NAT differences between Cisco ASA 8.2 and 8.4
1. NAT (nat-control: this command exists in 8.2; when it is enabled, traffic that has no NAT rule does not pass)

8.2 (PAT translation)
global (outside) 10 201.100.1.100
nat (inside) 10 10.1.1.0 255.255.255.0
ASA/pri/act(config)# show xlate
1 in use, 1 most used
PAT Global 201.100.1.100(1024) Local 10.1.1.1(11298)

8.4
object network nat
 subnet 10.1.1.0 255.255.255.0
object network nat
 nat (inside,outside) dynamic 201.100.1.100
ASA8-4# show xlate
1 in use, 2 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:10.1.1.1/53851 to outside:201.100.1.100/5810 flags ri idle 0:00:04 timeout 0:00:30

2. 8.2 (dynamic one-to-one translation)
nat (inside) 10 10.1.1.0 255.255.255.0
global (outside) 10 201.100.1.110-201.100.1.120 netmask 255.255.255.0
ASA/pri/act# show xlate detail
2 in use, 2 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static
NAT from inside:10.1.1.1 to outside:201.100.1.110 flags i
NAT from inside:10.1.1.2 to outside:201.100.1.111 flags i

8.4
object network nat
 subnet 10.1.1.0 255.255.255.0
object network outside-nat
 range 201.100.1.110 201.100.1.120
object network nat
 nat (inside,outside) dynamic outside-nat
ASA8-4# show xlate
1 in use, 2 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:10.1.1.1 to outside:201.100.1.115 flags i idle 0:01:13 timeout 3:00:00

3. 8.2 (translation to the interface address)
nat (inside) 10 10.1.1.0 255.255.255.0
global (outside) 10 interface
ASA/pri/act# show xlate detail
1 in use, 2 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static
TCP PAT from inside:10.1.1.1/61971 to outside:201.100.1.10/1024 flags ri

8.4
object network nat
 subnet 10.1.1.0 255.255.255.0
object network nat
 nat (inside,outside) dynamic interface
ASA8-4(config)# show xlate
1 in use, 2 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:10.1.1.1/35322 to outside:201.100.1.10/52970 flags ri idle 0:00:03 timeout 0:00:30

4. 8.2 (different internal addresses translated to different external addresses)
nat (inside) 9 1.1.1.0 255.255.255.0
nat (inside) 10 10.1.1.0 255.255.255.0
(Ordering rule: the more specific entry is listed first; when the specificity is the same, the entry with the smaller IP address comes first. The rules are also applied in this order.)
global (outside) 10 interface
global (outside) 9 201.100.1.111
ASA/pri/act# show xlate detail
2 in use, 2 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static
TCP PAT from inside:1.1.1.1/51343 to outside:201.100.1.111/1026 flags ri
TCP PAT from inside:10.1.1.1/13938 to outside:201.100.1.10/1028 flags ri

8.4
ASA8-4# show running-config object
object network inside1
 subnet 10.1.1.0 255.255.255.0
object network inside2
 subnet 1.1.1.0 255.255.255.0
object network ouside-inside2
 host 201.100.1.110
ASA8-4# show running-config nat
!
object network inside1
 nat (inside,outside) dynamic interface
object network inside2
 nat (inside,outside) dynamic ouside-inside2
ASA8-4# show xlate
2 in use, 2 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:1.1.1.1/59611 to outside:201.100.1.110/34338 flags ri idle 0:00:08 timeout 0:00:30
TCP PAT from inside:10.1.1.1/22181 to outside:201.100.1.10/53371 flags ri idle 0:00:19 timeout 0:00:30

5. 8.2 (one-to-one translation first; only when the pool addresses are all used up does it fall back to PAT)
ASA/pri/act# show running-config nat
nat (inside) 10 10.1.1.0 255.255.255.0
ASA/pri/act# show running-config global
global (outside) 10 201.100.1.110-201.100.1.112
global (outside) 10 201.100.1.116
ASA/pri/act# show xlate detail
4 in use, 5 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static
NAT from inside:10.1.1.1 to outside:201.100.1.110 flags i
NAT from inside:10.1.1.3 to outside:201.100.1.112 flags i
TCP PAT from inside:10.1.1.6/19799 to outside:201.100.1.116/1025 flags ri
NAT from inside:10.1.1.2 to outside:201.100.1.111 flags i

8.4
object network outside
 range 201.100.1.110 201.100.1.112
object network inside
 subnet 10.1.1.0 255.255.255.0
object network inside
 nat (inside,outside) dynamic outside interface
ASA8-4# show xlate
4 in use, 4 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:10.1.1.4/49994 to outside:201.100.1.10/52626 flags ri idle 0:00:04 timeout 0:00:30
NAT from inside:10.1.1.1 to outside:201.100.1.111 flags i idle 0:01:31 timeout 3:00:00
NAT from inside:10.1.1.3 to outside:201.100.1.110 flags i idle 0:00:16 timeout 3:00:00
NAT from inside:10.1.1.2 to outside:201.100.1.112 flags i idle 0:00:33 timeout 3:00:00

6. 8.0 (policy NAT: traffic from inside to different destination ports on the outside is translated to different external IP addresses) (policy NAT always takes precedence over regular NAT)
access-list pat1 extended permit tcp host 10.1.1.1 host 201.100.1.1 eq telnet
access-list pat2 extended permit tcp host 10.1.1.1 host 201.100.1.1 eq www
nat (inside) 10 access-list pat1
nat (inside) 20 access-list pat2
global (outside) 10 201.100.1.100
global (outside) 20 201.100.1.200
ASA/pri/act# show xlate detail
2 in use, 5 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static
TCP PAT from inside:10.1.1.1/30449 to outside(pat2):201.100.1.200/1024 flags ri
TCP PAT from inside:10.1.1.1/43167 to outside(pat1):201.100.1.100/1024 flags ri

8.4 (new version: Twice NAT). This is two-way NAT; it normally adds a destination-based element, whereas the network object NAT above is source-based only. In most cases object NAT is enough to solve the problem; Twice NAT is used only in special cases. Object NAT is commonly called Auto NAT, and Twice NAT is called Manual NAT.
object network outside1
 host 201.100.1.100
object network outside2
 host 201.100.1.200
object network inside
 subnet 10.1.1.0 255.255.255.0
object network outside
 host 201.100.1.1
object service telnet
 service tcp destination eq telnet
object service http
 service tcp destination eq www
nat (inside,outside) source dynamic inside outside1 destination static outside outside service telnet telnet
nat (inside,outside) source dynamic inside outside2 destination static outside outside service http http
ASA8-4# show xlate
1 in use, 4 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from outside:201.100.1.1 23-23 to inside:201.100.1.1 80-80 flags srIT idle 0:00:37 timeout 0:00:00
Note: the T flag means twice NAT, where both the source and the destination address can be translated.

7. nat 0 (I – identity NAT: an address is translated to itself; mostly used for remote-access VPN)
8.0
nat (inside) 0 10.1.1.0 255.255.255.0
(<0-2147483647> The <nat_id> of this group of hosts/networks. This <nat_id> will be referenced by the global command to associate a global pool with the local IP address. <nat_id> '0' is used to indicate no address translation for local IP. The limit is 65535 with access-lists)
0 means the address is translated to itself.
ASA/pri/act# show xlate detail
1 in use, 5 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static
NAT from inside:10.1.1.1 to outside:10.1.1.1 flags iI
Note the I flag here: the address is translated to itself. (In this case the outside cannot access the inside.)

8.4
object network iden-nat
 subnet 10.1.1.0 255.255.255.0
object network iden-nat
 nat (inside,outside) static iden-nat
ASA8-4# show xlate
1 in use, 4 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:10.1.1.0/24 to outside:10.1.1.0/24 flags sI idle 0:00:07 timeout 0:00:00

Everything above is source-based NAT; next we look at static NAT.

8. 8.0 (static NAT: static one-to-one translation from outside to inside)
ASA/pri/act# show running-config static
static (inside,outside) 201.100.1.100 10.1.1.1 netmask 255.255.255.255
The access list permits the translated address:
access-list out line 1 extended permit tcp host 201.100.1.1 host 201.100.1.100 (hitcnt=9) 0x4a668fb0
ASA/pri/act# show xlate detail
1 in use, 5 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static
NAT from inside:10.1.1.1 to outside:201.100.1.100 flags s

8.4
ASA8-4# show running-config object
object network nat
 host 10.1.1.1
ASA8-4# show running-config nat
!
object network nat
 nat (inside,outside) static 201.100.1.100
ASA8-4# show xlate
1 in use, 4 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:10.1.1.1 to outside:201.100.1.100 flags s idle 0:00:52 timeout 0:00:00
access-list out line 1 extended permit tcp host 201.100.1.1 host 10.1.1.1 (hitcnt=1) 0xe8e098f5
Here the access list permits the real IP address of the inside host.

9. 8.0 static PAT (port redirection): with only one public address, access to different ports of that public address is redirected to different servers.
ASA/pri/act# show running-config static
static (inside,outside) tcp 201.100.1.100 telnet 10.1.1.1 www netmask 255.255.255.255
static (inside,outside) tcp 201.100.1.100 www 10.1.1.2 telnet netmask 255.255.255.255
ASA/pri/act# show xlate detail
2 in use, 5 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static
TCP PAT from inside:10.1.1.1/80 to outside:201.100.1.100/23 flags sr
TCP PAT from inside:10.1.1.2/23 to outside:201.100.1.100/80 flags sr
access-list out line 1 extended permit tcp host 201.100.1.1 host 201.100.1.100 eq telnet (hitcnt=1) 0x57c792d9
access-list out line 2 extended permit tcp host 201.100.1.1 host 201.100.1.100 eq www (hitcnt=0) 0x463b6a3b
The access list again permits the translated address and port.

8.4 (new version: Twice NAT)
object network inside1
 host 10.1.1.1
object network inside2
 host 10.1.1.2
object network outside
 host 201.100.1.100
object service telnet
 service tcp destination eq telnet
object service http
 service tcp destination eq www
object network outside-des
 host 201.100.1.1
ASA8-4(config)# show running-config nat
nat (outside,inside) source static outside-des outside-des destination static outside inside1 service http telnet
access-list out line 1 extended permit tcp host 201.100.1.1 host 10.1.1.1 eq telnet (hitcnt=1) 0x213cb7ce
R5-outside8.4#telnet 201.100.1.100 80
Trying 201.100.1.100, 80 ... Open
R4-inside1-8.4>

10. 8.2 static identity translation: the inside address is translated to itself, and the outside can reach it. With static identity NAT the outside can access the inside.
ASA/pri/act# show running-config static
static (inside,outside) 10.1.1.1 10.1.1.1 netmask 255.255.255.255
ASA/pri/act# show xlate detail
1 in use, 5 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static
NAT from inside:10.1.1.1 to outside:10.1.1.1 flags s
access-list out line 1 extended permit tcp host 201.100.1.1 host 10.1.1.1 (hitcnt=1) 0xe8e098f5
R2-outside#telnet 10.1.1.1
Trying 10.1.1.1 ... Open
R1-inside>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:08
*130 vty 0                idle                 00:00:00 201.100.1.1
  Interface    User               Mode         Idle     Peer Address

8.4
ASA8-4# show running-config object
object network iden-nat
 host 10.1.1.1
object network iden-nat
 nat (inside,outside) static 10.1.1.1
ASA8-4# show xlate
1 in use, 4 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:10.1.1.1 to outside:10.1.1.1 flags sI idle 0:00:07 timeout 0:00:00
R5-outside8.4#telnet 10.1.1.1
Trying 10.1.1.1 ... Open

11. Static network translation (one-to-one translation of an entire subnet)
8.0
static (inside,outside) 201.100.1.0 10.1.1.0 netmask 255.255.255.0
ASA/pri/act# show xlate detail
1 in use, 5 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static
NAT from inside:10.1.1.0 to outside:201.100.1.0 flags s
access-list out line 1 extended permit tcp 201.100.1.0 255.255.255.0 201.100.1.0 255.255.255.0 (hitcnt=1) 0x34f8fd73
R2-outside#telnet 201.100.1.2
Trying 201.100.1.2 ... Open

8.4
object network inside
 subnet 10.1.1.0 255.255.255.0
object network outside
 subnet 201.100.1.0 255.255.255.0
object network inside
 nat (inside,outside) static outside
ASA# show xlate
1 in use, 1 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:10.1.1.0/24 to outside:201.100.1.0/24 flags s idle 0:03:19 timeout 0:00:00
access-list out line 1 extended permit tcp host 201.100.1.1 host 10.1.1.2 (hitcnt=1) 0x0b722de5
R5-outside8.4#telnet 201.100.1.2
Trying 201.100.1.2 ... Open
R4-inside1-8.4>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:04
*130 vty 0                idle                 00:00:00 201.100.1.1
  Interface    User               Mode         Idle     Peer Address

12. 8.0 nat (inside) 0 access-list: a special form of NAT called no-NAT or NAT bypass, generally used for VPN, because VPN traffic must not be translated. With nat (inside) 0 access-list (the access list matches the VPN traffic), traffic matched by the access list is not translated.
access-list vpn line 1 extended permit ip host 10.1.1.1 host 201.100.1.1 (hitcnt=0) 0x732d93c0
nat (inside) 0 access-list vpn
nat (inside) 10 10.1.1.0 255.255.255.0
Matched traffic is not translated; unmatched traffic is translated.
R1-inside#show running-config interface eth0/0
Building configuration...

Current configuration : 77 bytes
!
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 half-duplex
end

R1-inside#telnet 201.100.1.1
Trying 201.100.1.1 ... Open
R2-outside>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:04:19
*130 vty 0                idle                 00:00:00 10.1.1.1
  Interface    User               Mode         Idle     Peer Address
R1-inside#show running-config interface ethernet 0/0
Building configuration...

Current configuration : 77 bytes
!
interface Ethernet0/0
 ip address 10.1.1.2 255.255.255.0
 half-duplex
end

R1-inside#telnet 201.100.1.1
Trying 201.100.1.1 ... Open
R2-outside>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:04:49
*130 vty 0                idle                 00:00:00 201.100.1.10
  Interface    User               Mode         Idle     Peer Address
R2-outside>

8.4: to bypass NAT for VPN traffic we use identity NAT, translating the address to itself. In the old version VPN bypass was done with NAT 0; the new version has no concept of NAT 0, and instead uses Twice NAT combined with identity NAT.
8.0
access-list 100 permit ip host 1.1.1.1 host 2.2.2.2
nat (inside) 0 access-list 100

8.4
object network local-vpn-traffic
 host 1.1.1.1
object network remote-vpn-traffic
 host 2.2.2.2
nat (inside,outside) source static local-vpn-traffic local-vpn-traffic destination static remote-vpn-traffic remote-vpn-traffic
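As an added example (not code from the original post), here is a small Python parser for the show xlate output that runs through all of the sections above: it handles both the 8.2 detail format and the 8.4 format, names each entry by its flag letters the way the sections do, and lists the static entries, which are the only translations the outside can initiate to (the dynamic identity entry created by nat 0 in section 7 is excluded, while the static identity entries of sections 7 and 10 are included). The sample lines are copied from the post's output and assembled here as constructed input.

```python
import re

# Added example (not from the original post): parse ASA "show xlate" lines in
# both the 8.2 "detail" format and the 8.4 format, classify each translation
# by its flag letters, and list the static entries, which are the only ones
# the outside can initiate to. Sample lines are copied from the post's output.
SAMPLE = """\
ASA/pri/act# show xlate detail
2 in use, 5 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static
TCP PAT from inside:10.1.1.1/80 to outside:201.100.1.100/23 flags sr
NAT from inside:10.1.1.1 to outside:10.1.1.1 flags iI
TCP PAT from inside:10.1.1.1/43167 to outside(pat1):201.100.1.100/1024 flags ri
NAT from inside:10.1.1.0/24 to outside:201.100.1.0/24 flags s idle 0:03:19 timeout 0:00:00
TCP PAT from outside:201.100.1.1 23-23 to inside:201.100.1.1 80-80 flags srIT idle 0:00:37 timeout 0:00:00
"""

LINE_RE = re.compile(
    r"^(?:(?P<proto>[A-Z]+) )?(?P<kind>NAT|PAT) from "
    r"(?P<rif>\w+):(?P<real>[\d.]+)(?:/(?P<rsuf>\d+)| (?P<rrange>\d+-\d+))? to "
    r"(?P<mif>\w+)(?:\([^)]*\))?:(?P<mapped>[\d.]+)(?:/(?P<msuf>\d+)| (?P<mrange>\d+-\d+))? "
    r"flags (?P<flags>[A-Za-z]+)")

def parse_xlate(text):
    """One dict per translation line; prompts, counters and the flag legend are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def classify(entry):
    """Name the translation type the way the post's sections do."""
    f = entry["flags"]
    kind = "static" if "s" in f else "dynamic"
    if "I" in f:
        kind += " identity"      # address translated to itself
    elif "r" in f:
        kind += " PAT"           # port-level translation
    else:
        kind += " one-to-one"
    return kind + (" (twice NAT)" if "T" in f else "")

def _endpoint(ip, suffix, port_range):
    # 8.4 prints /prefix for networks and /port for PAT; twice NAT prints a port range
    return ip + ("/" + suffix if suffix else (" " + port_range if port_range else ""))

def reachable_from_outside(entries):
    """Static xlates (flag s) accept inbound connections; dynamic ones, including
    the dynamic identity xlate created by nat 0, do not."""
    return [(_endpoint(e["mapped"], e["msuf"], e["mrange"]),
             _endpoint(e["real"], e["rsuf"], e["rrange"]))
            for e in entries if "s" in e["flags"]]
```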