
Software Version 7.2(3)
Lab topology:
Requirements:
1. Directly connected initialization: the ASA must be able to ping the directly connected interface of every device
2. Routing
a. In.R2's default route points to the ASA inside interface (192.168.1.10)
b. Dmz.R3's default route points to the ASA DMZ interface (10.1.1.10)
c. Out.R1 must not have any routes configured
3. Enable Telnet on all devices (In.R2, Dmz.R3, Out.R1)
4. Translate the inside network (192.168.1.0) to the outside network
Two translation options:
a. Translate to an address pool, 202.100.1.100 - 202.100.1.200
b. Overload (PAT) the outside interface address
Test method: In.R2 telnets to Out.R1
a. After telnetting to Out.R1, show user shows the translated address
b. show xlate on the ASA shows the translation slot
c. show conn on the ASA shows the connection table entry
d. show local-host on the ASA shows the connection state of each inside host
5. Let inside user 192.168.1.1 ping 202.100.1.1
This can be done in two ways
1. Permit the traffic with an ACL
2. Use inspect icmp
6. Let inside users access the DMZ normally
Test method: In.R2 telnets to Dmz.R3
a. After telnetting to the DMZ, show user shows the host's real (untranslated) address
b. show conn on the ASA shows the connection table entry
c. show local-host on the ASA shows the connection state of each inside host
7. Translate the DMZ server (10.1.1.1) to an outside address (202.100.1.201) and allow any outside user to telnet to that address
Test method: Out.R1 telnets to 202.100.1.201
——————————————————————————————————————————————————————————————————————————————
Configuration steps for each requirement:
1. Initialize the devices in the topology so that the ASA can ping every device's directly connected interface
Commands:
Configure Out.R1
R1.OUT(config)#int e0/0
R1.OUT(config-if)#ip add 202.100.1.1 255.255.255.0
R1.OUT(config-if)#no sh
Configure In.R2
IN.R2(config)#int e0/0
IN.R2(config-if)#ip add 192.168.1.1 255.255.255.0
IN.R2(config-if)#no sh
Configure Dmz.R3
DMZ.R3(config)#int e0/0
DMZ.R3(config-if)#ip add 10.1.1.1 255.255.255.0
DMZ.R3(config-if)#no sh
Configure the ASA
ciscoasa(config)# host ASA
ASA(config)# int e0/0
ASA(config-if)# no sh
ASA(config-if)# int e0/1
ASA(config-if)# no sh
ASA(config-if)# int e0/2
ASA(config-if)# no sh
ASA(config-if)# exit
(e0/2 needs no shutdown as well; the original capture skipped that line, and without it the dmz interface stays down and the ping to 10.1.1.1 below fails.)
ASA(config)# interface Ethernet0/0
ASA(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA(config-if)# security-level 0
ASA(config-if)# ip address 202.100.1.10 255.255.255.0
ASA(config-if)#
ASA(config-if)# interface Ethernet0/1
ASA(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA(config-if)# security-level 100
ASA(config-if)# ip address 192.168.1.10 255.255.255.0
ASA(config-if)#
ASA(config-if)# interface Ethernet0/2
ASA(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
ASA(config-if)# security-level 50
ASA(config-if)# ip address 10.1.1.10 255.255.255.0
Only the name "inside" gets security level 100 automatically; every other nameif defaults to 0, so the dmz must be raised to 50 by hand. The levels drive the default policy used in the rest of the lab: traffic from a higher level to a lower level (inside to dmz, inside to outside, dmz to outside) is allowed without an ACL, traffic in the other direction is denied unless an ACL permits it.
Test direct connectivity from the ASA:
ASA# ping 202.100.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA# ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA#
2. Routing
a. In.R2's default route points to the ASA inside interface (192.168.1.10)
Commands:
IN.R2(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.10
b. Dmz.R3's default route points to the ASA DMZ interface (10.1.1.10)
Commands:
DMZ.R3(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.10
c. Out.R1 gets no routes at all. It only knows its own subnet, 202.100.1.0/24, so any packet from the inside or the DMZ that reaches it must carry a source address in that subnet or the reply has nowhere to go. That is what the translations in steps 4 and 7 provide.
d. The ASA's default route points to 202.100.1.1
Commands:
ASA(config)# route outside 0.0.0.0 0.0.0.0 202.100.1.1
3. Enable Telnet on In.R2, Dmz.R3 and Out.R1
Commands:
IN.R2(config)#line vty 0 15
IN.R2(config-line)#no login
DMZ.R3(config)#line vty 0 15
DMZ.R3(config-line)#no login
R1.OUT(config)#line vty 0 15
R1.OUT(config-line)#no login
no login accepts VTY sessions with no authentication at all. That is tolerable here only because these routers are test targets on an isolated lab network; on real equipment use login local with a configured username (or an AAA method) and restrict the VTYs with an access-class.
4. Translate the inside network (192.168.1.0) to the outside network
a. Translate to an address pool, 202.100.1.100 - 202.100.1.200
Commands:
ASA(config)# nat (inside) 1 192.168.1.0 255.255.255.0
ASA(config)# global (outside) 1 202.100.1.100-202.100.1.200
The nat and global statements are paired by the id (1): hosts matched by nat (inside) 1 are translated to the global (outside) 1 pool when they leave through outside. Because the pool is a plain address range, each inside host takes one pool address for the lifetime of its xlate and keeps its own source port.
Test:
a. After telnetting to Out.R1, show user shows the translated address
Commands:
IN.R2#telnet 202.100.1.1
Trying 202.100.1.1 ... Open
R1.OUT>
R1.OUT>show user
Line User Host(s) Idle Location
0 con 0 idle 00:00:55
* 66 vty 0 idle 00:00:00 202.100.1.100
Interface User Mode Idle Peer Address
b. show xlate on the ASA shows the translation slot
Commands:
ASA(config)# show xlate
1 in use, 7 most used
Global 202.100.1.100 Local 192.168.1.1
c. show conn on the ASA shows the connection table entry
Commands:
ASA(config)# show conn
1 in use, 3 most used
TCP out 202.100.1.1:23 in 192.168.1.1:11029 idle 0:00:06 bytes 66 flags UIO
The conn line shows the real inside address and port; the translation is visible only in show xlate. Flags UIO mean the connection is up (U) and has carried data in both directions (I inbound, O outbound).
d. show local-host on the ASA shows the connection state of each inside host
Commands:
ASA(config)# show local-host
Interface dmz: 0 active, 1 maximum active, 0 denied
Interface inside: 1 active, 1 maximum active, 0 denied
local host: <192.168.1.1>,
TCP flow count/limit = 1/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Xlate:
Global 202.100.1.100 Local 192.168.1.1
Conn:
TCP out 202.100.1.1:23 in 192.168.1.1:11029 idle 0:00:38 bytes 66 flags UIO
Interface outside: 1 active, 1 maximum active, 0 denied
local host: <202.100.1.1>,
TCP flow count/limit = 1/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Conn:
TCP out 202.100.1.1:23 in 192.168.1.1:11029 idle 0:00:38 bytes 66 flags UIO
b. Overload (PAT) the outside interface address
First clear the configuration from step a:
Commands:
ASA(config)# clear configure nat
ASA(config)# clear configure global
ASA(config)# clear xlate
clear xlate matters: an existing slot from the pool would otherwise keep being used for that host until it timed out, and the new PAT rule would not be visible in the test.
Overload the outside interface address, commands:
ASA(config)# nat (inside) 1 192.168.1.0 255.255.255.0
ASA(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
Test:
a. After telnetting to Out.R1, show user shows the translated address
Commands:
IN.R2#telnet 202.100.1.1
Trying 202.100.1.1 ... Open
R1.OUT>show user
Line User Host(s) Idle Location
0 con 0 idle 00:00:06
* 66 vty 0 idle 00:00:00 202.100.1.10 (the translated address: the ASA outside interface)
Interface User Mode Idle Peer Address
R1.OUT>
b. show xlate on the ASA shows the translation slot
Commands:
ASA(config)# show xlate
1 in use, 7 most used
PAT Global 202.100.1.10(1027) Local 192.168.1.1(11031)
Unlike the pool slot in step a, the PAT slot carries ports: the inside source port 11031 is rewritten to 1027 on the shared address, which is how many inside hosts can share a single outside address.
c. show conn on the ASA shows the connection table entry
Commands:
ASA(config)# show conn
1 in use, 3 most used
TCP out 202.100.1.1:23 in 192.168.1.1:11031 idle 0:00:25 bytes 367 flags UIO
d. show local-host on the ASA shows the connection state of each inside host
Commands:
ASA(config)# show local-host
Interface dmz: 0 active, 1 maximum active, 0 denied
Interface inside: 1 active, 1 maximum active, 0 denied
local host: <192.168.1.1>,
TCP flow count/limit = 1/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Xlate:
PAT Global 202.100.1.10(1027) Local 192.168.1.1(11031)
Conn:
TCP out 202.100.1.1:23 in 192.168.1.1:11031 idle 0:00:29 bytes 367 flags UIO
Interface outside: 1 active, 1 maximum active, 0 denied
local host: <202.100.1.1>,
TCP flow count/limit = 1/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Conn:
TCP out 202.100.1.1:23 in 192.168.1.1:11031 idle 0:00:29 bytes 367 flags UIO
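The show xlate lines in step 4 come in two forms, "Global X Local Y" for a one-to-one pool slot and "PAT Global X(port) Local Y(port)" for an overloaded slot, while show conn always prints the real inside address and port. The Python script below is an added example, not part of the original lab: it parses both outputs (the sample text is constructed from the two runs above, combined into one capture) and reports, per flow, the address and port the outside peer would see, which is what the show user check on Out.R1 verifies by hand. The dataclass and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample `show xlate` output in the exact line forms ASA 7.2(3)
# prints: one slot from the 202.100.1.100-200 pool and one interface-PAT slot.
SAMPLE_XLATE = """\
2 in use, 7 most used
Global 202.100.1.100 Local 192.168.1.1
PAT Global 202.100.1.10(1027) Local 192.168.1.1(11031)
"""

# Constructed sample `show conn` output: the two telnet sessions from the lab.
SAMPLE_CONN = """\
2 in use, 3 most used
TCP out 202.100.1.1:23 in 192.168.1.1:11029 idle 0:00:06 bytes 66 flags UIO
TCP out 202.100.1.1:23 in 192.168.1.1:11031 idle 0:00:25 bytes 367 flags UIO
"""

XLATE_RE = re.compile(
    r"^(?P<pat>PAT )?Global (?P<gip>[\d.]+)(?:\((?P<gport>\d+)\))?"
    r" Local (?P<lip>[\d.]+)(?:\((?P<lport>\d+)\))?$"
)
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<oip>[\d.]+):(?P<oport>\d+)"
    r" in (?P<iip>[\d.]+):(?P<iport>\d+) idle (?P<idle>[\d:]+)"
    r" bytes (?P<bytes>\d+) flags (?P<flags>\S+)$"
)


@dataclass(frozen=True)
class Xlate:
    kind: str                   # "NAT": address-only pool slot; "PAT": address+port slot
    global_ip: str
    global_port: Optional[int]  # only set for PAT slots
    local_ip: str
    local_port: Optional[int]   # only set for PAT slots


@dataclass(frozen=True)
class Conn:
    proto: str
    out_ip: str
    out_port: int
    in_ip: str
    in_port: int
    nbytes: int
    flags: str


def parse_xlate(text: str) -> List[Xlate]:
    slots = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue  # header line such as "2 in use, 7 most used"
        slots.append(Xlate(
            kind="PAT" if m.group("pat") else "NAT",
            global_ip=m.group("gip"),
            global_port=int(m.group("gport")) if m.group("gport") else None,
            local_ip=m.group("lip"),
            local_port=int(m.group("lport")) if m.group("lport") else None,
        ))
    return slots


def parse_conn(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        conns.append(Conn(
            proto=m.group("proto"),
            out_ip=m.group("oip"), out_port=int(m.group("oport")),
            in_ip=m.group("iip"), in_port=int(m.group("iport")),
            nbytes=int(m.group("bytes")), flags=m.group("flags"),
        ))
    return conns


def translated_source(conn: Conn, xlates: List[Xlate]) -> Optional[Tuple[str, int]]:
    """Return the (address, port) the outside peer sees for `conn`.

    A PAT slot is keyed on the local address *and* port, so it is matched
    first; a pool NAT slot is keyed on the local address only and leaves the
    source port untouched.  None means no slot covers the flow."""
    for x in xlates:
        if x.kind == "PAT" and x.local_ip == conn.in_ip and x.local_port == conn.in_port:
            return (x.global_ip, x.global_port)
    for x in xlates:
        if x.kind == "NAT" and x.local_ip == conn.in_ip:
            return (x.global_ip, conn.in_port)
    return None


def peer_view(xlate_text: str, conn_text: str) -> dict:
    """Map each flow (inside ip, inside port) to what the outside peer sees."""
    xlates = parse_xlate(xlate_text)
    return {(c.in_ip, c.in_port): translated_source(c, xlates)
            for c in parse_conn(conn_text)}
```

One caveat when using this against a live box: the 7.2 show xlate lines carry no interface names, so feed it only the flows that leave through the interface the global belongs to. For the untranslated inside-to-dmz flows in step 6 there is no slot at all and translated_source returns None, which is the expected result there.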
5. Let inside user 192.168.1.1 ping 202.100.1.1
By default the ASA does not keep state for ICMP: the echo request leaves through outside, but the echo reply arriving on outside matches no connection and is dropped by the interface's implicit deny. Either method below admits the reply.
1. Permit the traffic with an ACL
Commands:
ASA(config)# access-list out permit icmp any any
ASA(config)# access-group out in interface outside
Ping test
IN.R2#ping 202.100.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
IN.R2#
This works, but it admits every ICMP type from any outside source, not only the replies to the inside host's own requests.
2. Use inspect icmp
First clear the ACL from method 1
ASA(config)# clear configure access-list
ASA(config)# clear configure access-group
Configure inspect icmp
Commands:
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# inspect icmp
Ping test
IN.R2#ping 202.100.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
IN.R2#
With inspection enabled the ASA creates a connection entry for each outbound echo request and admits only the matching echo reply; unsolicited ICMP from outside is still denied. This is the method to prefer.
6. Let inside users access the DMZ normally
nat (inside) 1 matches every inside host, and there is no global (dmz) 1, so inside-to-dmz traffic has no translation to use and the ASA drops it. NAT exemption (nat 0 with an access-list) tells the ASA to pass the matched traffic untranslated, so the DMZ sees the real 192.168.1.x addresses.
a. After telnetting to the DMZ, show user shows the host's real address (NAT 0)
Commands:
ASA(config)# access-list nonat permit ip 192.168.1.0 255.255.255.0 host 10.1.1$
ASA(config)# nat (inside) 0 access-list nonat
(The first line is cut off at the terminal margin in the capture, marked by the trailing $.)
IN.R2#telnet 10.1.1.1
Trying 10.1.1.1 ... Open
DMZ.R3>show user
Line User Host(s) Idle Location
0 con 0 idle 00:00:42
* 66 vty 0 idle 00:00:00 192.168.1.1 (In.R2's real address)
Interface User Mode Idle Peer Address
DMZ.R3>
b. show conn on the ASA shows the connection table entry
Commands:
ASA(config)# show conn
1 in use, 10 most used
TCP out 10.1.1.1:23 in 192.168.1.1:11034 idle 0:00:25 bytes 373 flags UIO
c. show local-host on the ASA shows the connection state of each inside host
Commands:
ASA(config)# show local-host
Interface dmz: 1 active, 1 maximum active, 0 denied
local host: <10.1.1.1>,
TCP flow count/limit = 1/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Conn:
TCP out 10.1.1.1:23 in 192.168.1.1:11034 idle 0:00:28 bytes 373 flags UIO
Interface inside: 1 active, 1 maximum active, 0 denied
local host: <192.168.1.1>,
TCP flow count/limit = 1/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Conn:
TCP out 10.1.1.1:23 in 192.168.1.1:11034 idle 0:00:28 bytes 373 flags UIO
Interface outside: 0 active, 1 maximum active, 0 denied
ASA(config)#
Note that there is no Xlate: section under 192.168.1.1 this time: exempted traffic creates a connection but no translation slot.
7. Translate the DMZ server (10.1.1.1) to an outside address (202.100.1.201) and allow any outside user to telnet to that address
Commands:
ASA(config)# static (dmz,outside) 202.100.1.201 10.1.1.1
ASA(config)# access-list out permit tcp any host 202.100.1.201 eq telnet
ASA(config)# access-group out in interface outside
The static creates a permanent, bidirectional translation, but the ACL is still needed: outside (level 0) to dmz (level 50) is denied by default. In a pre-8.3 configuration an ACL applied on outside matches the translated (global) address, 202.100.1.201, not the real 10.1.1.1. Only TCP/23 is opened; everything else sent to 202.100.1.201 is still dropped. Because the ACL from step 5 was cleared, this is the only ACL on outside now, and the ping from step 5 keeps working through inspect icmp.
Test method: Out.R1 telnets to 202.100.1.201
R1.OUT#telnet 202.100.1.201
Trying 202.100.1.201 ... Open
DMZ.R3>show user
Line User Host(s) Idle Location
0 con 0 idle 00:00:04
* 66 vty 0 idle 00:00:00 202.100.1.1
DMZ.R3 sees Out.R1's real address, 202.100.1.1: the static rewrites only the destination on the way in and the source on the way out.
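Steps 4 to 7 rely on three pre-8.3 couplings that are easy to get wrong: every nat id needs a global on each interface the traffic leaves through (or a nat 0 exemption on that source interface, as in step 6), a static is only reachable if the ACL applied inbound on the mapped interface permits the mapped address, and "permit ... any any" entries such as the one from step 5 open more than the requirement asks for. The Python checker below is an added example rather than anything from the original lab. It parses a constructed running-config built from the commands on this page (the ASA stores ACEs with the "extended" keyword even when it was not typed) and reports those three conditions; a second constructed config shows the failing cases. The regex patterns, the Ace dataclass and the lint function are my own names, and only the command syntax shown in this lab is handled.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the pre-8.3 NAT and filtering lines of this lab as the
# ASA stores them in the running-config.
LAB_CONFIG = """\
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
static (dmz,outside) 202.100.1.201 10.1.1.1
access-list out extended permit icmp any any
access-list out extended permit tcp any host 202.100.1.201 eq telnet
access-group out in interface outside
"""

# Constructed counter-example: the nat id has no global anywhere and no
# exemption, and the only ACE on outside permits a different mapped address.
BROKEN_CONFIG = """\
nat (inside) 1 192.168.1.0 255.255.255.0
static (dmz,outside) 202.100.1.201 10.1.1.1
access-list out extended permit tcp any host 202.100.1.202 eq telnet
access-group out in interface outside
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)")


@dataclass(frozen=True)
class Ace:
    acl: str
    action: str
    proto: str
    src: str            # "any", "host <ip>" or "<network> <mask>"
    dst: str
    port: Optional[str]


def _take_addr(tok: List[str], i: int) -> Tuple[str, int]:
    """Consume one ACE address spec starting at tok[i]; return (spec, next index)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return f"host {tok[i + 1]}", i + 2
    return f"{tok[i]} {tok[i + 1]}", i + 2


def _covers(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    head, rest = spec.split(" ", 1)
    if head == "host":
        return rest == ip
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{head}/{rest}", strict=False)


def parse_ace(line: str) -> Optional[Ace]:
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list":
        return None
    i = 3 if tok[2] == "extended" else 2
    action, proto = tok[i], tok[i + 1]
    if action not in ("permit", "deny"):
        return None  # remarks and other non-ACE lines
    src, i = _take_addr(tok, i + 2)
    dst, i = _take_addr(tok, i)
    port = tok[i + 1] if i + 1 < len(tok) and tok[i] == "eq" else None
    return Ace(tok[1], action, proto, src, dst, port)


def lint(config: str) -> List[str]:
    nats, globals_, statics, aces, groups = [], [], [], [], {}
    for line in config.splitlines():
        line = line.strip()
        if m := NAT_RE.match(line):
            nats.append((m.group(1), int(m.group(2))))
        elif m := GLOBAL_RE.match(line):
            globals_.append((m.group(1), int(m.group(2))))
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())
        elif m := GROUP_RE.match(line):
            groups[(m.group(3), m.group(2))] = m.group(1)  # (interface, direction) -> ACL
        elif ace := parse_ace(line):
            aces.append(ace)

    findings = []
    interfaces = ({i for i, _ in nats} | {i for i, _ in globals_}
                  | {i for s in statics for i in s[:2]} | {i for i, _ in groups})
    exempt = {ifc for ifc, nid in nats if nid == 0}  # nat 0 = exemption, needs no global
    for ifc, nid in nats:
        if nid == 0:
            continue
        have = {gifc for gifc, gid in globals_ if gid == nid}
        missing = sorted(interfaces - have - {ifc})
        if missing and ifc not in exempt:
            findings.append(f"nat ({ifc}) {nid}: no global on {', '.join(missing)}; "
                            "flows to those interfaces are dropped (no translation group)")
    for real_ifc, mapped_ifc, gip, rip in statics:
        acl = groups.get((mapped_ifc, "in"))
        if not any(a.acl == acl and a.action == "permit" and _covers(a.dst, gip) for a in aces):
            findings.append(f"static {gip} -> {rip}: no ACE on {mapped_ifc} inbound permits {gip}")
    for a in aces:
        if a.action == "permit" and a.src == "any" and a.dst == "any":
            findings.append(f"access-list {a.acl}: permit {a.proto} any any is broader than needed")
    return findings
```

Run lint over the output of show running-config on the lab box. For LAB_CONFIG the only finding is the broad "permit icmp any any" from step 5 method 1; the missing global on dmz is suppressed because nat (inside) 0 exists, which is exactly the step 6 fix. The checker does not verify that the nat 0 access-list actually covers the dmz subnet, so a wrong nonat ACL still has to be found by the telnet test.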
