1.Dynamic NAT(动态NAT,动态一对一)

实例一:

传统配置方法:

nat (Inside) 1 10.1.1.0 255.255.255.0

global (Outside) 1 202.100.1.100-202.100.1.200

新配置方法(Network Object NAT)

object network Outside-Nat-Pool

range 202.100.1.100 202.100.1.200

object network Inside-Network

subnet 10.1.1.0 255.255.255.0

object network Inside-Network

nat (Inside,Outside) dynamic Outside-Nat-Pool

实例二:

object network Outside-Nat-Pool

range 202.100.1.100 202.100.1.200

object network Outside-PAT-Address

host 202.100.1.201

object-group network Outside-Address

network-object object Outside-Nat-Pool

network-object object Outside-PAT-Address

object network Inside-Network        //先100-200动态一对一,然后202.100.1.201动态PAT,最后使用接口地址动态PAT)

nat (Inside,Outside) dynamic Outside-Address interface

教主认为这种配置方式的好处是,新的NAT命令绑定了源接口和目的接口,所以不会出现传统配置影响DMZ的问题(当时需要nat0 + acl来旁路)

2.Dynamic PAT (Hide)(动态PAT,动态多对一)

传统配置方式:

nat (Inside) 1 10.1.1.0 255.255.255.0

global(outside) 1 202.100.1.101

新配置方法(Network Object NAT)

object network Inside-Network

subnet 10.1.1.0 255.255.255.0

object network Outside-PAT-Address

host 202.100.1.101

object network Inside-Network

nat (Inside,Outside) dynamic Outside-PAT-Address

or

nat (Inside,Outside) dynamic 202.100.1.102

3.Static NAT or Static NAT with Port Translation(静态一对一转换,静态端口转换)

实例一:(静态一对一转换)

传统配置方式:

static (Inside,outside) 10.1.1.1 202.100.1.101

新配置方法(Network Object NAT)

object network Static-Outside-Address

host 202.100.1.101

object network Static-Inside-Address

host 10.1.1.1

object network Static-Inside-Address

nat (Inside,Outside) static Static-Outside-Address

or

nat (Inside,Outside) static 202.100.1.102

实例二:(静态端口转换)

传统配置方式:

static (inside,outside) tcp 202.100.1.102 2388 10.1.1.1 23

新配置方法(Network Object NAT)

object network Static-Outside-Address

host 202.100.1.101

object network Static-Inside-Address

host 10.1.1.1

object network Static-Inside-Address

nat (Inside,Outside) static Static-Outside-Address service tcp telnet 2388

or

nat (Inside,Outside) static 202.100.1.101 service tcp telnet 2388

4.Identity NAT

传统配置方式:

nat (inside) 0 10.1.1.1 255.255.255.255

新配置方法(Network Object NAT)

object network Inside-Address

host 10.1.1.1

object network Inside-Address

nat (Inside,Outside) static Inside-Address

or

nat (Inside,Outside) static 10.1.1.1

5.Twice NAT(类似于Policy NAT

实例一:

传统配置:

access-list inside-to-1 permit ip 10.1.1.0 255.255.255.0 host 1.1.1.1

access-list inside-to-202 permit ip 10.1.1.0 255.255.255.0 host 202.100.1.1

nat (inside) 1 access-list inside-to-1

nat (inside) 2 access-list inside-to-202

global(outside) 1 202.100.1.101

global(outside) 2 202.100.1.102

新配置方法(Twice NAT):

object network dst-1

host 1.1.1.1

object network dst-202

host 202.100.1.1

object network pat-1

host 202.100.1.101

object network pat-2

host 202.100.1.102

object network Inside-Network

subnet 10.1.1.0 255.255.255.0

nat (Inside,Outside) source dynamic Inside-Network pat-1 destination static dst-1 dst-1

nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202

实例二:

传统配置:

access-list inside-to-1 permit ip 10.1.1.0 255.255.255.0 host 1.1.1.1

access-list inside-to-202 permit ip 10.1.1.0 255.255.255.0 host 202.100.1.1

nat (inside) 1 access-list inside-to-1

nat (inside) 2 access-list inside-to-202

global(outside) 1 202.100.1.101

global(outside) 2 202.100.1.102

static (outside,inside) 10.1.1.101 1.1.1.1

static (outside,inside) 10.1.1.102 202.100.1.1

新配置方法(Twice NAT):

object network dst-1

host 1.1.1.1

object network dst-202

host 202.100.1.1

object network pat-1

host 202.100.1.101

object network pat-2

host 202.100.1.102

object network Inside-Network

subnet 10.1.1.0 255.255.255.0

object network map-dst-1

host 10.1.1.101

object network map-dst-202

host 10.1.1.102

nat (Inside,Outside) source dynamic Inside-Network pat-1 destination static map-dst-1 dst-1

nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static map-dst-202 dst-202

实例三:

