Cisco ASA 8.2 vs 8.4: differences in NAT
    ... idle 0:00:04 timeout 0:00:30    (tail of an xlate entry; its beginning is cut off on the page)
2. 8.2 (dynamic one-to-one translation)

    global (outside) 10 201.100.1.110-201.100.1.120 netmask 255.255.255.0

    ASA/pri/act# show xlate detail
    2 in use, 2 most used
    Flags: D - DNS, d - dump, I - identity, i - dynamic, n - norandom,
           r - portmap, s - static
    NAT from inside:10.1.1.1 to outside:201.100.1.110 flags i
    NAT from inside:10.1.1.2 to outside:201.100.1.111 flags i

The global pool is bound to NAT ID 10; the matching nat (inside) 10 statement that selects the inside subnet is shown in section 3. Flag i on its own means a dynamic, address-only translation: each inside host consumes one pool address for as long as its xlate lives.
8.4

    object network outside-nat
     range 201.100.1.110 201.100.1.120
     nat (inside,outside) dynamic outside-nat

    ... to outside:201.100.1.115 flags i idle 0:01:13 timeout 3:00:00

Caveat: in 8.3 and later the nat command belongs under the network object that holds the real (inside) addresses; outside-nat only names the mapped pool. The page does not show that inside object's definition. The 8.4 show xlate output adds idle and timeout columns; a dynamic one-to-one entry ages out after 3 hours of idleness.
3. 8.2 (translation to the interface address)

    nat (inside) 10 10.1.1.0 255.255.255.0
    global (outside) 10 interface

    10.1.1.1/61971 to outside:201.100.1.10/1024 flags ri

8.4

    ! under the inside network object (its name is not shown on the page)
     subnet 10.1.1.0 255.255.255.0
     nat (inside,outside) dynamic interface

    ASA8-4(config)# show xlate
    10.1.1.1/35322 to outside:201.100.1.10/52970 flags ri idle 0:00:03 timeout 0:00:30

Flags ri mean a dynamic PAT entry (port map). Note the mapped port: the 8.2 entries in these notes hand out ports sequentially from 1024, while the 8.4 entry got 52970, so anything upstream that assumed the old 1024-and-up range needs checking after an upgrade. A PAT xlate times out after 30 seconds of idleness.
4. 8.2 (different inside addresses translated to different outside addresses)

    nat (inside) 9 1.1.1.0 255.255.255.0
    global (outside) 10 interface
    global (outside) 9 201.100.1.111

    // Ordering rule: the more specific entry is listed first; when two entries are equally specific, the one with the lower IP address comes first. Rules are matched in that same order at run time.

    1.1.1.1/51343 to outside:201.100.1.111/1026 flags ri
    10.1.1.1/13938 to outside:201.100.1.10/1028 flags ri

The nat (inside) 10 10.1.1.0 255.255.255.0 statement from section 3 is still in place, which is why 10.1.1.1 keeps being PATed to the interface address while 1.1.1.1 (NAT ID 9) is PATed to 201.100.1.111.
8.4

    ASA8-4# show running-config object
    object network inside1
     ! (address definition not shown on the page)
    object network inside2
     subnet 1.1.1.0 255.255.255.0
    object network ouside-inside2
     host 201.100.1.110

    ASA8-4# show running-config nat
    !
    object network inside1
     nat (inside,outside) dynamic interface
    object network inside2
     nat (inside,outside) dynamic ouside-inside2

    1.1.1.1/59611 to outside:201.100.1.110/34338 flags ri idle 0:00:08 timeout 0:00:30
    10.1.1.1/22181 to outside:201.100.1.10/53371 flags ri idle 0:00:19 timeout 0:00:30

(The object name ouside-inside2 is spelled that way in the configuration and is kept as-is. The object headers under which the two nat lines sit are restored from the xlate entries: 10.1.1.1 goes to the interface address, 1.1.1.1 to 201.100.1.110.)
5. 8.2 (one-to-one translation first; only when every pool address is in use does PAT take over)

    ASA/pri/act# show running-config nat
    ASA/pri/act# show running-config global
    global (outside) 10 201.100.1.110-201.100.1.112
    global (outside) 10 201.100.1.116

    4 in use, 5 most used
    10.1.1.3 to outside:201.100.1.112 flags i
    10.1.1.6/19799 to outside:201.100.1.116/1025 flags ri

Both global statements share NAT ID 10: the range is the dynamic NAT pool and the single address 201.100.1.116 is the PAT address. Three hosts each took a pool address (the page shows 10.1.1.3 on 201.100.1.112, flags i); the next host, 10.1.1.6, found the pool exhausted and was PATed to 201.100.1.116 (flags ri).

8.4

    object network outside
     range 201.100.1.110 201.100.1.112
    object network inside
     ! (address definition not shown on the page)
     nat (inside,outside) dynamic outside interface

    4 in use, 4 most used
    10.1.1.4/49994 to outside:201.100.1.10/52626 flags ri idle 0:...    (rest of the entry cut off on the page)
    ... to outside:201.100.1.111 flags i idle 0:00:31 timeout 3:00:00
    ... to outside:201.100.1.110 flags i idle 0:00:16 timeout 3:00:00
    ... to outside:201.100.1.112 flags i idle 0:00:33 timeout 3:00:00

In 8.4 the trailing interface keyword on the dynamic rule is the fall-back: once the pool named by object outside is exhausted, further hosts are PATed to the outside interface address (201.100.1.10 here), whereas 8.2 used the separately configured PAT address 201.100.1.116. The 3-hour versus 30-second timeouts show which entries hold a pool address and which are port maps.
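The pool-then-PAT behaviour of this section, as an added example in Python (not code from the page or from Cisco). It models an allocator that hands out pool addresses until the pool is empty and then falls back to PAT on a single address, producing entries with the same flags and timeouts as the outputs above. Assumptions not taken from the page: pool addresses are handed out in ascending order, a host's one-to-one xlate is reused for all of its flows, and PAT ports are allocated sequentially from 1024 as the 8.2 output suggests. The host list in demo() is constructed.

```python
"""Dynamic NAT pool with PAT fall-back, modelled after section 5 (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

DYNAMIC_NAT_TIMEOUT = 3 * 3600   # "timeout 3:00:00" on the flags-i (one-to-one) entries
PAT_TIMEOUT = 30                 # "timeout 0:00:30" on the flags-ri (port map) entries


@dataclass
class Xlate:
    real: str      # "10.1.1.3" for one-to-one, "10.1.1.6/19799" for PAT
    mapped: str    # "201.100.1.112" for one-to-one, "201.100.1.116/1025" for PAT
    flags: str     # "i" = dynamic, "ri" = dynamic + portmap
    timeout: int   # seconds

    def line(self) -> str:
        h, rem = divmod(self.timeout, 3600)
        return (f"{self.real} to outside:{self.mapped} flags {self.flags} "
                f"timeout {h}:{rem // 60:02d}:{rem % 60:02d}")


class PoolThenPat:
    """8.2: global (outside) 10 <range> plus global (outside) 10 <pat_address>.
    8.4: nat (inside,outside) dynamic <pool-object> interface."""

    def __init__(self, pool_first: str, pool_last: str, pat_address: str, first_port: int = 1024):
        first, last = ipaddress.IPv4Address(pool_first), ipaddress.IPv4Address(pool_last)
        # assumption: addresses are handed out in ascending order
        self.free: List[str] = [str(ipaddress.IPv4Address(a)) for a in range(int(first), int(last) + 1)]
        self.pat_address = pat_address
        self.next_port = first_port      # assumption: sequential PAT ports from 1024
        self.one_to_one: Dict[str, Xlate] = {}
        self.table: List[Xlate] = []
        self.most_used = 0

    def translate(self, real_ip: str, real_port: Optional[int] = None) -> Xlate:
        if real_ip in self.one_to_one:          # host already owns a pool address: reuse it
            return self.one_to_one[real_ip]
        if self.free:                           # pool not exhausted: one-to-one, flag i
            x = Xlate(real_ip, self.free.pop(0), "i", DYNAMIC_NAT_TIMEOUT)
            self.one_to_one[real_ip] = x
        else:                                   # pool exhausted: PAT on the single address, flags ri
            if real_port is None:
                raise ValueError("PAT needs the real source port")
            x = Xlate(f"{real_ip}/{real_port}", f"{self.pat_address}/{self.next_port}", "ri", PAT_TIMEOUT)
            self.next_port += 1
        self.table.append(x)
        self.most_used = max(self.most_used, len(self.table))
        return x

    def expire(self, xlate: Xlate) -> None:
        """Idle timeout reached: drop the entry; a pool address goes back to the pool."""
        self.table.remove(xlate)
        if xlate.flags == "i":
            del self.one_to_one[xlate.real]
            self.free.append(xlate.mapped)
            self.free.sort(key=ipaddress.IPv4Address)

    def show_xlate(self) -> List[str]:
        return [f"{len(self.table)} in use, {self.most_used} most used"] + [x.line() for x in self.table]


def demo() -> List[str]:
    """Four hosts behind a three-address pool (constructed input): the fourth is PATed."""
    nat = PoolThenPat("201.100.1.110", "201.100.1.112", "201.100.1.116")
    for host, port in [("10.1.1.1", 40001), ("10.1.1.2", 40002), ("10.1.1.3", 40003), ("10.1.1.6", 19799)]:
        nat.translate(host, port)
    nat.translate("10.1.1.1", 40009)   # a second flow from 10.1.1.1 reuses its one-to-one xlate
    return nat.show_xlate()


if __name__ == "__main__":
    print("\n".join(demo()))
```

expire() is the part worth playing with: freeing one pool address lets the next new host get a one-to-one entry again, which is the difference between the pool timeout (3 hours) and the PAT timeout (30 seconds) in practice.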
6. 8.0 policy NAT (inside-to-outside traffic is translated to different outside IP addresses depending on the destination port). Policy NAT always takes precedence over regular NAT.
    access-list pat1 extended permit tcp host 10.1.1.1 host 201.100.1.1 eq telnet
    access-list pat2 extended permit tcp host 10.1.1.1 host 201.100.1.1 eq www
    nat (inside) 10 access-list pat1
    nat (inside) 20 access-list pat2
    global (outside) 10 201.100.1.100
    global (outside) 20 201.100.1.200

    ASA/pri/act# show xlate detail
    2 in use, 5 most used
    10.1.1.1/30449 to outside(pat2):201.100.1.200/1024 flags ri
    10.1.1.1/43167 to outside(pat1):201.100.1.100/1024 flags ri

The same inside host gets two different mapped addresses: telnet to 201.100.1.1 matches pat1 and leaves as 201.100.1.100, HTTP matches pat2 and leaves as 201.100.1.200. The xlate output names the policy access list in parentheses after the interface.
8.4

The new mechanism in this version is Twice NAT: the translation is applied twice, and it usually brings in a destination-based element, whereas the network-object NAT described so far is based on the source only. Object NAT solves the problem in most cases; Twice NAT is for the special cases. Object NAT is commonly called Auto NAT, and Twice NAT is called Manual NAT.

    object network outside1
     host 201.100.1.100
    object network outside2
     host 201.100.1.200
    object network outside
     ! (the header is not on the page; the name is taken from the nat commands below)
     host 201.100.1.1
    object service telnet
     service tcp destination eq telnet
    object service http
     service tcp destination eq www
    nat (inside,outside) source dynamic inside outside1 destination static outside outside service telnet telnet
    nat (inside,outside) source dynamic inside outside2 destination static outside outside service http http

    1 in use, 4 most used
    TCP PAT from outside:201.100.1.1 23-23 to inside:201.100.1.1 80-80 flags srIT idle 0:00:37 timeout 0:00:00

Note: T marks a twice NAT entry, that is, one in which both the source and the destination address can be translated. Here destination static outside outside leaves the destination untouched (identity) and the service object only selects the flow by destination port; what differs between the two rules is the mapped source. Manual NAT rules are evaluated top-down in configured order, before any object NAT rule, so they must be ordered from most to least specific.
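An added example in Python (not code from the page or from Cisco) that models how an ASA 8.3+ NAT table is ordered and matched, covering both the ordering comment in section 4 and the precedence claim of this section: section 1 (manual / twice NAT) is walked top-down in configured order and always wins over section 2 (object / auto NAT), which the ASA sorts itself: static rules first, then fewer real addresses first, then lower real IP, then object name. The rule contents mirror sections 4 and 6 of these notes; the subnet of object inside1, the extra static host object srv-host and the flows in the main block are assumptions.

```python
"""Model of ASA 8.3+ NAT table ordering and lookup (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass
class ManualRule:
    """nat (in,out) source dynamic <src> <mapped> destination static <dst> <dst> service <svc> <svc>"""
    src: Net
    dst: Net
    dport: Optional[int]        # destination port of the service object, None = any port
    mapped_src: str


@dataclass
class AutoRule:
    """object network <name> / nat (in,out) {static|dynamic} <mapped>"""
    name: str
    real: Net
    mapped: str
    static: bool = False


def auto_sort_key(r: AutoRule) -> Tuple[int, int, int, str]:
    # section 2 order: static before dynamic, fewer real addresses first,
    # lower real IP first, then object name alphabetically
    return (0 if r.static else 1, r.real.num_addresses, int(r.real.network_address), r.name)


def auto_order(auto: List[AutoRule]) -> List[str]:
    return [r.name for r in sorted(auto, key=auto_sort_key)]


def lookup(manual: List[ManualRule], auto: List[AutoRule],
           src_ip: str, dst_ip: str, dport: int) -> Tuple[str, str]:
    """Return (section that matched, mapped source) for an inside-to-outside flow."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for r in manual:                                   # section 1: first match wins, configured order
        if src in r.src and dst in r.dst and r.dport in (None, dport):
            return ("manual", r.mapped_src)
    for r in sorted(auto, key=auto_sort_key):          # section 2: ASA-sorted order
        if src in r.real:
            return ("auto:" + r.name, r.mapped)
    return ("none", src_ip)


MANUAL = [   # section 6 twice NAT: telnet to 201.100.1.1 leaves as .100, www leaves as .200
    ManualRule(Net("10.1.1.0/24"), Net("201.100.1.1/32"), 23, "201.100.1.100"),
    ManualRule(Net("10.1.1.0/24"), Net("201.100.1.1/32"), 80, "201.100.1.200"),
]
AUTO = [     # section 4 object NAT; inside1's subnet and srv-host are assumptions
    AutoRule("inside1", Net("10.1.1.0/24"), "interface"),
    AutoRule("inside2", Net("1.1.1.0/24"), "201.100.1.110"),
    AutoRule("srv-host", Net("10.1.1.9/32"), "201.100.1.200", static=True),
]


if __name__ == "__main__":
    print("section 2 order:", auto_order(AUTO))
    for flow in [("10.1.1.1", "201.100.1.1", 23), ("10.1.1.1", "201.100.1.1", 80),
                 ("10.1.1.1", "201.100.1.1", 443), ("1.1.1.1", "8.8.8.8", 80),
                 ("10.1.1.9", "8.8.8.8", 80)]:
        print(flow, "->", lookup(MANUAL, AUTO, *flow))
```

The third flow is the instructive one: HTTPS to 201.100.1.1 matches neither service object, so it falls out of section 1 and is handled by the inside1 object rule, which is exactly how a manual rule written too narrowly leaks traffic onto a different mapped address.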
7. (I: identity NAT, an address translated to itself; mostly used for remote-access VPN)

8.0

    nat (inside) 0 10.1.1.0 255.255.255.0

CLI help for the NAT ID argument of the nat command:

    <0-2147483647>  The <nat_id> of this group of hosts/networks. This <nat_id>
                    will be referenced by the global command to associate a
                    global pool with the local IP address. '0' is used
                    to indicate no address translation for local IP. The limit is
                    65535 with access-lists

NAT ID 0 means the address is translated to itself.

    ASA/pri/act# show xlate detail
    1 in use, 5 most used
    10.1.1.1 flags iI        <- the I flag: translated to itself

Can the outside reach the inside in this case? No: plain nat 0 without an access list behaves like dynamic NAT, so the xlate only exists after the inside host has initiated a connection, and outside hosts cannot initiate one. Use static identity NAT (section 10) or nat 0 access-list (NAT exemption) when outside-initiated access is needed.
8.4

    object network iden-nat
     ! (address definition not shown on the page; the xlate below shows it is 10.1.1.0/24)
    object network iden-nat
     nat (inside,outside) static iden-nat

    10.1.1.0/24 to outside:10.1.1.0/24 flags sI idle 0:00:07 timeout 0:00:00

The object name appears twice because show running-config object prints the definition and show running-config nat prints the nat line under the same object. Caveat: the 8.4 example uses static identity NAT (flags sI, no timeout), which unlike the dynamic nat 0 of 8.2 (flags iI) is bidirectional: subject to the outside interface ACL, outside hosts can initiate connections to 10.1.1.0/24.
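A parser for show xlate / show xlate detail lines, as an added example in Python (not code from the page or from Cisco), covering the outputs quoted in sections 2 to 7. It decodes the flag letters using the legend printed in section 2 plus T (twice NAT, 8.3 and later), separates address-only NAT entries from PAT entries, and converts the idle/timeout h:mm:ss fields to seconds. SAMPLE is a constructed output assembled from the entries in these notes; the regular expression and the Xlate fields are my own.

```python
"""Parse ASA show xlate output and decode the flags (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

FLAG_MEANINGS: Dict[str, str] = {      # legend from show xlate detail, plus T from 8.3+
    "D": "DNS", "d": "dump", "I": "identity", "i": "dynamic",
    "n": "norandom", "r": "portmap", "s": "static", "T": "twice",
}

# "NAT from inside:10.1.1.1 to outside:201.100.1.110 flags i idle 0:01:13 timeout 3:00:00"
# "TCP PAT from inside:10.1.1.1/35322 to outside(pat2):201.100.1.200/52970 flags ri ..."
# "TCP PAT from outside:201.100.1.1 23-23 to inside:201.100.1.1 80-80 flags srIT ..."
XLATE_RE = re.compile(
    r"^(?:(?P<proto>TCP|UDP|ICMP) PAT|NAT) from "
    r"(?P<real_ifc>[^\s:]+):(?P<real>\S+(?: \d+-\d+)?) to "
    r"(?P<mapped_ifc>[^\s:]+):(?P<mapped>\S+(?: \d+-\d+)?) flags (?P<flags>\S+)"
    r"(?: idle (?P<idle>\d+:\d\d:\d\d) timeout (?P<timeout>\d+:\d\d:\d\d))?$"
)


@dataclass
class Xlate:
    kind: str                  # "NAT" (address only) or "PAT" (address + port)
    proto: Optional[str]
    real_ifc: str
    real: str                  # "/NN" is a port for PAT entries, a prefix length for NAT entries
    mapped_ifc: str
    mapped: str
    flags: str
    idle_s: Optional[int]
    timeout_s: Optional[int]

    @property
    def meanings(self) -> List[str]:
        return [FLAG_MEANINGS.get(f, f"unknown({f})") for f in self.flags]

    @property
    def is_identity(self) -> bool:   # nat 0 (8.2) or static/dynamic identity (8.4)
        return "I" in self.flags

    @property
    def is_twice(self) -> bool:      # manual NAT entry: source and destination may both be rewritten
        return "T" in self.flags


def hms_to_seconds(hms: str) -> int:
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_xlate_line(line: str) -> Optional[Xlate]:
    m = XLATE_RE.match(line.strip())
    if not m:
        return None
    return Xlate(
        kind="PAT" if m["proto"] else "NAT",
        proto=m["proto"],
        real_ifc=m["real_ifc"], real=m["real"],
        mapped_ifc=m["mapped_ifc"], mapped=m["mapped"],
        flags=m["flags"],
        idle_s=hms_to_seconds(m["idle"]) if m["idle"] else None,
        timeout_s=hms_to_seconds(m["timeout"]) if m["timeout"] else None,
    )


def parse_show_xlate(text: str) -> List[Xlate]:
    """Header ('N in use') and legend lines do not match the entry pattern and are skipped."""
    return [x for x in map(parse_xlate_line, text.splitlines()) if x]


def summarize(entries: List[Xlate]) -> Dict[str, int]:
    return {
        "total": len(entries),
        "static": sum("s" in e.flags for e in entries),
        "dynamic": sum("i" in e.flags for e in entries),
        "identity": sum(e.is_identity for e in entries),
        "twice": sum(e.is_twice for e in entries),
    }


SAMPLE = """\
4 in use, 5 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - norandom,
       r - portmap, s - static, T - twice
NAT from inside:10.1.1.1 to outside:201.100.1.110 flags i idle 0:01:13 timeout 3:00:00
TCP PAT from inside:10.1.1.1/35322 to outside(pat2):201.100.1.200/52970 flags ri idle 0:00:03 timeout 0:00:30
NAT from inside:10.1.1.0/24 to outside:10.1.1.0/24 flags sI idle 0:00:07 timeout 0:00:00
TCP PAT from outside:201.100.1.1 23-23 to inside:201.100.1.1 80-80 flags srIT idle 0:00:37 timeout 0:00:00
"""

if __name__ == "__main__":
    entries = parse_show_xlate(SAMPLE)
    for e in entries:
        print(e.kind, e.real, "->", e.mapped, e.meanings)
    print(summarize(entries))
```

The identity and twice flags are the ones to grep for when auditing a firewall: every sI or srIT entry is a translation that does not hide the real address, so the interface ACL is the only thing standing between the outside and that host.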
Everything above is source-based NAT. The sections below cover static NAT, where a translation is configured for a destination that is reached from the outside.
8. 8.0 (static NAT: a static one-to-one translation for outside-to-inside access)

    ASA/pri/act# show running-config static
    static (inside,outside) 201.100.1.100 10.1.1.1 netmask 255.255.255.255

The access list on the outside interface permits the translated (mapped) address:

    access-list outline1 extended permit tcp host 201.100.1.1 host 201.100.1.100 (hitcnt=9) 0x4a668fb0

    201.100.1.100 flags s        (show xlate entry for the static translation)
8.4

    ASA8-4# show running-config object
     host 10.1.1.1        (under the network object for the inside host; the header is not on the page)
    ASA8-4# show running-config nat
     nat (inside,outside) static 201.100.1.100
    ASA8-4# show xlate
    201.100.1.100 flags s idle 0:00:52 timeout 0:00:00

    access-list outline1 extended permit tcp host 201.100.1.1 host 10.1.1.1 (hitcnt=1) 0xe8e098f5

The access list now permits the inside host's real IP address. This is the security-relevant difference: from 8.3 on, interface ACLs are evaluated against real (untranslated) addresses, so an outside ACL carried over unchanged from 8.2 that still names 201.100.1.100 never matches on 8.4. A permit written that way silently blocks the published service, and a deny written that way silently stops blocking it.
9. 8.0 static PAT (port redirection): there is only one public address, and connections to different ports of that address are redirected to different servers.

    static (inside,outside) tcp 201.100.1.100 telnet 10.1.1.1 www netmask 255.255.255.255
    static (inside,outside) tcp 201.100.1.100 www 10.1.1.2 telnet netmask 255.255.255.255

    10.1.1.1/80 to outside:201.100.1.100/23 flags sr
    10.1.1.2/23 to outside:201.100.1.100/80 flags sr

    access-list outline1 extended permit tcp host 201.100.1.1 host 201.100.1.100 eq telnet (hitcnt=1) 0x57c792d9
    access-list outline2 extended permit tcp host 201.100.1.1 host 201.100.1.100 eq www (hitcnt=0) 0x463b6a3b

Here too the access list permits the translated address and port: port 23 on 201.100.1.100 is the web server 10.1.1.1:80, and port 80 is the telnet service on 10.1.1.2:23 (the static syntax lists the mapped address and port first, then the real address and port).
8.4 (Twice NAT)

    ! network objects for the two inside hosts (headers not on the page; the nat command below uses inside1 for 10.1.1.1)
     host 10.1.1.1
     host 10.1.1.2
    object service http
     service tcp destination eq www
    object network outside-des
     ! (address definition not shown on the page)

    ASA8-4(config)# show running-config nat
    nat (outside,inside) source static outside-des outside-des destination static outside inside1 service http telnet

    access-list outline1 extended permit tcp host 201.100.1.1 host 10.1.1.1 eq telnet (hitcnt=1) 0x213cb7ce

    R5-outside8.4# telnet 201.100.1.100 80
    Trying 201.100.1.100, 80 ... Open
    R4-inside1-8.4>

Read in the (outside,inside) direction, the rule leaves the source (object outside-des) untranslated and rewrites the destination from the mapped object outside to the real host inside1, with the mapped port www (80) becoming the real port telnet (23). The test confirms it: a telnet to 201.100.1.100 port 80 from the outside router lands on the inside1 router's telnet prompt. The outside ACL again names the real address and the real port, host 10.1.1.1 eq telnet, not the mapped 201.100.1.100 eq www.
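The ACL change documented in sections 8 and 9, as an added example in Python (not code from the page, and not Cisco's own upgrade migration): given the pre-8.3 static and static PAT rules, it rewrites an outside-interface ACE written against mapped addresses and ports into the real addresses and ports that 8.3 and later evaluate, and warns when an ACE names a mapped address and port for which no static entry exists, because such an ACE matches nothing. Assumptions: only the destination of the ACE is rewritten (that is what the static rules in these notes translate), the only address forms handled are host A, any and A MASK with an optional eq PORT, and the port-name table is a small hand-picked subset of the ASA's.

```python
"""Rewrite pre-8.3 ACEs (mapped addresses) into 8.3+ form (real addresses) (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES: Dict[str, int] = {"telnet": 23, "www": 80, "ssh": 22, "smtp": 25, "https": 443}
PORT_NUMBERS: Dict[int, str] = {v: k for k, v in PORT_NAMES.items()}


@dataclass
class StaticRule:
    mapped_ip: str
    real_ip: str
    proto: Optional[str] = None         # None: plain static NAT, every port unchanged
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None


def port_number(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def port_token(port: int) -> str:
    return PORT_NUMBERS.get(port, str(port))


def parse_static(line: str) -> StaticRule:
    """static (inside,outside) [tcp|udp] MAPPED_IP [MAPPED_PORT] REAL_IP [REAL_PORT] netmask MASK"""
    toks = line.split()
    args = toks[2:toks.index("netmask")]
    if args[0] in ("tcp", "udp"):
        proto, mip, mport, rip, rport = args[:5]
        return StaticRule(mip, rip, proto, port_number(mport), port_number(rport))
    return StaticRule(args[0], args[1])


def split_ace(toks: List[str], i: int) -> Tuple[List[str], int]:
    """Consume one address spec ('host A', 'any' or 'A MASK') starting at toks[i]."""
    n = 1 if toks[i] == "any" else 2
    return toks[i:i + n], i + n


def mapped_to_real(acl_line: str, statics: List[StaticRule]) -> Tuple[str, Optional[str]]:
    """Return the 8.3+ ACE and a warning (or None) for one 'access-list NAME extended ...' line."""
    toks = acl_line.split()
    head, proto = toks[:5], toks[4]                        # access-list NAME extended ACTION PROTO
    src, i = split_ace(toks, 5)
    dst, i = split_ace(toks, i)
    port = port_number(toks[i + 1]) if i < len(toks) and toks[i] == "eq" else None
    trailer = toks[i + 2:] if port is not None else toks[i:]   # e.g. (hitcnt=9) 0x4a668fb0
    if dst[0] != "host":
        return acl_line, None
    mapped_ip = dst[1]
    candidates = [s for s in statics if s.mapped_ip == mapped_ip]
    if not candidates:
        return acl_line, None                              # not a mapped address: leave it alone
    pat = next((s for s in candidates if s.proto == proto and s.mapped_port == port), None)
    plain = next((s for s in candidates if s.proto is None), None)
    if pat:                                                # static PAT: real IP and real port
        new_dst, new_port = ["host", pat.real_ip], pat.real_port
    elif plain:                                            # plain static: real IP, same port
        new_dst, new_port = ["host", plain.real_ip], port
    else:
        return acl_line, f"{mapped_ip} port {port} has no matching static entry; this ACE never matches"
    out = head + src + new_dst + (["eq", port_token(new_port)] if new_port is not None else []) + trailer
    return " ".join(out), None


if __name__ == "__main__":
    statics = [parse_static(l) for l in [      # section 9 of these notes
        "static (inside,outside) tcp 201.100.1.100 telnet 10.1.1.1 www netmask 255.255.255.255",
        "static (inside,outside) tcp 201.100.1.100 www 10.1.1.2 telnet netmask 255.255.255.255",
    ]]
    for ace in [
        "access-list outline1 extended permit tcp host 201.100.1.1 host 201.100.1.100 eq telnet",
        "access-list outline2 extended permit tcp host 201.100.1.1 host 201.100.1.100 eq www",
        "access-list outline3 extended permit tcp any host 201.100.1.100 eq ssh",
    ]:
        print(mapped_to_real(ace, statics))
```

The warning case is the one to act on before an upgrade: an ACE that permits a mapped port nobody published was dead on 8.2 already, but an ACE left pointing at a mapped address on 8.4 is a rule that looks correct in the running-config and does nothing.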
10. 8.2 static identity translation: an inside address is translated to itself, and the outside can reach it.
(Static identity NAT is the identity form that allows connections initiated from the outside.)

    ASA/pri/act# show running-config static
    static (inside,outside) 10.1.1.1 10.1.1.1 netmask 255.255.255.255
AS