设为首页收藏本站
开启辅助访问

NAT+ACL+ASA 实验全网互通

 您所在的位置:网站首页 acllc码 NAT+ACL+ASA 实验全网互通

NAT+ACL+ASA 实验全网互通

2024-01-20 13:59| 来源: 网络整理| 查看: 265

NAT+ACL+ASA 实验全网互通

一概述:

1,地址转换:

动态NAT:多对多的映射(将一组ip地址转换为指定地址池中的ip地址

动态PAT:一对多的映射(地址转换与接口转换)

静态NAT:一对一的固定ip转换(可用于双向通信)

静态PAT:一对一的端口号转换(与静态NAT类似)

静态PAT语法:{static (dmz,outside) tcp(udp) 外部全局地址 接口(http,smtp等) 内部本地地址 本地端口 netmask}

2,启用NAT控制:

总结:在启用NAT控制时,NAT规则是必需的

     在禁用NAT控制时,NAT规则是并不是必需的

3,NAT豁免:

NAT豁免的应用背景

当启用NAT控制时,每个发起的连接都需要一个相应的NAT规则

在某些应用场合(例如配置×××)需要绕过NAT规则

NAT豁免允许双向通信

NAT豁免的配置步骤

定义一个ACL,用于指定需要绕过NAT规则的流量

配置NAT命令

asa(config)# nat (interface_name) 0  access-list  acl_name

二,实验拓扑图:

NAT+ACL+ASA 实验全网互通_NAT ASA ACL

要求:

1,R1、R2、R3使用acl+NAT豁免ping通FTP

2,R1、R2、R3使用acl+动态NAT转换成公网ping通internet

3,internet与FTP服务器之间acl+静态NAT能互通

4,C1能远程ASA防火墙

三,步骤:

1,各个设备配ip

PC机配置:

NAT+ACL+ASA 实验全网互通_NAT ASA ACL_02

NAT+ACL+ASA 实验全网互通_NAT ASA ACL_03

R1配置:

R1#conf t

R1(config)#int f1/1

R1(config-if)#no switchport

R1(config-if)#ip add 192.168.10.1 255.255.255.0

R1(config-if)#no shut

R1(config-if)#int f1/2

R1(config-if)#no switchport

R1(config-if)#ip add 192.168.20.1 255.255.255.0

R1(config-if)#no shut

R1(config-if)#int f1/3

R1(config-if)#no switchport

R1(config-if)#ip add 192.168.30.1 255.255.255.0

R1(config-if)#no shut

R1(config-if)#int f0/0

R1(config-if)#ip add 172.16.1.1 255.255.255.252

R1(config-if)#no shut

R1(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.2

ciscoasa配置:

ciscoasa# conf t

ciscoasa(config)# int e0/0

ciscoasa(config-if)# nameif inside

ciscoasa(config-if)# ip add 172.16.1.2 255.255.255.252

ciscoasa(config-if)# no shut

ciscoasa(config-if)# int e0/1

ciscoasa(config-if)# nameif outside

ciscoasa(config-if)# ip add 202.106.1.1 255.255.255.252

ciscoasa(config-if)# no shut

ciscoasa(config-if)# int e0/2

ciscoasa(config-if)# nameif dmz

ciscoasa(config-if)# security-level 50

ciscoasa(config-if)# ip add 172.16.2.1 255.255.255.252

ciscoasa(config-if)# no shut

Internet配置:

Internet(config)#int f0/0

Internet(config-if)#ip add 202.106.1.2 255.255.255.252

Internet(config-if)#no shut

FTP配置:

FTP#conf t

FTP(config)#int f0/0

FTP(config-if)#ip add 172.16.2.2 255.255.255.252

FTP(config-if)#no shut

FTP(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.1

2,acl+NAT豁免配置:

ciscoasa配置:

ciscoasa(config)# nat-control

ciscoasa(config)# nat (inside) 1 0 0 //为Inside区域内的所有网段拿地址,进行地址转换

ciscoasa(config)# global (dmz) 1 202.106.2.1-202.106.2.100 netmask 255.255.255.0//为dmz区域定义全局地址池

ciscoasa(config)# access-list nonat extended permit ip any 172.16.2.0 255.255.255.252//允许公司内部(192.168.0.0/24)访问FTP服务器(172.16.2.0/30)

ciscoasa(config)# nat (inside) 0 access-list nonat //公司内部(192.168.0.0/24)访问FTP服务器(172.16.2.0/30)不进行NAT转换,也叫NAT豁免

ciscoasa(config)# access-list 10 extended permit icmp any any

ciscoasa(config)# access-group 10 in interface dmz

ciscoasa(config)# route inside 0 0 172.16.1.1//从inside口路由到任何地

FTP配置:

FTP(config)#ip route 202.106.2.0 255.255.255.0 172.16.2.1

验证:

NAT+ACL+ASA 实验全网互通_NAT ASA ACL_04

FTP#

*Mar  1 01:58:47.223: ICMP: echo reply sent, src 172.16.2.2, dst 192.168.20.10

*Mar  1 01:58:48.279: ICMP: echo reply sent, src 172.16.2.2, dst 192.168.20.10

NAT+ACL+ASA 实验全网互通_NAT ASA ACL_05

FTP#

*Mar  1 01:58:13.219: ICMP: echo reply sent, src 172.16.2.2, dst 192.168.30.10

*Mar  1 01:58:14.275: ICMP: echo reply sent, src 172.16.2.2, dst 192.168.30.10

NAT+ACL+ASA 实验全网互通_NAT ASA ACL_06

FTP#

*Mar  1 02:00:50.139: ICMP: echo reply sent, src 172.16.2.2, dst 192.168.10.10

*Mar  1 02:00:51.139: ICMP: echo reply sent, src 172.16.2.2, dst 192.168.10.10

(acl+NAT豁免完成)

