ASA防火墙DynamicNAT配置-创新互联
说明:
OUTSIDE模拟外网:e/0接口IP:200.200.200.200/24,lo0:8.8.8.8/32,lo10:114.114.114.114/32
INSIDE模拟内网:vlan 10:10.10.10.1/24,vlan 20:10.10.20.1/24,vlan 30:10.10.30.1/24;默认路由指向ASA防火墙-10.10.10.2。
ASA防火墙默认路由指向OUTSIDE-200.200.200.200,10.0.0.0/8下一跳指向INSIDE-10.10.10.1。
需求:INSIDE-10.10.10.0/24需要访问外网(8.8.8.8)
方法一:动态NAT
1.新建network object
2.在object下做NAT(使用外网接口地址做转换)
object network INSIDE-10.10.10.0
subnet 10.10.10.0 255.255.255.0
nat (inside,outside) dynamic interface
exit
access-list OUT-TO-INSIDE extended permit ip any 10.10.10.0 255.255.255.0 //模拟器需要作此策略,真实设备不需要
access-group OUT-TO-INSIDE in interface outside //模拟器需要作此策略,真实设备不需要
测试
INSIDE#ping 8.8.8.8 source vlan 10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
查看ASA防火墙的NAT转换:
ASA(config)# show xlate
1 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
ICMP PAT from inside:10.10.10.1/22 to outside:200.200.200.1/22 flags ri idle 0:00:01 timeout 0:00:30
方法二:动态NAT
1.新建network object
2.在object下做NAT(使用单独的外网IP做转换)
object network INSIDE-10.10.10.0
subnet 10.10.10.0 255.255.255.0
nat (inside,outside) dynamic 200.200.200.10
exit
access-list OUT-TO-INSIDE extended permit ip any 10.10.10.0 255.255.255.0 //模拟器需要作此策略,真实设备不需要
access-group OUT-TO-INSIDE in interface outside //模拟器需要作此策略,真实设备不需要
测试:
INSIDE#ping 8.8.8.8 source vlan 10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/7 ms
ASA# show xlate
1 in use, 4 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
ICMP PAT from inside:10.10.10.1/27 to outside:200.200.200.10/27 flags ri idle 0:00:00 timeout 0:00:30
另外有需要云服务器可以了解下创新互联scvps.cn,海内外云服务器15元起步,三天无理由+7*72小时售后在线,公司持有idc许可证,提供“云服务器、裸金属服务器、高防服务器、香港服务器、美国服务器、虚拟主机、免备案服务器”等云主机租用服务以及企业上云的综合解决方案,具有“安全稳定、简单易用、服务可用性高、性价比高”等特点与优势,专为企业上云打造定制,能够满足用户丰富、多元化的应用场景需求。
分享标题:ASA防火墙DynamicNAT配置-创新互联
当前链接:http://cdiso.cn/article/igsss.html