20-Cisco Firewall: Network Static NAT

Source: Internet
Author: User

First, the experimental topology:

Second, the experimental requirements:
Essence: translate one contiguous block of addresses to another contiguous block.
1. Configure network static NAT to translate the inside network 10.1.1.0/28 to 10.1.2.0/28 in the DMZ zone. This is a subnet-to-subnet translation.
2. Configure network static NAT to translate the DMZ addresses 10.1.2.200-10.1.2.210 to the outside zone addresses 202.100.1.200-202.100.1.210.
This is a range-to-range translation. The addresses before and after translation do not necessarily correspond one to one: for example, 10.1.2.200 before translation may become 202.100.1.203 after translation, but this does not affect normal communication.

Third, command deployment:
Experiment One: Network segment translation
1. Clear the object configuration from the previous experiment and verify that it is gone:
ASA(config)# clear configure object
ASA(config)# show run object
ASA(config)# show run nat

2. Change the original 10.1.1.0/24 to 10.1.1.0/28:
R2(config)#int f0/0
R2(config-if)#ip add 10.1.1.2 255.255.255.240

3. Configure network static NAT to translate the inside network 10.1.1.0/28 to 10.1.2.0/28 in the DMZ zone:
ASA(config)# object network IN-DMZ
ASA(config-network-object)# subnet 10.1.2.0 255.255.255.240

ASA(config)# object network In-yuan
ASA(config-network-object)# subnet 10.1.1.0 255.255.255.240
ASA(config-network-object)# nat (INSIDE,DMZ) static IN-DMZ
Verify:
R2#telnet 10.1.2.3
Trying 10.1.2.3 ... Open
User Access Verification
Username:cc
Password:
R3>

asa# show xlate
1 in use, 3 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from Inside:10.1.1.0/28 to Dmz:10.1.2.0/28
    flags s idle 0:01:05 timeout 0:00:00

R3#show users
    Line       User       Host(s)       Idle       Location
*  0 con 0                idle          00:00:00
     vty 0     cc         idle          00:00:31   10.1.2.2

Clear the existing state, including the xlate table and the ARP entries:
asa# clear xlate
INFO: 0 xlate deleted
asa# clear arp Inside

4. Change R2's IP address to 10.1.1.3/28:
R2(config)#int f0/0
R2(config-if)#ip add 10.1.1.3 255.255.255.240
Verify:
R2#telnet 10.1.2.3
Trying 10.1.2.3 ...
% Connection timed out; Remote Host Not Responding
Conclusion: it did not work for the teacher, and it did not work for me either; clearing xlate and ARP in every way made no difference. Strange.

Experiment Two: Range translation
1. Clear the object configuration from the previous experiment and verify that it is gone:
ASA(config)# clear configure object
ASA(config)# show run object
ASA(config)# show run nat

2. Configure network static NAT to translate the DMZ addresses 10.1.2.200-10.1.2.210 to the outside zone addresses 202.100.1.200-202.100.1.210:
ASA(config)# object network Out-pool
ASA(config-network-object)# range 202.100.1.200 202.100.1.210

ASA(config)# object network Dmz-yuan
ASA(config-network-object)# range 10.1.2.200 10.1.2.210
ASA(config-network-object)# nat (dmz,outside) static Out-pool

3. Change the R3 address to 10.1.2.200:
R3(config)#int f0/0
R3(config-if)#ip add 10.1.2.200 255.255.255.0

Verify:
Sometimes the addresses happen to correspond exactly, so change the R3 address a few times and see whether they still correspond:
First time: they correspond.
R3#telnet 202.100.1.1
Trying 202.100.1.1 ... Open
User Access Verification
Username:aa
Password:
R1>

R1#show users
    Line       User       Host(s)       Idle       Location
     vty 0     aa         idle          00:00:21   202.100.1.200
Second time: they correspond as well.
R3(config)#int f0/0
R3 (config-if) #ip add 10.1.2.205 255.255.255.0

R3#telnet 202.100.1.1
Trying 202.100.1.1 ... Open
User Access Verification
Username:aa
Password:
R1>

R1#show users
    Line       User       Host(s)       Idle       Location
     vty 0     aa         idle          00:00:29   202.100.1.205

Third time: they correspond again.
R3(config)#int f0/0
R3(config-if)#ip add 10.1.2.209 255.255.255.0

R1#show users
    Line       User       Host(s)       Idle       Location
     vty 0     aa         idle          00:00:02   202.100.1.209
The ASA simulator has some problems; not all of the expected behaviour can be reproduced!!
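
An added example, not part of the original lab notes: a Python sketch that maps a real address through a network static NAT rule by preserving its offset inside the object, which is the behaviour the show users output in both experiments is consistent with. The positional mapping and the DMZ_HOSTS inventory are assumptions of this example. It shows that R2 at 10.1.1.3 would be translated to 10.1.2.3, the address R3 itself uses, which is one plausible explanation for the timeout in Experiment One.

```python
import ipaddress as ip

def span(obj):
    """Return (first_address, size) for an object written as 'a.b.c.d/len' or 'first-last'."""
    if "-" in obj:
        first, last = (ip.IPv4Address(x) for x in obj.split("-"))
        return first, int(last) - int(first) + 1
    net = ip.IPv4Network(obj)
    return net.network_address, net.num_addresses

def translate(real_obj, mapped_obj, host):
    """Map host into mapped_obj at the same offset it has in real_obj (None if outside)."""
    real_first, real_size = span(real_obj)
    mapped_first, mapped_size = span(mapped_obj)
    if real_size != mapped_size:
        raise ValueError("real and mapped objects must be the same size")
    offset = int(ip.IPv4Address(host)) - int(real_first)
    if not 0 <= offset < real_size:
        return None  # host is not covered by the NAT rule
    return mapped_first + offset

def check(real_obj, mapped_obj, host, live_hosts):
    """Return (mapped_address, name of a live host that already owns it, or None)."""
    mapped = translate(real_obj, mapped_obj, host)
    if mapped is None:
        return None, None
    clash = next((n for n, a in live_hosts.items() if ip.IPv4Address(a) == mapped), None)
    return mapped, clash

# Assumed inventory of real hosts on the DMZ segment: R3 is the telnet target in the lab.
DMZ_HOSTS = {"R3": "10.1.2.3"}

if __name__ == "__main__":
    # Experiment One: subnet object 10.1.1.0/28 -> 10.1.2.0/28
    for r2 in ("10.1.1.2", "10.1.1.3"):
        mapped, clash = check("10.1.1.0/28", "10.1.2.0/28", r2, DMZ_HOSTS)
        print(f"R2 {r2} -> {mapped}", f"COLLIDES with {clash}" if clash else "ok")
    # Experiment Two: range object, the three R3 addresses tried on the page
    for r3 in ("10.1.2.200", "10.1.2.205", "10.1.2.209"):
        print(f"R3 {r3} ->", translate("10.1.2.200-10.1.2.210", "202.100.1.200-202.100.1.210", r3))
```

Running the same check against an address inventory before deploying a subnet-to-subnet rule flags mapped addresses that are already in use on the destination segment.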
