: twice NAT means both the source and the destination address can be translated.

7. Identity NAT (flag I): an address is translated to itself; mostly used for remote-access VPN.

   8.0:

    nat (inside) 0 10.1.1.0 255.255.255.0

   From the CLI help for the nat_id argument:

    <0-2147483647>  The <nat_id> of this group of hosts/networks. This <nat_id> will be referenced by the global command to associate a global pool with the local IP address. <nat_id> '0' is used to indicate no address translation for local IP. The limit is 65535 with access-lists

   So nat_id 0 means translate to itself.

    ASA/pri/act# show xlate detail
    1 in use, 5 most used
    Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static
    NAT from inside:10.1.1.1 to outside:10.1.1.1 flags iI

   Note the I flag: the address is translated to itself. The entry is still dynamic (i), so in this form outside cannot initiate connections to inside.

   8.4:

    object network iden-nat
     subnet 10.1.1.0 255.255.255.0
    object network iden-nat
     nat (inside,outside) static iden-nat

    ASA8-4# show xlate
    1 in use, 4 most used
    Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
    NAT from inside:10.1.1.0/24 to outside:10.1.1.0/24 flags sI idle 0:00:07 timeout 0:00:00

Everything above is source-based NAT; the rest of these notes covers static NAT.

8. Static NAT: a static one-to-one translation, usable from outside to inside

   8.2:

    ASA/pri/act# show running-config static
    static (inside,outside) 201.100.1.100 10.1.1.1 netmask 255.255.255.255

   The access list permits the translated address:

    access-list out line 1 extended permit tcp host 201.100.1.1 host 201.100.1.100 (hitcnt=9) 0x4a668fb0

    ASA/pri/act# show xlate detail
    1 in use, 5 most used
    Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static
    NAT from inside:10.1.1.1 to outside:201.100.1.100 flags s

   8.4:

    ASA8-4# show running-config object
    object network nat
     host 10.1.1.1
    ASA8-4# show running-config nat
    !
    object network nat
     nat (inside,outside) static 201.100.1.100

    ASA8-4# show xlate
    1 in use, 4 most used
    Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
    NAT from inside:10.1.1.1 to outside:201.100.1.100 flags s idle 0:00:52 timeout 0:00:00

    access-list out line 1 extended permit tcp host 201.100.1.1 host 10.1.1.1 (hitcnt=1) 0xe8e098f5

   Here the access list permits the inside host's real IP address. From 8.3 on, interface ACLs are evaluated against real addresses, so an ACL carried over from 8.2 that still names the mapped address no longer matches.
9. Static PAT (port redirection): there is only one public address, and connections to different ports of that address are redirected to different servers.

   8.0:

    ASA/pri/act# show running-config static
    static (inside,outside) tcp 201.100.1.100 telnet 10.1.1.1 www netmask 255.255.255.255
    static (inside,outside) tcp 201.100.1.100 www 10.1.1.2 telnet netmask 255.255.255.255

    ASA/pri/act# show xlate detail
    2 in use, 5 most used
    Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static
    TCP PAT from inside:10.1.1.1/80 to outside:201.100.1.100/23 flags s r
    TCP PAT from inside:10.1.1.2/23 to outside:201.100.1.100/80 flags sr

    access-list out line 1 extended permit tcp host 201.100.1.1 host 201.100.1.100 eq telnet (hitcnt=1) 0x57c792d9
    access-list out line 2 extended permit tcp host 201.100.1.1 host 201.100.1.100 eq www (hitcnt=0) 0x463b6a3b

   Again the access list permits the translated address and port.

   8.4 (Twice NAT):

    object network inside1
     host 10.1.1.1
    object network inside2
     host 10.1.1.2
    object network outside
     host 201.100.1.100
    object service telnet
     service tcp destination eq telnet
    object service http
     service tcp destination eq www
    object network outside-des
     host 201.100.1.1
    ASA8-4(config)# show running-config nat
    nat (outside,inside) source static outside-des outside-des destination static outside inside1 service http telnet

    access-list out line 1 extended permit tcp host 201.100.1.1 host 10.1.1.1 eq telnet (hitcnt=1) 0x213cb7ce

   The ACL names the real address and the real port (telnet on 10.1.1.1), not the 201.100.1.100:80 that the outside host actually connects to:

    R5-outside8.4# telnet 201.100.1.100 80
    Trying 201.100.1.100, 80 ... Open
    R4-inside1-8.4>

10. Static identity NAT: the inside address is translated to itself, and outside can reach it. Unlike the dynamic identity NAT of section 7, a static identity translation accepts connections initiated from outside.

   8.2:

    ASA/pri/act# show running-config static
    static (inside,outside) 10.1.1.1 10.1.1.1 netmask 255.255.255.255

    ASA/pri/act# show xlate detail
    1 in use, 5 most used
    Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static
    NAT from inside:10.1.1.1 to outside:10.1.1.1 flags s

    access-list out line 1 extended permit tcp host 201.100.1.1 host 10.1.1.1 (hitcnt=1) 0xe8e098f5

    R2-outside# telnet 10.1.1.1
    Trying 10.1.1.1 ... Open
    R1-inside>show users
        Line       User       Host(s)              Idle       Location
       0 con 0                idle                 00:00:08
    *130 vty 0                idle                 00:00:00 201.100.1.1

      Interface    User               Mode         Idle     Peer Address

   8.4:

    ASA8-4# show running-config object
    object network iden-nat
     host 10.1.1.1
    object network iden-nat
     nat (inside,outside) static 10.1.1.1

    ASA8-4# show xlate
    1 in use, 4 most used
    Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
    NAT from inside:10.1.1.1 to outside:10.1.1.1 flags sI idle 0:00:07 timeout 0:00:00

    R5-outside8.4# telnet 10.1.1.1
    Trying 10.1.1.1 ... Open

11. Static network translation (a whole subnet translated one-to-one)

   8.0:

    static (inside,outside) 201.100.1.0 10.1.1.0 netmask 255.255.255.0

    ASA/pri/act# show xlate detail
    1 in use, 5 most used
    Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static
    NAT from inside:10.1.1.0 to outside:201.100.1.0 flags s

    access-list out line 1 extended permit tcp 201.100.1.0 255.255.255.0 201.100.1.0 255.255.255.0 (hitcnt=1) 0x34f8fd73

    R2-outside# telnet 201.100.1.2
    Trying 201.100.1.2 ... Open

   8.4:

    object network inside
     subnet 10.1.1.0 255.255.255.0
    object network outside
     subnet 201.100.1.0 255.255.255.0
    object network inside
     nat (inside,outside) static outside

    ASA# show xlate
    1 in use, 1 most used
    Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
    NAT from inside:10.1.1.0/24 to outside:201.100.1.0/24 flags s idle 0:03:19 timeout 0:00:00

    access-list out line 1 extended permit tcp host 201.100.1.1 host 10.1.1.2 (hitcnt=1) 0x0b722de5

    R5-outside8.4# telnet 201.100.1.2
    Trying 201.100.1.2 ... Open
    R4-inside1-8.4>show users
        Line       User       Host(s)              Idle       Location
       0 con 0                idle                 00:00:04
    *130 vty 0                idle                 00:00:00 201.100.1.1

      Interface    User               Mode         Idle     Peer Address

12. nat (inside) 0 access-list: NAT exemption, also called no-NAT or NAT bypass, normally used for VPN, because VPN traffic must not be translated.

   8.0: nat (inside) 0 access-list <acl>, where the access list matches the VPN traffic. Traffic matched by the access list is not translated.

    access-list vpn line 1 extended permit ip host 10.1.1.1 host 201.100.1.1 (hitcnt=0) 0x732d93c0
    nat (inside) 0 access-list vpn
    nat (inside) 10 10.1.1.0 255.255.255.0

   Matching traffic is not translated; non-matching traffic is. First with R1-inside at 10.1.1.1 (matched by the exemption ACL), R2-outside sees the real address:

    R1-inside# show running-config interface ethernet 0/0
    Building configuration...

    Current configuration : 77 bytes
    !
    interface Ethernet0/0
     ip address 10.1.1.1 255.255.255.0
     half-duplex
    end
    R1-inside# telnet 201.100.1.1
    Trying 201.100.1.1 ... Open
    R2-outside>show users
        Line       User       Host(s)              Idle       Location
       0 con 0                idle                 00:04:19
    *130 vty 0                idle                 00:00:00 10.1.1.1

      Interface    User               Mode         Idle     Peer Address

   Then with R1-inside readdressed to 10.1.1.2 (not matched by the ACL), the same telnet arrives from the PAT address:

    R1-inside# show running-config interface ethernet 0/0
    Building configuration...

    Current configuration : 77 bytes
    !
    interface Ethernet0/0
     ip address 10.1.1.2 255.255.255.0
     half-duplex
    end
    R1-inside# telnet 201.100.1.1
    Trying 201.100.1.1 ... Open
    R2-outside>show users
        Line       User       Host(s)              Idle       Location
       0 con 0                idle                 00:04:49
    *130 vty 0                idle                 00:00:00 201.100.1.10

      Interface    User               Mode         Idle     Peer Address

   8.4: to bypass NAT for VPN traffic we use identity NAT, translating the address to itself. The old version solved this with nat 0; the new version has no nat 0 and uses Twice NAT combined with identity NAT instead.

   8.0:

    access-list 100 permit ip host 1.1.1.1 host 2.2.2.2
    nat (inside) 0 access-list 100

   8.4:

    object network local-vpn-traffic
     host 1.1.1.1
    object network remote-vpn-traffic
     host 2.2.2.2
    nat (inside,outside) source static local-vpn-traffic local-vpn-traffic destination static remote-vpn-traffic remote-vpn-traffic
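Sections 8 to 11 all turn on one change: before 8.3 the outside ACL permits the translated address and port, from 8.3 on it permits the real ones. As an added example (not from these notes), the following Python reads `show xlate` output in both the 8.2 and the 8.4 line formats and rewrites the destinations of a pre-8.3 ACL through the static entries, so each ACE shows what it has to become on 8.3+; identity entries and dynamic PAT entries never cause a rewrite and are reported instead. The sample xlate table and ACL are constructed from the addresses used in these notes (with non-overlapping static entries), and the port-name table covers only a few well-known ASA names.

```python
"""Parse ASA 'show xlate' output and rewrite a pre-8.3 outside ACL for 8.3+ semantics.
Added example, not the notes' own config: before 8.3 the ACL permitted the mapped
address and port; from 8.3 it must permit the real ones."""
import ipaddress
import re
from collections import namedtuple

PORT_NAMES = {"telnet": 23, "www": 80, "https": 443, "ssh": 22, "smtp": 25, "domain": 53}
PORT_BY_NUMBER = {v: k for k, v in PORT_NAMES.items()}
XLATE_RE = re.compile(
    r"^(?:(?P<proto>TCP|UDP) )?(?P<kind>NAT|PAT) from [\w()-]+:(?P<real>[\d.]+)(?:/(?P<rsfx>\d+))?"
    r" to [\w()-]+:(?P<mapped>[\d.]+)(?:/(?P<msfx>\d+))? flags (?P<flags>\S+)")
ACE_RE = re.compile(
    r"^(?P<head>access-list \S+ (?:line \d+ )?extended (?:permit|deny) \S+ (?:host \S+|\S+ \S+))"
    r" (?P<dst>host \S+|\S+ \S+)(?: eq (?P<port>\S+))?(?P<tail>.*)$")
# real/mapped are IPv4Network (/32 for a host); ports are None except on PAT entries.
Xlate = namedtuple("Xlate", "proto real real_port mapped mapped_port flags")


def is_identity(x):
    return "I" in x.flags or x.real == x.mapped


def parse_xlate(text):
    """One Xlate per 'NAT/PAT from ... to ... flags ...' line; header lines are skipped.
    In PAT lines the /N suffix is a port; in NAT lines it is a prefix length (8.3+ only,
    so an 8.2 network static shows up here as a /32)."""
    entries = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue
        pat = m["kind"] == "PAT"
        real = ipaddress.ip_network(f"{m['real']}/{32 if pat else m['rsfx'] or 32}", strict=False)
        mapped = ipaddress.ip_network(f"{m['mapped']}/{32 if pat else m['msfx'] or 32}", strict=False)
        rport = int(m["rsfx"]) if pat and m["rsfx"] else None
        mport = int(m["msfx"]) if pat and m["msfx"] else None
        entries.append(Xlate(m["proto"], real, rport, mapped, mport, m["flags"]))
    return entries


def _net(token):  # 'host A' or 'A MASK' -> IPv4Network
    if token.startswith("host "):
        return ipaddress.ip_network(token.split()[1] + "/32")
    ip, mask = token.split()
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def _token(net):
    return f"host {net.network_address}" if net.prefixlen == 32 else f"{net.network_address} {net.netmask}"


def rewrite_ace(ace, xlates):
    """Return (ace_for_8_3, note), rewriting the destination from mapped to real.
    Static PAT entries are tried before static NAT (more specific); dynamic and identity
    entries never justify a rewrite. Trailing text such as hit counters is dropped."""
    m = ACE_RE.match(ace.strip())
    if not m:
        return ace, "unparsed"
    dst = _net(m["dst"])
    port = PORT_NAMES.get(m["port"], int(m["port"]) if m["port"] and m["port"].isdigit() else None)
    for x in sorted(xlates, key=lambda x: x.mapped_port is None):
        if "s" not in x.flags or is_identity(x):
            continue
        if x.mapped_port is not None:
            if dst == x.mapped and port == x.mapped_port:
                real_port = PORT_BY_NUMBER.get(x.real_port, x.real_port)
                return (f"{m['head']} {_token(x.real)} eq {real_port}",
                        f"static PAT {x.mapped}:{x.mapped_port} -> {x.real}:{x.real_port}")
        elif dst.subnet_of(x.mapped):
            offset = int(dst.network_address) - int(x.mapped.network_address)
            real = ipaddress.ip_network(f"{x.real.network_address + offset}/{dst.prefixlen}")
            eq = f" eq {m['port']}" if m["port"] else ""
            return f"{m['head']} {_token(real)}{eq}", f"static NAT {x.mapped} -> {x.real}"
    if any("s" in x.flags and dst.subnet_of(x.real) for x in xlates):
        return ace, "already references the real address"
    return ace, "no static xlate covers this destination"


def rewrite_acl(acl_text, xlates):
    return [rewrite_ace(line, xlates) for line in acl_text.splitlines() if line.strip()]


# Constructed 'show xlate' output mixing the 8.2 and 8.4 line formats; addresses
# were chosen so that the static entries do not overlap.
SHOW_XLATE = """\
5 in use, 5 most used
NAT from inside:10.1.1.1 to outside:201.100.1.100 flags s
TCP PAT from inside:10.1.1.2/23 to outside:201.100.1.101/80 flags sr
TCP PAT from inside:10.1.1.5/61971 to outside:201.100.1.10/1024 flags ri
NAT from inside:10.1.2.0/24 to outside:201.100.2.0/24 flags s idle 0:03:19 timeout 0:00:00
NAT from inside:10.1.1.9 to outside:10.1.1.9 flags sI idle 0:00:07 timeout 0:00:00
"""
# Constructed pre-8.3 outside ACL written against the mapped addresses.
ACL_82 = """\
access-list out extended permit tcp host 201.100.1.1 host 201.100.1.100
access-list out extended permit tcp host 201.100.1.1 host 201.100.1.101 eq www
access-list out extended permit tcp host 201.100.1.1 host 201.100.2.7 eq ssh
access-list out extended permit tcp host 201.100.1.1 host 10.1.1.9
access-list out extended permit tcp host 201.100.1.1 host 201.100.1.10 eq www
"""

if __name__ == "__main__":
    for new_ace, note in rewrite_acl(ACL_82, parse_xlate(SHOW_XLATE)):
        print(f"{note:42} {new_ace}")
```

On the constructed input the first three ACEs are rewritten to 10.1.1.1, 10.1.1.2 eq telnet and 10.1.2.7 eq ssh (the last one through the 201.100.2.0/24 network static, keeping the host offset). The 10.1.1.9 ACE already names the real address, because a static identity entry maps it to itself, and the 201.100.1.10 ACE only matches a dynamic PAT address, which no static translation ever exposed to outside-initiated connections.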