ASA NAT configuration: every case is covered here
NAT 1
Translate all internal address ranges to one range of IPs on the outside
nat (inside) 1 0 0
glob (outside) 1 172.16.0.150-172.16.0.160
sh xlate: view the NAT translation entries
sh conn: view the IP connections between different zones
sh glob (or sh running-config global): view the glob address pool configuration
clear nat: clear the NAT configuration
clear glob: clear the glob address pool configuration
clear xlate: clear the existing NAT translation entries
NAT 2
Translate an internal subnet to the outside interface address
nat (inside) 1 192.168.10.0 255.255.255.0
glob (outside) 1 interface
INFO:outside interface address added to PAT pool
The two can also be combined: associate two glob entries with the same NAT ID
nat (inside) 1 0 0
glob (outside) 1 172.16.0.150-172.16.0.160
glob (outside) 1 interface
Access control list: permit the internal hosts' ICMP traffic (the echo replies coming back in on outside)
access-list out per icmp any any echo-reply
access-group out in interface outside
NAT 3
Protocol-specific NAT translation:
Only allow the TELNET protocol to be NATed, and only allow ICMP traffic from one internal host to one external host to be NATed
access-list nat permit tcp any any eq telnet
access-list nat permit icmp host 192.168.10.10 host 172.16.0.10
nat (inside) 1 access-list nat
glob (outside) 1 interface
NAT 4
Static port mapping
Statically map port 23 of the internal host 192.168.10.10 to the outside, for use by 172.16.0.10 only
static (inside,outside) 172.16.0.155 192.168.10.10
access-list in extended permit tcp host 172.16.0.10 host 172.16.0.155 eq telnet
access-group in in interface outside
5. nonat
Used when you do not want the packet's source address translated as it traverses the PIX (just like a normal packet passing through a router).
There are two kinds of nonat technique:
1. identity: creates an xlate entry; the outside can only initiate inbound after the inside has initiated outbound.
2. bypass: creates no xlate entry; the outside can actively initiate connections inbound.
topology :
R1-e0-1.1.1.124-1.1.1.125-outside-PIX-inside-1.2.3.125-1.2.3.124-e0/0-R2
Nonat (Identity)
nat (inside) 0 1.2.3.0 255.255.255.0
1. nat 0 1.2.3.0 will be identity translated for outbound
2. The internal network 1.2.3.0 255.255.255.0 is given a nat 0 translation, so the packet's source address is not translated
3. An xlate entry is created:
Global 1.2.3.124 Local 1.2.3.124
Nonat (bypass)
access-list nonat permit ip 1.2.3.0 255.255.255.0 1.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
1. Packets matching access list nonat have their source address left untranslated
2. No xlate entry is created
3. The outside can actively initiate connections inbound (if the access list permits it)
6. NAT comparison
topology :
OUT-e0-1.1.1.1-1.1.1.254-outside-PIX-inside-2.2.2.254-2.2.2.2-e0-IN
Access list configuration
access-list nat-host per ip host 2.2.2.2 host 1.1.1.1
access-list nat-network line 1 permit ip host 2.2.2.2 any
access-list static-host per ip host 2.2.2.2 host 1.1.1.1
access-list static-network line 1 permit ip host 2.2.2.2 any
access-list nonat-host per ip host 2.2.2.2 host 1.1.1.1
access-list nonat-network line 1 permit ip host 2.2.2.2 any
NAT order of precedence
1.nat (inside) 0 access-l nonat-host
2.nat (inside) 0 access-l nonat-network
3.static (inside,outside) 1.1.1.2 access-list static-host
4.static (inside,outside) 1.1.1.3 access-list static-network 0 0
5.static (inside,outside) 1.1.1.4 2.2.2.2
6.nat (inside) 1 access-list nat-host
7.nat (inside) 1 access-list nat-network
8.nat (inside) 0 2.2.2.2 255.255.255.255
9.nat (inside) 1 2.2.2.0 255.255.255.0 0 0
10.global (outside) 1 interface
Summary:
1. First comes nat 0 with an access control list
2. Then static with an access control list
3. Then one-to-one static translation
4. Then nat with a non-zero ID (>0) with an access control list
5. Then nat (both 0 and >0) with a network address
6. Finally PAT
7. Entries at the same level are compared by how specific their access control lists and network addresses are
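The precedence rules in the summary above, modelled as a small Python script (an added example, not part of the original post): it takes the nine matching entries from the list above, ranks them by the summary's levels, breaks ties by access-list/network specificity, and reports which entry a given inside-to-outside flow would hit. It models the post's summary, not the device's own implementation; the test flows and the function names are constructed.

```python
import ipaddress

# Source/destination pairs of the six access lists from the "Access list configuration" section
ACLS = {
    "nonat-host": ("2.2.2.2/32", "1.1.1.1/32"), "nonat-network": ("2.2.2.2/32", "0.0.0.0/0"),
    "static-host": ("2.2.2.2/32", "1.1.1.1/32"), "static-network": ("2.2.2.2/32", "0.0.0.0/0"),
    "nat-host": ("2.2.2.2/32", "1.1.1.1/32"), "nat-network": ("2.2.2.2/32", "0.0.0.0/0"),
}

# (command, kind, nat_id, acl, network): entries 1-9 from the post; entry 10 (global interface) is the PAT pool, not a rule
RULES = [
    ("nat (inside) 0 access-l nonat-host", "nat", 0, "nonat-host", None),
    ("nat (inside) 0 access-l nonat-network", "nat", 0, "nonat-network", None),
    ("static (inside,outside) 1.1.1.2 access-list static-host", "static", None, "static-host", None),
    ("static (inside,outside) 1.1.1.3 access-list static-network 0 0", "static", None, "static-network", None),
    ("static (inside,outside) 1.1.1.4 2.2.2.2", "static", None, None, "2.2.2.2/32"),
    ("nat (inside) 1 access-list nat-host", "nat", 1, "nat-host", None),
    ("nat (inside) 1 access-list nat-network", "nat", 1, "nat-network", None),
    ("nat (inside) 0 2.2.2.2 255.255.255.255", "nat", 0, None, "2.2.2.2/32"),
    ("nat (inside) 1 2.2.2.0 255.255.255.0 0 0", "nat", 1, None, "2.2.2.0/24"),
]

def level(kind, nat_id, acl, network):
    # Precedence level 1-5 from the post's summary (lower wins)
    if kind == "nat" and nat_id == 0 and acl:
        return 1                      # nat 0 + access list
    if kind == "static":
        return 2 if acl else 3        # static + access list, then one-to-one static
    if acl:
        return 4                      # nat >0 + access list
    return 5                          # nat (0 or >0) + network address

def specificity(acl, network):
    # Tie-breaker within a level: longer prefixes are more specific
    if acl:
        src, dst = (ipaddress.ip_network(n) for n in ACLS[acl])
        return src.prefixlen + dst.prefixlen
    return ipaddress.ip_network(network).prefixlen

def matches(rule, src, dst):
    _, _, _, acl, network = rule
    if acl:
        s, d = ACLS[acl]
        return src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
    return src in ipaddress.ip_network(network)

def winner(src_ip, dst_ip):
    # Command text of the entry that handles an inside->outside flow, or None if nothing matches
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [r for r in RULES if matches(r, src, dst)]
    hits.sort(key=lambda r: (level(*r[1:]), -specificity(r[3], r[4])))
    return hits[0][0] if hits else None
```

For 2.2.2.2 -> 1.1.1.1 every entry matches and the nat 0 host access list wins; for 2.2.2.3 -> 1.1.1.1 only the nat 1 network entry applies.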
This article is from the blog "彥天天的學習路"; reproduction is not permitted.