Tags: asa twice-nat
1. Test topology
[Figure: test topology (tupu.JPG): http://s3.51cto.com/wyfs02/M00/73/0F/wKioL1Xztm_z5aokAAEJC0duUpE278.jpg]
2. Test approach
The reasonableness of the topology is not a concern here; the only question is whether the network is reachable.
External access to the public address that the firewall maps to the internal server fails because R1's default route does not point at the firewall. This is an asymmetric routing problem: the request enters through the ASA, but the server's reply leaves through R2, so the forward and return paths of the TCP connection differ and the session fails.
If the source address of external access to the internal server is translated to the firewall's inside interface address, the reply is routed back to the firewall and the asymmetric routing problem does not occur.
3. Basic configuration
Router Server:
interface FastEthernet0/0
ip address 192.168.1.8 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 192.168.1.1
Router R1:
interface Ethernet0/0
ip address 192.168.2.1 255.255.255.0
no shut
!
interface Ethernet0/1
ip address 192.168.3.1 255.255.255.0
no shut
interface Ethernet0/2
ip address 192.168.1.1 255.255.255.0
no shut
!
ip route 0.0.0.0 0.0.0.0 192.168.3.254
Router R2:
interface Ethernet0/0
ip address 202.100.2.1 255.255.255.0
ip nat outside
no shut
interface Ethernet0/1
ip address 192.168.3.254 255.255.255.0
ip nat inside
no shut
ip route 0.0.0.0 0.0.0.0 202.100.2.2
ip route 192.168.0.0 255.255.0.0 192.168.3.1
ip nat inside source list PAT interface Ethernet0/0 overload
ip access-list extended PAT
permit ip 192.168.0.0 0.0.255.255 any
Firewall ASA842:
interface GigabitEthernet0
nameif Outside
security-level 0
ip address 202.100.1.1 255.255.255.0
interface GigabitEthernet1
nameif Inside
security-level 100
ip address 192.168.2.254 255.255.255.0
route Outside 0.0.0.0 0.0.0.0 202.100.1.2 1
route Inside 192.168.0.0 255.255.0.0 192.168.2.1 1
Router Internet:
interface Loopback0
ip address 61.1.1.1 255.255.255.0
interface FastEthernet0/0
ip address 202.100.1.2 255.255.255.0
no shut
interface FastEthernet0/1
ip address 202.100.2.2 255.255.255.0
no shut
4. Firewall twice-NAT configuration
Define the internal server object:
object network ServerReal
host 192.168.1.8
Define the object for the internal server's mapped public IP:
object network ServerMap
host 202.100.1.8
Configure twice-NAT:
Before translation: source address: any; destination address: the internal server's mapped public IP
After translation: source address: the firewall's inside interface address; destination address: the internal server's real IP
nat (Outside,Inside) source dynamic any interface destination static ServerMap ServerReal
Define the firewall's outside interface policy:
access-list Outside extended permit ip any object ServerReal
---Note that the ACL references the server's real address, not the mapped address
Apply the firewall's outside interface policy:
access-group Outside in interface Outside
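To make the asymmetric-routing argument of section 2 concrete, the following added Python example (not part of the original post) rebuilds the routing tables from the configurations above and traces the server's reply path in two cases: the server sees the untranslated source 202.100.1.2 (the Internet router's interface, as in the telnet test), or it sees the twice-NAT'd source 192.168.2.254. The node names, the table layout and the simplified NAT function are assumptions made for the simulation, not ASA behaviour beyond what the page's nat rule states.

```python
import ipaddress

# Routing tables reconstructed from the configs above: (prefix, next hop); None = directly connected
ROUTES = {
    "Server": [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")],
    "R1": [("192.168.1.0/24", None), ("192.168.2.0/24", None), ("192.168.3.0/24", None),
           ("0.0.0.0/0", "192.168.3.254")],
    "R2": [("192.168.3.0/24", None), ("202.100.2.0/24", None),
           ("192.168.0.0/16", "192.168.3.1"), ("0.0.0.0/0", "202.100.2.2")],
    "ASA": [("192.168.2.0/24", None), ("202.100.1.0/24", None),
            ("192.168.0.0/16", "192.168.2.1"), ("0.0.0.0/0", "202.100.1.2")],
    "Internet": [("202.100.1.0/24", None), ("202.100.2.0/24", None), ("61.1.1.0/24", None)],
}

# Interface address -> owning node (assumed node names)
ADDRS = {
    "192.168.1.8": "Server",
    "192.168.1.1": "R1", "192.168.2.1": "R1", "192.168.3.1": "R1",
    "192.168.3.254": "R2", "202.100.2.1": "R2",
    "192.168.2.254": "ASA", "202.100.1.1": "ASA",
    "202.100.1.2": "Internet", "202.100.2.2": "Internet", "61.1.1.1": "Internet",
}

SERVER_MAP, SERVER_REAL, ASA_INSIDE = "202.100.1.8", "192.168.1.8", "192.168.2.254"


def lookup(node, dst):
    """Longest-prefix match in the node's table; returns (network, next hop) or None."""
    best = None
    for prefix, nh in ROUTES[node]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def trace(src_node, dst_ip, max_hops=10):
    """Hop-by-hop forwarding of a packet from src_node toward dst_ip; returns the node list."""
    dst = ipaddress.ip_address(dst_ip)
    path, node = [src_node], src_node
    for _ in range(max_hops):
        if ADDRS.get(str(dst)) == node:          # delivered: dst is one of this node's addresses
            return path
        route = lookup(node, dst)
        if route is None:
            return path + ["DROP(no route)"]
        _net, nh = route
        nxt_ip = dst if nh is None else ipaddress.ip_address(nh)
        nxt = ADDRS.get(str(nxt_ip))
        if nxt is None:
            return path + [f"DROP(unreachable {nxt_ip})"]
        path.append(nxt)
        node = nxt
    return path + ["DROP(loop)"]


def asa_twice_nat(src, dst, source_translate=True):
    """Outside->Inside translation per the page's rule:
    nat (Outside,Inside) source dynamic any interface destination static ServerMap ServerReal
    With source_translate=False only the destination is translated (the failing setup)."""
    if dst != SERVER_MAP:
        return src, dst
    return (ASA_INSIDE if source_translate else src), SERVER_REAL


def server_reply_path(seen_source):
    """Path the server's reply takes toward the source address it saw in the request."""
    return trace("Server", seen_source)


def is_symmetric(seen_source):
    """Symmetric iff the reply passes back through the ASA, where the session state lives."""
    return "ASA" in server_reply_path(seen_source)


if __name__ == "__main__":
    for flag in (False, True):
        src, dst = asa_twice_nat("202.100.1.2", SERVER_MAP, source_translate=flag)
        print(f"twice-NAT source translation {'on ' if flag else 'off'}: server sees src={src} dst={dst}")
        print("  request path:", " -> ".join(trace("ASA", dst)))
        print("  reply path:  ", " -> ".join(server_reply_path(src)),
              "(symmetric)" if is_symmetric(src) else "(asymmetric: bypasses ASA)")
```

Running the script shows the reply going Server -> R1 -> R2 -> Internet when only the destination is translated (the ASA never sees the SYN-ACK), and Server -> R1 -> ASA once the source is rewritten to the inside interface address, which is exactly what the `show users` output in the test below reflects.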
Test:
Internet#telnet 202.100.1.8
Trying 202.100.1.8 ... Open
User Access Verification
Password:
Server>show user
% Ambiguous command: "show user"
Server>show users
Line User Host(s) Idle Location
0 con 0 idle 00:05:42
* 2 vty 0 idle 00:00:00 192.168.2.254
Interface User Mode Idle Peer Address
Server>q
[Connection to 202.100.1.8 closed by foreign host]
Internet#
-----The firewall has already source-translated the connection coming from the public network (the vty peer is 192.168.2.254)
Server#ping 61.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 61.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/80/144 ms
Server#
Internet#debug ip icmp
ICMP packet debugging is on
Internet#
*Aug 22 13:02:57.787: ICMP: echo reply sent, src 61.1.1.1, dst 202.100.2.1
*Aug 22 13:02:57.967: ICMP: echo reply sent, src 61.1.1.1, dst 202.100.2.1
*Aug 22 13:02:58.067: ICMP: echo reply sent, src 61.1.1.1, dst 202.100.2.1
*Aug 22 13:02:58.123: ICMP: echo reply sent, src 61.1.1.1, dst 202.100.2.1
*Aug 22 13:02:58.127: ICMP: echo reply sent, src 61.1.1.1, dst 202.100.2.1
Internet#
------Server can still reach the public network normally through PAT on router R2
This post is from the “httpyuntianjxxll.spac..” blog; please keep this source: http://333234.blog.51cto.com/323234/1694064
ASA twice-NAT test: translating the source address of Internet access to the inside interface address