传统配置:

access-list inside-to-1 permit tcp 10.1.1.0 255.255.255.0 host 1.1.1.1 eq 23

access-list inside-to-202 permit tcp 10.1.1.0 255.255.255.0 host 202.100.1.1 eq 3032

nat (inside) 1 access-list inside-to-1

nat (inside) 2 access-list inside-to-202

global(outside) 1 202.100.1.101

global(outside) 1 202.100.1.102

新配置方法(Twice NAT):

object network dst-1

host 1.1.1.1

object network dst-202

host 202.100.1.1

object network pat-1

host 202.100.1.101

object network pat-2

host 202.100.1.102

object network Inside-Network

subnet 10.1.1.0 255.255.255.0

object service telnet23

service tcp destination eq telnet

object service telnet3032

service tcp destination eq 3032

nat (Inside,Outside) source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23

nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202 service telnet3032 telnet3032

Main Differences Between Network Object NAT and Twice NAT

Network Object NATTwice NAT的主要区别)

How you define the real address.(从如何定义真实地址的角度来比较)

– Network object NAT—You define NAT as a parameter for a network object; the network object definition itself provides the real address. This method lets you easily add NAT to network objects. The objects can also be used in other parts of your configuration, for example, for access rules or even in twice NAT rules.

– Twice NAT—You identify a network object or network object group for both the real and

mapped addresses. In this case, NAT is not a parameter of the network object; the network object or group is a parameter of the NAT configuration. The ability to use a network object group for the real address means that twice NAT is more scalable.

<为真实和映射后地址定义network object或者network object group。在twice nat中,NAT不是network object的一个参数,network object或者group是NAT配置的一个参数。能够为真实地址使用network object group,也体现了twice nat的可扩展性。 >

How source and destination NAT is implemented.(源和目的nat被运用)

– Network object NAT— Each rule can apply to either the source or destination of a packet. So two rules might be used, one for the source IP address, and one for the destination IP address. These two rules cannot be tied together to enforce a specific translation for a source/destination combination.

<每一个策略只能运用到数据包的源或者目的,如果要转换一个包的源和目的,需要使用两个策略,这两个策略不能绑定到一起来做实现特殊的源和目的的转换。>

– Twice NAT—A single rule translates both the source and destination. A matching packet only matches the one rule, and further rules are not checked. Even if you do not configure the optional destination address for twice NAT, a matching packet still only matches one twice NAT rule. The source and destination are tied together, so you can enforce different translations depending on the source/destination combination. For example, sourceA/destinationA can have a different translation than sourceA/destinationB.

<一个单一策略,既能转换源也能转换目的。一个包只能匹配上一个策略,并且不再做进一步检查了。就算你没有配置twice nat的目的地址选项,一个数据包也只能匹配一个twice nat策略,目的和源被绑定到一起,因此你能够基于不同的源和目的做转换,例如:源A/目的A与源A/目的B转换不同>

We recommend using network object NAT unless you need the extra features that twice NAT provides. Network object NAT is easier to configure, and might be more reliable for applications such as Voice over IP (VoIP).

<我们推荐使用network object NAT,除非你明确需要twice nat所提供的特性。Network object nat非常容易配置,并且对语音等运用更加可靠>

NAT Rule Order排序实例:

192.168.1.1/32 (static)

10.1.1.0/24 (static)

192.168.1.0/24 (static)

172.16.1.0/24 (dynamic) (object abc)

172.16.1.0/24 (dynamic) (object def)

192.168.1.0/24 (dynamic)

查看NAT顺序的命令:

ASA(config)# sh run nat

nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202 service telnet3032 telnet3032

!

object network Inside-Network

nat (Inside,Outside) dynamic 202.100.1.105

!

nat (Inside,Outside) after-auto source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23


ASA(config)# sh nat

Manual NAT Policies (Section 1)

1 (Inside) to (Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202 service telnet3032 telnet3032

translate_hits = 1, untranslate_hits = 0

Auto NAT Policies (Section 2)

1 (Inside) to (Outside) source dynamic Inside-Network 202.100.1.105

translate_hits = 0, untranslate_hits = 0

Manual NAT Policies (Section 3)

1 (Inside) to (Outside) source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23

translate_hits = 0, untranslate_hits = 0

如何调整和插入NAT

nat (Inside,Outside) 1 source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23

Network Object NAT配置介绍的更多相关文章

  1. 分配IP地址的好东西 DHCP以及NAT简单介绍

    主机配置协议DHCP 1.DHCP应用场景 2.DHCP基础原理 3.NAT简单介绍 4.配置命令 1.手工配置IP地址,工作量比较大而且不好管理,如果用户自己修改参数,可能会导致ip地址冲突,这个时 ...

  2. 什么是blob,mysql blob大小配置介绍

    什么是blob,mysql blob大小配置介绍 作者: 字体:[增加 减小] 类型:转载   BLOB (binary large object),二进制大对象,是一个可以存储二进制文件的容器.在计 ...

