1. Experimental topology diagram: [topology figure]
1. Experiment description:
R1 is the company's site 1; its internal server 1.1.1.1/32 must be reachable by the site 2 administrator for remote device management over Telnet.
R5 is the company's site 2; its internal server 2.2.2.2/32 must be reachable by the site 1 administrator for remote device management over Telnet.
Each site sits behind a Cisco ASA firewall, and R2 acts as the Internet router between them.
2. Experiment configuration:
R1#show run
username cisco password 0 cisco
!
interface Loopback0        // the site 2 administrator manages R1 through this address
 ip address 1.1.1.1 255.255.255.0
!
interface Loopback1        // user address range for ordinary NAT Internet access
 ip address 10.10.10.10 255.255.255.0
!
interface FastEthernet0/0
 ip address 172.16.255.1 255.255.255.192
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 1.1.1.0 0.0.0.255 area 1
 network 10.10.10.0 0.0.0.255 area 1
 network 172.16.255.0 0.0.0.63 area 1
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 password cisco
 login local
 transport input telnet
asa1#show run
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 172.16.255.2 255.255.255.192
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 202.16.1.2 255.255.255.248
!
access-list outside extended permit ip 10.10.10.0 255.255.255.0 any
access-list out extended permit icmp any any
access-list out extended permit tcp host 202.16.1.12 host 202.16.1.5 eq telnet
nat-control
global (outside) 1 interface
nat (inside) 1 access-list outside
static (inside,outside) 202.16.1.5 1.1.1.1 netmask 255.255.255.255
access-group out in interface outside
!
router ospf 1
 network 172.16.255.0 255.255.255.192 area 1
 log-adj-changes
 default-information originate always
!
route outside 0.0.0.0 0.0.0.0 202.16.1.1 1
R2#show run
interface FastEthernet0/0
 ip address 202.16.1.1 255.255.255.248
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 202.16.1.9 255.255.255.248
 duplex auto
 speed auto
asa2#show run
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 172.16.255.130 255.255.255.192
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 202.16.1.10 255.255.255.248
!
access-list out extended permit icmp any any
access-list out extended permit tcp host 202.16.1.5 host 202.16.1.12 eq telnet
access-list inside_nat1_outside extended permit ip 10.10.20.0 255.255.255.0 any
global (outside) 1 interface
nat (inside) 1 access-list inside_nat1_outside
static (inside,outside) 202.16.1.12 2.2.2.2 netmask 255.255.255.255
access-group out in interface outside
!
router ospf 10
 network 172.16.255.128 255.255.255.192 area 0
 log-adj-changes
 default-information originate always
!
route outside 0.0.0.0 0.0.0.0 202.16.1.9 1
R3#show run
username cisco password 0 cisco
!
interface Loopback0        // the site 2 router is managed through this address
 ip address 2.2.2.2 255.255.255.0
!
interface Loopback1        // the users' Internet address range
 ip address 10.10.20.10 255.255.255.0
!
interface FastEthernet0/0
 ip address 172.16.255.129 255.255.255.192
 duplex auto
 speed auto
!
router ospf 10
 log-adjacency-changes
 network 2.2.2.0 0.0.0.255 area 0
 network 10.10.20.0 0.0.0.255 area 0
 network 172.16.255.128 0.0.0.63 area 0
!
line vty 0 4
 password cisco
 login local
 transport input telnet
3. Inter-site access test:
R1#ping 202.16.1.9 source 10.10.10.10        // a user accessing the Internet
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.16.1.9, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.10
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/27/40 ms
ciscoasa1#show xlate
2 in use, 3 most used
PAT Global 202.16.1.2(2) Local 10.10.10.10 ICMP id        // an ordinary PAT translation was performed
R1#telnet 202.16.1.12 /source-interface loopback 0        // the site 2 device is managed normally
Trying 202.16.1.12 ... Open
!
User Access Verification
!
Username: cisco
Password:
r3>en
Password:
Password:
r3#
ciscoasa1#show xlate        // this works because of the static mapping entry in the firewall
1 in use, 3 most used
Global 202.16.1.5 Local 1.1.1.1
Conversely, the test from R3 to R1 gives the same result; you can verify it yourself.
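To make the static-NAT-plus-ACL behaviour concrete, here is an added Python model (not part of the original post) that traces the telnet from R1's loopback out through ASA1 and in through ASA2 using the post's addresses and rules; the helper names are assumptions. It also covers a case the post does not show: sourcing the telnet from the PAT'd user address, which the peer ASA's outside ACL rejects.

```python
# Added example, not from the original post: a simplified model of how the two ASAs
# above treat the site-to-site telnet (pre-8.3 semantics, as in the configs). Outbound,
# a static entry beats dynamic PAT to the interface; inbound, the outside ACL is matched
# on the mapped (global) address and only a static entry can un-NAT it. Helper names
# are hypothetical; the addresses and rules are the ones from the post.
ASA1 = {"static": {"202.16.1.5": "1.1.1.1"},          # static (inside,outside) mapped real
        "outside_ip": "202.16.1.2",                    # global (outside) 1 interface
        "acl_out": [("icmp", "any", "any", None),      # access-list out: (proto, src, dst, dport)
                    ("tcp", "202.16.1.12", "202.16.1.5", 23)]}
ASA2 = {"static": {"202.16.1.12": "2.2.2.2"},
        "outside_ip": "202.16.1.10",
        "acl_out": [("icmp", "any", "any", None),
                    ("tcp", "202.16.1.5", "202.16.1.12", 23)]}

def acl_permits(acl, proto, src, dst, dport):
    """First-match evaluation with the implicit deny at the end of every ASA ACL."""
    for r_proto, r_src, r_dst, r_port in acl:
        if (r_proto == proto and r_src in ("any", src) and r_dst in ("any", dst)
                and (r_port is None or r_port == dport)):
            return True
    return False

def outbound_xlate(asa, real_src):
    """inside -> outside: use the static mapping if one exists, else PAT to the interface."""
    for mapped, real in asa["static"].items():
        if real == real_src:
            return mapped
    return asa["outside_ip"]

def inbound_xlate(asa, proto, src, mapped_dst, dport):
    """outside -> inside: ACL on the mapped address, then un-NAT through the static entry.
    Returns the real destination, or None when the ASA drops the packet."""
    if not acl_permits(asa["acl_out"], proto, src, mapped_dst, dport):
        return None                       # denied by access-group out in interface outside
    return asa["static"].get(mapped_dst)  # no static -> no xlate for an unsolicited inbound flow

def trace_telnet(src_real, src_asa, dst_asa, mapped_dst):
    """Follow a telnet SYN from a site router out through its ASA and in through the peer ASA."""
    mapped_src = outbound_xlate(src_asa, src_real)
    return mapped_src, inbound_xlate(dst_asa, "tcp", mapped_src, mapped_dst, 23)

if __name__ == "__main__":
    # R1 sourcing from loopback 0, as in the post: ("202.16.1.5", "2.2.2.2")
    print(trace_telnet("1.1.1.1", ASA1, ASA2, "202.16.1.12"))
    # R1 sourcing from loopback 1 is PAT'd to 202.16.1.2, which ASA2's ACL does not
    # permit: ("202.16.1.2", None). This is why /source-interface loopback 0 matters.
    print(trace_telnet("10.10.10.10", ASA1, ASA2, "202.16.1.12"))
    # The reverse direction the post leaves to the reader: ("202.16.1.12", "1.1.1.1")
    print(trace_telnet("2.2.2.2", ASA2, ASA1, "202.16.1.5"))
```

The model shows why the design is tighter than a plain static NAT: the peer ACL permits only the other site's static address on tcp/23, so traffic PAT'd from the user range, or from any other Internet host, never reaches the management loopback.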
This article is from the "My Technology blog" blog; reprinting is declined.
Experiment of cross-NAT mutual access between Cisco ASA sites