Cisco ASA: NAT differences between 8.2 and 8.4

1. NAT (nat-control: 8.2 has this command; when it is enabled, traffic that matches no NAT rule is not passed)

1. 8.2 (PAT translation)

global (outside) 10 201.100.1.100

nat (inside) 10 10.1.1.0 255.255.255.0

ASA/pri/act(config)# show xlate

1 in use, 1 most used

PAT Global 201.100.1.100(1024) Local 10.1.1.1(11298)

8.4

object network nat

subnet 10.1.1.0 255.255.255.0

object network nat

nat (inside,outside) dynamic 201.100.1.100

ASA8-4# show xlate

1 in use, 2 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

TCP PAT from inside:10.1.1.1/53851 to outside:201.100.1.100/5810 flags ri idle 0:00:04 timeout 0:00:30

2. 8.2 (dynamic one-to-one translation)

nat (inside) 10 10.1.1.0 255.255.255.0

global (outside) 10 201.100.1.110-201.100.1.120 netmask 255.255.255.0

ASA/pri/act# show xlate detail

2 in use, 2 most used

Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,

r - portmap, s - static

NAT from inside:10.1.1.1 to outside:201.100.1.110 flags i

NAT from inside:10.1.1.2 to outside:201.100.1.111 flags i

8.4

object network nat

subnet 10.1.1.0 255.255.255.0

object network outside-nat

range 201.100.1.110 201.100.1.120

object network nat

nat (inside,outside) dynamic outside-nat

ASA8-4# show xlate

1 in use, 2 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

NAT from inside:10.1.1.1 to outside:201.100.1.115 flags i idle 0:01:13 timeout 3:00:00

3. 8.2 (translating to the interface address)

nat (inside) 10 10.1.1.0 255.255.255.0

global (outside) 10 interface

ASA/pri/act# show xlate detail

1 in use, 2 most used

Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,

r - portmap, s - static

TCP PAT from inside:10.1.1.1/61971 to outside:201.100.1.10/1024 flags ri

8.4

object network nat

subnet 10.1.1.0 255.255.255.0

object network nat

nat (inside,outside) dynamic interface

ASA8-4(config)# show xlate

1 in use, 2 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

TCP PAT from inside:10.1.1.1/35322 to outside:201.100.1.10/52970 flags ri idle 0:00:03 timeout 0:00:30

4. 8.2 (different inside addresses translated to different outside addresses)

nat (inside) 9 1.1.1.0 255.255.255.0

nat (inside) 10 10.1.1.0 255.255.255.0

// Ordering rule: the more specific statement is listed first; for equal specificity, the statement with the lower IP address comes first. The rules are also applied in this order.

global (outside) 10 interface

global (outside) 9 201.100.1.111

ASA/pri/act# show xlate detail

2 in use, 2 most used

Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,

r - portmap, s - static

TCP PAT from inside:1.1.1.1/51343 to outside:201.100.1.111/1026 flags ri

TCP PAT from inside:10.1.1.1/13938 to outside:201.100.1.10/1028 flags ri

8.4

ASA8-4# show running-config object

object network inside1

subnet 10.1.1.0 255.255.255.0

object network inside2

subnet 1.1.1.0 255.255.255.0

object network ouside-inside2

host 201.100.1.110

ASA8-4# show running-config nat

!

object network inside1

nat (inside,outside) dynamic interface

object network inside2

nat (inside,outside) dynamic ouside-inside2

ASA8-4# show xlate

2 in use, 2 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

TCP PAT from inside:1.1.1.1/59611 to outside:201.100.1.110/34338 flags ri idle 0:00:08 timeout 0:00:30

TCP PAT from inside:10.1.1.1/22181 to outside:201.100.1.10/53371 flags ri idle 0:00:19 timeout 0:00:30

5. 8.2 (one-to-one translation first; only when the one-to-one addresses are exhausted does PAT take over)

ASA/pri/act# show running-config nat

nat (inside) 10 10.1.1.0 255.255.255.0

ASA/pri/act# show running-config global

global (outside) 10 201.100.1.110-201.100.1.112

global (outside) 10 201.100.1.116

ASA/pri/act# show xlate detail

4 in use, 5 most used

Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,

r - portmap, s - static

NAT from inside:10.1.1.1 to outside:201.100.1.110 flags i

NAT from inside:10.1.1.3 to outside:201.100.1.112 flags i

TCP PAT from inside:10.1.1.6/19799 to outside:201.100.1.116/1025 flags ri

NAT from inside:10.1.1.2 to outside:201.100.1.111 flags i

8.4

object network outside

range 201.100.1.110 201.100.1.112

object network inside

subnet 10.1.1.0 255.255.255.0

object network inside

nat (inside,outside) dynamic outside interface

ASA8-4# show xlate

4 in use, 4 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

TCP PAT from inside:10.1.1.4/49994 to outside:201.100.1.10/52626 flags ri idle 0:00:04 timeout 0:00:30

NAT from inside:10.1.1.1 to outside:201.100.1.111 flags i idle 0:01:31 timeout 3:00:00

NAT from inside:10.1.1.3 to outside:201.100.1.110 flags i idle 0:00:16 timeout 3:00:00

NAT from inside:10.1.1.2 to outside:201.100.1.112 flags i idle 0:00:33 timeout 3:00:00

6. 8.0 (policy NAT: traffic from inside to different destination ports on the outside is translated to different outside IP addresses) (policy NAT always takes precedence over regular NAT)

access-list pat1 extended permit tcp host 10.1.1.1 host 201.100.1.1 eq telnet

access-list pat2 extended permit tcp host 10.1.1.1 host 201.100.1.1 eq www

nat (inside) 10 access-list pat1

nat (inside) 20 access-list pat2

global (outside) 10 201.100.1.100

global (outside) 20 201.100.1.200

ASA/pri/act# show xlate detail

2 in use, 5 most used

Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,

r - portmap, s - static

TCP PAT from inside:10.1.1.1/30449 to outside(pat2):201.100.1.200/1024 flags ri

TCP PAT from inside:10.1.1.1/43167 to outside(pat1):201.100.1.100/1024 flags ri
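The 8.2 behaviour described in sections 4, 5 and 6 (and the nat 0 access-list exemption of section 12) can be checked as a small model. The following is an added example and not code from this page or from Cisco; the names AclEntry, NatRule, GlobalPool, Translator and select_nat_id are this example's own, and the PAT port counter starting at 1024 only mirrors what the page's 8.2 output shows. It implements just the rules the page states and leaves out static rules and everything else the real ASA does.

```python
"""Model of how an ASA running 8.2 picks a nat/global pair for a flow.

Added example, not code from the page or from Cisco. It implements only the
rules the page states: a 'nat 0 access-list' exempts traffic (section 12);
policy NAT ('nat ... access-list') beats regular NAT (section 6); regular nat
statements are tried most-specific first, then lowest network first (section 4);
within one global id a one-to-one range is used up before a PAT address
(section 5). Static rules and other ASA rule classes are left out.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

IPv4Net = ipaddress.IPv4Network


@dataclass
class AclEntry:
    """One 'permit' line of an extended access-list: source, destination, optional dst port."""
    src: IPv4Net
    dst: IPv4Net
    dport: Optional[int] = None

    def matches(self, src, dst, dport):
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and (self.dport is None or self.dport == dport))


@dataclass
class NatRule:
    """nat (inside) <id> <net> <mask>   or   nat (inside) <id> access-list <acl>."""
    nat_id: int
    network: Optional[IPv4Net] = None
    acl: List[AclEntry] = field(default_factory=list)   # non-empty => policy NAT

    def matches(self, src, dst, dport):
        if self.acl:
            return any(e.matches(src, dst, dport) for e in self.acl)
        return ipaddress.ip_address(src) in self.network


@dataclass
class GlobalPool:
    """global (outside) <id> <a>-<b> (one-to-one range) or global (outside) <id> <host|interface> (PAT)."""
    nat_id: int
    addresses: List[str] = field(default_factory=list)   # one-to-one candidates, in order
    pat: Optional[str] = None                            # single address used for PAT


def regular_order(rules):
    """Section 4 ordering: longer mask first, then the numerically lower network."""
    regular = [r for r in rules if not r.acl]
    return sorted(regular, key=lambda r: (-r.network.prefixlen, int(r.network.network_address)))


def select_nat_id(rules, src, dst, dport, exempt=()):
    """nat id for a flow; 0 when a nat 0 access-list exempts it; None when nothing matches."""
    if any(e.matches(src, dst, dport) for e in exempt):
        return 0
    for r in rules:                                # policy NAT always wins (section 6)
        if r.acl and r.matches(src, dst, dport):
            return r.nat_id
    for r in regular_order(rules):                 # then regular NAT, best match first
        if r.matches(src, dst, dport):
            return r.nat_id
    return None


class Translator:
    """Keeps xlate state so a host that got a one-to-one address keeps it."""

    def __init__(self, rules, pools, exempt=()):
        self.rules, self.pools, self.exempt = rules, pools, exempt
        self.one_to_one = {}      # real source -> mapped address
        self.next_port = 1024     # the page's 8.2 output hands out PAT ports from 1024 upward

    def translate(self, src, sport, dst, dport):
        """Return ('NAT'|'PAT', mapped address, mapped port), or None if nat-control would drop it."""
        nat_id = select_nat_id(self.rules, src, dst, dport, self.exempt)
        if nat_id is None:
            return None
        if nat_id == 0:
            return ("NAT", src, sport)             # exempt: the address stays as it is
        if src in self.one_to_one:
            return ("NAT", self.one_to_one[src], sport)
        in_use = set(self.one_to_one.values())
        for pool in (p for p in self.pools if p.nat_id == nat_id):
            for addr in pool.addresses:            # section 5: one-to-one first ...
                if addr not in in_use:
                    self.one_to_one[src] = addr
                    return ("NAT", addr, sport)
            if pool.pat:                           # ... then PAT once the range is exhausted
                port, self.next_port = self.next_port, self.next_port + 1
                return ("PAT", pool.pat, port)
        return None                                # nat id without a matching global


if __name__ == "__main__":
    # Section 5 configuration: nat 10 for 10.1.1.0/24, globals .110-.112 and a PAT host .116
    t = Translator([NatRule(10, IPv4Net("10.1.1.0/24"))],
                   [GlobalPool(10, addresses=[f"201.100.1.{i}" for i in range(110, 113)]),
                    GlobalPool(10, pat="201.100.1.116")])
    for host in ("10.1.1.1", "10.1.1.2", "10.1.1.3", "10.1.1.6"):
        print(host, "->", t.translate(host, 40000, "201.100.1.1", 23))
```

Running it reproduces the section 5 table: the first three hosts receive 201.100.1.110 to .112 one-to-one, and the fourth falls back to PAT on 201.100.1.116. The value of writing the rules down like this is that the precedence questions (does a policy rule shadow my regular rule, which of two overlapping nat statements wins) can be answered for a planned change before it is pushed to the firewall.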

8.4

New version (Twice NAT). This is a two-step NAT: it generally adds a destination-based element, whereas the network object NAT above is source-based only. In most cases object NAT is enough; Twice NAT is used only in special cases. Object NAT is usually called Auto NAT, and Twice NAT is called manual NAT.

object network outside1

host 201.100.1.100

object network outside2

host 201.100.1.200

object network inside

subnet 10.1.1.0 255.255.255.0

object network outside

host 201.100.1.1

object service telnet

service tcp destination eq telnet

object service http

service tcp destination eq www

nat (inside,outside) source dynamic inside outside1 destination static outside outside service telnet telnet

nat (inside,outside) source dynamic inside outside2 destination static outside outside service http http

ASA8-4# show xlate

1 in use, 4 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

TCP PAT from outside:201.100.1.1 23-23 to inside:201.100.1.1 80-80

flags srIT idle 0:00:37 timeout 0:00:00

Note: T means twice NAT, i.e. both the source address and the destination address can be translated.

7. (I – identity NAT: the address is translated to itself; mostly used for remote-access VPN)

8.0

nat (inside) 0 10.1.1.0 255.255.255.0

CLI help for the id argument, as printed by the ASA: (<0-2147483647> The of this group of hosts/networks. This will be referenced by the global command to associate a global pool with the local IP address. '0' is used to indicate no address translation for local IP. The limit is 65535 with access-lists)

An id of 0 means the address is translated to itself.

ASA/pri/act# show xlate detail

1 in use, 5 most used

Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,

r - portmap, s - static

NAT from inside:10.1.1.1 to outside:10.1.1.1 flags iI

Note the I here: the address is translated to itself. (In this case, can the outside access the inside?)

8.4

object network iden-nat

subnet 10.1.1.0 255.255.255.0

object network iden-nat

nat (inside,outside) static iden-nat

ASA8-4# show xlate

1 in use, 4 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

NAT from inside:10.1.1.0/24 to outside:10.1.1.0/24

flags sI idle 0:00:07 timeout 0:00:00
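The xlate tables quoted in sections 1 to 7 come in three shapes: the plain 8.2 "show xlate" line, the 8.2 "show xlate detail" line, and the 8.4 line whose "flags" part may wrap onto a second row. Reading the flags is how an operator checks that a rule produced the translation type intended (static versus dynamic, identity, twice). The parser below is an added example, not code from this page or from Cisco; the function names parse_xlate and summarize are its own, the flag legend is the union of the two "Flags:" lines the page reproduces, and the sample text is assembled from lines the page itself shows.

```python
"""Parser for the 'show xlate' lines quoted on this page (8.2 plain, 8.2 detail and 8.4).

Added example, not code from the page or from Cisco. The flag legend is the
union of the 'Flags:' lines the page reproduces; the samples are built from
the page's own output lines.
"""
import re

FLAG_LEGEND = {
    "D": "DNS", "d": "dump", "I": "identity", "i": "dynamic",
    "n": "no random", "r": "portmap", "s": "static", "T": "twice",
}

# 8.2 'show xlate detail' and 8.4 'show xlate' share this shape:
#   [TCP] NAT|PAT from <ifc>[(acl)]:<real>[ <p-p>] to <ifc>[(acl)]:<mapped>[ <p-p>]
#       flags <f> [idle h:mm:ss] [timeout h:mm:ss]
ENTRY_RE = re.compile(
    r"^(?:(?P<proto>TCP|UDP|ICMP)\s+)?(?P<kind>NAT|PAT)\s+from\s+"
    r"(?P<real_ifc>\w+)(?:\((?P<real_acl>[^)]*)\))?:(?P<real>\S+)(?:\s+(?P<real_ports>\d+-\d+))?"
    r"\s+to\s+"
    r"(?P<mapped_ifc>\w+)(?:\((?P<mapped_acl>[^)]*)\))?:(?P<mapped>\S+)(?:\s+(?P<mapped_ports>\d+-\d+))?"
    r"\s+flags\s+(?P<flags>[A-Za-z]+)"
    r"(?:\s+idle\s+(?P<idle>\S+))?(?:\s+timeout\s+(?P<timeout>\S+))?\s*$"
)
# The plain 8.2 'show xlate' form: PAT Global 201.100.1.100(1024) Local 10.1.1.1(11298)
PLAIN_PAT_RE = re.compile(
    r"^PAT Global (?P<mapped>\S+)\((?P<mport>\d+)\) Local (?P<real>\S+)\((?P<rport>\d+)\)$"
)


def _join_wrapped(lines):
    """8.4 prints 'flags ...' on a continuation row; glue it to the entry before it."""
    out = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("flags ") and out:
            out[-1] = out[-1] + " " + line
        else:
            out.append(line)
    return out


def parse_xlate(text):
    """Return one dict per translation entry; prompt, counter and legend lines are skipped."""
    entries = []
    for line in _join_wrapped(text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:
            d = m.groupdict()
            d["flag_names"] = [FLAG_LEGEND.get(f, "?" + f) for f in d["flags"]]
            entries.append(d)
            continue
        m = PLAIN_PAT_RE.match(line)
        if m:
            entries.append({"proto": None, "kind": "PAT", "real": m["real"] + "/" + m["rport"],
                            "mapped": m["mapped"] + "/" + m["mport"], "flags": "", "flag_names": []})
    return entries


def summarize(entries):
    """Count entries by translation type, which is what an operator audits the table for."""
    counts = {"static": 0, "dynamic": 0, "identity": 0, "twice": 0, "portmap": 0}
    for e in entries:
        for name in counts:
            if name in e["flag_names"]:
                counts[name] += 1
    return counts


# Samples assembled from output lines shown on this page (constructed for this example).
SAMPLE_84 = """\
ASA8-4# show xlate
1 in use, 4 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from outside:201.100.1.1 23-23 to inside:201.100.1.1 80-80
    flags srIT idle 0:00:37 timeout 0:00:00
NAT from inside:10.1.1.0/24 to outside:10.1.1.0/24
    flags sI idle 0:00:07 timeout 0:00:00
TCP PAT from inside:10.1.1.1/53851 to outside:201.100.1.100/5810 flags ri idle 0:00:04 timeout 0:00:30
"""
SAMPLE_82 = """\
ASA/pri/act# show xlate detail
2 in use, 5 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static
TCP PAT from inside:10.1.1.1/30449 to outside(pat2):201.100.1.200/1024 flags ri
NAT from inside:10.1.1.1 to outside:10.1.1.1 flags iI
PAT Global 201.100.1.100(1024) Local 10.1.1.1(11298)
"""

if __name__ == "__main__":
    for name, sample in (("8.4", SAMPLE_84), ("8.2", SAMPLE_82)):
        entries = parse_xlate(sample)
        print(name, summarize(entries))
        for e in entries:
            print("  ", e["kind"], e["real"], "->", e["mapped"], e["flag_names"])
```

A useful check to build on this: an entry whose flag_names contain "identity" for a network that was supposed to be hidden behind a public address, or an entry carrying "twice" where only Auto NAT rules were intended, points at a rule that does not do what its author thought.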

All of the above are source-based NAT translations; next we look at static NAT translations.

8. 8.2 (static NAT translation: a static one-to-one translation from outside to inside)

ASA/pri/act# show running-config static

static (inside,outside) 201.100.1.100 10.1.1.1 netmask 255.255.255.255

On 8.2 the access list permits the translated (mapped) address:

access-list out line 1 extended permit tcp host 201.100.1.1 host 201.100.1.100 (hitcnt=9) 0x4a668fb0

ASA/pri/act# show xlate detail

1 in use, 5 most used

Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,

r - portmap, s - static

NAT from inside:10.1.1.1 to outside:201.100.1.100 flags s

8.4

ASA8-4# show running-config object

object network nat

host 10.1.1.1

ASA8-4# show running-config nat

!

object network nat

nat (inside,outside) static 201.100.1.100

ASA8-4# show xlate

1 in use, 4 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

NAT from inside:10.1.1.1 to outside:201.100.1.100

flags s idle 0:00:52 timeout 0:00:00

access-list out line 1 extended permit tcp host 201.100.1.1 host 10.1.1.1 (hitcnt=1) 0xe8e098f5

On 8.4 the list permits the real IP address of the inside host.

9. 8.0 static PAT (port redirection): there is only one public address, and connections to different ports of that public address are redirected to different servers.

ASA/pri/act# show running-config static

static (inside,outside) tcp 201.100.1.100 telnet 10.1.1.1 www netmask 255.255.255.255

static (inside,outside) tcp 201.100.1.100 www 10.1.1.2 telnet netmask 255.255.255.255

ASA/pri/act# show xlate detail

2 in use, 5 most used

Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,

r - portmap, s - static

TCP PAT from inside:10.1.1.1/80 to outside:201.100.1.100/23 flags sr

TCP PAT from inside:10.1.1.2/23 to outside:201.100.1.100/80 flags sr

access-list out line 1 extended permit tcp host 201.100.1.1 host 201.100.1.100 eq telnet (hitcnt=1) 0x57c792d9

access-list out line 2 extended permit tcp host 201.100.1.1 host 201.100.1.100 eq www (hitcnt=0) 0x463b6a3b

The list likewise permits the translated address and port.

8.4

New version (Twice NAT)

object network inside1

host 10.1.1.1

object network inside2

host 10.1.1.2

object network outside

host 201.100.1.100

object service telnet

service tcp destination eq telnet

object service http

service tcp destination eq www

object network outside-des

host 201.100.1.1

ASA8-4(config)# show running-config nat

nat (outside,inside) source static outside-des outside-des destination static outside inside1 service http telnet

access-list out line 1 extended permit tcp host 201.100.1.1 host 10.1.1.1 eq telnet (hitcnt=1) 0x213cb7ce

R5-outside8.4#telnet 201.100.1.100 80

Trying 201.100.1.100, 80 ... Open

R4-inside1-8.4>

10. 8.2 static identity translation: the inside address is translated to itself, and the outside can access it (a static identity translation that is reachable from outside).

ASA/pri/act# show running-config static

static (inside,outside) 10.1.1.1 10.1.1.1 netmask 255.255.255.255

ASA/pri/act# show xlate detail

1 in use, 5 most used

Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,

r - portmap, s - static

NAT from inside:10.1.1.1 to outside:10.1.1.1 flags s

access-list out line 1 extended permit tcp host 201.100.1.1 host 10.1.1.1 (hitcnt=1) 0xe8e098f5

R2-outside#telnet 10.1.1.1

Trying 10.1.1.1 ... Open

R1-inside>

R1-inside>show users

Line User Host(s) Idle Location

0 con 0 idle 00:00:08

*130 vty 0 idle 00:00:00 201.100.1.1

Interface User Mode Idle Peer Address

8.4

ASA8-4# show running-config object

object network iden-nat

host 10.1.1.1

object network iden-nat

nat (inside,outside) static 10.1.1.1

ASA8-4# show xlate

1 in use, 4 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

NAT from inside:10.1.1.1 to outside:10.1.1.1

flags sI idle 0:00:07 timeout 0:00:00

R5-outside8.4#telnet 10.1.1.1

Trying 10.1.1.1 ... Open

11. Static network translation (the whole subnet is translated one-to-one)

8.0

static (inside,outside) 201.100.1.0 10.1.1.0 netmask 255.255.255.0

ASA/pri/act# show xlate detail

1 in use, 5 most used

Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,

r - portmap, s - static

NAT from inside:10.1.1.0 to outside:201.100.1.0 flags s

access-list out line 1 extended permit tcp 201.100.1.0 255.255.255.0 201.100.1.0 255.255.255.0 (hitcnt=1) 0x34f8fd73

R2-outside#telnet 201.100.1.2

Trying 201.100.1.2 ... Open

8.4

object network inside

subnet 10.1.1.0 255.255.255.0

object network outside

subnet 201.100.1.0 255.255.255.0

object network inside

nat (inside,outside) static outside

ASA# show xlate

1 in use, 1 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

NAT from inside:10.1.1.0/24 to outside:201.100.1.0/24

flags s idle 0:03:19 timeout 0:00:00

access-list out line 1 extended permit tcp host 201.100.1.1 host 10.1.1.2 (hitcnt=1) 0x0b722de5

R5-outside8.4#telnet 201.100.1.2

Trying 201.100.1.2 ... Open

R4-inside1-8.4>

R4-inside1-8.4>show users

Line User Host(s) Idle Location

0 con 0 idle 00:00:04

*130 vty 0 idle 00:00:00 201.100.1.1

Interface User Mode Idle Peer Address

12. 8.0 nat (inside) 0 access-list: a special form of NAT called no-NAT or NAT bypass, generally used for VPN.

VPN traffic must not be NATed.

nat (inside) 0 access-list (matching the VPN traffic): traffic that matches the access list is not translated.

access-list vpn line 1 extended permit ip host 10.1.1.1 host 201.100.1.1 (hitcnt=0) 0x732d93c0

nat (inside) 0 access-list vpn

nat (inside) 10 10.1.1.0 255.255.255.0

Matched traffic is not NATed, while unmatched traffic is translated. The two router sessions below show this: from 10.1.1.1 (matched by the list) R2 sees the peer as 10.1.1.1; after the interface is readdressed to 10.1.1.2 (not matched) R2 sees 201.100.1.10.

R1-inside#show running-config interface eth0/0

Building configuration...

Current configuration : 77 bytes

!

interface Ethernet0/0

ip address 10.1.1.1 255.255.255.0

half-duplex

end

R1-inside#telnet 201.100.1.1

Trying 201.100.1.1 ... Open

R2-outside>show users

Line User Host(s) Idle Location

0 con 0 idle 00:04:19

*130 vty 0 idle 00:00:00 10.1.1.1

Interface User Mode Idle Peer Address

R1-inside#show running-config interface ethernet 0/0

Building configuration...

Current configuration : 77 bytes

!

interface Ethernet0/0

ip address 10.1.1.2 255.255.255.0

half-duplex

end

R1-inside#telnet 201.100.1.1

Trying 201.100.1.1 ... Open

R2-outside>show users

Line User Host(s) Idle Location

0 con 0 idle 00:04:49

*130 vty 0 idle 00:00:00 201.100.1.10

Interface User Mode Idle Peer Address

R2-outside>

On 8.4, to bypass VPN traffic we use identity NAT, translating the address to itself.

VPN traffic bypass

In the old version we used NAT 0 to solve this problem; the new version no longer has the NAT 0 concept and instead uses Twice NAT combined with identity NAT.

8.0

access-list 100 permit ip host 1.1.1.1 host 2.2.2.2

nat (inside) 0 access-list 100

8.4

object network local-vpn-traffic

host 1.1.1.1

object network remote-vpn-traffic

host 2.2.2.2

nat (inside,outside) source static local-vpn-traffic local-vpn-traffic destination static remote-vpn-traffic remote-vpn-traffic

NAT must use an extended access list:

Firewall bypassing VPN traffic:

nat (inside) 1 1.1.1.0 255.255.255.0

nat (inside) 1 10.1.1.0 255.255.255.0

global (outside) 1 201.100.1.100

nat (inside) 0 access-list l2l

access-list l2l line 1 extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0

A router that does NAT runs into the same problem.

Router bypassing VPN traffic:

interface Ethernet0/0

ip address 201.100.1.2 255.255.255.0

ip nat outside

ip virtual-reassembly

half-duplex

crypto map l2l

end

interface Loopback0

ip address 2.2.2.2 255.255.255.0

ip nat inside

ip virtual-reassembly

end

ip nat inside source list 110 interface Ethernet0/0 overload

Extended IP access list 100

10 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 (25 matches)

Extended IP access list 110

10 deny ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 (10 matches)

(In the NAT access list the VPN traffic is denied first; this is why the list used for NAT must be an extended access list.)

20 permit ip 2.2.2.0 0.0.0.255 any (2 matches)
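Whether the router's "ip nat inside source list 110 ... overload" leaves the VPN flow alone depends only on how list 110 evaluates the flow: first matching entry wins, and an implicit deny follows the last entry. The script below is an added example, not code from this page or from Cisco IOS; the function names parse_acl, acl_action and is_translated are its own. It parses the "show access-lists" lines the page reproduces for list 110 (ignoring the match counters), evaluates them with IOS wildcard-mask semantics, and contrasts them with a constructed list that lacks the deny entry, which is the mistake the section warns about.

```python
"""Evaluate a router NAT access-list the way IOS does: first match wins, implicit deny last.

Added example, not code from the page or from Cisco. It parses the
'show access-lists' lines the page reproduces for list 110 and answers the
question the section asks: which flows does 'ip nat inside source list 110
interface Ethernet0/0 overload' translate? A flow the list denies, or that
matches no entry, is left untranslated.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens, i):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[i] == "any":
        return (0, ALL_ONES), i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def parse_ace(line):
    """One 'show access-lists' row -> dict, or None for header rows such as 'Extended IP access list 110'."""
    tokens = line.split()
    if tokens and tokens[0].isdigit():
        tokens = tokens[1:]                  # sequence number
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
        return None
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)           # trailing '(N matches)' is ignored
    return {"action": action, "proto": proto, "src": src, "dst": dst}


def parse_acl(text):
    return [ace for ace in (parse_ace(line) for line in text.splitlines()) if ace]


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    care = ~wildcard & ALL_ONES
    return (addr & care) == (base & care)


def acl_action(aces, src_ip, dst_ip):
    """First matching entry decides; no match means the implicit deny at the end."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for ace in aces:
        if wildcard_match(s, *ace["src"]) and wildcard_match(d, *ace["dst"]):
            return ace["action"]
    return "deny"


def is_translated(nat_acl, src_ip, dst_ip):
    """'ip nat inside source list <acl>' translates only what the list permits."""
    return acl_action(nat_acl, src_ip, dst_ip) == "permit"


# List 110 as shown on this page (counters are kept to show they are ignored).
ROUTER_ACL_110 = """\
Extended IP access list 110
    10 deny ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 (10 matches)
    20 permit ip 2.2.2.0 0.0.0.255 any (2 matches)
"""

# Constructed counter-example: the same list without the deny, i.e. what a
# source-only (standard-style) list would express. VPN traffic would be NATed.
BROKEN_ACL = """\
10 permit ip 2.2.2.0 0.0.0.255 any
"""

if __name__ == "__main__":
    for label, text in (("list 110", ROUTER_ACL_110), ("without deny", BROKEN_ACL)):
        acl = parse_acl(text)
        for src, dst in (("2.2.2.2", "1.1.1.1"), ("2.2.2.2", "201.100.1.1")):
            print(label, src, "->", dst, "translated:", is_translated(acl, src, dst))
```

The first list leaves 2.2.2.2 to 1.1.1.1 (the VPN pair) untranslated and NATs everything else from 2.2.2.0/24, matching the counters on the page; the constructed list without the deny would translate the VPN flow too, so the crypto ACL on the peer would never match it.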

The firewall bypasses VPN traffic with identity NAT, translating the address to itself; the router bypasses VPN traffic by denying it in the NAT access list. The access control list used for NAT must be an extended access control list.
