1. NAT (nat-control: 8.2 still has this command; when it is enabled, traffic that matches no NAT rule is not passed at all, so every inside subnet needs a matching nat/global pair)

1. 8.2 (PAT translation)
global (outside) 10 201.100.1.100
nat (inside) 10 10.1.1.0 255.255.255.0

ASA/pri/act(config)# show xlate
1 in use, 1 most used
PAT Global 201.100.1.100(1024) Local 10.1.1.1(11298)

8.4
object network nat
 subnet 10.1.1.0 255.255.255.0
object network nat
 nat (inside,outside) dynamic 201.100.1.100

ASA8-4# show xlate
1 in use, 2 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:10.1.1.1/53851 to outside:201.100.1.100/5810 flags ri idle 0:00:04 timeout 0:00:30

2. 8.2 (dynamic one-to-one translation)
nat (inside) 10 10.1.1.0 255.255.255.0
global (outside) 10 201.100.1.110-201.100.1.120 netmask 255.255.255.0

ASA/pri/act# show xlate detail
2 in use, 2 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static
NAT from inside:10.1.1.1 to outside:201.100.1.110 flags i
NAT from inside:10.1.1.2 to outside:201.100.1.111 flags i

8.4
object network nat
 subnet 10.1.1.0 255.255.255.0
object network outside-nat
 range 201.100.1.110 201.100.1.120
object network nat
 nat (inside,outside) dynamic outside-nat

ASA8-4# show xlate
1 in use, 2 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:10.1.1.1 to outside:201.100.1.115 flags i idle 0:01:13 timeout 3:00:00
3. 8.2 (translate to the interface address)
nat (inside) 10 10.1.1.0 255.255.255.0
global (outside) 10 interface

ASA/pri/act# show xlate detail
1 in use, 2 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static
TCP PAT from inside:10.1.1.1/61971 to outside:201.100.1.10/1024 flags ri

8.4
object network nat
 subnet 10.1.1.0 255.255.255.0
object network nat
 nat (inside,outside) dynamic interface

ASA8-4(config)# show xlate
1 in use, 2 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:10.1.1.1/35322 to outside:201.100.1.10/52970 flags ri idle 0:00:03 timeout 0:00:30
4. 8.2 (different inside addresses translated to different outside addresses)
nat (inside) 9 1.1.1.0 255.255.255.0
nat (inside) 10 10.1.1.0 255.255.255.0
// Ordering rule: the more specific nat statement (longer mask) is listed first; for equal specificity the lower IP address comes first. The statements are also applied in this order.
global (outside) 10 interface
global (outside) 9 201.100.1.111

ASA/pri/act# show xlate detail
2 in use, 2 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static
TCP PAT from inside:1.1.1.1/51343 to outside:201.100.1.111/1026 flags ri
TCP PAT from inside:10.1.1.1/13938 to outside:201.100.1.10/1028 flags ri

8.4
ASA8-4# show running-config object
object network inside1
 subnet 10.1.1.0 255.255.255.0
object network inside2
 subnet 1.1.1.0 255.255.255.0
object network ouside-inside2
 host 201.100.1.110
ASA8-4# show running-config nat
!
object network inside1
 nat (inside,outside) dynamic interface
object network inside2
 nat (inside,outside) dynamic ouside-inside2
ASA8-4# show xlate
2 in use, 2 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:1.1.1.1/59611 to outside:201.100.1.110/34338 flags ri idle 0:00:08 timeout 0:00:30
TCP PAT from inside:10.1.1.1/22181 to outside:201.100.1.10/53371 flags ri idle 0:00:19 timeout 0:00:30
5. 8.2 (one-to-one translation first; PAT is used only once every address in the pool is in use)
ASA/pri/act# show running-config nat
nat (inside) 10 10.1.1.0 255.255.255.0
ASA/pri/act# show running-config global
global (outside) 10 201.100.1.110-201.100.1.112
global (outside) 10 201.100.1.116

ASA/pri/act# show xlate detail
4 in use, 5 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static
NAT from inside:10.1.1.1 to outside:201.100.1.110 flags i
NAT from inside:10.1.1.3 to outside:201.100.1.112 flags i
TCP PAT from inside:10.1.1.6/19799 to outside:201.100.1.116/1025 flags ri
NAT from inside:10.1.1.2 to outside:201.100.1.111 flags i

8.4 (here the PAT fallback is the interface address rather than a fixed address, which is why the fourth host lands on 201.100.1.10)
object network outside
 range 201.100.1.110 201.100.1.112
object network inside
 subnet 10.1.1.0 255.255.255.0
object network inside
 nat (inside,outside) dynamic outside interface

ASA8-4# show xlate
4 in use, 4 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:10.1.1.4/49994 to outside:201.100.1.10/52626 flags ri idle 0:00:04 timeout 0:00:30
NAT from inside:10.1.1.1 to outside:201.100.1.111 flags i idle 0:01:31 timeout 3:00:00
NAT from inside:10.1.1.3 to outside:201.100.1.110 flags i idle 0:00:16 timeout 3:00:00
NAT from inside:10.1.1.2 to outside:201.100.1.112 flags i idle 0:00:33 timeout 3:00:00

6. 8.0 (policy NAT: traffic from inside to different destination ports on the outside is translated to different outside IP addresses) (policy NAT always takes precedence over regular NAT)
access-list pat1 extended permit tcp host 10.1.1.1 host 201.100.1.1 eq telnet
access-list pat2 extended permit tcp host 10.1.1.1 host 201.100.1.1 eq www
nat (inside) 10 access-list pat1
nat (inside) 20 access-list pat2
global (outside) 10 201.100.1.100
global (outside) 20 201.100.1.200

ASA/pri/act# show xlate detail
2 in use, 5 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static
TCP PAT from inside:10.1.1.1/30449 to outside(pat2):201.100.1.200/1024 flags ri
TCP PAT from inside:10.1.1.1/43167 to outside(pat1):201.100.1.100/1024 flags ri

8.4
In the new version this is done with Twice NAT, which translates twice: it normally adds a destination-based element, whereas network object NAT (all the examples above) is source-based only. In most situations object NAT is enough; Twice NAT is for special cases like this one. Object NAT is usually called Auto NAT, and Twice NAT is called Manual NAT.
object network outside1
 host 201.100.1.100
object network outside2
 host 201.100.1.200
object network inside
 subnet 10.1.1.0 255.255.255.0
object network outside
 host 201.100.1.1
object service telnet
 service tcp destination eq telnet
object service http
 service tcp destination eq www
nat (inside,outside) source dynamic inside outside1 destination static outside outside service telnet telnet
nat (inside,outside) source dynamic inside outside2 destination static outside outside service http http

ASA8-4# show xlate
1 in use, 4 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from outside:201.100.1.1 23-23 to inside:201.100.1.1 80-80 flags srIT idle 0:00:37 timeout 0:00:00
Note the T flag: twice NAT means both the source and the destination address can be translated. The entry shown is the static destination half of the rule (201.100.1.1 mapped to itself), hence the s and I flags alongside T.
7. 8.0 (I = identity NAT: an address is translated to itself; used mainly for remote-access VPN)
nat (inside) 0 10.1.1.0 255.255.255.0
(The NAT ID field takes <0-2147483647>; per the CLI help, the ID is referenced by the global command to associate a global pool with the local IP addresses. ID 0 is special: it means identity NAT and needs no global command.)
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static
NAT from inside:10.1.1.1 to outside:10.1.1.1 flags iI
Note the I flag here: the address is translated to itself. (A plain nat 0 identity translation like this is only created for connections initiated from the inside; on its own it does not let outside hosts reach the inside addresses. NAT exemption, nat 0 access-list, is the bidirectional form.)

8.4
object network iden-nat
 subnet 10.1.1.0 255.255.255.0
object network iden-nat
 nat (inside,outside) static iden-nat

ASA8-4# show xlate
1 in use, 4 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:10.1.1.0/24 to outside:10.1.1.0/24 flags sI idle 0:00:07 timeout 0:00:00
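The flag legends in these show xlate outputs are easy to misread once a table has hundreds of entries. The Python script below is an added example, not part of these notes and not a Cisco tool: it parses the three show xlate line shapes that appear above (the 8.2 short form, 8.2 detail, and 8.3+), decodes the flag letters, recognises identity entries also when the real and mapped addresses are equal, and counts static, dynamic, PAT, identity and twice entries. SAMPLE is constructed from lines on this page; the regular expressions are an assumption that covers only the line shapes shown here.

```python
import re

# Constructed sample, assembled from xlate lines shown in these notes: the 8.2
# 'show xlate' short form, 8.2 'show xlate detail' and 8.3+ 'show xlate'.
SAMPLE = """
1 in use, 1 most used
PAT Global 201.100.1.100(1024) Local 10.1.1.1(11298)
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static
NAT from inside:10.1.1.1 to outside:201.100.1.110 flags i
TCP PAT from inside:10.1.1.1/30449 to outside(pat2):201.100.1.200/1024 flags ri
NAT from inside:10.1.1.1 to outside:10.1.1.1 flags iI
TCP PAT from inside:10.1.1.1/53851 to outside:201.100.1.100/5810 flags ri idle 0:00:04 timeout 0:00:30
NAT from inside:10.1.1.0/24 to outside:10.1.1.0/24 flags sI idle 0:00:07 timeout 0:00:00
TCP PAT from outside:201.100.1.1 23-23 to inside:201.100.1.1 80-80 flags srIT idle 0:00:37 timeout 0:00:00
NAT from inside:10.1.1.1 to outside:201.100.1.100 flags s idle 0:00:52 timeout 0:00:00
"""

FLAG_NAMES = {"D": "DNS", "d": "dump", "i": "dynamic", "n": "no random",
              "r": "portmap", "s": "static", "I": "identity", "T": "twice"}

# '... from <ifc>:<addr>[/port] [lo-hi] to <ifc>:<addr>[/port] [lo-hi] flags <f> [idle .. timeout ..]'
LONG_RE = re.compile(
    r"^(?:(?P<proto>TCP|UDP|ICMP) )?(?P<kind>NAT|PAT) from (?P<rif>[^:]+):(?P<real>\S+)"
    r"(?: (?P<rports>\d+-\d+))? to (?P<mif>[^:]+):(?P<mapped>\S+)(?: (?P<mports>\d+-\d+))?"
    r" flags (?P<flags>[A-Za-z]+)(?: idle (?P<idle>\S+) timeout (?P<timeout>\S+))?$")
# 8.2 'show xlate' without 'detail' prints PAT entries as 'PAT Global ip(port) Local ip(port)'
SHORT_RE = re.compile(
    r"^PAT Global (?P<mapped>[\d.]+)\((?P<mport>\d+)\) Local (?P<real>[\d.]+)\((?P<rport>\d+)\)$")


def parse_xlate(text):
    """Return one dict per translation entry; counters, legends and prompts are skipped."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if m := LONG_RE.match(line):
            entries.append(m.groupdict())
        elif m := SHORT_RE.match(line):
            g = m.groupdict()       # the short form carries no flags, so 'flags' stays empty
            entries.append({"proto": None, "kind": "PAT", "rif": None, "mif": None,
                            "real": f"{g['real']}/{g['rport']}", "mapped": f"{g['mapped']}/{g['mport']}",
                            "rports": None, "mports": None, "flags": "", "idle": None, "timeout": None})
    return entries


def classify(e):
    """Decode the flag letters; identity is also recognised when real == mapped address."""
    f = e["flags"]
    return {"static": "s" in f,
            "pat": "r" in f or e["kind"] == "PAT",
            "identity": "I" in f or e["real"].split("/")[0] == e["mapped"].split("/")[0],
            "twice": "T" in f}


def describe(e):
    c = classify(e)
    names = ", ".join(FLAG_NAMES.get(x, x) for x in e["flags"]) or "no flags shown"
    how = ("fixed mapping, reachable from the mapped side if the ACL permits" if c["static"]
           else "created on demand by traffic from the real side")
    kind = f"{'static' if c['static'] else 'dynamic'} {'PAT' if c['pat'] else 'NAT'}"
    kind += (" identity" if c["identity"] else "") + (" twice" if c["twice"] else "")
    return f"{kind}: {e['rif'] or '?'}:{e['real']} -> {e['mif'] or '?'}:{e['mapped']} [{names}] ({how})"


def summarize(text):
    """Counts per category; useful as a quick diff before and after a NAT change."""
    counts = {"entries": 0, "static": 0, "dynamic": 0, "pat": 0, "identity": 0, "twice": 0}
    for e in parse_xlate(text):
        c = classify(e)
        counts["entries"] += 1
        counts["static" if c["static"] else "dynamic"] += 1
        for k in ("pat", "identity", "twice"):
            counts[k] += int(c[k])
    return counts


if __name__ == "__main__":
    for e in parse_xlate(SAMPLE):
        print(describe(e))
    print(summarize(SAMPLE))
```

Feed it the pasted output of show xlate (or show xlate detail on 8.2) from before and after a change; a static or identity entry that appears where only dynamic ones were expected is the first thing to look at, because static mappings are the ones an outside host can reach.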
All of the above are source-based NAT translations; next we look at static NAT.

8. 8.2 (static NAT: a static one-to-one translation that is reachable from outside to inside)
ASA/pri/act# show running-config static
static (inside,outside) 201.100.1.100 10.1.1.1 netmask 255.255.255.255
In 8.2 the access list permits the translated (mapped) address:
access-list out line 1 extended permit tcp host 201.100.1.1 host 201.100.1.100 (hitcnt=9) 0x4a668fb0
ASA/pri/act# show xlate detail
1 in use, 5 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static
NAT from inside:10.1.1.1 to outside:201.100.1.100 flags s

8.4
ASA8-4# show running-config object
object network nat
 host 10.1.1.1
ASA8-4# show running-config nat
!
object network nat
 nat (inside,outside) static 201.100.1.100
ASA8-4# show xlate
1 in use, 4 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:10.1.1.1 to outside:201.100.1.100 flags s idle 0:00:52 timeout 0:00:00
access-list out line 1 extended permit tcp host 201.100.1.1 host 10.1.1.1 (hitcnt=1) 0xe8e098f5
From 8.3 onward the access list permits the inside host's real IP address, because access lists are now evaluated against the untranslated (real) addresses. When upgrading, every inbound rule that referenced a mapped address must be rewritten to the real address, otherwise it simply stops matching.
9. 8.0 static PAT (port redirection): with only one public address, connections to different ports of that address are redirected to different servers.
ASA/pri/act# show running-config static
static (inside,outside) tcp 201.100.1.100 telnet 10.1.1.1 www netmask 255.255.255.255
static (inside,outside) tcp 201.100.1.100 www 10.1.1.2 telnet netmask 255.255.255.255
In the 8.2 syntax the mapped address and port come first, then the real address and port: port 23 on 201.100.1.100 is redirected to port 80 on 10.1.1.1, and port 80 on 201.100.1.100 to port 23 on 10.1.1.2.
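Reading the 8.2 and 8.4 pairs in these notes side by side suggests a mechanical translation, and a script makes the migration reviewable instead of retyped. The Python below is an added example, not the ASA's own upgrade conversion and not part of these notes: it rewrites the 8.2 nat/global/static forms shown on this page (dynamic PAT to one address, dynamic pool, interface PAT, pool with interface fallback, nat 0 identity, static one-to-one, static PAT) into 8.3+ object NAT. OLD_CONFIG is constructed from commands on this page plus one extra identity subnet. The obj- naming, the use of any as the mapped interface for identity NAT, and the -x suffix for clashing object names are this example's own choices; policy NAT (nat ... access-list) and a pool with a second fixed PAT address are reported as notes rather than converted, since they need twice NAT or a manual decision as in sections 5 and 6.

```python
import re
from collections import defaultdict

# Constructed 8.2 fragment (assumed, not a real device config): the nat/global/static
# forms used in these notes, plus an identity (nat 0) rule for a separate subnet.
OLD_CONFIG = """
nat (inside) 0 172.16.0.0 255.255.0.0
nat (inside) 9 1.1.1.0 255.255.255.0
nat (inside) 10 10.1.1.0 255.255.255.0
nat (inside) 20 access-list pat1
global (outside) 9 201.100.1.111
global (outside) 10 201.100.1.110-201.100.1.112 netmask 255.255.255.0
global (outside) 10 interface
static (inside,outside) 201.100.1.100 10.1.1.1 netmask 255.255.255.255
static (inside,outside) tcp 201.100.1.100 telnet 10.1.1.2 www netmask 255.255.255.255
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ([\d.]+) ([\d.]+)$")
POLICY_RE = re.compile(r"^nat \((\S+)\) (\d+) access-list (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)(?: netmask [\d.]+)?$")
# static (real,mapped) [tcp|udp] mapped_ip [mapped_port] real_ip [real_port] netmask m
STATIC_RE = re.compile(
    r"^static \((\S+),(\S+)\) (?:(tcp|udp) )?([\d.]+) (?:(\S+) )?([\d.]+)(?: (\S+))? netmask ([\d.]+)$")
HOST_MASK = "255.255.255.255"


def _unique(name, used):
    """Object names must not repeat: a second 'object network X' re-enters X, and a
    nat line entered there silently replaces the first one."""
    while name in used:
        name += "-x"          # hypothetical suffix scheme, this example's own choice
    used.add(name)
    return name


def _real_object(ip, mask, used):
    name = _unique(f"obj-{ip}", used)
    addr = f"host {ip}" if mask == HOST_MASK else f"subnet {ip} {mask}"
    return name, [f"object network {name}", f" {addr}"]


def convert(old_config):
    """Return 8.3+ object NAT lines for an 8.2 nat/global/static fragment.
    Cases with no direct object NAT form are returned as '!' notes, not guessed."""
    out, notes, used, reals = [], [], set(), []
    pools = defaultdict(list)          # (nat_id, mapped_ifc) -> global targets
    pool_objs = {}                     # address range -> mapped object name
    for line in (l.strip() for l in old_config.splitlines()):
        if m := NAT_RE.match(line):
            reals.append(m.groups())
        elif m := POLICY_RE.match(line):
            notes.append(f"! {line}: policy NAT has no object NAT form, rewrite as twice NAT")
        elif m := GLOBAL_RE.match(line):
            pools[(m[2], m[1])].append(m[3])
        elif m := STATIC_RE.match(line):
            real_ifc, mapped_ifc, proto, mip, mport, rip, rport, mask = m.groups()
            _, lines = _real_object(rip, mask, used)
            # 8.3+ order is 'service <proto> <real_port> <mapped_port>', the reverse of 8.2
            svc = f" service {proto} {rport} {mport}" if proto else ""
            out += lines + [f" nat ({real_ifc},{mapped_ifc}) static {mip}{svc}"]
        elif line:
            notes.append(f"! unrecognised, review by hand: {line}")

    for real_ifc, nat_id, ip, mask in reals:
        if nat_id == "0":                    # identity NAT: translate to itself
            name, lines = _real_object(ip, mask, used)
            out += lines + [f" nat ({real_ifc},any) static {name}"]
            continue
        targets = [(mi, t) for (gid, mi), t in pools.items() if gid == nat_id]
        if not targets:
            notes.append(f"! nat ({real_ifc}) {nat_id} {ip} {mask}: no matching global command")
        for mapped_ifc, glob in targets:
            fixed = [g for g in glob if g != "interface"]
            if len(fixed) > 1:               # e.g. a range plus a single PAT address
                notes.append(f"! nat id {nat_id}: several global pools {fixed}; convert by hand")
                continue
            mapped = ""
            if fixed and "-" in fixed[0]:    # address range -> mapped object with 'range'
                if fixed[0] not in pool_objs:
                    pool_objs[fixed[0]] = _unique(f"obj-{fixed[0]}", used)
                    out += [f"object network {pool_objs[fixed[0]]}",
                            " range " + fixed[0].replace("-", " ")]
                mapped = pool_objs[fixed[0]]
            elif fixed:                      # a single mapped address may be given inline
                mapped = fixed[0]
            if "interface" in glob:          # PAT fallback to the interface address
                mapped = f"{mapped} interface".strip()
            name, lines = _real_object(ip, mask, used)
            out += lines + [f" nat ({real_ifc},{mapped_ifc}) dynamic {mapped}"]
    return out + notes


if __name__ == "__main__":
    print("\n".join(convert(OLD_CONFIG)))
```

Review the ! notes before pasting anything into a device, and remember from section 8 that the access lists on the mapped interface must be rewritten to real addresses in the same change; object NAT rules are ordered by the ASA itself (static before dynamic, then longest prefix), so the order of the emitted lines does not matter the way it did for 8.2 nat statements.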