ASA8.4(2)-NAT配置
如下是实验拓扑:1. R2远程telnet访问R1的外网口10.10.10.3,配置nat:
ASA:
objetnetwork outside_static //映射的外网地址对象名称
host10.10.10.4 //映射的外网地址是10.10.10.4
objectnetwork inside_static//定义内网地址对象名称
host172.16.1.3 //需要映射的内网地址是172.16.1.3
nat(inside,outside) static outside_static//将内网地址对象转换成外网地址
通过如下命令查看nat的状态:
showxlate
ASA842(config-if)#show xlate
1 in use, 1 mostused
Flags: D - DNS,i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT frominside:172.16.1.3 to outside:10.10.10.4
flags s idle0:14:10 timeout 0:00:00
show nat detail
ASA842(config-if)#show nat detail
Auto NATPolicies (Section 2)
1 (inside) to(outside) source static inside_static outside_static
translate_hits = 15, untranslate_hits = 33
Source - Origin: 172.16.1.3/32, Translated:10.10.10.4/32
在R2上telnet10.10.10.3:
R2#telnet10.10.10.3
Trying10.10.10.3 ... Open
User AccessVerification
Username: ccie
Password:
R1>en
Password:
R1#show users
Line User Host(s) Idle Location
0 con 0 idle 00:13:58
* 98 vty 0 ccie idle 00:00:00 10.10.10.4
2. R2上的loopback0访问外网时,转换成10.10.10.100这个地址:
ASA:
object network outside_internet //定义公网对象名称
host 10.10.10.200 //定义映射后的公网地址
object network inside_client //定义内网段名称
subnet2.2.2.0255.255.255.0 //定义需要被转换的内网段
nat (inside,outside) dynamic outside_internet //从inside到outside这个方向的地址访问时按照动态地址转换成outside_internet地址
在R2上telnetR110.10.10.3:
R2#telnet10.10.10.3 /source-interface loo0
Trying10.10.10.3 ... Open
UserAccess Verification
Username:ccie
Password:
R1>en
Password:
R1#showusers
Line User Host(s) Idle Location
0 con 0 idle 00:05:24
* 98 vty 0 ccie idle 00:00:00 10.10.10.200
Interface User Mode Idle Peer Address
3. R2的loo0地址段访问外网时,转换成10.10.10.50-10.10.10.60地址池中的一个地址
ASA:
object network pat-pool //定义地址池名称
range 10.10.10.50 10.10.10.60 //定义映射后的地址池范围
object network inside_client//定义内网子网段名称
sunet 2.2.2.0 255.255.255.0 //定义内网子网段
nat (inside,outside) dynamic pat_pool pat-pool round-robin//按照地址池转换成地址池对象中的地址
在R2上telnetR1的地址10.10.10.3:
R2#telnet10.10.10.3 /source-interface loo0
Trying10.10.10.3 ... Open
UserAccess Verification
Username:ccie
Password:
R1>en
Password:
R1#showusers
Line User Host(s) Idle Location
0 con 0 idle 00:34:38
* 98 vty0 ccie idle 00:00:00 10.10.10.60
Interface User Mode Idle Peer Address
在ASA上查看:
ASA842(config)#show xlate
1 in use,6 most used
Flags: D- DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:2.2.2.2/11038 tooutside:10.10.10.60/11038 flags ri idle 0:04:40 timeout 0:00:30
ASA842(config)#show nat detail
Auto NATPolicies (Section 2)
1 (inside) to (outside) source dynamic inside_subnet pat-poolpat-pool round-robin
translate_hits =26, untranslate_hits = 1
Source - Origin: 2.2.2.0/24, Translated (PAT):10.10.10.50-10.10.10.60
在ASA上开启logging功能,查看有这么一条记录:
%ASA-6-302013: Built outbound TCP connection 236for outside:10.10.10.3/23 (10.10.10.3/23) to inside:2.2.2.2/11041(10.10.10.52/11041)//这条记录说明pat转换时,轮询功能起了作用
4. R2上的172.16.1.3地址访问外网时,转换成ASA的出接口地址:
ASA:
object network inside_client
host 172.16.1.3
nat (inside,outside) dynamic interface
在R2上telnetR1的10.10.10.3:
R2#telnet10.10.10.3
Trying10.10.10.3 ... Open
User AccessVerification
Username:ccie
Password:
R1>en
Password:
R1#showuse
R1#showusers
Line User Host(s) Idle Location
0 con 0 idle 00:00:38
* 98 vty0 ccie idle 00:00:00 10.10.10.2
Interface User Mode Idle Peer Address
在ASA上查看NAT状态:
ASA842(config-network-object)#show nat detail
Auto NATPolicies (Section 2)
1(inside) to (outside) source dynamic inside_client interface
translate_hits = 1, untranslate_hits = 0
Source - Origin: 172.16.1.3/32, Translated: 10.10.10.2/24
ASA842(config-network-object)#show xlate
1 in use,6 most used
Flags: D- DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:172.16.1.3/11043 to outside:10.10.10.2/53962flags ri idle 0:08:26 timeout 0:00:30
版权声明:本文为博主原创文章,未经博主允许不得转载。
页:
[1]