(完整版)CISCO防火墙ASA8.3nat

1、Network Object NA T 配置介绍1.Dynamic NAT (动态 NAT ，动态一对一)实例一 :传统配置方法：nat (Inside) 1 10.1.1.0 255.255.255.0global (Outside) 1 202.100.1.100-202.100.1.200新配置方法( Network Object NAT )object network Outside-Nat-Poolrange 202.100.1.100 202.100.1.200object network Inside-Networksubnet 10.1.1.0 255.255.255.0nat

2、 (Inside,Outside) dynamic Outside-Nat-Pool实例二 :object network Outside-Nat-Poolrange 202.100.1.100 202.100.1.200object network Outside-PAT-Addresshost 202.100.1.201object-group network Outside-Addressnetwork-object object Outside-Nat-Poolnetwork-object object Outside-PAT-Addressobject network Inside-

3、Network(先100-200动态一对一，然后 202.100.1.201动态PAT,最后使用接口地址动态PAT)nat (Inside,Outside) dynamic Outside-Address interface教主认为这种配置方式的好处是，新的NAT 命令绑定了源接口和目的接口，所以不会出现传统配置影响 DMZ 的问题(当时需要 nat0 + acl 来旁路)2.Dynamic PAT (Hide)(动态 PAT,动态多对一)传统配置方式：nat (Inside) 1 10.1.1.0 255.255.255.0global(outside) 1 202.100.1.101新配置

4、方法( Network Object NAT )object network Outside-PAT-Addresshost 202.100.1.101object network Inside-Networksubnet 10.1.1.0 255.255.255.0nat (Inside,Outside) dynamic Outside-PAT-Addressornat (Inside,Outside) dynamic 202.100.1.1023.Static NAT or Static NAT with Port Translation (静态一对一转换，静态端口转换) 实例一：(静态一

5、对一转换)传统配置方式：static (Inside,outside) 202.100.1.101 10.1.1.1新配置方法( Network Object NAT )object network Static-Outside-Addresshost 202.100.1.101object network Static-Inside-Address host 10.1.1.1nat (Inside,Outside) static Static-Outside-Addressornat (Inside,Outside) static 202.100.1.102 实例二：(静态端口转换)传统配置

6、方式：static (inside,outside) tcp 202.100.1.102 2323 10.1.1.1 23新配置方法( Network Object NAT )object network Static-Outside-Addresshost 202.100.1.101object network Static-Inside-Addresshost 10.1.1.1nat (Inside,Outside) static Static-Outside-Address service tcp telnet 2323 ornat (Inside,Outside) static 202

7、.100.1.101 service tcp telnet 23234.Identity NAT =no nat传统配置方式：nat (inside) 0 10.1.1.1 255.255.255.255新配置方法( Network Object NAT )object network Inside-Addresshost 10.1.1.1nat (Inside,Outside) static Inside-Addressornat (Inside,Outside) static 10.1.1.1Twice NAT (类似于 Policy NA T )实例一：传统配置 :access-list

8、 inside-to-1 permit ip 10.1.1.0 255.255.255.0 host 1.1.1.1access-list inside-to-202 permit ip 10.1.1.0 255.255.255.0 host 202.100.1.1nat (inside) 1 access-list inside-to-1nat (inside) 2 access-list inside-to-202 global(outside) 1 202.100.1.101 global(outside) 2 202.100.1.102新配置方法( Twice NAT ) :objec

9、t network dst-1host 1.1.1.1object network dst-202host 202.100.1.1object network pat-1host 202.100.1.101object network pat-2host 202.100.1.102object network Inside-Networksubnet 10.1.1.0 255.255.255.0nat (Inside,Outside) source dynamic Inside-Network pat-1 destination static dst-1 dst-1nat (Inside,Ou

10、tside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202实例二：传统配置 :access-list inside-to-1 permit ip 10.1.1.0 255.255.255.0 host 1.1.1.1 access-list inside-to-202 permit ip 10.1.1.0 255.255.255.0 host 202.100.1.1 nat (inside) 1 access-list inside-to-1nat (inside) 2 access-list in

11、side-to-202 global(outside) 1 202.100.1.101 global(outside) 2 202.100.1.102static (outside,inside) 10.1.1.101 1.1.1.1static (outside,inside) 10.1.1.102 202.100.1.1新配置方法( Twice NAT ) :object network dst-1host 1.1.1.1object network dst-202host 202.100.1.1object network pat-1host 202.100.1.101object ne