3,acl+动态NAT转换成公网配置:

ciscoasa配置:

ciscoasa(config)# global (outside) 1 202.106.3.1-202.106.3.100 netmask 255.255.255.0

ciscoasa(config)# access-group 10 in interface outside

Internet配置:

Internet(config)#ip route 202.106.3.0 255.255.255.0 202.106.1.1

验证:

NAT+ACL+ASA 实验全网互通_NAT ASA ACL_07

Internet#

*Mar  1 00:31:53.055: ICMP: echo reply sent, src 202.106.1.2, dst 202.106.3.1

*Mar  1 00:31:54.091: ICMP: echo reply sent, src 202.106.1.2, dst 202.106.3.1

NAT+ACL+ASA 实验全网互通_NAT ASA ACL_08

Internet#

*Mar  1 00:32:56.379: ICMP: echo reply sent, src 202.106.1.2, dst 202.106.3.2

*Mar  1 00:32:57.427: ICMP: echo reply sent, src 202.106.1.2, dst 202.106.3.2

NAT+ACL+ASA 实验全网互通_NAT ASA ACL_09

Internet#

*Mar  1 00:33:57.091: ICMP: echo reply sent, src 202.106.1.2, dst 202.106.3.3

*Mar  1 00:33:58.095: ICMP: echo reply sent, src 202.106.1.2, dst 202.106.3.3

(acl+动态NAT转换成公网完成)

4,internet与FTP服务器之间acl+静态NAT配置:

ciscoasa配置:

ciscoasa(config)# static (dmz,outside) 202.106.3.10 172.16.2.2 //FTP服务器172.16.2.2地址转换成公网地址202.106.3.10

验证:

FTP#ping 202.106.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 202.106.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/40/72 ms

Internet(config)#

*Mar  1 01:41:16.823: ICMP: echo reply sent, src 202.106.1.2, dst 202.106.3.10

*Mar  1 01:41:16.879: ICMP: echo reply sent, src 202.106.1.2, dst 202.106.3.10

*Mar  1 01:41:16.907: ICMP: echo reply sent, src 202.106.1.2, dst 202.106.3.10

*Mar  1 01:41:16.927: ICMP: echo reply sent, src 202.106.1.2, dst 202.106.3.10

*Mar  1 01:41:16.947: ICMP: echo reply sent, src 202.106.1.2, dst 202.106.3.10

Internet#ping 202.106.2.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 202.106.2.10, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/41/84 ms

FTP#

*Mar  1 01:41:50.951: ICMP: echo reply sent, src 172.16.2.2, dst 202.106.1.2

*Mar  1 01:41:51.039: ICMP: echo reply sent, src 172.16.2.2, dst 202.106.1.2

*Mar  1 01:41:51.083: ICMP: echo reply sent, src 172.16.2.2, dst 202.106.1.2

*Mar  1 01:41:51.111: ICMP: echo reply sent, src 172.16.2.2, dst 202.106.1.2

*Mar  1 01:41:51.131: ICMP: echo reply sent, src 172.16.2.2, dst 202.106.1.2

(internet与FTP服务器之间acl+静态NAT能互通)

5,ssh远程ASA防火墙配置:

ciscoasa配置:

ciscoasa(config)# hostname ASA //更改名字

ASA(config)# enable password abc//用户模式进入特权模式的密码

ASA(config)# domain-name benet.com//更改密码

ASA(config)# crypto key generate rsa modulus 1024//根据防火墙名字与域名生成RSA密钥对

ASA(config)# username asa802 password abc123 privilege 15//更改用户名与密码,用户名默认为pix,并设置优先级为15

ASA(config)# aaa authentication ssh console LOCAL//控制端认证ssh远程服务

ASA(config)# ssh 192.168.10.0 255.255.255.0 inside//内网允许远程的主机

ASA(config)# ssh 0 0 outside //允许所有到外网

ASA(config)#  ssh timeout 30//空闲超时时间

ASA(config)# ssh version 2//ssh支持的版本

验证:

NAT+ACL+ASA 实验全网互通_NAT ASA ACL_10

(C1使用ssh远程ASA防火墙)

ASA(config)# show xlate detail //查看xlate表,能看见NAT转换条目

7 in use, 7 most used

Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,

      r - portmap, s - static

NAT from dmz:172.16.2.2 to outside:202.106.3.10 flags s

NAT from inside:192.168.10.10 to outside:202.106.3.3 flags i

NAT from inside:192.168.10.10 to dmz:202.106.2.3 flags i

NAT from inside:192.168.30.10 to outside:202.106.3.2 flags i

NAT from inside:192.168.30.10 to dmz:202.106.2.1 flags i

NAT from inside:192.168.20.10 to outside:202.106.3.1 flags i

NAT from inside:192.168.20.10 to dmz:202.106.2.2 flags i



【本文地址】


今日新闻

推荐新闻

CopyRight 2018-2019 办公设备维修网 版权所有 豫ICP备15022753号-3