Experimental topology
Software versions: GNS3 0.8.6, ASA image 8.0(2)
[Figure: experimental topology diagram]
Experimental environment
R1 and R2 simulate the company intranet, and R3 simulates a device on the Internet. The ASA is the company's Internet edge and performs NAT address translation.
Experimental requirements
Configure dynamic NAT on the ASA to translate the addresses of the R1 loopback 0 network segment.
Configure dynamic PAT on the ASA to translate the addresses of the R1 loopback 1 network segment.
Configure static NAT on the ASA to translate the R2 loopback 0 address one-to-one.
Configure static PAT on the ASA to map port 23 of R2's f0/0 to port 23 of the address 218.1.1.1.
Address planning
R1 loopback 0 IP: 192.168.10.1/24
R1 loopback 1 IP: 172.16.1.1/24
R1 f0/0 IP: 11.0.0.2/24
R2 loopback 0 IP: 192.168.20.1/24
R2 f0/0 IP: 12.0.0.2/24
R3 f0/0 IP: 13.0.0.3/24
The configuration is as follows:
Basic router configuration is not explained here.
R1 configuration:
R1(config)#int f0/0
R1(config-if)#ip add 11.0.0.2 255.255.255.0
R1(config-if)#no shut
R1(config-if)#int loo 0
R1(config-if)#ip add 192.168.10.1 255.255.255.0
R1(config-if)#int loo 1
R1(config-if)#ip add 172.16.1.1 255.255.255.0
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 11.0.0.1
R2 configuration:
R2(config)#line vty 0 4
R2(config-line)#password abc123
R2(config-line)#login
R2(config-line)#exit
R2(config)#ip route 0.0.0.0 0.0.0.0 12.0.0.1
R2(config)#int f0/0
R2(config-if)#ip add 12.0.0.2 255.255.255.0
R2(config-if)#no shut
R2(config-if)#int loo 0
R2(config-if)#ip add 192.168.20.1 255.255.255.0
R3 configuration:
R3(config)#int f0/0
R3(config-if)#ip add 13.0.0.3 255.255.255.0
R3(config-if)#no shut
Dynamic NAT for R1's loopback 0 interface
ASA1 configuration:
ASA1(config)# int e0/0
ASA1(config-if)# nameif inside   // define the interface name
INFO: Security level for "inside" set to 100 by default.
ASA1(config-if)# ip add 11.0.0.1 255.255.255.0
ASA1(config-if)# no shut
ASA1(config-if)# exit
ASA1(config)# int e0/1
ASA1(config-if)# nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.
ASA1(config-if)# ip add 12.0.0.1 255.255.255.0
ASA1(config-if)# security-level   // configure the interface security level (a value from 0 to 100 follows the keyword)
ASA1(config-if)# no shut
ASA1(config-if)# int e0/2
ASA1(config-if)# nameif outside
ERROR: Name "outside" has been assigned to interface Ethernet0/0
ASA1(config-if)# ip add 13.0.0.1 255.255.255.0
ASA1(config-if)# no shut
ASA1(config-if)# exit
ASA1(config)# route inside 192.168.10.0 255.255.255.0 11.0.0.2
ASA1(config)# route inside 172.16.1.0 255.255.255.0 11.0.0.2   // static routes to the loopback networks
ASA1(config)# route DMZ 192.168.20.0 255.255.255.0 12.0.0.2
ASA1(config)# nat (inside) 1 192.168.10.0 255.255.255.0   // NAT ID 1: the inside addresses to be translated
ASA1(config)# global (outside) 1 200.1.1.10-200.1.1.20 netmask 255.255.255.0   // the public address pool range
ASA1(config)# access-list 110 extended permit icmp any any   // permit all ICMP to keep the test simple
Add a return route on R3 and enable debugging
R3#debug ip icmp
R3#conf t
R3(config)#ip route 200.1.1.0 255.255.255.0 13.0.0.1
Ping R3 from R1's loopback 0 to test
The debug output on R3 shows that the NAT translation succeeded.
PAT on the ASA for R1's loopback 1 interface
ASA1(config)# nat (inside) 2 172.16.1.0 255.255.255.0
ASA1(config)# global (outside) 2 interface   // NAT ID 2 overloads the outside interface address
Ping R3 from R1's loopback 1 to test
The debug output on R3 shows that the translation succeeded, with the source translated to the ASA's outside interface address.
Static NAT on the ASA for R2's loopback 0, translated to 222.222.222.222
ASA1(config)# static (dmz,outside) 222.222.222.222 192.168.20.1   // translates 192.168.20.1 to 222.222.222.222; note that the public (mapped) address is written first
Add a return route on R3
R3(config)#ip route 222.222.222.222 255.255.255.255 13.0.0.1
Ping 13.0.0.3 from R2 to test
The debug output on R3 shows that the translation succeeded.
Static PAT on the ASA: map port 23 of R2's f0/0 to port 23 of 218.1.1.1
ASA1(config)# static (dmz,outside) tcp 218.1.1.1 telnet 12.0.0.2 telnet   // maps port 23 of 12.0.0.2 to port 23 of 218.1.1.1; the public address is written first
ASA1(config)# access-list 110 extended permit tcp host 13.0.0.3 host 218.1.1.1 eq 23   // allow only 13.0.0.3 to telnet to 218.1.1.1
ACL 110 was already applied to the interface earlier, so the access-group command is omitted here.
Add a return route on R3
R3(config)#ip route 218.1.1.1 255.255.255.255 13.0.0.1
Telnet to 218.1.1.1 from R3 to verify that the connection is mapped to R2
Summary:
Dynamic NAT is many-to-many and uses an address pool: as many inside hosts can appear on the public network at one time as there are addresses in the pool.
Dynamic PAT is one-to-many: all private addresses share one public address, distinguished by port number.
Static NAT is one-to-one: a private address is assigned a fixed public address.
Static PAT is port mapping: a port on a public address is mapped to a port on a private address.
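To make the four translation types and their order of evaluation concrete, here is an added Python model (not code from the original post or from Cisco) of how the pre-8.3 nat/global and static commands configured above are resolved: static entries are checked first, then the nat IDs in configuration order, with dynamic NAT failing once the pool is exhausted. The `AsaNat` and `lab_config` names and the simplified PAT source-port allocator are this example's own assumptions, and the ACL/access-group step is not modelled.

```python
import ipaddress
class AsaNat:
    """Pre-8.3 ASA evaluation order: static entries first, then nat/global IDs in config order."""
    def __init__(self, outside_if="13.0.0.1"):   # ASA outside interface address from the lab
        self.outside_if = outside_if
        self.static_pat = {}       # (real_ip, proto, real_port) -> (mapped_ip, mapped_port)
        self.static_nat = {}       # real_ip -> mapped_ip
        self.nat_rules = []        # (nat_id, network) in config order
        self.globals = {}          # nat_id -> list of free pool addresses, or "interface"
        self.dyn_table = {}        # real_ip -> mapped_ip for active dynamic NAT bindings
        self.next_pat_port = 1024  # simplified PAT source-port allocator (assumption)
    def static(self, mapped_ip, real_ip, proto=None, mapped_port=None, real_port=None):
        if proto is None:          # static (dmz,outside) 222.222.222.222 192.168.20.1
            self.static_nat[real_ip] = mapped_ip
        else:                      # static (dmz,outside) tcp 218.1.1.1 telnet 12.0.0.2 telnet
            self.static_pat[(real_ip, proto, real_port)] = (mapped_ip, mapped_port)
    def nat(self, nat_id, network):  # nat (inside) 1 192.168.10.0 255.255.255.0
        self.nat_rules.append((nat_id, ipaddress.ip_network(network)))
    def global_pool(self, nat_id, first, last=None):  # global (outside) 1 200.1.1.10-200.1.1.20
        if first == "interface":                        # global (outside) 2 interface -> PAT
            self.globals[nat_id] = "interface"; return
        lo, hi = (int(ipaddress.ip_address(a)) for a in (first, last or first))
        self.globals[nat_id] = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
    def translate(self, src_ip, proto, src_port):
        """Return (mapped_ip, mapped_port, kind); kind is None if no rule matches or the pool is empty."""
        key = (src_ip, proto, src_port)
        if key in self.static_pat:                    # static PAT: exact port match wins first
            return (*self.static_pat[key], "static PAT")
        if src_ip in self.static_nat:                 # static NAT: one-to-one, ports unchanged
            return self.static_nat[src_ip], src_port, "static NAT"
        for nat_id, net in self.nat_rules:
            if ipaddress.ip_address(src_ip) not in net:
                continue
            pool = self.globals.get(nat_id)
            if pool == "interface":                   # dynamic PAT: one public address, many ports
                self.next_pat_port += 1
                return self.outside_if, self.next_pat_port, "dynamic PAT"
            if src_ip not in self.dyn_table and pool: # dynamic NAT: bind the next free pool address
                self.dyn_table[src_ip] = pool.pop(0)
            if src_ip in self.dyn_table:
                return self.dyn_table[src_ip], src_port, "dynamic NAT"
            return None, None, None                   # pool exhausted: the flow gets no translation
        return None, None, None                       # no nat rule covers this source address
def lab_config():  # the four translations configured on this page (ACL/access-group not modelled)
    asa = AsaNat()
    asa.nat(1, "192.168.10.0/24"); asa.global_pool(1, "200.1.1.10", "200.1.1.20")
    asa.nat(2, "172.16.1.0/24");   asa.global_pool(2, "interface")
    asa.static("222.222.222.222", "192.168.20.1")
    asa.static("218.1.1.1", "12.0.0.2", "tcp", 23, 23)
    return asa
```

Calling `lab_config().translate("192.168.10.1", "icmp", 0)` binds the first pool address, while a twelfth loopback 0 host finds the eleven-address pool exhausted and gets no translation, which is exactly the many-to-many limit the summary describes.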
This article is from the "Sunj" blog; please keep this source link when reposting: http://sunjie123.blog.51cto.com/1263687/1718693
Cisco ASA Firewall NAT