
19 - Cisco Firewall: ASA Static NAT


I. Lab topology:
(topology diagram not reproduced)
II. Lab requirements:
Prerequisite: R1, R2 and R3 each have a default route pointing to the ASA interface address facing them.
1. R1 can Telnet directly to R3's translated address and reach the R3 prompt;
2. No separate rule is needed to permit traffic to R3's translated address, because traffic from host R1 to R3's real address is already permitted (the interface ACL is matched against the real, untranslated address);
3. Once this is deployed, even after R1's default route towards the ASA is removed, R1 can still Telnet to R3.
III. Command deployment:
1. Clear the objects from the previous lab and verify:
ASA(config)# clear configure object
ASA(config)# show run object
2. Write an ACL that permits Telnet traffic from R1 to R3 and apply it inbound on the Outside interface:
ASA(config)# access-list nameout extended permit tcp host 202.100.1.1 host 10.1.2.3 eq 23
ASA(config)# access-group nameout in interface outside
Verify:
R1#telnet 10.1.2.3
Trying 10.1.2.3 ... Open
User Access Verification
Username: cc
Password:
R3>

ASA(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list nameout; 1 elements; name hash: 0xb3be6588

access-list nameout line 1 extended permit tcp host 202.100.1.1 host 10.1.2.3 eq telnet (hitcnt=1) 0x96543a58 //The ACL is being matched; the hit count is 1

ASA(config)# show xlate //No NAT translations exist yet
0 in use, 3 most used

R3#show users //R1 is managing R3 remotely via R3's real address
    Line       User       Host(s)              Idle       Location
*    0 con 0                idle                 00:00:00
   130 vty 0     cc         idle                 00:02:36 202.100.1.1

3. Use static NAT to translate the DMZ address to the Outside address 202.100.1.101:
ASA(config)# object network dmzquyu
ASA(config-network-object)# host 10.1.2.3
ASA(config-network-object)# nat (dmz,outside) static 202.100.1.101
Verify:
ASA# show xlate
1 in use, 3 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from dmz:10.1.2.3 to outside:202.100.1.101
flags s idle 0:00:31 timeout 0:00:00 //This xlate slot is permanent, so it has no timeout.

Problem encountered: R1 could not Telnet to R3's translated address 202.100.1.101. In GNS3 I right-clicked and reloaded both R3 and R1; after restarting both it worked, but ping still fails.
R1#ping 10.1.2.10 //The instructor was able to ping here
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R1#telnet 202.100.1.101
Trying 202.100.1.101 ... Open
User Access Verification
Username: cc
Password:
R3>
4. After removing R1's default route:
R1(config)#no ip route 0.0.0.0 0.0.0.0 202.100.1.10
Verify:
R1#telnet 202.100.1.101
Trying 202.100.1.101 ... Open
User Access Verification
Username: cc
Password:
R3> //Success: even without a default route, R1 can still reach R3 remotely.
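The following is an added example, not part of the original lab or Cisco's own code. It models the two security-relevant points of steps 2 to 4: on an ASA running the 8.3+ NAT model, an inbound packet on the outside interface is first un-translated through the xlate table and only then checked against the interface ACL, which is written in real addresses. That is why the single ACL entry for 202.100.1.1 -> 10.1.2.3 tcp/23 also covers Telnet to the mapped address 202.100.1.101, and why a packet to the same mapped address on another port, or from another source, hits the implicit deny. The helper for requirement 3 assumes a /24 mask on R1's outside-facing interface (the page does not show it); the ASA proxy-ARPs for static NAT addresses on the outside interface, so an address inside R1's connected subnet is reachable without a default route. Addresses and the ACL content are the page's own lab values; everything else is constructed.

```python
"""Model of the ASA 8.3+ inbound packet path: un-translate the destination
via the static xlate table, then evaluate the interface ACL against the
REAL address. Constructed example using the lab values from this page."""
from dataclasses import dataclass
from typing import Dict, List, Optional
import ipaddress


@dataclass(frozen=True)
class StaticXlate:
    real_if: str       # interface of the real host, e.g. "dmz"
    mapped_if: str     # interface where the mapped address is seen, e.g. "outside"
    real_ip: str
    mapped_ip: str


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "ip" (any)
    src: str                     # host address or CIDR, real addressing
    dst: str                     # host address or CIDR, real addressing
    dport: Optional[int] = None  # None = any destination port


def _addr_matches(rule_addr: str, ip: str) -> bool:
    # A bare host address is treated as a /32 (or /128) network.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule_addr, strict=False)


def untranslate(xlates: List[StaticXlate], ingress_if: str, dst_ip: str):
    """Map a destination seen on ingress_if back to its real address.
    Returns (real_ip, real_interface); the address is returned unchanged
    with interface None when no static translation applies."""
    for x in xlates:
        if x.mapped_if == ingress_if and x.mapped_ip == dst_ip:
            return x.real_ip, x.real_if
    return dst_ip, None


def evaluate_acl(acl: List[AclEntry], proto: str, src: str, dst: str,
                 dport: Optional[int]) -> bool:
    """First-match evaluation; an ASA ACL ends with an implicit deny."""
    for e in acl:
        if e.proto not in ("ip", proto):
            continue
        if not (_addr_matches(e.src, src) and _addr_matches(e.dst, dst)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action == "permit"
    return False


def inbound_decision(xlates: List[StaticXlate], acl: List[AclEntry], ingress_if: str,
                     proto: str, src: str, dst: str, dport: Optional[int]) -> Dict:
    """Un-translate first, then apply the interface ACL to the real address."""
    real_dst, real_if = untranslate(xlates, ingress_if, dst)
    return {
        "real_dst": real_dst,
        "real_if": real_if,
        "permitted": evaluate_acl(acl, proto, src, real_dst, dport),
    }


# Lab values from this page: R3 real 10.1.2.3 (dmz) mapped to 202.100.1.101
# (outside); ACL "nameout" permits R1 (202.100.1.1) -> 10.1.2.3 tcp/23.
LAB_XLATES = [StaticXlate("dmz", "outside", "10.1.2.3", "202.100.1.101")]
LAB_ACL = [AclEntry("permit", "tcp", "202.100.1.1", "10.1.2.3", 23)]


def on_r1_connected_subnet(target_ip: str, r1_if: str = "202.100.1.1/24") -> bool:
    """Requirement 3: the mapped address sits in R1's directly connected subnet
    and the ASA proxy-ARPs for it, so R1 needs no default route to reach it.
    The /24 mask is an assumption; the page does not show R1's mask."""
    return ipaddress.ip_address(target_ip) in ipaddress.ip_interface(r1_if).network


if __name__ == "__main__":
    for dst, port in [("10.1.2.3", 23), ("202.100.1.101", 23), ("202.100.1.101", 80)]:
        d = inbound_decision(LAB_XLATES, LAB_ACL, "outside", "tcp", "202.100.1.1", dst, port)
        print(f"202.100.1.1 -> {dst}:{port}  real={d['real_dst']}  permitted={d['permitted']}")
    print("mapped address in R1's connected subnet:", on_r1_connected_subnet("202.100.1.101"))
```

Running the block prints one decision per packet: Telnet to the real address and Telnet to the mapped address are both permitted by the one ACL entry, while HTTP to the mapped address is dropped by the implicit deny. The practical consequence for anyone writing ASA rules after 8.3 is that the outside ACL must name the real (DMZ) address, and adding a second entry for the mapped address would be redundant rather than required.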