12、twork pat-2 host 202.100.1.102 object network Inside-Network subnet 10.1.1.0 255.255.255.0 object network map-dst-1 host 10.1.1.101 object network map-dst-202 host 10.1.1.102nat (Inside,Outside) source dynamic Inside-Network pat-1 destination static map-dst-1 dst-1 nat (Inside,Outside) source dynami

13、c Inside-Network pat-2 destination static map-dst-202 dst-202实例三：传统配置 :access-list inside-to-1 permit tcp 10.1.1.0 255.255.255.0 host 1.1.1.1 eq 23access-list inside-to-202 permit tcp 10.1.1.0 255.255.255.0 host 202.100.1.1 eq 3032 nat (inside) 1 access-list inside-to-1 nat (inside) 2 access-list in

14、side-to-202 global(outside) 1 202.100.1.101 global(outside) 1 202.100.1.102新配置方法( Twice NAT ) :object network dst-1host 1.1.1.1object network dst-202host 202.100.1.1 object network pat-1 host 202.100.1.101 object network pat-2 host 202.100.1.102 object network Inside-Network subnet 10.1.1.0 255.255.

15、255.0 object service telnet23 service tcp destination eq telnet object service telnet3032 service tcp destination eq 3032nat (Inside,Outside) source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23nat (Inside,Outside) source dynamic Inside-Network pat-2 destinati

16、on static dst-202 dst-202 service telnet3032 telnet3032Main Differences Between Network Object NAT and Twice NAT ( Network Object NA T 和 TwiceNAT 的主要区别）How you define the real address. （从如何定义真实地址的角度来比较）-Network object NA TYou define NAT as a parameter for a network object; the network object definit

17、ion itself provides the real address. This method lets you easily add NAT to network objects. The objects can also be used in other parts of your configuration, for example, for access rules or even in twice NAT rules.-Twice NAT You identify a network object or network object group for both the real

18、 and mapped addresses. In this case, NAT is not a parameter of the network object; the network object or group is a parameter of the NAT configuration. The ability to use a network object group for the real address means that twice NAT is more scalable.How source and destination NAT is implemented.（

19、 源和目的 nat 被运用 ）-Network object NA T Each rule can apply to either the source or destination of a packet. So two rules might be used, one for the source IP address, and one for the destination IP address. These two rules cannot be tied together to enforce a specific translation for a source/destinati

20、on combination.-Twice NAT A single rule translates both the source and destination. A matching packet only matches the one rule, and further rules are not checked. Even if you do not configure the optional destination address for twice NA T, a matching packet still only matches one twice NAT rule. T

21、he source and destination are tied together, so you can enforce different translations depending on the source/destination combination. For example, sourceA/destinationA can have a different translation than sourceA/destinationB.We recommend using network object NAT unless you need the extra feature

22、s that twice NAT provides. Network object NAT is easier to configure, and might be more reliable for applications such as Voice over IP （VoIP）.NAT Rule OrderTablie SectionRule TypeOrder of Rules withen the SectionSection 1Twice MAT人卩plied on a tlirc match hasis. in the nrder they appear in The confi

23、guration. Uy default, tlue 气AT rilles arc addeJ to section LNote If you configure VPN. the client dynamically adds invisible X.AT nites iu the end of this seclion. Be sure (hat you do nol congure a Ewice NAT rule tn thi5 section that might match your PN iraffic. tnsiaJ of UKilchin th亡 inxisible rule

24、. If VPN Joes not vork due to NAT failure, consider adding twice NAT rules to tection 3 instead.Section 2Network object XATSaction 2 rales are apptied in the following order, as auconutKally dccrinind the adupthe security appliaiKC:1. Static rules.2. Dynamic nr les.Within eitch rule lype. the follow

25、 me ordenng uidclme re used:礼 QuantiLy of real IP addresses一From mallest lu largest. For example, an object with one address will be Eisseed before an object 応10 uddiusso.h. Him quantilthe same, then the IP address number is use-d. froiri lowest tscstd before calMinanSection 3Twice NATSection. 3 rul

26、es are applied on a first nu忧h basis, in the order they appear in ihe configuration. You can specify whethei to add a仙w nat ieto zi。忖功护貓红囲郴拼恢酎吃排序实例：192.168.1.1/32 (static)10.1.1.0/24 (static)192.168.1.0/24 (static)172.16.1.0/24 (dynamic) (object abc)172.16.1.0/24 (dynamic) (object def)192.168.1.0/24 (dyn amic)查看NAT顺序的命令：ASA(co nfig)# sh run natnat (Inside,Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202 service