First, the experimental topology:
Second, the experimental requirements:
Essence: translate one contiguous block of addresses to another contiguous block.
1. Configure network static NAT to translate the inside network 10.1.1.0/28 to the DMZ zone network 10.1.2.0/28. This is one network segment translated to another network segment.
2. Configure network static NAT to translate the DMZ range 10.1.2.200-10.1.2.210 to the outside zone addresses 202.100.1.200-202.100.1.210.
This is one range translated to another range; the addresses before and after translation do not necessarily correspond one-to-one: for example, 10.1.2.200 before translation may become 202.100.1.203 after translation, but this does not affect normal communication.
Third, command deployment:
Experiment One: Network segment conversion
1. Clear the object configuration left over from the previous experiment and verify:
ASA(config)# clear configure object
ASA(config)# show run object
ASA(config)# show run nat
2. Change R2's address from the original 10.1.1.0/24 to 10.1.1.0/28
R2(config)#int f0/0
R2(config-if)#ip add 10.1.1.2 255.255.255.240
3. Configure network static NAT to convert inside network 10.1.1.0/28 to the DMZ zone 10.1.2.0/28
ASA(config)# object network IN-DMZ
ASA(config-network-object)# subnet 10.1.2.0 255.255.255.240
ASA(config)# object network In-yuan
ASA(config-network-object)# subnet 10.1.1.0 255.255.255.240
ASA(config-network-object)# nat (inside,dmz) static IN-DMZ
Verify:
R2#telnet 10.1.2.3
Trying 10.1.2.3 ... Open
User Access Verification
Username:cc
Password:
R3>
asa# show xlate
1 in use, 3 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:10.1.1.0/28 to dmz:10.1.2.0/28
    flags s idle 0:01:05 timeout 0:00:00
R3#show users
    Line       User       Host(s)              Idle       Location
       0 con 0             idle                 00:00:00
     vty 0     cc         idle                 00:00:31 10.1.2.2
Clear the connection state, both the xlate table and the ARP cache:
asa# clear xlate
info:0 xlate deleted
asa# clear arp inside
4. Change R2's IP address to 10.1.1.3/28
R2(config)#int f0/0
R2(config-if)#ip add 10.1.1.3 255.255.255.240
Verify:
R2#telnet 10.1.2.3
Trying 10.1.2.3 ...
% Connection timed out; remote host not responding
Conclusion: the teacher's did not work, and neither did mine; clearing xlate and ARP in every way I could think of did not help either. Strange.
Experiment Two: Range conversion
1. Clear the object configuration left over from the previous experiment and verify:
ASA(config)# clear configure object
ASA(config)# show run object
ASA(config)# show run nat
2. Configure network static NAT to translate the DMZ range 10.1.2.200-10.1.2.210 to the outside zone range 202.100.1.200-202.100.1.210
ASA(config)# object network Out-pool
ASA(config-network-object)# range 202.100.1.200 202.100.1.210
ASA(config)# object network Dmz-yuan
ASA(config-network-object)# range 10.1.2.200 10.1.2.210
ASA(config-network-object)# nat (dmz,outside) static Out-pool
3. Change the R3 address to 10.1.2.200
R3(config)#int f0/0
R3(config-if)#ip add 10.1.2.200 255.255.255.0
Verify:
Check whether the translated address matches the real address one-to-one, then change the R3 address and see whether it still matches:
First attempt: it matches.
R3#telnet 202.100.1.1
Trying 202.100.1.1 ... Open
User Access Verification
Username:aa
Password:
R1>
R1#show users
    Line       User       Host(s)              Idle       Location
     vty 0     aa         idle                 00:00:21 202.100.1.200
Second attempt: it matches again.
R3(config)#int f0/0
R3(config-if)#ip add 10.1.2.205 255.255.255.0
R3#telnet 202.100.1.1
Trying 202.100.1.1 ... Open
User Access Verification
Username:aa
Password:
R1>
R1#show users
    Line       User       Host(s)              Idle       Location
     vty 0     aa         idle                 00:00:29 202.100.1.205
Third attempt: it matches once more.
R3(config)#int f0/0
R3(config-if)#ip add 10.1.2.209 255.255.255.0
R1#show users
    Line       User       Host(s)              Idle       Location
     vty 0     aa         idle                 00:00:02 202.100.1.209
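To make the two mapping rules concrete, here is an added Python model (not from the lab and not ASA code) of how a static object NAT between two equal-sized blocks picks the mapped address: the host's offset within the real block is kept, for subnet-to-subnet objects and for range-to-range objects alike. The interface names, object contents and the R2/R3 addresses come from the lab above; that the range maps in order is an assumption, consistent with the three results observed in Experiment Two.

```python
import ipaddress

def _parse_block(text):
    """Parse an object body, either a CIDR ('10.1.1.0/28') or a range
    ('10.1.2.200-10.1.2.210'), into (first, last) as integers."""
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
    else:
        net = ipaddress.ip_network(text, strict=True)
        lo, hi = net.network_address, net.broadcast_address
    if int(hi) < int(lo):
        raise ValueError(f"range {text!r} ends before it starts")
    return int(lo), int(hi)

def static_translate(real, mapped, host):
    """Static NAT between two equal-sized blocks (subnet or range).
    The host's offset from the start of the real block is preserved, so
    10.1.1.2 in 10.1.1.0/28 maps to 10.1.2.2 in 10.1.2.0/28 (assumed to hold
    for ranges too). Returns None when the host is outside the real block,
    i.e. no xlate would be built for it."""
    r_lo, r_hi = _parse_block(real)
    m_lo, m_hi = _parse_block(mapped)
    if r_hi - r_lo != m_hi - m_lo:
        raise ValueError("real and mapped blocks must be the same size")
    h = int(ipaddress.ip_address(host))
    if not r_lo <= h <= r_hi:
        return None
    return str(ipaddress.ip_address(m_lo + (h - r_lo)))

# The lab's two nat statements as (real_if, mapped_if, real_obj, mapped_obj).
LAB_RULES = [
    ("inside", "dmz", "10.1.1.0/28", "10.1.2.0/28"),                        # In-yuan -> IN-DMZ
    ("dmz", "outside", "10.1.2.200-10.1.2.210", "202.100.1.200-202.100.1.210"),  # Dmz-yuan -> Out-pool
]

def lookup_xlate(rules, real_if, mapped_if, host):
    """Mapped address for a host sending from real_if towards mapped_if,
    or None if no rule covers it (the packet would leave untranslated)."""
    for r_if, m_if, real, mapped in rules:
        if (r_if, m_if) == (real_if, mapped_if):
            mapped_host = static_translate(real, mapped, host)
            if mapped_host is not None:
                return mapped_host
    return None

if __name__ == "__main__":
    # Experiment One: R2 at 10.1.1.2 and then 10.1.1.3 towards the DMZ.
    for r2 in ("10.1.1.2", "10.1.1.3"):
        print(f"inside {r2} -> dmz {lookup_xlate(LAB_RULES, 'inside', 'dmz', r2)}")
    # Experiment Two: the three R3 addresses tried, plus one outside the range.
    for r3 in ("10.1.2.200", "10.1.2.205", "10.1.2.209", "10.1.2.3"):
        print(f"dmz {r3} -> outside {lookup_xlate(LAB_RULES, 'dmz', 'outside', r3)}")
```

The model says R2 at 10.1.1.3 should appear in the DMZ as 10.1.2.3, so the timeout seen in step 4 of Experiment One is not explained by the NAT rule itself.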
The ASA simulator has some problems, so not all of the effects can be reproduced!
20-Cisco Firewall: Network static NAT: Networking still NAT