Cisco ASA 8.2 vs 8.4 NAT differences
1. NAT (nat-control: 8.2 has this command; when it is enabled, traffic that matches no NAT rule is not passed)
1. 8.2 (PAT translation)
global (outside) 10 201.100.1.100
nat (inside) 10 10.1.1.0 255.255.255.0
ASA/pri/act(config)# show xlate
1 in use, 1 most used
PAT Global 201.100.1.100(1024) Local 10.1.1.1(11298)
8.4
object network nat
 subnet 10.1.1.0 255.255.255.0
object network nat
 nat (inside,outside) dynamic 201.100.1.100
ASA8-4# show xlate
1 in use, 2 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:10.1.1.1/53851 to outside:201.100.1.100/5810 flags ri idle 0:00:04 timeout 0:00:30
2. 8.2 (dynamic one-to-one translation)
nat (inside) 10 10.1.1.0 255.255.255.0
global (outside) 10 201.100.1.110-201.100.1.120 netmask 255.255.255.0
ASA/pri/act# show xlate detail
2 in use, 2 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - norandom,
       r - portmap, s - static
NAT from inside:10.1.1.1 to outside:201.100.1.110 flags i
NAT from inside:10.1.1.2 to outside:201.100.1.111 flags i
8.4
object network nat
 subnet 10.1.1.0 255.255.255.0
object network outside-nat
 range 201.100.1.110 201.100.1.120
object network nat
 nat (inside,outside) dynamic outside-nat
ASA8-4# show xlate
1 in use, 2 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:10.1.1.1 to outside:201.100.1.115 flags i idle 0:01:13 timeout 3:00:00
3. 8.2 (translation to the interface address)
nat (inside) 10 10.1.1.0 255.255.255.0
global (outside) 10 interface
ASA/pri/act# show xlate detail
1 in use, 2 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - norandom,
       r - portmap, s - static
TCP PAT from inside:10.1.1.1/61971 to outside:201.100.1.10/1024 flags ri
8.4
object network nat
 subnet 10.1.1.0 255.255.255.0
object network nat
 nat (inside,outside) dynamic interface
ASA8-4(config)# show xlate
1 in use, 2 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:10.1.1.1/35322 to outside:201.100.1.10/52970 flags ri idle 0:00:03 timeout 0:00:30
4. 8.2 (different internal addresses translated to different external addresses)
nat (inside) 9 1.1.1.0 255.255.255.0
nat (inside) 10 10.1.1.0 255.255.255.0
// Ordering rule: the more specific statement is listed first; when specificity is equal, the statement with the lower IP address comes first. The rules also take effect in this order.
global (outside) 10 interface
global (outside) 9 201.100.1.111
ASA/pri/act# show xlate detail
2 in use, 2 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - norandom,
       r - portmap, s - static
TCP PAT from inside:1.1.1.1/51343 to outside:201.100.1.111/1026 flags ri
TCP PAT from inside:10.1.1.1/13938 to outside:201.100.1.10/1028 flags ri
8.4
ASA8-4# show running-config object
object network inside1
 subnet 10.1.1.0 255.255.255.0
object network inside2
 subnet 1.1.1.0 255.255.255.0
object network ouside-inside2
 host 201.100.1.110
ASA8-4# show running-config nat
!
object network inside1
 nat (inside,outside) dynamic interface
object network inside2
 nat (inside,outside) dynamic ouside-inside2
ASA8-4# show xlate
2 in use, 2 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:1.1.1.1/59611 to outside:201.100.1.110/34338 flags ri idle 0:00:08 timeout 0:00:30
TCP PAT from inside:10.1.1.1/22181 to outside:201.100.1.10/53371 flags ri idle 0:00:19 timeout 0:00:30
5. 8.2 (one-to-one translation first; PAT translation is used only once all pool addresses are exhausted)
ASA/pri/act# show running-config nat
nat (inside) 10 10.1.1.0 255.255.255.0
ASA/pri/act# show running-config global
global (outside) 10 201.100.1.110-201.100.1.112
global (outside) 10 201.100.1.116
ASA/pri/act# show xlate detail
4 in use, 5 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - norandom,
       r - portmap, s - static
NAT from inside:10.1.1.1 to outside:201.100.1.110 flags i
NAT from inside:10.1.1.3 to outside:201.100.1.112 flags i
TCP PAT from inside:10.1.1.6/19799 to outside:201.100.1.116/1025 flags ri
NAT from inside:10.1.1.2 to outside:201.100.1.111 flags i
8.4
object network outside
 range 201.100.1.110 201.100.1.112
object network inside
 subnet 10.1.1.0 255.255.255.0
object network inside
 nat (inside,outside) dynamic outside interface
ASA8-4# show xlate
4 in use, 4 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:10.1.1.4/49994 to outside:201.100.1.10/52626 flags ri idle 0:00:04 timeout 0:00:30
NAT from inside:10.1.1.1 to outside:201.100.1.111 flags i idle 0:01:31 timeout 3:00:00
NAT from inside:10.1.1.3 to outside:201.100.1.110 flags i idle 0:00:16 timeout 3:00:00
NAT from inside:10.1.1.2 to outside:201.100.1.112 flags i idle 0:00:33 timeout 3:00:00
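The 8.2 to 8.4 mapping shown in sections 1 to 5 (single PAT address, address pool, interface PAT, and pool with PAT fallback) can be mechanised. The converter below is an added example, not part of the original document or of any Cisco tool; the object names obj-<net> and pool-<lo>-<hi> are an assumption of this example, and a pool followed by a single fallback host (the 8.2 form in section 5) is rejected so that it gets a manual rewrite, as the 8.4 form on this page uses the interface instead.

```python
import re
from collections import defaultdict

# 8.2 forms used on this page: 'nat (IFC) ID NET MASK' and
# 'global (IFC) ID {A.B.C.D | A.B.C.D-E.F.G.H [netmask M] | interface}'
NAT_RE = re.compile(r"nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"global \((\S+)\) (\d+) (\S+)")


def convert_82_to_84(config_lines):
    """Return 8.4 object NAT lines equivalent to 8.2 nat/global lines.

    Object names obj-<net> / pool-<lo>-<hi> are an assumption of this
    example; the ASA imposes no naming rule.
    """
    nats, globals_ = [], defaultdict(list)
    for raw in config_lines:
        line = raw.strip()
        m = NAT_RE.match(line)
        if m:
            nats.append(m.groups())                 # (real_ifc, nat_id, net, mask)
            continue
        m = GLOBAL_RE.match(line)
        if m:
            ifc, nat_id, mapped = m.groups()        # a trailing 'netmask ...' is ignored
            globals_[(ifc, nat_id)].append(mapped)  # order kept: a later entry is the PAT fallback
    out = []
    for real_ifc, nat_id, net, mask in nats:
        if nat_id == "0":
            raise ValueError("nat 0 (identity NAT) is a static identity rule in 8.4; not handled here")
        for (mapped_ifc, gid), pool in globals_.items():
            if gid != nat_id:
                continue
            targets = []
            for entry in pool:
                if "-" in entry:                    # address range -> its own network object
                    lo, hi = entry.split("-")
                    name = f"pool-{lo}-{hi}"
                    out += [f"object network {name}", f" range {lo} {hi}"]
                    targets.append(name)
                else:                               # single address or 'interface' -> PAT
                    targets.append(entry)
            if targets[1:] not in ([], ["interface"]):
                raise ValueError(f"only an 'interface' PAT fallback is handled here: {pool}")
            out += [f"object network obj-{net}", f" subnet {net} {mask}",
                    f" nat ({real_ifc},{mapped_ifc}) dynamic {' '.join(targets)}"]
    return out
```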
6. 8.0 (policy NAT: access from the inside to different destination ports on the outside is translated to different external IP addresses) (policy NAT always takes precedence over regular NAT)
access-list pat1 extended permit tcp host 10.1.1.1 host 201.100.1.1 eq telnet
access-list pat2 extended permit tcp host 10.1.1.1 host 201.100.1.1 eq www
nat (inside) 10 access-list pat1
nat (inside) 20 access-list pat2
global (outside) 10 201.100.1.100
global (outside) 20 201.100.1.200
ASA/pri/act# show xlate detail
2 in use, 5 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - norandom,
       r - portmap, s - static
TCP PAT from inside:10.1.1.1/30449 to outside(pat2):201.100.1.200/1024 flags ri
TCP PAT from inside:10.1.1.1/43167 to outside(pat1):201.100.1.100/1024 flags ri
8.4
Newer version (Twice NAT): this is NAT applied twice, and it normally adds a destination-based element, whereas the network object used so far is source-based only. In most cases an object is enough to solve the problem; this form is only used in special cases.
Object NAT is generally called Auto NAT, and Twice NAT is called Manual NAT.
object network outside1
 host 201.100.1.100
object network outside2
 host 201.100.1.200
object network inside
 subnet 10.1.1.0 255.255.255.0
object network outside
 host 201.100.1.1
object service telnet
 service tcp destination eq telnet
object service http
 service tcp destination eq www
nat (inside,outside) source dynamic inside outside1 destination static outside outside service telnet telnet
nat (inside,outside) source dynamic inside outside2 destination static outside outside service http http
ASA8-4# show xlate
1 in use, 4 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from outside:201.100.1.1 23-23 to inside:201.100.1.1 80-80
    flags srIT idle 0:00:37 timeout 0:00:00
Note: T means twice NAT, i.e. both the source and the destination address can be translated.
7. 0 (I - identity NAT: an address is translated to itself; mostly used for remote VPN)
8.0
nat (inside) 0 10.1.1.0 255.255.255.0
(<0-2147483647> The ID of this group of hosts/networks. This will be referenced by the global command to associate a global pool with the local IP address. '0' is used to indicate no address translation for local IP. The limit is 65535 with access-lists.) 0 means the address is translated to itself.
ASA/pri/act# show xlate detail
1 in use, 5 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - norandom,
       r - portmap, s - static
NAT from inside:10.1.1.1 to outside:10.1.1.1 flags iI
Note the I flag here: the address is translated to itself.
(In this case the outside cannot access the inside.)
8.4
object network iden-nat
 subnet 10.1.1.0 255.255.255.0
object network iden-nat
 nat (inside,outside) static iden-nat
ASA8-4# show xlate
1 in use, 4 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:10.1.1.0/24 to outside:10.1.1.0/24
    flags sI idle 0:00:07 timeout 0:00:00
All of the above are source-based NAT translations; below we look at static NAT translations.
8. 8.2 (static NAT: static one-to-one translation from outside to inside)
ASA/pri/act# show running-config static
static (inside,outside) 201.100.1.100 10.1.1.1 netmask 255.255.255.255
The access list permits the translated (mapped) address:
access-list outline1 extended permit tcp host 201.100.1.1 host 201.100.1.100 (hitcnt=9) 0x4a668fb0
ASA/pri/act# show xlate detail
1 in use, 5 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - norandom,
       r - portmap, s - static
NAT from inside:10.1.1.1 to outside:201.100.1.100 flags s
8.4
ASA8-4# show running-config object
object network nat
 host 10.1.1.1
ASA8-4# show running-config nat
!
object network nat
 nat (inside,outside) static 201.100.1.100
ASA8-4# show xlate
1 in use, 4 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:10.1.1.1 to outside:201.100.1.100
    flags s idle 0:00:52 timeout 0:00:00
access-list outline1 extended permit tcp host 201.100.1.1 host 10.1.1.1 (hitcnt=1) 0xe8e098f5
Here the access list permits the real IP address of the internal host.
9. 8.0 static PAT (port redirection): there is only one public address, and connections to different ports of that public address are redirected to different servers.
ASA/pri/act# show running-config static
static (inside,outside) tcp 201.100.1.100 telnet 10.1.1.1 www netmask 255.255.255.255
static (inside,outside) tcp 201.100.1.100 www 10.1.1.2 telnet netmask 255.255.255.255
ASA/pri/act# show xlate detail
2 in use, 5 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - norandom,
       r - portmap, s - static
TCP PAT from inside:10.1.1.1/80 to outside:201.100.1.100/23 flags sr
TCP PAT from inside:10.1.1.2/23 to outside:201.100.1.100/80 flags sr
access-list outline1 extended permit tcp host 201.100.1.1 host 201.100.1.100 eq telnet (hitcnt=1) 0x57c792d9
access-list outline2 extended permit tcp host 201.100.1.1 host 201.100.1.100 eq www (hitcnt=0) 0x463b6a3b
The access list again permits the translated address and port.
8.4
Newer version (Twice NAT)
object network inside1
 host 10.1.1.1
object network inside2
 host 10.1.1.2
object network outside
 host 201.100.1.100
object service telnet
 service tcp destination eq telnet
object service http
 service tcp destination eq www
object network outside-des
 host 201.100.1.1
ASA8-4(config)# show running-config nat
nat (outside,inside) source static outside-des outside-des destination static outside inside1 service http telnet
access-list outline1 extended permit tcp host 201.100.1.1 host 10.1.1.1 eq telnet (hitcnt=1) 0x213cb7ce
R5-outside8.4# telnet 201.100.1.100 80
Trying 201.100.1.100, 80 ... Open
R4-inside1-8.4>
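Sections 8 and 9 show the change that most often breaks inbound access after a migration: in 8.2 the interface access list matches the mapped address and port, in 8.4 it matches the real ones. The helper below is an added example, not part of the original document or of any Cisco tool; it reads the 8.2 'static' lines, builds a mapped-to-real table and rewrites the ACL destinations accordingly. It handles only the 'static' and 'access-list ... host ... host ... [eq PORT]' shapes used on this page, and drops the 'show access-list' hit-count suffix from lines it rewrites.

```python
import re

# ACL shape used on this page; trailing '(hitcnt=N) 0x...' from show output is tolerated
ACL_RE = re.compile(r"(access-list \S+ extended permit \w+ host \S+ host )(\S+)((?: eq (\S+))?)")


def parse_statics(lines):
    """Map (mapped_ip, mapped_port) -> (real_ip, real_port) from 8.2 'static' lines.

    The port is None for plain one-to-one static NAT.
    """
    table = {}
    for line in lines:
        tok = line.split()
        if not tok or tok[0] != "static" or "netmask" not in tok:
            continue
        tok = tok[2:tok.index("netmask")]   # drop 'static (real,mapped)' and 'netmask ...'
        if tok[0] in ("tcp", "udp"):        # static PAT: proto mapped_ip mapped_port real_ip real_port
            _, mip, mport, rip, rport = tok
            table[(mip, mport)] = (rip, rport)
        else:                               # static NAT: mapped_ip real_ip
            mip, rip = tok
            table[(mip, None)] = (rip, None)
    return table


def rewrite_acl_for_84(acl_lines, table):
    """Rewrite ACL destinations from mapped (8.2 semantics) to real (8.4 semantics)."""
    out = []
    for line in acl_lines:
        m = ACL_RE.match(line.strip())
        if not m:
            out.append(line)
            continue
        prefix, dst, eq_part, port = m.groups()
        # prefer an exact port match (static PAT); fall back to the one-to-one entry
        key = (dst, port) if (dst, port) in table else (dst, None)
        if key not in table:                # destination is not a translated address
            out.append(line)
            continue
        rip, rport = table[key]
        # one-to-one static keeps the original port; static PAT uses the real port
        out.append(f"{prefix}{rip}" + (f" eq {rport}" if rport else eq_part))
    return out
```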
10. 8.2 static identity translation: the internal address is translated to itself, and the outside can access it.
Static identity translation that is reachable from the outside.
ASA/pri/act# show running-config static
static (inside,outside) 10.1.1.1 10.1.1.1 netmask 255.255.255.255
AS