ASA firewall configuration Experiment
Experiment topology:
[Figure: experiment topology. As far as the configuration below shows it: PC1 sits on the inside network 192.168.1.0/24 (ASA inside 192.168.1.5), the web server Web2 sits in the DMZ 192.168.2.0/24 (ASA DMZ 192.168.2.5), the ASA outside interface 200.0.0.5 connects to the router's F1/1 (200.0.0.2), and the router's F1/2 (100.0.0.1) leads to the outside web server.]
Basic configuration commands:
ASA:
configure terminal
hostname ASA
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.1.5 255.255.255.0
no shutdown
interface Ethernet0/1
nameif DMZ
security-level 50
ip address 192.168.2.5 255.255.255.0
no shutdown
interface Ethernet0/2
nameif outside
security-level 0
ip address 200.0.0.5 255.255.255.0
no shutdown
exit
route outside 0.0.0.0 0.0.0.0 200.0.0.2
Router:
enable
configure terminal
interface F1/1
no switchport
ip address 200.0.0.2 255.255.255.0
no shutdown
interface F1/2
no switchport
ip address 100.0.0.1 255.255.255.0
no shutdown
! return route for the 123.0.0.0/29 global NAT pool, pointing back at the ASA outside interface
ip route 123.0.0.0 255.255.255.248 200.0.0.5
Because PC1 and the DMZ server Web2 are both directly connected to the ASA, and the security level of the ASA inside interface (100) is higher than that of the DMZ (50), PC1 can already access the DMZ web server at this point.
1. Dynamic NAT: translates local IP addresses into addresses from a pool of Internet addresses; N internal addresses correspond to N public addresses. Internal host PC1 accesses the outside web server through dynamic NAT.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 123.0.0.0-123.0.0.6
global (DMZ) 1 192.168.2.10-192.168.2.200
The second global pool is needed so that PC1 can continue to access the DMZ web server: once the nat statement matches inside traffic, a global pool on the DMZ interface must exist for NAT ID 1 as well.
Dynamic PAT: uses the IP address together with the source port number to create a unique session, so multiple internal addresses correspond to a single public address.
ASA(config)# nat (inside) 1 192.168.1.0 255.255.255.0
ASA(config)# global (outside) 1 interface
or
ASA(config)# global (outside) 1 123.0.0.1
Static NAT:
static (DMZ,outside) 123.0.0.1 192.168.2.10
access-list out-to-DMZ permit ip any host 123.0.0.1
access-group out-to-DMZ in interface outside
Static PAT: static PAT is similar to static NAT, but static PAT allows a TCP or UDP port to be specified for both the real and the mapped address.
static (DMZ,outside) tcp 123.0.0.1 80 192.168.2.11 80
static (DMZ,outside) tcp 123.0.0.1 81 192.168.2.12 80
access-list out-to-DMZ permit ip any host 123.0.0.1
access-group out-to-DMZ in interface outside
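As an added illustration (not code from the original post or from Cisco), the following Python model reproduces the translation behaviour of the four NAT forms above using this lab's own addresses, pools and static rules: one-to-one dynamic NAT that fails once the seven-address outside pool is used up, interface PAT that keeps sessions apart by mapped source port, inbound static PAT, the security-level rule that decides whether traffic needs an access-list, and a check that the router's 123.0.0.0/29 return route covers the whole global pool. The translation logic is a simplified reimplementation written for this page, not the ASA's.

```python
import ipaddress

SECURITY = {"inside": 100, "DMZ": 50, "outside": 0}
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")         # nat (inside) 1 192.168.1.0 255.255.255.0
POOLS = {"outside": ("123.0.0.0", "123.0.0.6"),             # global (outside) 1 123.0.0.0-123.0.0.6
         "DMZ": ("192.168.2.10", "192.168.2.200")}          # global (DMZ) 1 192.168.2.10-192.168.2.200
IF_ADDR = {"outside": "200.0.0.5"}                          # global (outside) 1 interface
STATIC_PAT = {("123.0.0.1", 80): ("192.168.2.11", 80),      # static (DMZ,outside) tcp 123.0.0.1 80 192.168.2.11 80
              ("123.0.0.1", 81): ("192.168.2.12", 80)}      # static (DMZ,outside) tcp 123.0.0.1 81 192.168.2.12 80
ROUTER_RETURN_ROUTE = ipaddress.ip_network("123.0.0.0/29")  # ip route 123.0.0.0 255.255.255.248 200.0.0.5

def permitted_by_security_level(src_if, dst_if):
    """Without an access-list the ASA only forwards from a higher to a lower security level."""
    return SECURITY[src_if] > SECURITY[dst_if]

def pool_addresses(egress_if):
    """Expand a global pool range into its individual addresses."""
    first, last = (int(ipaddress.ip_address(a)) for a in POOLS[egress_if])
    return [str(ipaddress.ip_address(i)) for i in range(first, last + 1)]

def dynamic_nat(xlate, real_ip, egress_if):
    """One-to-one: each inside host takes one pool address. xlate is the translation table
    ((real_ip, egress_if) -> mapped_ip); returns None when no rule matches or the pool is used up."""
    if ipaddress.ip_address(real_ip) not in INSIDE_NET:
        return None                                          # no nat (inside) 1 statement matches this host
    key = (real_ip, egress_if)
    if key not in xlate:
        free = [a for a in pool_addresses(egress_if) if a not in xlate.values()]
        if not free:
            return None                                      # e.g. the 8th inside host: the 7-address pool is empty
        xlate[key] = free[0]
    return xlate[key]

def dynamic_pat(xlate, real_ip, real_port, egress_if):
    """Many-to-one: every host shares the egress interface address; the mapped source port
    is what keeps the sessions apart. xlate maps (real_ip, real_port) -> (mapped_ip, mapped_port)."""
    key = (real_ip, real_port)
    if key not in xlate:
        xlate[key] = (IF_ADDR[egress_if], 1024 + len(xlate))  # next unused mapped port (model assumption)
    return xlate[key]

def static_pat_inbound(mapped_ip, mapped_port):
    """Outside client to 123.0.0.1:80 or :81 reaches the matching DMZ server; None if no static rule."""
    return STATIC_PAT.get((mapped_ip, mapped_port))

def router_routes_pool_back(egress_if="outside"):
    """The router's static route must cover every address the ASA hands out from the global pool."""
    return all(ipaddress.ip_address(a) in ROUTER_RETURN_ROUTE for a in pool_addresses(egress_if))
```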
This article is from the "Dragon love Xueqi" blog; please keep this source when reposting: http://dragon123.blog.51cto.com/9152073/1565215