首页 > 代码库 > Cisco ASA站点间穿越nat互相访问的实验
Cisco ASA站点间穿越nat互相访问的实验
1、 实验拓扑图:
1、 实验说明:
R1作为A公司的站点1,内部有台1.1.1.1/32的服务器需要A公司站点2的管理员实行远程telnet的设备管理;
R5作为A公司的站点2,内部有台2.2.2.2/32的服务器需要A公司站点1的管理员实行远程telnet的设备管理;
设备之间都有ASA防火墙的安全保护,R2作为互联网的一台路由器;
2、 实验配置:
R1#show run
usernamecisco password 0 cisco
!
interfaceLoopback0 //站点2管理员通过该地址进行R1设备的管理
ip address 1.1.1.1 255.255.255.0
!
interfaceLoopback1 //正常通过NAT上网的用户地址段
ip address 10.10.10.10 255.255.255.0
!
interfaceFastEthernet0/0
ip address 172.16.255.1 255.255.255.192
duplex auto
speed auto
!
interfaceFastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
routerospf 1
log-adjacency-changes
network 1.1.1.0 0.0.0.255 area 1
network 10.10.10.0 0.0.0.255 area 1
network 172.16.255.0 0.0.0.63 area 1
!
ipforward-protocol nd
!
no iphttp server
no iphttp secure-server
!
control-plane
!
line con0
exec-timeout 0 0
logging synchronous
line aux0
line vty0 4
password cisco
login local
transport input telnet
ASA1#show run
interfaceEthernet0/0
nameif Inside
security-level 100
ip address 172.16.255.2 255.255.255.192
!
interfaceEthernet0/1
nameif Outside
security-level 0
ip address 202.16.1.2 255.255.255.248
!
access-listoutside extended permit ip 10.10.10.0 255.255.255.0 any
access-listout extended permit icmp any any
access-listout extended permit tcp host 202.16.1.12 host 202.16.1.5 eq telnet
nat-control
global(Outside) 1 interface
nat(Inside) 1 access-list outside
static(Inside,Outside) 202.16.1.5 1.1.1.1 netmask 255.255.255.255
access-groupout in interface Outside
!
routerospf 1
network 172.16.255.0 255.255.255.192 area 1
log-adj-changes
default-information originate always
!
routeOutside 0.0.0.0 0.0.0.0 202.16.1.1 1
R2#show run
interfaceFastEthernet0/0
ip address 202.16.1.1 255.255.255.248
duplex auto
speed auto
!
interfaceFastEthernet0/1
ip address 202.16.1.9 255.255.255.248
duplex auto
speed auto
ASA2#show run
interfaceEthernet0/0
nameif Inside
security-level 100
ip address 172.16.255.130 255.255.255.192
!
interfaceEthernet0/1
nameif Outside
security-level 0
ip address 202.16.1.10 255.255.255.248
!
access-listout extended permit icmp any any
access-listout extended permit tcp host 202.16.1.5 host 202.16.1.12 eq telnet
access-listinside_nat1_outside extended permit ip 10.10.20.0 255.255.255.0 any
global(Outside) 1 interface
nat(Inside) 1 access-list inside_nat1_outside
static(Inside,Outside) 202.16.1.12 2.2.2.2 netmask 255.255.255.255
access-groupout in interface Outside
!
routerospf 10
network 172.16.255.128 255.255.255.192 area 0
log-adj-changes
default-information originate always
!
routeOutside 0.0.0.0 0.0.0.0 202.16.1.9 1
R3#show run
usernamecisco password 0 cisco
!
interfaceLoopback0 //站点2路由器需要通过该地址被管理
ip address 2.2.2.2 255.255.255.0
!
interfaceLoopback1 //用户上网地址
ip address 10.10.20.10 255.255.255.0
!
interfaceFastEthernet0/0
ip address 172.16.255.129 255.255.255.192
duplex auto
speed auto
!
routerospf 10
log-adjacency-changes
network 2.2.2.0 0.0.0.255 area 0
network 10.10.20.0 0.0.0.255 area 0
network 172.16.255.128 0.0.0.63 area 0
!
line vty0 4
password cisco
login local
transport input telnet
3、 站点间的互访测试:
R1#ping 202.16.1.9 source 10.10.10.10 //用户访问互联网
Typeescape sequence to abort.
Sending5, 100-byte ICMP Echos to 202.16.1.9, timeout is 2 seconds:
Packetsent with a source address of 10.10.10.10
!!!!!
Successrate is 100 percent (5/5), round-trip min/avg/max = 16/27/40 ms
Ciscoasa1# show xlate
2 in use,3 most used
PAT Global 202.16.1.2(2) Local10.10.10.10 ICMP id 23 //执行了正常的PAT转换
R1#telnet 202.16.1.12 /source-interfaceloopback 0 //正常的管理站点2设备
Trying 202.16.1.12 ... Open
!
User Access Verification
!
Username: cisco
Password:
R3>en
Password:
Password:
R3#
Ciscoasa1#show xlate //原因在于防火墙中有这条静态映射条目
1 in use, 3 most used
Global 202.16.1.5 Local 1.1.1.1
反之从R3– R1的测试结果是一样的,就由各位IT自己测试了。
本文出自 “我的技术博客” 博客,谢绝转载!
Cisco ASA站点间穿越nat互相访问的实验