 

Tag: nat

IP NAT OUTSIDE: a reverse-NAT project solution

1 Comment CISCO, Networking


Project goal:

A server in the Beijing IDC needs to fetch data from the secure segment X.X.X.X, but the destination server only allows addresses in the 100.1.1.0 range to reach the service.

Project analysis:

Given the requirement there are two reasonable options:

1. Do reverse NAT on the ingress or egress router: map the external traffic in so that it arrives as trusted traffic. That is reverse NAT, i.e. ip nat outside.

2. Use a proxy server, which requires mapping the proxy out to the customer's server.

Project implementation:

This time ROUTER2 is the main router.

Configuration:

interface GigabitEthernet0/0

ip address 192.168.130.44 255.255.255.0

ip nat inside

duplex auto

speed auto

interface GigabitEthernet0/1

ip address 99.1.1.1 255.255.255.0


ip nat outside


(The rest of this post is hidden and requires login to view, so the configuration below is only partially reproduced.)

To keep the mapped-in server from reaching anything other than the data it is entitled to, it has to be restricted with an access list:

access-list


140 deny ip any any (108 matches)

interface GigabitEthernet0/0

ip address 192.168.130.x 255.255.255.0

Why apply it on this interface? Think it through.

ACL log:

.Feb 18 09:22:14.113: %SEC-6-IPACCESSLOGP: list D100 permitted udp 100.1.1.3(9909) -> 192.168.130.218(8000), 1 packet
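The log line above is the check that matters: once the partner network is mapped in, the ACL log is the evidence that only the intended flow is being permitted. As an added example (not part of the original post), the script below parses %SEC-6-IPACCESSLOGP lines and flags any permitted flow that falls outside the whitelist. The whitelist (100.1.1.0/24 to 192.168.130.218 udp/8000) is inferred from the single log line on the page, and every other log line in the sample is constructed:

```python
"""Parse Cisco IOS ACL log messages (%SEC-6-IPACCESSLOGP) and audit the flows the
router permitted against the whitelist the post is trying to enforce.

Added example, not code from the original post.  The whitelist is inferred from the
one real log line on the page; the other sample log lines are constructed."""
import ipaddress
import re
from dataclasses import dataclass

# IPACCESSLOGP is emitted for TCP/UDP ACEs that carry the "log" keyword.  The first
# hit of a flow is logged at once, later hits are summarised with a packet count,
# hence "1 packet" / "N packets".
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


@dataclass(frozen=True)
class Flow:
    acl: str
    action: str
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    packets: int


def parse_line(line):
    """Return a Flow for an IPACCESSLOGP line, or None for any other syslog line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Flow(
        m["acl"], m["action"], m["proto"],
        ipaddress.IPv4Address(m["src"]), int(m["sport"]),
        ipaddress.IPv4Address(m["dst"]), int(m["dport"]), int(m["count"]),
    )


# Intended policy for the mapped-in partner: only 100.1.1.0/24 may talk to the data
# server, and only on udp/8000.  (Hypothetical; the page shows just one permitted flow.)
ALLOWED_SRC = ipaddress.IPv4Network("100.1.1.0/24")
ALLOWED_SERVICES = {("udp", ipaddress.IPv4Address("192.168.130.218"), 8000)}


def conforms(flow):
    return flow.src in ALLOWED_SRC and (flow.proto, flow.dst, flow.dport) in ALLOWED_SERVICES


def audit(lines):
    """Permitted flows that fall outside the whitelist: each one is a hole in the ACL."""
    return [f for f in map(parse_line, lines)
            if f is not None and f.action == "permitted" and not conforms(f)]


# Constructed sample: the page's real line first, then two made-up lines.
SAMPLE_LOG = [
    ".Feb 18 09:22:14.113: %SEC-6-IPACCESSLOGP: list D100 permitted udp "
    "100.1.1.3(9909) -> 192.168.130.218(8000), 1 packet",
    ".Feb 18 09:27:31.002: %SEC-6-IPACCESSLOGP: list D100 permitted tcp "
    "100.1.1.3(51022) -> 192.168.130.50(445), 3 packets",      # not in the whitelist
    ".Feb 18 09:28:05.417: %SEC-6-IPACCESSLOGP: list D100 denied tcp "
    "100.1.1.9(40001) -> 192.168.130.218(22), 1 packet",       # denies are fine
]

if __name__ == "__main__":
    for hole in audit(SAMPLE_LOG):
        print(f"unexpected permit: {hole.proto} {hole.src}:{hole.sport} -> {hole.dst}:{hole.dport}")
```

Feed it the router's syslog (or the output of show logging) and anything it prints is a flow the ACL let through that the design never intended; denied entries are ignored on purpose, since those are the ACL doing its job.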

Original: dial-up with a Cisco router, NAT for shared Internet access on the LAN

No Comments Networking

Dial-up with a Cisco router, with NAT so the LAN shares the connection.

Configuration steps:

Two main parts.

Part 1:

1. Create an ACL, either a standard or an extended ACL (it matches the address range of the users going online).

access-list 1 permit 192.168.0.0 0.0.255.255

or

access-list 100 permit ip any any

2. Configure NAT (the NAT mapping)

ip nat inside source list 1 interface dialer1 overload

This interface is the dialer interface; if that is unclear, keep reading.

3. Apply NAT to the interfaces (the dialer interface is the outside)

int dialer1 //dialer interface

ip nat outside //outbound side

int e0/1 //LAN interface; more than one interface can be NAT inside

ip nat inside //inbound side

Part 2: creating the PPPoE dial-up

1. Enable VPDN (establishes the PPPoE identity)

vpdn enable

vpdn-group pppoe_client

request-dialin

protocol pppoe

exit

exit

2. Enter the physical interface that the dialer runs over

int e0/0 //the interface connected to the modem

no ip add //no address

no shut

pppoe enable //turn on PPPoE

pppoe-client dial-pool-number 1 //key point: this ties the physical interface to the virtual dialer interface; think this line through

Note that pppoe-client here and pppoe_client above are two completely different things: pppoe-client is a command keyword, pppoe_client is just a label, the name of the vpdn-group.

3. The most important part: configure the virtual dialer interface.

int dialer 1 //enter the virtual dialer interface

encapsulation ppp //PPP encapsulation

ppp pap sent-username [email protected] password 13714240380 //PAP authentication: the username and password are your ADSL dial-up account and password

This lab assumes the ISP (China Telecom) uses PAP authentication. With CHAP the configuration is slightly more involved and you will need to understand how CHAP works.

dialer pool 1 //note: this is what associates the virtual interface with the physical interface above

ip mtu 1492 //You know what MTU is. Why not 1500? PPPoE adds 8 bytes of header (6 PPPoE + 2 PPP) inside the 1500-byte Ethernet payload, so IP gets 1492. This is commonly paired with ip tcp adjust-mss 1452 on the LAN interface, which this configuration does not include.

ip nat outside //mentioned earlier

ip address negotiated //obtain an IP address; a PC dialing up also gets its address dynamically

Finally, don't forget to add a default route:

ip route 0.0.0.0 0.0.0.0 dialer1


Example (complete running configuration from a 2811). Note that this capture has no service password-encryption, enable password cisco, a cisco/cisco privilege-15 user and ip http server enabled; those are lab settings and should not be carried into a production router:

2811#sh run

Building configuration…

Current configuration : 1306 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname 2811

!

boot-start-marker

boot-end-marker

!

enable password cisco

!

no aaa new-model

clock timezone GMT 8

!

!

ip cef

!

!

multilink bundle-name authenticated

vpdn enable

!

vpdn-group pppoe_client

request-dialin

l2tp tunnel receive-window 1024

!

!

!

!

username cisco privilege 15 password 0 cisco

archive

log config

hidekeys

!

!

!

!

!

interface FastEthernet0/0

no ip address

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

pppoe enable

pppoe-client dial-pool-number 1

!

interface FastEthernet0/1

ip address 192.168.1.254 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

interface Dialer1

ip address negotiated

ip mtu 1492

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

ppp pap sent-username ad65039771 password 0 vGQifu7S

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer1

ip route 192.168.2.0 255.255.255.0 192.168.1.1

!

!

ip http server

ip nat inside source list 101 interface Dialer1 overload

!

access-list 101 permit ip any any

!

!

control-plane

!

!

line con 0

line aux 0

line vty 0 4

login local

line vty 5 15

login local

!

scheduler allocate 20000 1000

!

end

NAT in detail

No Comments Networking


21.10. Adjusting entry lifetimes in the NAT translation table

Question: adjust how long entries stay in the NAT translation table

Answer

Router#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#ip nat translation tcp-timeout 500

Router(config)#ip nat translation udp-timeout 30

Router(config)#ip nat translation dns-timeout 30

Router(config)#ip nat translation icmp-timeout 30

Router(config)#ip nat translation finrst-timeout 30

Router(config)#ip nat translation syn-timeout 30

Router(config)#end

Router#

The maximum number of entries in the translation table can also be limited:

Router#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#ip nat translation max-entries 1000

Router(config)#end

Router#

Note: the defaults are 24 hours for TCP, 5 minutes for UDP and 1 minute for DNS. The timeout values above are in seconds.

21.11. Changing FTP's TCP port

Question: an FTP server uses a non-standard port

Answer

Router#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#access-list 19 permit 192.168.55.5

Router(config)#ip nat service list 19 ftp tcp port 8021

Router(config)#ip nat service list 19 ftp tcp port 21

Router(config)#end

Router#

Note: from 12.2(4)T onward Cisco added the no-payload keyword, which stops NAT from rewriting address information carried inside the packet payload (the application-layer fix-ups).

Router#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#interface FastEthernet0/0

Router(config-if)#ip address 172.16.1.5 255.255.255.252

Router(config-if)#ip nat outside

Router(config-if)#exit

Router(config)#interface FastEthernet0/1

Router(config-if)#ip address 192.168.1.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#ip nat inside source static 192.168.1.10 172.16.1.5 no-payload

Router(config)#end

Router#

21.12. Checking NAT status

Question: view current NAT information

Answer

Router#show ip nat translation

Router#clear ip nat translation *

Router#clear ip nat translation inside 172.18.3.2

Router#clear ip nat translation outside 192.168.1.10

Router#show ip nat statistics

Router#clear ip nat statistics

Note: the columns of Router#show ip nat translation are

Pro Inside global      Inside local       Outside local      Outside global

"Inside global" is the translated address of an inside device, "Inside local" is the real address of an inside device, "Outside local" is the translated address of an outside device, and "Outside global" is the real address of an outside device. Global addresses are what is seen on the outside, local addresses what is seen on the inside.

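As an added example that is not from the original page, the script below parses show ip nat translation output into those four roles and runs the checks a practitioner usually wants after looking at the table: counts per protocol, how many entries are port translations, how much room is left before max-entries, and whether any inside-local host lies outside the range the NAT access list was meant to match. The output block is constructed to resemble IOS output; the 192.168.0.0/16 range and max-entries 1000 are the values used in the recipes on this page.

```python
"""Parse 'show ip nat translations' output into the four address roles and run a few
sanity checks over it.

Added example; not code from the original page.  The output block below is
constructed to resemble IOS output: PAT entries carry :port, static address-only
entries show '---' in the protocol column, and an 'ip nat outside source static'
entry has only the two outside columns filled in."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class Translation:
    proto: str                       # 'tcp', 'udp', 'icmp', or '---' for an address-only entry
    inside_global: Optional[str]     # inside host as seen from the outside
    inside_local: Optional[str]      # inside host's real address
    outside_local: Optional[str]     # outside host as seen from the inside
    outside_global: Optional[str]    # outside host's real address


def _field(tok):
    return None if tok == "---" else tok


def _host(tok):
    """Drop the :port suffix that PAT entries carry."""
    return ipaddress.IPv4Address(tok.split(":")[0])


def parse_translations(text):
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":   # skip header, blank and odd lines
            continue
        entries.append(Translation(parts[0], *map(_field, parts[1:])))
    return entries


def summarize(entries):
    """Per-protocol counts plus how many entries are port translations (overload)."""
    return {
        "by_proto": dict(Counter(e.proto for e in entries)),
        "pat_entries": sum(1 for e in entries if e.inside_global and ":" in e.inside_global),
        "total": len(entries),
    }


def unexpected_inside_locals(entries, permitted):
    """Inside-local hosts the NAT access list should never have matched.  A hit here
    means the ACL feeding 'ip nat inside source list' is wider than intended."""
    net = ipaddress.IPv4Network(permitted)
    return sorted({str(_host(e.inside_local)) for e in entries
                   if e.inside_local and _host(e.inside_local) not in net})


def headroom(entries, max_entries):
    """Entries left before 'ip nat translation max-entries' refuses new flows."""
    return max_entries - len(entries)


# Constructed to look like IOS output; not a real capture.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 172.16.1.5:1024    192.168.1.10:1024  10.0.0.5:80        10.0.0.5:80
udp 172.16.1.5:5000    192.168.1.22:5000  8.8.8.8:53         8.8.8.8:53
tcp 172.16.1.5:1025    10.9.9.9:1025      10.0.0.5:22        10.0.0.5:22
--- 172.16.1.10        192.168.1.15       ---                ---
--- ---                ---                192.168.15.5       172.16.5.25
"""

if __name__ == "__main__":
    table = parse_translations(SAMPLE_OUTPUT)
    print(summarize(table))
    print("outside the NAT ACL:", unexpected_inside_locals(table, "192.168.0.0/16"))
    print("headroom at max-entries 1000:", headroom(table, 1000))
```

The last two sample rows show how the table distinguishes the two translation directions: an inside source static entry fills the two inside columns, an outside source static entry fills only the two outside columns.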
21.13. NAT troubleshooting

Question: troubleshoot NAT

Answer

Router#debug ip nat

Router#debug ip nat detailed

Router#debug ip nat 15

Router#debug ip nat 15 detailed

21.1. Enabling basic NAT

Question: enable basic NAT on the router

Answer

Router#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#access-list 15 permit 192.168.0.0 0.0.255.255

Router(config)#ip nat inside source list 15 interface Ethernet0/0 overload

Router(config)#interface FastEthernet0/2

Router(config-if)#ip address 192.168.1.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#interface FastEthernet0/1

Router(config-if)#ip address 192.168.2.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#interface Ethernet0/0

Router(config-if)#ip address 172.16.1.5 255.255.255.252

Router(config-if)#ip nat outside

Router(config-if)#exit

Router(config)#end

Router#

Note: this configuration rewrites the source of traffic from 192.168.0.0/16 to 172.16.1.5 as it leaves for the outside network, i.e. basic address translation. Since all inside hosts share the single address of the outside interface, overload (PAT) is required, and the interface named in the ip nat inside source command must be the one marked ip nat outside (Ethernet0/0, 172.16.1.5, here).

21.2. Dynamically assigning outside addresses

Question: allocate outside addresses dynamically from a specific pool

Answer

Router#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#access-list 15 permit 192.168.0.0 0.0.255.255

Router(config)#ip nat pool NATPOOL 172.16.1.100 172.16.1.150 netmask 255.255.255.0

Router(config)#ip nat inside source list 15 pool NATPOOL

Router(config)#interface FastEthernet 0/0

Router(config-if)#ip address 192.168.1.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#interface FastEthernet 0/1

Router(config-if)#ip address 192.168.2.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#interface Ethernet1/0

Router(config-if)#ip address 172.16.1.2 255.255.255.0

Router(config-if)#ip nat outside

Router(config-if)#exit

Router(config)#end

Router#

Note: ip nat inside source list 15 pool NATPOOL defines the pool of addresses that inside hosts are translated to. Without overload each inside host consumes one pool address, and once the pool is exhausted new translations fail; with the overload keyword the addresses are reused with port translation, starting again from the first address. The pool does not have to be in the same subnet as the outside interface, as long as the outside network routes the pool back to this router.

21.3. Statically assigning outside addresses

Question: translate specific inside addresses to specific outside addresses

Answer

Router#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#ip nat inside source static 192.168.1.15 172.16.1.10

Router(config)#ip nat inside source static 192.168.1.16 172.16.1.11

Router(config)#interface FastEthernet 0/0

Router(config-if)#ip address 192.168.1.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#interface FastEthernet 0/1

Router(config-if)#ip address 192.168.2.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#interface Ethernet1/0

Router(config-if)#ip address 172.16.1.2 255.255.255.0

Router(config-if)#ip nat outside

Router(config-if)#exit

Router(config)#end

Router#

Note: static address translation. Each mapping is permanent and bidirectional, so 172.16.1.10 is reachable from the outside and always lands on 192.168.1.15.

21.4. Combining static and dynamic translation

Question: combine static and dynamic address translation

Answer

Router#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#access-list 15 deny 192.168.1.15 0.0.0.0

Router(config)#access-list 15 deny 192.168.1.16 0.0.0.0

Router(config)#access-list 15 permit 192.168.0.0 0.0.255.255

Router(config)#ip nat inside source static 192.168.1.15 172.16.1.10

Router(config)#ip nat inside source static 192.168.1.16 172.16.1.11

Router(config)#ip nat pool NATPOOL 172.16.1.100 172.16.1.150 netmask 255.255.255.0

Router(config)#ip nat inside source list 15 pool NATPOOL overload

Router(config)#interface FastEthernet0/0

Router(config-if)#ip address 192.168.1.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#interface FastEthernet0/1

Router(config-if)#ip address 192.168.2.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#interface Ethernet0/0

Router(config-if)#ip address 172.16.1.2 255.255.255.0

Router(config-if)#ip nat outside

Router(config-if)#exit

Router(config)#end

Router#

Note: the access list here excludes the addresses that have static translations. This is not strictly required, because static translations take precedence over dynamic ones, but the outside addresses used by the static entries must be kept out of the dynamic pool (here 172.16.1.10 and .11 lie outside the 172.16.1.100-150 pool).

21.5. Controlling translation rules with route maps

Question: use route maps for finer control over address translation

Answer

Router#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#interface FastEthernet0/0

Router(config-if)#ip address 172.16.1.5 255.255.255.252

Router(config-if)#ip nat outside

Router(config-if)#exit

Router(config)#interface FastEthernet0/1

Router(config-if)#ip address 172.16.2.5 255.255.255.252

Router(config-if)#ip nat outside

Router(config-if)#exit

Router(config)#interface FastEthernet0/2

Router(config-if)#ip address 192.168.1.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#ip nat inside source route-map ISP-1 interface FastEthernet0/0 overload

Router(config)#ip nat inside source route-map ISP-2 interface FastEthernet0/1 overload

Router(config)#route-map ISP-1 permit 10

Router(config-route-map)#match interface FastEthernet0/0

Router(config-route-map)#exit

Router(config)#route-map ISP-2 permit 10

Router(config-route-map)#match interface FastEthernet0/1

Router(config-route-map)#exit

Router(config)#end

Router#

Note: for the case of several outside interfaces (e.g. two ISPs). Each route map matches the egress interface, so a packet is translated to the address of whichever interface it actually leaves on, and the return traffic is untranslated correctly.

21.6. Translating in both directions at once

Question: translate inside and outside addresses at the same time

Answer

Router#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#access-list 15 deny 192.168.1.15

Router(config)#access-list 15 permit 192.168.0.0 0.0.255.255

Router(config)#access-list 16 deny 172.16.5.25

Router(config)#access-list 16 permit 172.16.0.0 0.0.255.255

Router(config)#ip nat pool NATPOOL 172.16.1.100 172.16.1.150 netmask 255.255.255.0

Router(config)#ip nat pool INBOUNDNAT 192.168.15.100 192.168.15.200 netmask 255.255.255.0

Router(config)#ip nat inside source list 15 pool NATPOOL overload

Router(config)#ip nat outside source list 16 pool INBOUNDNAT

Router(config)#ip nat inside source static 192.168.1.15 172.16.1.10

Router(config)#ip nat outside source static 172.16.5.25 192.168.15.5

Router(config)#ip route 192.168.15.0 255.255.255.0 Ethernet0/0

Router(config)#interface FastEthernet 0/0

Router(config-if)#ip address 192.168.1.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#interface FastEthernet 0/1

Router(config-if)#ip address 192.168.2.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#interface Ethernet0/0

Router(config-if)#ip address 172.16.1.2 255.255.255.0

Router(config-if)#ip nat outside

Router(config-if)#exit

Router(config)#end

Router#


21.7. Rewriting a network prefix

Question: simply change the prefix of a whole network segment

Answer

Router#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#ip nat outside source static network 172.16.0.0 172.17.0.0 /16 no-alias

Router(config)#ip route 172.16.0.0 255.255.0.0 Ethernet1/0

Router(config)#ip route 172.17.0.0 255.255.0.0 Ethernet1/0

Router(config)#interface FastEthernet 0/0

Router(config-if)#ip address 10.1.1.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#interface Ethernet1/0

Router(config-if)#ip address 172.16.1.6 255.255.255.252

Router(config-if)#ip nat outside

Router(config-if)#exit

Router(config)#end

Router#

Note: for two networks that need to talk to each other but have overlapping address ranges. The no-alias keyword stops the router from answering ARP for the mapped addresses.

21.8. Server load sharing with NAT

Question: several servers share one IP address so that an application is load-shared across them

Answer

Router#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#interface FastEthernet0/0

Router(config-if)#ip address 192.168.1.1 255.255.255.0

Router(config-if)#ip nat inside

Router(config-if)#exit

Router(config)#interface FastEthernet0/1

Router(config-if)#ip address 192.168.2.1 255.255.255.0

Router(config-if)#ip nat outside

Router(config-if)#exit

Router(config)#ip nat pool WEBSERVERS 192.168.1.101 192.168.1.105 netmask 255.255.255.0 type rotary

Router(config)#access-list 20 permit host 192.168.1.100

Router(config)#ip nat inside destination list 20 pool WEBSERVERS

Router(config)#end

Router#

Note: what differs here is the rotary keyword on the pool and the use of destination instead of source in the translation rule: new connections to the virtual address 192.168.1.100 are handed to 192.168.1.101 through .105 in turn. This is the poor man's load balancing: the router does not check server health, so a failed server keeps receiving its share of connections.

21.9. Stateful NAT failover

Question: deploy NAT in a high-availability network so that when one device fails the other takes over NAT

Answer

RouterA

Router-A#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router-A(config)#access-list 11 permit any

Router-A(config)#ip nat pool NATPOOL 172.17.100.100 172.17.100.150 netmask 255.255.255.0

Router-A(config)#ip nat inside source list 11 pool NATPOOL mapping-id 1

Router-A(config)#interface FastEthernet0/0

Router-A(config-if)#ip address 192.168.1.3 255.255.255.0

Router-A(config-if)#ip nat inside

Router-A(config-if)#standby 1 ip 192.168.1.1

Router-A(config-if)#standby 1 preempt

Router-A(config-if)#standby 1 name SNATGROUP

Router-A(config-if)#exit

Router-A(config)#interface Serial0/0

Router-A(config-if)#ip address 172.17.55.2 255.255.255.252

Router-A(config-if)#ip nat outside

Router-A(config-if)#exit

Router-A(config)#ip nat Stateful id 1

Router-A(config-ipnat-snat)#redundancy SNATGROUP

Router-A(config-ipnat-snat-red)#mapping-id 1

Router-A(config-ipnat-snat-red)#exit

Router-A(config)#end

Router-A#

RouterB

Router-B#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router-B(config)#access-list 11 permit any

Router-B(config)#ip nat pool NATPOOL 172.17.100.100 172.17.100.150 netmask 255.255.255.0

Router-B(config)#ip nat inside source list 11 pool NATPOOL mapping-id 1

Router-B(config)#interface FastEthernet0/0

Router-B(config-if)#ip address 192.168.1.2 255.255.255.0

Router-B(config-if)#ip nat inside

Router-B(config-if)#standby 1 ip 192.168.1.1

Router-B(config-if)#standby 1 priority 90

Router-B(config-if)#standby 1 preempt

Router-B(config-if)#standby 1 name SNATGROUP

Router-B(config-if)#exit

Router-B(config)#interface Serial0/0

Router-B(config-if)#ip address 172.17.55.6 255.255.255.252

Router-B(config-if)#ip nat outside

Router-B(config-if)#exit

Router-B(config)#ip nat Stateful id 1

Router-B(config-ipnat-snat)#redundancy SNATGROUP

Router-B(config-ipnat-snat-red)#mapping-id 1

Router-B(config-ipnat-snat-red)#exit

Router-B(config)#end

Router-B#

Note: HSRP alone solves availability but does not synchronize the NAT translation tables, so existing sessions break on failover. From 12.2(13)T Cisco added Stateful NAT (SNAT), which keeps the two devices' translation tables in sync; the key command is ip nat stateful id, written Stateful in the example above. IOS keywords are not case-sensitive, but the HSRP group name given to redundancy must match the standby name exactly, and mapping-id must be the same on both routers. In this form SNAT is tied to HSRP and cannot be used with VRRP or GLBP (SNAT also has a primary/backup mode that does not depend on HSRP). Several HSRP groups can be used to spread the load between the two routers.

ASA 8.3: how to configure nat and nat0

No Comments CISCO

NAT in 8.3 is very different from earlier versions.

Network Object NAT configuration

1. Dynamic NAT (dynamic one-to-one)

Example 1:

Legacy configuration:

nat (Inside) 1 10.1.1.0 255.255.255.0

global (Outside) 1 202.100.1.100-202.100.1.200

New method (Network Object NAT):

object network Outside-Nat-Pool

range 202.100.1.100 202.100.1.200

object network Inside-Network

subnet 10.1.1.0 255.255.255.0

object network Inside-Network

nat (Inside,Outside) dynamic Outside-Nat-Pool

Example 2:

object network Outside-Nat-Pool

range 202.100.1.100 202.100.1.200

object network Outside-PAT-Address

host 202.100.1.201

object-group network Outside-Address

network-object object Outside-Nat-Pool

network-object object Outside-PAT-Address

object network Inside-Network

(First dynamic one-to-one from the .100-.200 range, then dynamic PAT on 202.100.1.201, and finally dynamic PAT on the interface address.)

nat (Inside,Outside) dynamic Outside-Address interface

教主 (the instructor) sees the advantage of this style as follows: the new nat command is bound to both the source and the destination interface, so the classic problem of a translation unintentionally affecting DMZ traffic, which used to need nat 0 plus an ACL to work around, does not arise.

2. Dynamic PAT (Hide) (dynamic many-to-one)

Legacy configuration:

nat (Inside) 1 10.1.1.0 255.255.255.0

global(outside) 1 202.100.1.101

New method (Network Object NAT):

object network Inside-Network

subnet 10.1.1.0 255.255.255.0

object network Outside-PAT-Address

host 202.100.1.101

object network Inside-Network

nat (Inside,Outside) dynamic Outside-PAT-Address

or

nat (Inside,Outside) dynamic 202.100.1.102

3. Static NAT or Static NAT with Port Translation (static one-to-one, static port translation)

Example 1 (static one-to-one):

Legacy configuration:

static (Inside,outside) 202.100.1.101 10.1.1.1

New method (Network Object NAT):

object network Static-Outside-Address

host 202.100.1.101

object network Static-Inside-Address

host 10.1.1.1

object network Static-Inside-Address

nat (Inside,Outside) static Static-Outside-Address

or

nat (Inside,Outside) static 202.100.1.102

Example 2 (static port translation):

Legacy configuration:

static (inside,outside) tcp 202.100.1.102 2323 10.1.1.1 23

New method (Network Object NAT):

object network Static-Outside-Address

host 202.100.1.101

object network Static-Inside-Address

host 10.1.1.1

object network Static-Inside-Address

nat (Inside,Outside) static Static-Outside-Address service tcp telnet 2323

or

nat (Inside,Outside) static 202.100.1.101 service tcp telnet 2323

4.Identity NAT

Legacy configuration:

nat (inside) 0 10.1.1.1 255.255.255.255

New method (Network Object NAT):

object network Inside-Address

host 10.1.1.1

object network Inside-Address

nat (Inside,Outside) static Inside-Address

or

nat (Inside,Outside) static 10.1.1.1

Twice NAT (similar to Policy NAT)

Example 1:

Legacy configuration:

access-list inside-to-1 permit ip 10.1.1.0 255.255.255.0 host 1.1.1.1

access-list inside-to-202 permit ip 10.1.1.0 255.255.255.0 host 202.100.1.1

nat (inside) 1 access-list inside-to-1

nat (inside) 2 access-list inside-to-202

global(outside) 1 202.100.1.101

global(outside) 2 202.100.1.102

New method (Twice NAT):

object network dst-1

host 1.1.1.1

object network dst-202

host 202.100.1.1

object network pat-1

host 202.100.1.101

object network pat-2

host 202.100.1.102

object network Inside-Network

subnet 10.1.1.0 255.255.255.0

nat (Inside,Outside) source dynamic Inside-Network pat-1 destination static dst-1 dst-1

nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202

Example 2:

Legacy configuration:

access-list inside-to-1 permit ip 10.1.1.0 255.255.255.0 host 1.1.1.1

access-list inside-to-202 permit ip 10.1.1.0 255.255.255.0 host 202.100.1.1

nat (inside) 1 access-list inside-to-1

nat (inside) 2 access-list inside-to-202

global(outside) 1 202.100.1.101

global(outside) 2 202.100.1.102

static (outside,inside) 10.1.1.101 1.1.1.1

static (outside,inside) 10.1.1.102 202.100.1.1

New method (Twice NAT):

object network dst-1

host 1.1.1.1

object network dst-202

host 202.100.1.1

object network pat-1

host 202.100.1.101

object network pat-2

host 202.100.1.102

object network Inside-Network

subnet 10.1.1.0 255.255.255.0

object network map-dst-1

host 10.1.1.101

object network map-dst-202

host 10.1.1.102

nat (Inside,Outside) source dynamic Inside-Network pat-1 destination static map-dst-1 dst-1

nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static map-dst-202 dst-202

Example 3:

Legacy configuration:

access-list inside-to-1 permit tcp 10.1.1.0 255.255.255.0 host 1.1.1.1 eq 23

access-list inside-to-202 permit tcp 10.1.1.0 255.255.255.0 host 202.100.1.1 eq 3032

nat (inside) 1 access-list inside-to-1

nat (inside) 2 access-list inside-to-202

global(outside) 1 202.100.1.101

global(outside) 2 202.100.1.102

New method (Twice NAT):

object network dst-1

host 1.1.1.1

object network dst-202

host 202.100.1.1

object network pat-1

host 202.100.1.101

object network pat-2

host 202.100.1.102

object network Inside-Network

subnet 10.1.1.0 255.255.255.0

object service telnet23

service tcp destination eq telnet

object service telnet3032

service tcp destination eq 3032

nat (Inside,Outside) source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23

nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202 service telnet3032 telnet3032

Main Differences Between Network Object NAT and Twice NAT

How you define the real address.

– Network object NAT—You define NAT as a parameter for a network object; the network object definition itself provides the real address. This method lets you easily add NAT to network objects. The objects can also be used in other parts of your configuration, for example, for access rules or even in twice NAT rules.

– Twice NAT—You identify a network object or network object group for both the real and mapped addresses. In this case, NAT is not a parameter of the network object; the network object or group is a parameter of the NAT configuration. The ability to use a network object group for the real address means that twice NAT is more scalable.

How source and destination NAT is implemented.

– Network object NAT— Each rule can apply to either the source or destination of a packet. So two rules might be used, one for the source IP address, and one for the destination IP address. These two rules cannot be tied together to enforce a specific translation for a source/destination combination.

– Twice NAT—A single rule translates both the source and destination. A matching packet only matches the one rule, and further rules are not checked. Even if you do not configure the optional destination address for twice NAT, a matching packet still only matches one twice NAT rule. The source and destination are tied together, so you can enforce different translations depending on the source/destination combination. For example, sourceA/destinationA can have a different translation than sourceA/destinationB.

We recommend using network object NAT unless you need the extra features that twice NAT provides. Network object NAT is easier to configure, and might be more reliable for applications such as Voice over IP (VoIP).

Ordering example. Section 2 (Network Object NAT) rules are ordered by the ASA itself: static rules before dynamic ones, then the rule covering the fewest real addresses first, then by lowest real IP address, then by object name. The following rules are therefore evaluated in this order:

192.168.1.1/32 (static)

10.1.1.0/24 (static)

192.168.1.0/24 (static)

172.16.1.0/24 (dynamic) (object abc)

172.16.1.0/24 (dynamic) (object def)

192.168.1.0/24 (dynamic)

Commands to view the NAT order:

ASA(config)# sh run nat

nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202 service telnet3032 telnet3032

!

object network Inside-Network

nat (Inside,Outside) dynamic 202.100.1.105

!

nat (Inside,Outside) after-auto source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23

ASA(config)# sh nat

Manual NAT Policies (Section 1)

1 (Inside) to (Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202 service telnet3032 telnet3032

  translate_hits = 1, untranslate_hits = 0

Auto NAT Policies (Section 2)

1 (Inside) to (Outside) source dynamic Inside-Network 202.100.1.105

  translate_hits = 0, untranslate_hits = 0

Manual NAT Policies (Section 3)

1 (Inside) to (Outside) source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23

translate_hits = 0, untranslate_hits = 0

How to reorder and insert NAT rules: a manual (Twice NAT) rule can be given a line number, which places it at that position in Section 1 and pushes the existing rules down. Here the pat-1 rule, which as an after-auto rule in Section 3 was never reached because the Section 2 object NAT for Inside-Network matched first, is entered as line 1 of Section 1 so that it is checked ahead of everything else:

nat (Inside,Outside) 1 source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23
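The ordering rules and first-match behaviour described above (including the point that a Twice NAT rule ties source and destination together while object NAT matches on source only) are easy to get wrong, and the sh nat output shows the symptom: the after-auto pat-1 rule never matches because the Section 2 object NAT for Inside-Network catches the traffic first. As an added example, not ASA code or anything from the original post, the Python below models the three sections, the automatic Section 2 sort order, first-match lookup and the effect of inserting a manual rule at line 1. The object names abc, def, pat-1, pat-2 and Inside-Network come from the page; the other object names and the mapped addresses are made up for the demonstration.

```python
"""Model of the ASA 8.3 NAT table: three sections, automatic ordering of Network
Object (Auto) NAT in Section 2, and first-match lookup.

Added example; a simplified model, not ASA code.  Names abc, def, pat-1, pat-2 and
Inside-Network are the page's; the other names and mapped addresses are made up."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    name: str                          # object name (auto NAT) or a label (manual NAT)
    real: str                          # real source network in CIDR form
    kind: str                          # "static" or "dynamic"
    mapped: str                        # mapped address / pool, kept only as a label
    manual: bool = False               # Twice NAT (manual) rather than Network Object NAT
    after_auto: bool = False           # manual rule placed in Section 3
    destination: Optional[str] = None  # Twice NAT only: real destination network
    dport: Optional[int] = None        # Twice NAT only: TCP destination port


def auto_nat_key(rule):
    """Section 2 order: static before dynamic, then fewest real addresses, then lowest
    real IP, then object name alphabetically."""
    net = ipaddress.IPv4Network(rule.real)
    return (0 if rule.kind == "static" else 1, net.num_addresses,
            int(net.network_address), rule.name)


def ordered_table(rules):
    """(section, rule) pairs in evaluation order.  Sections 1 and 3 keep configuration
    order; Section 2 is sorted by the ASA, not by the administrator."""
    s1 = [r for r in rules if r.manual and not r.after_auto]
    s2 = sorted((r for r in rules if not r.manual), key=auto_nat_key)
    s3 = [r for r in rules if r.manual and r.after_auto]
    return [(1, r) for r in s1] + [(2, r) for r in s2] + [(3, r) for r in s3]


def matches(rule, src, dst, dport):
    """Twice NAT ties source and destination together; auto NAT matches source only."""
    if ipaddress.IPv4Address(src) not in ipaddress.IPv4Network(rule.real):
        return False
    if rule.destination and ipaddress.IPv4Address(dst) not in ipaddress.IPv4Network(rule.destination):
        return False
    return rule.dport is None or rule.dport == dport


def lookup(rules, src, dst, dport):
    """First match wins; once a rule matches, later sections are never consulted."""
    for section, rule in ordered_table(rules):
        if matches(rule, src, dst, dport):
            return section, rule.name
    return None


def insert_manual(rules, rule, line=1):
    """Model 'nat (Inside,Outside) <line> source ...': drop any rule of the same name,
    then place the rule at the given line of Section 1, pushing the others down."""
    rules[:] = [r for r in rules if r.name != rule.name]
    rule.manual, rule.after_auto = True, False
    s1_positions = [i for i, r in enumerate(rules) if r.manual and not r.after_auto]
    if line - 1 < len(s1_positions):
        rules.insert(s1_positions[line - 1], rule)
    else:
        rules.append(rule)


# The page's Section 2 ordering example, deliberately listed out of order.
ORDER_EXAMPLE = [
    Rule("net-192-dyn", "192.168.1.0/24", "dynamic", "pool"),
    Rule("def", "172.16.1.0/24", "dynamic", "pool"),
    Rule("net-192", "192.168.1.0/24", "static", "202.100.1.0/24"),
    Rule("abc", "172.16.1.0/24", "dynamic", "pool"),
    Rule("net-10", "10.1.1.0/24", "static", "202.100.2.0/24"),
    Rule("host-1", "192.168.1.1/32", "static", "202.100.1.101"),
]

# The three-section table that 'sh nat' prints on the page.
SH_NAT_EXAMPLE = [
    Rule("pat-2", "10.1.1.0/24", "dynamic", "pat-2", manual=True,
         destination="202.100.1.1/32", dport=3032),
    Rule("Inside-Network", "10.1.1.0/24", "dynamic", "202.100.1.105"),
    Rule("pat-1", "10.1.1.0/24", "dynamic", "pat-1", manual=True, after_auto=True,
         destination="1.1.1.1/32", dport=23),
]

if __name__ == "__main__":
    print([r.name for _, r in ordered_table(ORDER_EXAMPLE)])
    print(lookup(SH_NAT_EXAMPLE, "10.1.1.5", "1.1.1.1", 23))   # shadowed by Section 2
    table = list(SH_NAT_EXAMPLE)
    insert_manual(table, Rule("pat-1", "10.1.1.0/24", "dynamic", "pat-1",
                              destination="1.1.1.1/32", dport=23), line=1)
    print(lookup(table, "10.1.1.5", "1.1.1.1", 23))            # now Section 1, line 1
```

The model deliberately ignores mapped addresses and interface pairs; what it reproduces is the part that bites in practice, namely that a Section 2 object NAT covering a whole subnet silently shadows any Section 3 rule for hosts in that subnet.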
