asa 8.3 nat nat0

來源:本站原創 CISCO 超過3,268 views圍觀 0條評論

8.3的nat和以前有很大變化
Network Object NAT配置介紹
1.Dynamic NAT(動態NAT,動態一對一)
  實例一:
傳統配置方法:
nat (Inside) 1 10.1.1.0 255.255.255.0
global (Outside) 1 202.100.1.100-202.100.1.200
新配置方法(Network Object NAT)
object network Outside-Nat-Pool
range 202.100.1.100 202.100.1.200
object network Inside-Network
subnet 10.1.1.0 255.255.255.0
object network Inside-Network
nat (Inside,Outside) dynamic Outside-Nat-Pool
實例二:
object network Outside-Nat-Pool
range 202.100.1.100 202.100.1.200
object network Outside-PAT-Address
host 202.100.1.201
object-group network Outside-Address
network-object object Outside-Nat-Pool
network-object object Outside-PAT-Address
object network Inside-Network
(先100-200動態一對一,然后202.100.1.201動態PAT,最后使用接口地址動態PAT)
  nat (Inside,Outside) dynamic Outside-Address interface
教主認為這種配置方式的好處是,新的NAT命令綁定了源接口和目的接口,所以不會出現傳統配置影響DMZ的問題(當時需要nat0 + acl來旁路)
2.Dynamic PAT (Hide)(動態PAT,動態多對一)
傳統配置方式:
nat (Inside) 1 10.1.1.0 255.255.255.0
global(outside) 1 202.100.1.101
新配置方法(Network Object NAT)
object network Inside-Network
subnet 10.1.1.0 255.255.255.0
object network Outside-PAT-Address
host 202.100.1.101
object network Inside-Network
nat (Inside,Outside) dynamic Outside-PAT-Address
or
nat (Inside,Outside) dynamic 202.100.1.102
3.Static NAT or Static NAT with Port Translation(靜態一對一轉換,靜態端口轉換)
實例一:(靜態一對一轉換)
傳統配置方式:
static (Inside,outside) 202.100.1.101 10.1.1.1
新配置方法(Network Object NAT)
object network Static-Outside-Address
host 202.100.1.101
object network Static-Inside-Address
host 10.1.1.1
object network Static-Inside-Address
nat (Inside,Outside) static Static-Outside-Address
or
nat (Inside,Outside) static 202.100.1.102
實例二:(靜態端口轉換)
傳統配置方式:
static (inside,outside) tcp 202.100.1.102 2323 10.1.1.1 23
 新配置方法(Network Object NAT)
object network Static-Outside-Address
host 202.100.1.101
object network Static-Inside-Address
host 10.1.1.1
 object network Static-Inside-Address
  nat (Inside,Outside) static Static-Outside-Address service tcp telnet 2323
  or
  nat (Inside,Outside) static 202.100.1.101 service tcp telnet 2323
4.Identity NAT
傳統配置方式:
nat (inside) 0 10.1.1.1 255.255.255.255
 新配置方法(Network Object NAT)
object network Inside-Address
host 10.1.1.1
object network Inside-Address
nat (Inside,Outside) static Inside-Address
or
nat (Inside,Outside) static 10.1.1.1
Twice NAT(類似于Policy NAT)
實例一:
傳統配置:
access-list inside-to-1 permit ip 10.1.1.0 255.255.255.0 host 1.1.1.1
access-list inside-to-202 permit ip 10.1.1.0 255.255.255.0 host 202.100.1.1
nat (inside) 1 access-list inside-to-1
nat (inside) 2 access-list inside-to-202
global(outside) 1 202.100.1.101
global(outside) 2 202.100.1.102
新配置方法(Twice NAT):
object network dst-1
host 1.1.1.1
object network dst-202
host 202.100.1.1
object network pat-1
host 202.100.1.101
object network pat-2
host 202.100.1.102
object network Inside-Network
subnet 10.1.1.0 255.255.255.0
nat (Inside,Outside) source dynamic Inside-Network pat-1 destination static dst-1 dst-1
nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202
實例二:
傳統配置:
access-list inside-to-1 permit ip 10.1.1.0 255.255.255.0 host 1.1.1.1
access-list inside-to-202 permit ip 10.1.1.0 255.255.255.0 host 202.100.1.1
nat (inside) 1 access-list inside-to-1
nat (inside) 2 access-list inside-to-202
global(outside) 1 202.100.1.101
global(outside) 2 202.100.1.102
static (outside,inside) 10.1.1.101 1.1.1.1
static (outside,inside) 10.1.1.102 202.100.1.1
新配置方法(Twice NAT):
object network dst-1
host 1.1.1.1
object network dst-202
host 202.100.1.1
object network pat-1
host 202.100.1.101
object network pat-2
host 202.100.1.102
object network Inside-Network
subnet 10.1.1.0 255.255.255.0
object network map-dst-1
host 10.1.1.101
object network map-dst-202
host 10.1.1.102
nat (Inside,Outside) source dynamic Inside-Network pat-1 destination static map-dst-1 dst-1
nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static map-dst-202 dst-202
實例三:
傳統配置:
access-list inside-to-1 permit tcp 10.1.1.0 255.255.255.0 host 1.1.1.1 eq 23
