注册 登录  
 加关注
查看详情
   显示下一条  |  关闭
温馨提示!由于新浪微博认证机制调整,您的新浪微博帐号绑定已过期,请重新绑定!立即重新绑定新浪微博》  |  关闭

CCIE那点事-李萧明

博客已转移到www.jdccie.com CCIE那点事敬请期待

 
 
 

日志

 
 

asa 8.3 nat nat0  

2011-02-25 09:46:00|  分类: 施工经验 |  标签: |举报 |字号 订阅

  下载LOFTER 我的照片书  |

8.3的nat和以前有很大变化




Network Object NAT配置介绍



1.Dynamic NAT(动态NAT,动态一对一)


  实例一:

传统配置方法:

nat (Inside) 1 10.1.1.0 255.255.255.0

global (Outside) 1 202.100.1.100-202.100.1.200



新配置方法(Network Object NAT)

object network Outside-Nat-Pool

range 202.100.1.100 202.100.1.200

object network Inside-Network

subnet 10.1.1.0 255.255.255.0

object network Inside-Network

nat (Inside,Outside) dynamic Outside-Nat-Pool



实例二:

object network Outside-Nat-Pool

range 202.100.1.100 202.100.1.200

object network Outside-PAT-Address

host 202.100.1.201

object-group network Outside-Address

network-object object Outside-Nat-Pool

network-object object Outside-PAT-Address



object network Inside-Network

(先100-200动态一对一,然后202.100.1.201动态PAT,最后使用接口地址动态PAT)

  nat (Inside,Outside) dynamic Outside-Address interface




教主认为这种配置方式的好处是,新的NAT命令绑定了源接口和目的接口,所以不会出现传统配置影响DMZ的问题(当时需要nat0 + acl来旁路)





2.Dynamic PAT (Hide)(动态PAT,动态多对一)


传统配置方式:

nat (Inside) 1 10.1.1.0 255.255.255.0

global(outside) 1 202.100.1.101



新配置方法(Network Object NAT)

object network Inside-Network

subnet 10.1.1.0 255.255.255.0

object network Outside-PAT-Address

host 202.100.1.101

object network Inside-Network

nat (Inside,Outside) dynamic Outside-PAT-Address

or

nat (Inside,Outside) dynamic 202.100.1.102




3.Static NAT or Static NAT with Port Translation(静态一对一转换,静态端口转换)


实例一:(静态一对一转换)

传统配置方式:

static (Inside,outside) 202.100.1.101 10.1.1.1



新配置方法(Network Object NAT)

object network Static-Outside-Address

host 202.100.1.101

object network Static-Inside-Address

host 10.1.1.1



object network Static-Inside-Address

nat (Inside,Outside) static Static-Outside-Address

or

nat (Inside,Outside) static 202.100.1.102



实例二:(静态端口转换)

传统配置方式:

static (inside,outside) tcp 202.100.1.102 2323 10.1.1.1 23



 新配置方法(Network Object NAT)

object network Static-Outside-Address

host 202.100.1.101

object network Static-Inside-Address

host 10.1.1.1



 object network Static-Inside-Address

  nat (Inside,Outside) static Static-Outside-Address service tcp telnet 2323

  or

  nat (Inside,Outside) static 202.100.1.101 service tcp telnet 2323




4.Identity NAT


传统配置方式:

nat (inside) 0 10.1.1.1 255.255.255.255



 新配置方法(Network Object NAT)

object network Inside-Address

host 10.1.1.1

object network Inside-Address

nat (Inside,Outside) static Inside-Address

or

nat (Inside,Outside) static 10.1.1.1




Twice NAT(类似于Policy NAT)


实例一:

传统配置:

access-list inside-to-1 permit ip 10.1.1.0 255.255.255.0 host 1.1.1.1

access-list inside-to-202 permit ip 10.1.1.0 255.255.255.0 host 202.100.1.1

nat (inside) 1 access-list inside-to-1

nat (inside) 2 access-list inside-to-202

global(outside) 1 202.100.1.101

global(outside) 2 202.100.1.102





新配置方法(Twice NAT):

object network dst-1

host 1.1.1.1

object network dst-202

host 202.100.1.1

object network pat-1

host 202.100.1.101

object network pat-2

host 202.100.1.102

object network Inside-Network

subnet 10.1.1.0 255.255.255.0



nat (Inside,Outside) source dynamic Inside-Network pat-1 destination static dst-1 dst-1

nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202









实例二:

