I. Test topology
[Figure: test topology diagram (Tupu.JPG), http://s3.51cto.com/wyfs02/M00/73/0F/wKioL1Xztm_z5aokAAEJC0duUpE278.jpg]
II. Test idea
The topology is not meant to be realistic; the only question is whether traffic can get through.
When an Internet host connects to the public address that the firewall maps to the internal server, the connection fails: R1's default route points at R2, not at the firewall, so the server's replies leave through R2 while the requests came in through the firewall (asymmetric routing). The two halves of the TCP connection take different paths, the firewall never sees the return traffic, and the session fails.
If the firewall also translates the source address of Internet connections to its own Inside interface address (192.168.2.254), the server's replies are addressed to a subnet directly connected to R1, return through the firewall, and the asymmetric routing problem does not occur. The price is that the server sees every Internet client as 192.168.2.254: the real client address is only visible on the firewall, so server-side logs and any source-based access control on the server no longer distinguish clients.
III. Basic configuration
Router Server:
interface FastEthernet0/0
 ip address 192.168.1.8 255.255.255.0
 no shutdown
!
! The server's only route is a default route to R1
ip route 0.0.0.0 0.0.0.0 192.168.1.1

Router R1:
interface Ethernet0/0
 ip address 192.168.2.1 255.255.255.0
 no shutdown
!
interface Ethernet0/1
 ip address 192.168.3.1 255.255.255.0
 no shutdown
!
interface Ethernet0/2
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
! Default route points at R2, not at the firewall: this is what makes the return path asymmetric
ip route 0.0.0.0 0.0.0.0 192.168.3.254

Router R2:
interface Ethernet0/0
 ip address 202.100.2.1 255.255.255.0
 ip nat outside
 no shutdown
!
interface Ethernet0/1
 ip address 192.168.3.254 255.255.255.0
 ip nat inside
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 202.100.2.2
ip route 192.168.0.0 255.255.0.0 192.168.3.1
!
! PAT every 192.168.0.0/16 source to the Ethernet0/0 address on the way out
ip nat inside source list PAT interface Ethernet0/0 overload
ip access-list extended PAT
 permit ip 192.168.0.0 0.0.255.255 any
Firewall ASA (8.4(2)):
interface GigabitEthernet0
 nameif Outside
 security-level 0
 ip address 202.100.1.1 255.255.255.0
!
interface GigabitEthernet1
 nameif Inside
 security-level 100
 ip address 192.168.2.254 255.255.255.0
!
route Outside 0.0.0.0 0.0.0.0 202.100.1.2 1
route Inside 192.168.0.0 255.255.0.0 192.168.2.1 1
Router Internet:
interface Loopback0
 ip address 61.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 202.100.1.2 255.255.255.0
 no shutdown
!
interface FastEthernet0/1
 ip address 202.100.2.2 255.255.255.0
 no shutdown
IV. Twice NAT configuration on the firewall
Define a network object for the real address of the intranet server:
object network serverreal
 host 192.168.1.8
Define a network object for the public (mapped) address of the intranet server:
object network servermap
 host 202.100.1.8
Configure the twice NAT (manual NAT) rule:
Before translation ----- source: any; destination: the server's mapped public IP (servermap)
After translation ----- source: the firewall Inside interface address; destination: the server's real IP (serverreal)
nat (Outside,Inside) source dynamic any interface destination static servermap serverreal
Define the access policy for the Outside interface:
access-list Outside extended permit ip any object serverreal
--- Note: the ACL references the server's real address, not the mapped one. On ASA 8.3 and later, interface ACLs are matched against the real (untranslated) address.
Apply the policy inbound on the Outside interface:
access-group Outside in interface Outside
Test:
Internet#telnet 202.100.1.8
Trying 202.100.1.8 ... Open
User Access Verification
Password:
Server>show user
% Ambiguous command:  "show user"
Server>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:05:42
*  2 vty 0                idle                 00:00:00   192.168.2.254
  Interface    User               Mode         Idle     Peer Address
Server>q
[Connection to 202.100.1.8 closed by foreign host]
Internet#
----- The VTY peer address is 192.168.2.254: the firewall has translated the source address of the connection from the Internet to its Inside interface address, so the server's replies go back through the firewall. The same translation can be inspected on the ASA with show xlate, or checked before a live test with packet-tracer input Outside tcp 61.1.1.1 1024 202.100.1.8 23.
Server#ping 61.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 61.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/80/144 ms
Server#
Internet#debug ip icmp
ICMP packet debugging is on
Internet#
*Aug 13:02:57.787: ICMP: echo reply sent, src 61.1.1.1, dst 202.100.2.1
*Aug 13:02:57.967: ICMP: echo reply sent, src 61.1.1.1, dst 202.100.2.1
*Aug 13:02:58.067: ICMP: echo reply sent, src 61.1.1.1, dst 202.100.2.1
*Aug 13:02:58.123: ICMP: echo reply sent, src 61.1.1.1, dst 202.100.2.1
*Aug 13:02:58.127: ICMP: echo reply sent, src 61.1.1.1, dst 202.100.2.1
Internet#
------ Traffic the server initiates towards the Internet still leaves through R2 and is PATed there: the echo replies are addressed to R2's outside address 202.100.2.1, not to the firewall. Only connections initiated from the Internet traverse the firewall in both directions.
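To make the two test ideas from section II concrete, here is an added example that is not part of the original post: a small Python model of the lab that forwards one packet hop by hop using the interface addresses and static routes from section III, applies the section IV twice NAT rule on the ASA and R2's PAT, and traces the Internet router's telnet SYN to 202.100.1.8 followed by the server's SYN/ACK, once with only destination NAT and once with the source also translated to the Inside interface. The device names, the /24-only subnet model, R2's PAT reduced to a single source rewrite, and the absence of ARP and TCP state are simplifications assumed by this example.

```python
"""Path-tracing model of the ASA twice NAT test (added example, not from the original post).

Addresses and routes come from sections III and IV of the post. Everything else
(device names, the /24-only subnet model, R2's PAT reduced to a single source rewrite,
no ARP or TCP state) is a simplification assumed by this example.
"""
from ipaddress import ip_address, ip_network

# Interface addresses per device (section III; every subnet in the lab is a /24).
DEVICES = {
    "Server":   ["192.168.1.8"],
    "R1":       ["192.168.2.1", "192.168.3.1", "192.168.1.1"],
    "R2":       ["202.100.2.1", "192.168.3.254"],
    "ASA":      ["202.100.1.1", "192.168.2.254"],
    "Internet": ["61.1.1.1", "202.100.1.2", "202.100.2.2"],
}
# Static and default routes per device as (prefix, next hop); connected routes are implicit.
ROUTES = {
    "Server":   [("0.0.0.0/0", "192.168.1.1")],
    "R1":       [("0.0.0.0/0", "192.168.3.254")],           # default is R2, not the ASA
    "R2":       [("0.0.0.0/0", "202.100.2.2"), ("192.168.0.0/16", "192.168.3.1")],
    "ASA":      [("0.0.0.0/0", "202.100.1.2"), ("192.168.0.0/16", "192.168.2.1")],
    "Internet": [],
}
ASA_INSIDE = "192.168.2.254"                # "interface" in the nat rule = Inside address
SERVER_MAP, SERVER_REAL = "202.100.1.8", "192.168.1.8"   # object servermap / serverreal
R2_PAT_ADDR = "202.100.2.1"                 # R2 Ethernet0/0, used by "ip nat ... overload"
PRIVATE = ip_network("192.168.0.0/16")      # what R2's PAT access-list matches


def owner(ip):
    """Device that answers for ip; the ASA proxy-ARPs for the mapped server address."""
    ip = str(ip)
    if ip == SERVER_MAP:
        return "ASA"
    return next((dev for dev, addrs in DEVICES.items() if ip in addrs), None)


def next_device(dev, dst):
    """Longest-prefix lookup on dev's table: connected subnet first, then static routes."""
    dst = ip_address(dst)
    for addr in DEVICES[dev]:
        if dst in ip_network(f"{addr}/24", strict=False):
            return owner(dst)                      # deliver directly on the LAN
    best = None
    for prefix, nh in ROUTES[dev]:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return owner(best[1]) if best else None


def asa_nat(src, dst, source_nat, xlate):
    """Section IV rule: nat (Outside,Inside) source dynamic any interface
    destination static servermap serverreal, plus the reverse rewrite for replies.
    With source_nat=False only the destination part of the rule is applied."""
    if dst == SERVER_MAP:                           # new connection from Outside
        new_src = ASA_INSIDE if source_nat else src
        xlate[(new_src, SERVER_REAL)] = (src, dst)  # remember how to undo the rewrite
        return new_src, SERVER_REAL
    if (dst, src) in xlate:                         # reply belonging to an existing xlate
        orig_src, orig_dst = xlate[(dst, src)]
        return orig_dst, orig_src
    return src, dst


def trace(start, src, dst, source_nat, xlate, max_hops=10):
    """Forward one packet hop by hop; return (path, src, dst) as seen at the last hop."""
    path, dev = [start], start
    for _ in range(max_hops):
        if dev == "ASA":
            src, dst = asa_nat(src, dst, source_nat, xlate)
        if dst in DEVICES[dev]:
            return path, src, dst                   # delivered
        nxt = next_device(dev, dst)
        if nxt is None:
            return path + ["(dropped: no route)"], src, dst
        if dev == "R2" and nxt == "Internet" and ip_address(src) in PRIVATE:
            src = R2_PAT_ADDR                       # ip nat inside source list PAT ... overload
        dev = nxt
        path.append(dev)
    return path + ["(loop)"], src, dst


def simulate(source_nat):
    """Telnet from the Internet router to the mapped address: SYN in, SYN/ACK back."""
    xlate = {}
    fwd, seen_src, seen_dst = trace("Internet", "61.1.1.1", SERVER_MAP, source_nat, xlate)
    rev, rev_src, rev_dst = trace("Server", seen_dst, seen_src, source_nat, xlate)
    # The client only accepts a SYN/ACK that comes from the address it connected to.
    ok = rev[-1] == "Internet" and rev_src == SERVER_MAP and rev_dst == "61.1.1.1"
    return {"forward": fwd, "server_sees_client_as": seen_src,
            "reply": rev, "reply_src_at_client": rev_src, "session_ok": ok}


if __name__ == "__main__":
    for source_nat in (False, True):
        r = simulate(source_nat)
        print(f"source NAT to Inside interface: {source_nat}")
        print("  forward:", " -> ".join(r["forward"]), "| server sees client as", r["server_sees_client_as"])
        print("  reply:  ", " -> ".join(r["reply"]), "| SYN/ACK source at client", r["reply_src_at_client"])
        print("  session ok:", r["session_ok"])
```

Without the source translation the reply path is Server, R1, R2, Internet and the client receives a SYN/ACK from R2's PAT address 202.100.2.1, which it never connected to, so the session fails; with it the reply path is Server, R1, ASA, Internet, the ASA undoes both halves of the rewrite, and the client sees the SYN/ACK come from 202.100.1.8. The model also reproduces the caveat from section II: in the working case the server records the client as 192.168.2.254, exactly what show users displayed.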
This article is from the "Httpyuntianjxxll.spac.." blog; please keep this source: http://333234.blog.51cto.com/323234/1694064
Test: ASA twice NAT translating the source address of Internet access to the Inside interface address