access-list inside-to-202 permit tcp 10.1.1.0 255.255.255.0 host 202.100.1.1 eq 3032
nat (inside) 1 access-list inside-to-1
nat (inside) 2 access-list inside-to-202
global(outside) 1 202.100.1.101
global(outside) 1 202.100.1.102
新配置方法(Twice NAT):
object network dst-1
host 1.1.1.1
object network dst-202
host 202.100.1.1
object network pat-1
host 202.100.1.101
object network pat-2
host 202.100.1.102
object network Inside-Network
subnet 10.1.1.0 255.255.255.0
object service telnet23
service tcp destination eq telnet
object service telnet3032
service tcp destination eq 3032
nat (Inside,Outside) source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23
nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202 service telnet3032 telnet3032
Main Differences Between Network Object NAT and Twice NAT(Network Object NAT和Twice NAT的主要區別)
How you define the real address.(從如何定義真實地址的角度來比較)
– Network object NAT—You define NAT as a parameter for a network object; the network object definition itself provides the real address. This method lets you easily add NAT to network objects. The objects can also be used in other parts of your configuration, for example, for access rules or even in twice NAT rules.
– Twice NAT—You identify a network object or network object group for both the real and
mapped addresses. In this case, NAT is not a parameter of the network object; the network object or group is a parameter of the NAT configuration. The ability to use a network object group for the real address means that twice NAT is more scalable.
How source and destination NAT is implemented.(源和目的nat被運用)
– Network object NAT— Each rule can apply to either the source or destination of a packet. So two rules might be used, one for the source IP address, and one for the destination IP address. These two rules cannot be tied together to enforce a specific translation for a source/destination combination.
– Twice NAT—A single rule translates both the source and destination. A matching packet only matches the one rule, and further rules are not checked. Even if you do not configure the optional destination address for twice NAT, a matching packet still only matches one twice NAT rule. The source and destination are tied together, so you can enforce different translations depending on the source/destination combination. For example, sourceA/destinationA can have a different translation than sourceA/destinationB.
We recommend using network object NAT unless you need the extra features that twice NAT provides. Network object NAT is easier to configure, and might be more reliable for applications such as Voice over IP (VoIP).
排序實例:
192.168.1.1/32 (static)  10.1.1.0/24 (static)  192.168.1.0/24 (static)  172.16.1.0/24 (dynamic) (object abc)  172.16.1.0/24 (dynamic) (object def)  192.168.1.0/24 (dynamic)
查看NAT順序的命令:
ASA(config)# sh run nat
nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202 service telnet3032 telnet3032
!
object network Inside-Network
nat (Inside,Outside) dynamic 202.100.1.105
!
nat (Inside,Outside) after-auto source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23
ASA(config)# sh nat
Manual NAT Policies (Section 1)
1 (Inside) to (Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202 service telnet3032 telnet3032
  translate_hits = 1, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (Inside) to (Outside) source dynamic Inside-Network 202.100.1.105
  translate_hits = 0, untranslate_hits = 0
Manual NAT Policies (Section 3)
1 (Inside) to (Outside) source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23
translate_hits = 0, untranslate_hits = 0
如何調整和插入NAT
nat (Inside,Outside) 1 source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23

文章出自:CCIE那點事 http://www.qdxgqk.live/ 版權所有。本站文章除注明出處外,皆為作者原創文章,可自由引用,但請注明來源。 禁止全文轉載。
本文標題:asa 8.3 nat nat0
本文鏈接:http://www.qdxgqk.live/?p=272轉載請注明轉自CCIE那點事
如果喜歡:點此訂閱本站
  • 相關文章
  • 為您推薦
  • 各種觀點
?
暫時還木有人評論,坐等沙發!
發表評論

您必須 [ 登錄 ] 才能發表留言!

?
?
萌宠夺宝游戏