首页 > 代码库 > asa的nat配置,所有的情况都在这里了

asa的nat配置,所有的情况都在这里了

NAT 1

将内部所有地址段转化为外部地址段的某一段IP

nat (inside) 1 0 0

glob (outside) 1 172.16.0.150-172.16.0.160

shxlate查看NAT转换项

sh conn 查看不同区域的IP连接项

sh glob 

(sh running-config global) 查看glob地址池配置

clear nat清除NAT配置

clear glob 清除lob地址池配置

clear xlate清除现有NAT转换项

NAT 2

将内部网段转化为外部接口地址

nat (inside) 1 192.168.10.0 255.255.255.0

glob (outside) 1 interface 

INFO:outside interface address added to PAT pool

也可以把以上两项结合起来:关联两个glob

nat (inside) 1 0 0

glob (outside) 1 172.16.0.150-172.16.0.160

glob (outside) 1 interface


访问控制列表:放行内部icmp流量

access-list out per icmp any any echo-reply

access-group out in interface outside


NAT 3

针对协议的NAT转换:

只容许TELNET协议做NAT;并仅冗许内网一主机到外网一主机icmp的流量的NAT

access-list nat permit tcp any anyeq telnet

access-list nat permit icmp host 192.168.10.10 host 172.16.0.10

nat (inside) 1 access-list nat

glob (outside) 1 interface


NAT 4

静态端口映射

将内网192.168.10.10 的23端口静态映射到外网仅供172.16.0.10使用

static (inside,outside) 172.16.0.155 192.168.10.10

access-list in extended permit tcp host 172.16.0.10 host 172.16.0.155 eq telnet

access-group in in interface outside


5.nonat

希望在穿越PIX的时候不想转换数据包的源地址(就像正常数据包穿越路由器一样)

有两种类型的nonat技术

1. identity 会创建xlate表项,只有在内部发起出去以后才能从外边主动发起。

2. bypass 不会创建xlate表项,外部能够主动发起向里边进行连接。


topology :

R1-e0-1.1.1.124-1.1.1.125-outside-PIX-inside-1.2.3.125-1.2.3.124-e0/0-R2

Nonat(Identity)

nat (inside) 0 1.2.3.0 255.255.255.0

1.nat 0 1.2.3.0 will be identity translated for outbound 

2.把内部网络 1.2.3.0 255.255.255.0 作nat 0的转换不转换数据报的源地址

3.会产生xlate表项

Global 1.2.3.124 Local 1.2.3.124 

Nonat(bypass)

access-list nonat permit ip 1.2.3.0 255.255.255.0 1.1.1.0 255.255.255.0

nat (inside) 0 access-list nonat

1.匹配访问控制列表nonat的数据包的源地址不做转换

2.不会产生xlate表项

3.外边可以主动发起向里边进行连接(如果访问控制列表放行)


6.nat的比较


topology : 

OUT-e0-1.1.1.1-1.1.1.254-outside-PIX-inside-2.2.2.254-2.2.2.2-e0-IN 

Access-list 的配置

access-list nat-host per ip host 2.2.2.2 host 1.1.1.1

access-list nat-network line 1 permit ip host 2.2.2.2 any

access-list static-host per ip host 2.2.2.2 host 1.1.1.1 

access-list static-network line 1 permit ip host 2.2.2.2 any

access-list nonat-host per ip host 2.2.2.2 host 1.1.1.1 

access-list nonat-network line 1 permit ip host 2.2.2.2 any

nat的排列顺序

1.nat (inside) 0 access-l nonat-host

2.nat (inside) 0 access-l nonat-network

3.static (inside,outside) 1.1.1.2 access-list static-host

4.static (inside,outside) 1.1.1.3 access-list static-network 0 0

5.static (inside,outside) 1.1.1.4 2.2.2.2

6.nat (inside) 1 access-list nat-host

7.nat (inside) 1 access-list nat-network

8.nat (inside) 0 2.2.2.2 255.255.255.255

9.nat (inside) 1 2.2.2.0 255.255.255.0 0 0

10.global (outside) 1 interface

总结:

1. 首先是nat 0 加访问控制列表

2. 然后是static加访问控制列表

3. 然后是点对点的static转换

4. 然后是非nat 0 (>0)加访问控制列表

5. 然后是nat (包括 0 和>0) 加网段地址

6. 最后是PAT

7. 如果处于同一级别就需要比较访问控制列表的明细程度和网络地址的明细程度


本文出自 “彦天天的学习路” 博客,谢绝转载!

asa的nat配置,所有的情况都在这里了