传统配置:

access-list inside-to-1 permit ip 10.1.1.0 255.255.255.0 host 1.1.1.1

access-list inside-to-202 permit ip 10.1.1.0 255.255.255.0 host 202.100.1.1

nat (inside) 1 access-list inside-to-1

nat (inside) 2 access-list inside-to-202

global(outside) 1 202.100.1.101

global(outside) 2 202.100.1.102



static (outside,inside) 10.1.1.101 1.1.1.1

static (outside,inside) 10.1.1.102 202.100.1.1





新配置方法(Twice NAT):

object network dst-1

host 1.1.1.1

object network dst-202

host 202.100.1.1

object network pat-1

host 202.100.1.101

object network pat-2

host 202.100.1.102

object network Inside-Network

subnet 10.1.1.0 255.255.255.0

object network map-dst-1

host 10.1.1.101

object network map-dst-202

host 10.1.1.102



nat (Inside,Outside) source dynamic Inside-Network pat-1 destination static map-dst-1 dst-1

nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static map-dst-202 dst-202



实例三:

传统配置:

access-list inside-to-1 permit tcp 10.1.1.0 255.255.255.0 host 1.1.1.1 eq 23

access-list inside-to-202 permit tcp 10.1.1.0 255.255.255.0 host 202.100.1.1 eq 3032

nat (inside) 1 access-list inside-to-1

nat (inside) 2 access-list inside-to-202

global(outside) 1 202.100.1.101

global(outside) 1 202.100.1.102



新配置方法(Twice NAT):

object network dst-1

host 1.1.1.1

object network dst-202

host 202.100.1.1

object network pat-1

host 202.100.1.101

object network pat-2

host 202.100.1.102

object network Inside-Network

subnet 10.1.1.0 255.255.255.0

object service telnet23

service tcp destination eq telnet

object service telnet3032

service tcp destination eq 3032



nat (Inside,Outside) source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23

nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202 service telnet3032 telnet3032




Main Differences Between Network Object NAT and Twice NAT(Network Object NAT和Twice NAT的主要区别)




How you define the real address.(从如何定义真实地址的角度来比较)

– Network object NAT—You define NAT as a parameter for a network object; the network object definition itself provides the real address. This method lets you easily add NAT to network objects. The objects can also be used in other parts of your configuration, for example, for access rules or even in twice NAT rules.



– Twice NAT—You identify a network object or network object group for both the real and

mapped addresses. In this case, NAT is not a parameter of the network object; the network object or group is a parameter of the NAT configuration. The ability to use a network object group for the real address means that twice NAT is more scalable.





How source and destination NAT is implemented.(源和目的nat被运用)

– Network object NAT— Each rule can apply to either the source or destination of a packet. So two rules might be used, one for the source IP address, and one for the destination IP address. These two rules cannot be tied together to enforce a specific translation for a source/destination combination.



– Twice NAT—A single rule translates both the source and destination. A matching packet only matches the one rule, and further rules are not checked. Even if you do not configure the optional destination address for twice NAT, a matching packet still only matches one twice NAT rule. The source and destination are tied together, so you can enforce different translations depending on the source/destination combination. For example, sourceA/destinationA can have a different translation than sourceA/destinationB.



We recommend using network object NAT unless you need the extra features that twice NAT provides. Network object NAT is easier to configure, and might be more reliable for applications such as Voice over IP (VoIP).





排序实例:

192.168.1.1/32 (static)  10.1.1.0/24 (static)  192.168.1.0/24 (static)  172.16.1.0/24 (dynamic) (object abc)  172.16.1.0/24 (dynamic) (object def)  192.168.1.0/24 (dynamic)



查看NAT顺序的命令:

ASA(config)# sh run nat

nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202 service telnet3032 telnet3032

!

object network Inside-Network

nat (Inside,Outside) dynamic 202.100.1.105

!

nat (Inside,Outside) after-auto source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23



ASA(config)# sh nat

Manual NAT Policies (Section 1)

1 (Inside) to (Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202 service telnet3032 telnet3032

  translate_hits = 1, untranslate_hits = 0



Auto NAT Policies (Section 2)

1 (Inside) to (Outside) source dynamic Inside-Network 202.100.1.105

  translate_hits = 0, untranslate_hits = 0



Manual NAT Policies (Section 3)

1 (Inside) to (Outside) source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23

translate_hits = 0, untranslate_hits = 0







如何调整和插入NAT

nat (Inside,Outside) 1 source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23

  评论这张
 
阅读(11)| 评论(1)
推荐 转载

历史上的今天

评论

<#--最新日志,群博日志--> <#--推荐日志--> <#--引用记录--> <#--博主推荐--> <#--随机阅读--> <#--首页推荐--> <#--历史上的今天--> <#--被推荐日志--> <#--上一篇,下一篇--> <#-- 热度 --> <#-- 网易新闻广告 --> <#--右边模块结构--> <#--评论模块结构--> <#--引用模块结构--> <#--博主发起的投票-->
 
 
 
 
 
 
 
 
 
 
 
 
 
 

页脚

网易公司版权所有 ©1997-2018