Cisco ASA NAT, version 8.3 and later

NAT in ASA 8.3 and later
Network Object NAT configuration
1. Dynamic NAT (dynamic one-to-one)
Example 1:
Legacy (pre-8.3) configuration:
nat (Inside) 1 10.1.1.0 255.255.255.0
global (Outside) 1 202.100.1.100-202.100.1.200
New configuration (Network Object NAT):
object network Outside-Nat-Pool
 range 202.100.1.100 202.100.1.200
object network Inside-Network
 subnet 10.1.1.0 255.255.255.0
object network Inside-Network
 nat (Inside,Outside) dynamic Outside-Nat-Pool
Example 2:
object network Outside-Nat-Pool
 range 202.100.1.100 202.100.1.200
object network Outside-PAT-Address
 host 202.100.1.201
object-group network Outside-Address
 network-object object Outside-Nat-Pool
 network-object object Outside-PAT-Address
object network Inside-Network
 nat (Inside,Outside) dynamic Outside-Address interface
(Mapped addresses are used in this order: dynamic one-to-one NAT from the 202.100.1.100-200 pool first; when the pool is exhausted, dynamic PAT on 202.100.1.201; and finally, with the interface keyword, dynamic PAT on the Outside interface address.)
In the author's view, the benefit of the new style is that the nat command binds the source and destination interfaces, so the legacy problem of an inside NAT statement also affecting traffic to the DMZ (which then had to be exempted with nat 0 plus an ACL) does not arise.
2. Dynamic PAT (Hide) (dynamic many-to-one)
Legacy configuration:
nat (Inside) 1 10.1.1.0 255.255.255.0
global (Outside) 1 202.100.1.101
New configuration (Network Object NAT):
object network Inside-Network
 subnet 10.1.1.0 255.255.255.0
object network Outside-PAT-Address
 host 202.100.1.101
object network Inside-Network
 nat (Inside,Outside) dynamic Outside-PAT-Address
or, with the mapped address given inline:
 nat (Inside,Outside) dynamic 202.100.1.102
3. Static NAT or Static NAT with Port Translation (static one-to-one, static port translation)
Example 1:
(static one-to-one)
Legacy configuration:
static (Inside,Outside) 202.100.1.101 10.1.1.1
New configuration (Network Object NAT):
object network Static-Outside-Address
 host 202.100.1.101
object network Static-Inside-Address
 host 10.1.1.1
object network Static-Inside-Address
 nat (Inside,Outside) static Static-Outside-Address
or, with the mapped address given inline:
 nat (Inside,Outside) static 202.100.1.102
Example 2:
(static port translation)
Legacy configuration:
static (Inside,Outside) tcp 202.100.1.101 2323 10.1.1.1 23
New configuration (Network Object NAT):
object network Static-Outside-Address
 host 202.100.1.101
object network Static-Inside-Address
 host 10.1.1.1
object network Static-Inside-Address
 nat (Inside,Outside) static Static-Outside-Address service tcp telnet 2323
or, with the mapped address given inline:
 nat (Inside,Outside) static 202.100.1.101 service tcp telnet 2323
In the service clause the real port (telnet, 23) comes first and the mapped port (2323) second: connections from Outside to 202.100.1.101:2323 reach 10.1.1.1:23. Only that port is exposed; the one-to-one static of Example 1 exposes every port of the host.
4. Identity NAT
Legacy configuration:
nat (Inside) 0 10.1.1.1 255.255.255.255
New configuration (Network Object NAT):
object network Inside-Address
 host 10.1.1.1
object network Inside-Address
 nat (Inside,Outside) static Inside-Address
or, with the address given inline:
 nat (Inside,Outside) static 10.1.1.1
Identity NAT is a static rule whose mapped address equals the real address, so 10.1.1.1 leaves untranslated. Unlike legacy nat 0, which applied regardless of the egress interface, the new form names the mapped interface explicitly.
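The four conversions above follow a fixed pattern, so they can be automated. The script below is an added example (not part of the original document and not Cisco's migration tool): it turns legacy nat/global/static lines into 8.3+ object NAT, including the pool-plus-PAT-fallback object-group of Example 2 and the one-rule-per-object limit, which it handles by creating suffixed copies of the real object (a second nat statement entered under the same object replaces the first). Assumptions: object names follow an obj-<address> convention, and legacy nat 0 (which named no mapped interface) is given the interface in identity_mapped_ifc, default "Outside". The sample input is constructed from the legacy lines above; policy NAT (nat with access-list) is rejected because it needs twice NAT.

```python
"""Translate pre-8.3 ASA nat/global/static lines into 8.3+ network object NAT.

Added example, not from the original document. Assumptions: obj-<address>
object names; legacy 'nat 0' is mapped to identity_mapped_ifc because the
old command named no mapped interface.
"""
import re
from collections import defaultdict

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)$")
STATIC_PORT_RE = re.compile(
    r"^static \((\S+),(\S+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)$")


def _mapped_object(objs, token):
    """Object for one global entry: 'a-b' becomes a range, a single address
    a host (used for PAT). Defined once, reused by every rule that needs it."""
    body = "range " + token.replace("-", " ") if "-" in token else f"host {token}"
    objs.setdefault(f"obj-{token}", body)
    return f"obj-{token}"


def _real_object(objs, bound, base, body):
    """8.3+ allows exactly one nat statement per object; a second one replaces
    the first without warning. If 'base' already carries a rule, create a
    suffixed copy instead (the same convention the 8.3 auto-migration uses)."""
    name, n = base, 0
    while name in bound:
        n += 1
        name = f"{base}-{n:02d}"
    objs[name] = body
    bound.add(name)
    return name


def convert(legacy, identity_mapped_ifc="Outside"):
    """Return the 8.3+ configuration lines for a block of legacy NAT lines."""
    lines = [ln.strip() for ln in legacy.splitlines() if ln.strip()]
    objs, bound, groups, rules = {}, set(), [], []
    pools = defaultdict(lambda: defaultdict(list))  # nat id -> mapped ifc -> globals
    for ln in lines:
        if m := GLOBAL_RE.match(ln):
            ifc, nat_id, token = m.groups()
            pools[nat_id][ifc].append(token)
    for ln in lines:
        if GLOBAL_RE.match(ln):
            continue                                # already collected above
        if "access-list" in ln:
            raise ValueError(f"policy NAT needs twice NAT, not object NAT: {ln}")
        if m := NAT_RE.match(ln):
            ifc, nat_id, net, mask = m.groups()
            body = f"host {net}" if mask == "255.255.255.255" else f"subnet {net} {mask}"
            if nat_id == "0":                       # identity NAT: mapped == real object
                name = _real_object(objs, bound, f"obj-{net}", body)
                rules.append((name, f"nat ({ifc},{identity_mapped_ifc}) static {name}"))
                continue
            if nat_id not in pools:
                raise ValueError(f"no global for nat id {nat_id}: {ln}")
            for mapped_ifc, tokens in pools[nat_id].items():
                name = _real_object(objs, bound, f"obj-{net}", body)
                addrs = [_mapped_object(objs, t) for t in tokens if t != "interface"]
                tail = " interface" if "interface" in tokens else ""
                if len(addrs) > 1:                  # pool plus PAT fallback -> object-group
                    mapped = f"grp-{nat_id}-{mapped_ifc}"
                    groups.append([f"object-group network {mapped}"]
                                  + [f" network-object object {a}" for a in addrs])
                elif addrs:
                    mapped = addrs[0]
                else:                               # 'global ... interface' only
                    mapped, tail = "interface", ""
                rules.append((name, f"nat ({ifc},{mapped_ifc}) dynamic {mapped}{tail}"))
        elif m := STATIC_PORT_RE.match(ln):
            r_ifc, m_ifc, proto, m_ip, m_port, r_ip, r_port = m.groups()
            name = _real_object(objs, bound, f"obj-{r_ip}", f"host {r_ip}")
            # service clause order is real port first, then mapped port
            rules.append((name, f"nat ({r_ifc},{m_ifc}) static {m_ip} "
                                f"service {proto} {r_port} {m_port}"))
        elif m := STATIC_RE.match(ln):
            r_ifc, m_ifc, m_ip, r_ip = m.groups()   # legacy order: mapped, then real
            name = _real_object(objs, bound, f"obj-{r_ip}", f"host {r_ip}")
            rules.append((name, f"nat ({r_ifc},{m_ifc}) static {m_ip}"))
        else:
            raise ValueError(f"unrecognised legacy line: {ln}")
    out = []
    for name, body in objs.items():
        out += [f"object network {name}", f" {body}"]
    for grp in groups:
        out += grp
    for name, rule in rules:
        out += [f"object network {name}", f" {rule}"]
    return out


# Constructed sample input, assembled from the legacy examples above.
LEGACY_EXAMPLE = """\
nat (Inside) 1 10.1.1.0 255.255.255.0
global (Outside) 1 202.100.1.100-202.100.1.200
global (Outside) 1 202.100.1.201
global (Outside) 1 interface
static (Inside,Outside) 202.100.1.101 10.1.1.1
static (Inside,Outside) tcp 202.100.1.102 2323 10.1.1.1 23
nat (Inside) 0 10.1.1.5 255.255.255.255
"""

if __name__ == "__main__":
    print("\n".join(convert(LEGACY_EXAMPLE)))
```

Run it and diff the output against what the ASA printed after its own migration; the suffixed obj-10.1.1.1-01 object for the port static is the part people most often miss when they hand-convert and then wonder why only the last nat statement for a host survived.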
Twice NAT (similar to Policy NAT)
Example 1:
Legacy configuration:
access-list inside-to-1 permit ip 10.1.1.0 255.255.255.0 host 1.1.1.1
access-list inside-to-202 permit ip 10.1.1.0 255.255.255.0 host 202.100.1.1
nat (Inside) 1 access-list inside-to-1
nat (Inside) 2 access-list inside-to-202
global (Outside) 1 202.100.1.101
global (Outside) 2 202.100.1.102
New configuration (Twice NAT):
object network dst-1
 host 1.1.1.1
object network dst-202
 host 202.100.1.1
object network pat-1
 host 202.100.1.101
object network pat-2
 host 202.100.1.102
object network Inside-Network
 subnet 10.1.1.0 255.255.255.0
nat (Inside,Outside) source dynamic Inside-Network pat-1 destination static dst-1 dst-1
nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202
The source is PATed to 202.100.1.101 when the destination is 1.1.1.1 and to 202.100.1.102 when it is 202.100.1.1. The destination clause names the mapped object first and the real object second; giving the same object twice leaves the destination untranslated and only uses it as a match condition.
Example 2:
Legacy configuration:
access-list inside-to-1 permit ip 10.1.1.0 255.255.255.0 host 1.1.1.1
access-list inside-to-202 permit ip 10.1.1.0 255.255.255.0 host 202.100.1.1
nat (Inside) 1 access-list inside-to-1
nat (Inside) 2 access-list inside-to-202
global (Outside) 1 202.100.1.101
global (Outside) 2 202.100.1.102
static (Outside,Inside) 10.1.1.101 1.1.1.1
static (Outside,Inside) 10.1.1.102 202.100.1.1
New configuration (Twice NAT):
object network dst-1
 host 1.1.1.1
object network dst-202
 host 202.100.1.1
object network pat-1
 host 202.100.1.101
object network pat-2
 host 202.100.1.102
object network Inside-Network
 subnet 10.1.1.0 255.255.255.0
object network map-dst-1
 host 10.1.1.101
object network map-dst-202
 host 10.1.1.102
nat (Inside,Outside) source dynamic Inside-Network pat-1 destination static map-dst-1 dst-1
nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static map-dst-202 dst-202
Here the destination is translated as well: inside hosts address 10.1.1.101 (the mapped object map-dst-1) and the packet is sent to the real destination 1.1.1.1 with its source PATed to 202.100.1.101, which replaces the two legacy static (Outside,Inside) entries in one rule per destination.
Example 3:
Legacy configuration:
access-list inside-to-1 permit tcp 10.1.1.0 255.255.255.0 host 1.1.1.1 eq 23
access-list inside-to-202 permit tcp 10.1.1.0 255.255.255.0 host 202.100.1.1 eq 3032
nat (Inside) 1 access-list inside-to-1
nat (Inside) 2 access-list inside-to-202
global (Outside) 1 202.100.1.101
global (Outside) 2 202.100.1.102
New configuration (Twice NAT):
object network dst-1
 host 1.1.1.1
object network dst-202
 host 202.100.1.1
object network pat-1
 host 202.100.1.101
object network pat-2
 host 202.100.1.102
object network Inside-Network
 subnet 10.1.1.0 255.255.255.0
object service telnet23
 service tcp destination eq telnet
object service telnet3032
 service tcp destination eq 3032
nat (Inside,Outside) source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23
nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202 service telnet3032 telnet3032
The service objects restrict each rule to one destination port, as the eq clauses in the legacy ACLs did. Like the destination pair, the service clause takes two objects; naming the same object twice means the port is matched but not translated. With a dynamic source, service objects may only specify the destination port.
Main Differences Between Network Object NAT and Twice NAT
How you define the real address.
– Network object NAT — You define NAT as a parameter for a network object; the network object definition itself provides the real address. This method lets you easily add NAT to network objects. The objects can also be used in other parts of your configuration, for example, for access rules or even in twice NAT rules.
– Twice NAT — You identify a network object or network object group for both the real and mapped addresses. In this case, NAT is not a parameter of the network object; the network object or group is a parameter of the NAT configuration. The ability to use a network object group for the real address means that twice NAT is more scalable.
How source and destination NAT is implemented.
– Network object NAT — Each rule can apply to either the source or destination of a packet. So two rules might be used, one for the source IP address, and one for the destination IP address. These two rules cannot be tied together to enforce a specific translation for a source/destination combination.
– Twice NAT — A single rule translates both the source and destination. A matching packet only matches the one rule, and further rules are not checked. Even if you do not configure the optional destination address for twice NAT, a matching packet still only matches one twice NAT rule. The source and destination are tied together, so you can enforce different translations depending on the source/destination combination. For example, source A/destination A can have a different translation than source A/destination B.
We recommend using network object NAT unless you need the extra features that twice NAT provides. Network object NAT is easier to configure, and might be more reliable for applications such as Voice over IP (VoIP).
NAT Rule Order
The NAT table has three sections. Section 1 holds manual (twice) NAT rules in the order they were configured, Section 2 holds network object NAT rules, and Section 3 holds manual NAT rules entered with the after-auto keyword. Section 2 is sorted by the ASA itself: static rules before dynamic rules; within each group, the object with the fewest real addresses first (a /32 before a /24), then the lowest real address, then the object name alphabetically. That gives the following order:
192.168.1.1/32 (static)
10.1.1.0/24 (static)
192.168.1.0/24 (static)
172.16.1.0/24 (dynamic) (object abc)
172.16.1.0/24 (dynamic) (object def)
192.168.1.0/24 (dynamic)
Commands for viewing the NAT order:
ASA(config)# show run nat
nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202 service telnet3032 telnet3032
!
object network Inside-Network
 nat (Inside,Outside) dynamic 202.100.1.105
!
nat (Inside,Outside) after-auto source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23
ASA(config)# show nat
Manual NAT Policies (Section 1)
1 (Inside) to (Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202 service telnet3032 telnet3032
    translate_hits = 1, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (Inside) to (Outside) source dynamic Inside-Network 202.100.1.105
    translate_hits = 0, untranslate_hits = 0
Manual NAT Policies (Section 3)
1 (Inside) to (Outside) source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23
    translate_hits = 0, untranslate_hits = 0
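The ordering rules and the first-match behaviour are easy to get wrong by eye, so here is a small model of the NAT table as an added example (not part of the original document). It sorts Section 2 with the documented keys, reproduces the six-entry ordering list above, and evaluates a (source, destination) pair against the three rules from the show nat output. Assumptions: every rule is on the same interface pair and ports are ignored, so the telnet23 and telnet3032 service objects play no part. The model makes one thing visible that the hit counters alone do not: the after-auto pat-1 rule in Section 3 can never be matched, because the Section 2 Inside-Network rule already claims every packet from 10.1.1.0/24, whatever its destination.

```python
"""Model of the ASA 8.3+ NAT table: three sections, auto-sorted Section 2,
first match wins. Added example, not from the original document; it assumes
one interface pair for all rules and ignores ports."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    section: int      # 1 manual (twice) NAT, 2 object (auto) NAT, 3 manual after-auto
    kind: str         # "static" or "dynamic"
    real: str         # real source network, e.g. "10.1.1.0/24"
    name: str         # object name (Section 2 tie-breaker) or a label
    dst: str = ""     # twice NAT only: destination the rule is tied to
    order: int = 0    # configured position inside Section 1 or 3


def section2_key(rule):
    """Automatic order of Section 2: static before dynamic, then fewest real
    addresses, then lowest real address, then object name."""
    net = ipaddress.ip_network(rule.real)
    return (rule.kind != "static", net.num_addresses,
            int(net.network_address), rule.name)


def nat_table(rules):
    """Rules in the order the ASA evaluates them."""
    by_order = lambda r: r.order
    return (sorted((r for r in rules if r.section == 1), key=by_order)
            + sorted((r for r in rules if r.section == 2), key=section2_key)
            + sorted((r for r in rules if r.section == 3), key=by_order))


def lookup(rules, src, dst):
    """First rule matching the (src, dst) pair, or None. A twice NAT rule with
    a destination matches only when that destination matches too; an object
    NAT rule looks at the source alone. One rule is applied, the rest skipped."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in nat_table(rules):
        if s in ipaddress.ip_network(r.real) and (
                not r.dst or d in ipaddress.ip_network(r.dst)):
            return r
    return None


# The Section 2 ordering example above, entered in scrambled order.
# Object names for the static entries are labels of this example.
SECTION2_EXAMPLE = [
    Rule(2, "dynamic", "192.168.1.0/24", "net-192"),
    Rule(2, "dynamic", "172.16.1.0/24", "def"),
    Rule(2, "dynamic", "172.16.1.0/24", "abc"),
    Rule(2, "static", "192.168.1.0/24", "stat-192"),
    Rule(2, "static", "10.1.1.0/24", "stat-10"),
    Rule(2, "static", "192.168.1.1/32", "stat-host"),
]

# The three rules from the 'show nat' output above.
SHOW_NAT_EXAMPLE = [
    Rule(1, "dynamic", "10.1.1.0/24", "pat-2", dst="202.100.1.1/32", order=1),
    Rule(2, "dynamic", "10.1.1.0/24", "Inside-Network"),
    Rule(3, "dynamic", "10.1.1.0/24", "pat-1", dst="1.1.1.1/32", order=1),
]

if __name__ == "__main__":
    for r in nat_table(SECTION2_EXAMPLE):
        print(f"{r.real:18} ({r.kind}) {r.name}")
    for dst in ("202.100.1.1", "1.1.1.1", "8.8.8.8"):
        hit = lookup(SHOW_NAT_EXAMPLE, "10.1.1.7", dst)
        print(f"10.1.1.7 -> {dst:12} uses Section {hit.section} rule {hit.name}")
```

On a real unit the equivalent check is packet-tracer with the same source and destination, followed by show nat to confirm which rule's translate_hits counter moved.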
How to reorder and insert NAT rules
A line number placed after the interface pair inserts a manual NAT rule at that position in Section 1 (after-auto followed by a number does the same in Section 3); without a number the rule is appended to the end of its section. In the show nat output above the after-auto pat-1 rule in Section 3 can never be reached, because the Section 2 rule for Inside-Network already matches every packet from 10.1.1.0/24 regardless of destination and a packet matches only one rule. Entering the rule in Section 1 as line 1 places it ahead of the pat-2 rule (the after-auto copy should then be removed with the no form of the command):
nat (Inside,Outside) 1 source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23