  3. Window VNC远程控制LINUX:VNC详细配置介绍

    Window VNC远程控制LINUX:VNC详细配置介绍 //---------------------------------------vnc linux下的详细配置 1.VNC的启动/停止/重 ...

  4. 【Ubuntu】NAT配置

    1.简介 2.配置 1.简介 NAT(Network Address Translation,网络地址转换)是将IP 数据包头中的IP 地址转换为另一个IP 地址的过程.在实际应用中,NAT 主要用于 ...

  5. Centos 7.3下 Linux For SQL Server安装及配置介绍

    Centos 7.3下 Linux For SQL Server安装及配置介绍 高文龙关注13人评论2828人阅读2017-03-05 21:46:21 Centos 7.3下Linux For SQ ...

  6. centos LB负载均衡集群 三种模式区别 LVS/NAT 配置 LVS/DR 配置 LVS/DR + keepalived配置 nginx ip_hash 实现长连接 LVS是四层LB 注意down掉网卡的方法 nginx效率没有LVS高 ipvsadm命令集 测试LVS方法 第三十三节课

    centos   LB负载均衡集群 三种模式区别 LVS/NAT 配置  LVS/DR 配置  LVS/DR + keepalived配置  nginx ip_hash 实现长连接  LVS是四层LB ...

  7. [原]Redis详细配置介绍

    Redis详细配置介绍 # redis 配置文件示例 # 当你需要为某个配置项指定内存大小的时候,必须要带上单位, # 通常的格式就是 1k 5gb 4m 等酱紫: # # 1k => 1000 ...

  8. NAT配置与管理

    为解决IPv4地址日益枯竭,出现NAT(Network Address Translation,网络地址转换)技术.NAT可以将来自一个网络的IP数据报报头中的IP地址(可以是源IP地址或目的IP地址 ...

  9. ubuntu /etc/network/interfaces 中配置虚拟链路

    ubuntu /etc/network/interfaces 中配置虚拟链路 平常做一些关于网络的测试时,像一些需要在二层上运行的功能,一个网卡不足够的情况下,可使用 ip link 工具加一些虚拟的 ...

随机推荐

  1. ASP.NET 4的Demo实践:URL路由改进支持

    从.NET框架3.5 SP1开始,微软推出了ASP.NET路由支持,从而实现了特定资源的URL与其对应的Web服务器上的物理文件之间的彻底解耦.借助于ASP.NET路由支持,开发人员可以定义一组路由规 ...

  2. js,正则应用

    //获取URL中的request参数 function getUrlParam(name) { var reg = new RegExp("(^|&)" + name + ...

  3. [反汇编练习] 160个CrackMe之021

    [反汇编练习] 160个CrackMe之021. 本系列文章的目的是从一个没有任何经验的新手的角度(其实就是我自己),一步步尝试将160个CrackMe全部破解,如果可以,通过任何方式写出一个类似于注 ...

  4. UVA 10061 How many zero's and how many digits ? (m进制,阶乘位数,阶乘后缀0)

    题意: 给出两个数字a和b,求a的阶乘转换成b进制后,输出 (1)后缀中有多少个连续的0? (2)数a的b进制表示法中有多少位? 思路:逐个问题解决. 设a!=k.  k暂时不用直接转成b进制. (1 ...

  5. linux 命令行字符终端terminal下强制清空回收站

    回收站其实就是一个文件夹,存放被删掉的文件. ubuntu 回收站的路径: $HOME/.local/share/Trash/ 强制清空回收站: rm -fr $HOME/.local/share/T ...

  6. struts2拦截器配置;拦截器栈;配置默认拦截器;拦截方法的拦截器MethodFilterInterceptor;完成登录验证

    struts2.xml 内容 <?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE struts ...

  7. vim 大小写转化命令

    vim中大小写转化的命令是<blockquote>gu或者gU</blockquote>形象一点的解释就是小u意味着转为小写:大U意味着转为大写. 剩下的就是对这两个命令的限定 ...

  8. php 使用phpmailer 发送邮件(附带中文乱码的解决方法)

    下载phpmailer ,在程序里包含class.phpmailer.php 类  ,这里有中文乱码的解决方法 实例代码如下 <html> <head> <title&g ...

  9. 最全的PHP开发Android应用程序

    第一部分是指在Android系统的手机上直接写PHP脚本代码并立即运行: 第二部分则继续讲解如何把写好的PHP脚本代码打包成akp安装文件. 首先,在手机上安装两个apk包. 一个是SL4A(Scri ...

  10. Linux makefile教程之后序十一[转]

    后序 —— 终 于到写结束语的时候了,以上基本上就是GNU make的Makefile的所有细节了.其它的产商的make基本上也就是这样的,无论什么样的make,都是以文件的依赖性为基础的,其基本是都 ...