Technical documentation
Published: 2022-05-07 Source: Yang Guangcheng
Cisco CCIE Security study notes: ASA firewall NAT (part 2)
WOLFLAB instructor: Yang Guangcheng, CCIE#29957; HCIE#12877, technical editing
3. Identity NAT
Traditional configuration:
nat (inside) 0 10.1.1.1 255.255.255.255
New configuration (Network Object NAT):
object network Inside-Address
host 10.1.1.1
object network Inside-Address
nat (inside,outside) static Inside-Address
Or write the mapped address directly instead of the object name:
nat (inside,outside) static 10.1.1.1
4. Static one-to-one NAT
Traditional configuration:
static (inside,outside) 202.100.1.101 10.1.1.1
New configuration (Network Object NAT):
object network Static-Outside-Address
host 202.100.1.101
object network Static-Inside-Address
host 10.1.1.1
object network Static-Inside-Address
nat (inside,outside) static Static-Outside-Address
Or, with the mapped address written directly:
nat (inside,outside) static 202.100.1.101
5. Static port translation (port forwarding)
Traditional configuration:
static (inside,outside) tcp 202.100.1.102 2323 10.1.1.1 23
New configuration (Network Object NAT):
object network Static-Outside-Address
host 202.100.1.102
object network Static-Inside-Address
host 10.1.1.1
object network Static-Inside-Address
nat (inside,outside) static Static-Outside-Address service tcp 23 2323
Or, with the mapped address written directly (the order is: real port 23, then mapped port 2323):
nat (inside,outside) static 202.100.1.102 service tcp 23 2323
6. Twice NAT
Several different flows, translating only the source address and leaving the destination untouched:
Traditional configuration:
access-list inside-to-1 permit ip 10.1.1.0 255.255.255.0 host 202.100.1.1
access-list inside-to-2 permit ip 10.1.1.0 255.255.255.0 host 202.100.1.2
nat (inside) 1 access-list inside-to-1
nat (inside) 2 access-list inside-to-2
global (outside) 1 202.100.1.101
global (outside) 2 202.100.1.102
New configuration (Twice NAT):
object network dst-1
host 202.100.1.1
object network dst-2
host 202.100.1.2
object network pat-1
host 202.100.1.101
object network pat-2
host 202.100.1.102
object network Inside-Network
subnet 10.1.1.0 255.255.255.0
nat (inside,outside) source dynamic Inside-Network pat-1 destination static dst-1 dst-1
nat (inside,outside) source dynamic Inside-Network pat-2 destination static dst-2 dst-2
Translating both the source and the destination address
Note: this requirement is very rare. One example is two private networks (A and B) separated by a public network, where A wants to reach B using B's private addresses directly. A's source address must then be translated to a public address, and the destination address in B must also be translated to a public address. The same work has to be done at B's public-facing edge as well.
Traditional configuration:
access-list inside-to-1 permit ip 10.1.1.0 255.255.255.0 host 202.100.1.1
nat (inside) 1 access-list inside-to-1
global (outside) 1 202.100.1.101
static (outside,inside) 10.1.1.101 202.100.1.1
New configuration (Twice NAT):
object network dst-1
host 202.100.1.1
object network pat-1
host 202.100.1.101
object network Inside-Network
subnet 10.1.1.0 255.255.255.0
object network map-dst-1
host 10.1.1.101
nat (inside,outside) source dynamic Inside-Network pat-1 destination static map-dst-1 dst-1
Manually adjusting the order of Twice NAT rules
show nat
The output shows a line number in front of every twice NAT rule. You operate on that number exactly as you would with an access-list.
For example, to insert a rule in front of the current line 1:
nat (inside,outside) 1 source …… // inserted as line 1, pushing the current line 1 down
Why NAT 0 + ACL is no longer needed
nat (inside) 1 30.0.0.0 255.255.255.0
global (outside) 1 interface
After these two lines the Inside router can reach the Outside router through PAT, but you will find that Inside can no longer reach the dmz. The reason is that nat (inside) 1 also catches traffic from inside to every other interface, for which no translation (global) has been defined.
The fix was to add NAT exemption:
access-list IN-TO-DMZ permit ip 30.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0
nat (inside) 0 access-list IN-TO-DMZ
In Network Object NAT, however, nat (inside,outside) explicitly binds the rule to that pair of interfaces, so it naturally has no effect on traffic from inside to dmz.
Identity NAT and NAT exemption (nat 0) were both removed; they are now done with twice NAT:
nat (inside,outside) source static NONAT-Network NONAT-Network destination static DST-Network DST-Network // mapped and real are identical, so nothing is translated (identity NAT); the keyword is static, not dynamic, so the mapping is one-to-one. Because twice NAT names both the source and the destination, the rule matches exactly the intended flow.
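As an added illustration (not part of the original document and not Cisco code), the following Python model applies the ASA 8.3+ lookup order to the rules on this page: the section 1 twice NAT lines first, in show nat line order, then section 2 object NAT, with every rule bound to its interface pair. It assumes a constructed routing table, a dmz subnet of 20.0.0.0/24 as in the NAT 0 example above, and an object NAT rule "nat (inside,outside) dynamic interface" standing in for the old nat/global pair; inside-to-dmz traffic matches nothing and passes untranslated, which is why NAT 0 is no longer required.

```python
import ipaddress

# Constructed objects and routes; the DMZ subnet 20.0.0.0/24 is taken from the NAT 0
# example above, everything else here is an assumption for this model.
OBJECTS = {
    "Inside-Network": "10.1.1.0/24", "dst-1": "202.100.1.1/32", "dst-2": "202.100.1.2/32",
    "pat-1": "202.100.1.101/32", "pat-2": "202.100.1.102/32",
}
ROUTES = [("10.1.1.0/24", "inside"), ("20.0.0.0/24", "dmz"), ("0.0.0.0/0", "outside")]

# Section 1: the two twice NAT lines of this page, in "show nat" line order.
TWICE_NAT = [
    {"ifcs": ("inside", "outside"), "src": "Inside-Network", "mapped": "pat-1", "dst": "dst-1"},
    {"ifcs": ("inside", "outside"), "src": "Inside-Network", "mapped": "pat-2", "dst": "dst-2"},
]
# Section 2: object NAT "nat (inside,outside) dynamic interface" (assumed), the new-style
# counterpart of "nat (inside) 1 ... / global (outside) 1 interface".
OBJECT_NAT = [{"ifcs": ("inside", "outside"), "src": "Inside-Network", "mapped": "interface"}]

def egress_interface(dst):
    """Longest-prefix match over the constructed routing table."""
    addr = ipaddress.ip_address(dst)
    for prefix, ifc in sorted(ROUTES, key=lambda r: -ipaddress.ip_network(r[0]).prefixlen):
        if addr in ipaddress.ip_network(prefix):
            return ifc
    raise ValueError("no route to " + dst)

def contains(obj, addr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(OBJECTS[obj])

def lookup(in_ifc, src, dst):
    """Return (section, line, mapped_source) for the first rule that applies, else None.

    A rule applies when the packet enters on its real interface, leaves (per the route
    lookup) on its mapped interface, and its real source object and, for twice NAT, its
    real destination object contain the packet's addresses.
    """
    out_ifc = egress_interface(dst)
    for section, rules in ((1, TWICE_NAT), (2, OBJECT_NAT)):
        for line, rule in enumerate(rules, 1):
            if rule["ifcs"] != (in_ifc, out_ifc) or not contains(rule["src"], src):
                continue
            if "dst" in rule and not contains(rule["dst"], dst):
                continue
            mapped = rule["mapped"]
            return section, line, OBJECTS.get(mapped, mapped).split("/")[0]
    return None  # no rule matched: the packet is forwarded untranslated
```

Running lookup("inside", "10.1.1.5", "20.0.0.7") returns None, while the same source towards 202.100.1.1 hits section 1 line 1 and is PATed to 202.100.1.101.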