1.Dynamic NAT(动态NAT,动态一对一)

实例一:

传统配置方法:

nat (Inside) 1 10.1.1.0 255.255.255.0

global (Outside) 1 202.100.1.100-202.100.1.200

新配置方法(Network Object NAT)

object network Outside-Nat-Pool

range 202.100.1.100 202.100.1.200

object network Inside-Network

subnet 10.1.1.0 255.255.255.0

object network Inside-Network

nat (Inside,Outside) dynamic Outside-Nat-Pool

实例二:

object network Outside-Nat-Pool

range 202.100.1.100 202.100.1.200

object network Outside-PAT-Address

host 202.100.1.201

object-group network Outside-Address

network-object object Outside-Nat-Pool

network-object object Outside-PAT-Address

object network Inside-Network        //先100-200动态一对一,然后202.100.1.201动态PAT,最后使用接口地址动态PAT)

nat (Inside,Outside) dynamic Outside-Address interface

教主认为这种配置方式的好处是,新的NAT命令绑定了源接口和目的接口,所以不会出现传统配置影响DMZ的问题(当时需要nat0 + acl来旁路)

2.Dynamic PAT (Hide)(动态PAT,动态多对一)

传统配置方式:

nat (Inside) 1 10.1.1.0 255.255.255.0

global(outside) 1 202.100.1.101

新配置方法(Network Object NAT)

object network Inside-Network

subnet 10.1.1.0 255.255.255.0

object network Outside-PAT-Address

host 202.100.1.101

object network Inside-Network

nat (Inside,Outside) dynamic Outside-PAT-Address

or

nat (Inside,Outside) dynamic 202.100.1.102

3.Static NAT or Static NAT with Port Translation(静态一对一转换,静态端口转换)

实例一:(静态一对一转换)

传统配置方式:

static (Inside,outside) 10.1.1.1 202.100.1.101

新配置方法(Network Object NAT)

object network Static-Outside-Address

host 202.100.1.101

object network Static-Inside-Address

host 10.1.1.1

object network Static-Inside-Address

nat (Inside,Outside) static Static-Outside-Address

or

nat (Inside,Outside) static 202.100.1.102

实例二:(静态端口转换)

传统配置方式:

static (inside,outside) tcp 202.100.1.102 2388 10.1.1.1 23

新配置方法(Network Object NAT)

object network Static-Outside-Address

host 202.100.1.101

object network Static-Inside-Address

host 10.1.1.1

object network Static-Inside-Address

nat (Inside,Outside) static Static-Outside-Address service tcp telnet 2388

or

nat (Inside,Outside) static 202.100.1.101 service tcp telnet 2388

4.Identity NAT

传统配置方式:

nat (inside) 0 10.1.1.1 255.255.255.255

新配置方法(Network Object NAT)

object network Inside-Address

host 10.1.1.1

object network Inside-Address

nat (Inside,Outside) static Inside-Address

or

nat (Inside,Outside) static 10.1.1.1

5.Twice NAT(类似于Policy NAT

实例一:

传统配置:

access-list inside-to-1 permit ip 10.1.1.0 255.255.255.0 host 1.1.1.1

access-list inside-to-202 permit ip 10.1.1.0 255.255.255.0 host 202.100.1.1

nat (inside) 1 access-list inside-to-1

nat (inside) 2 access-list inside-to-202

global(outside) 1 202.100.1.101

global(outside) 2 202.100.1.102

新配置方法(Twice NAT):

object network dst-1

host 1.1.1.1

object network dst-202

host 202.100.1.1

object network pat-1

host 202.100.1.101

object network pat-2

host 202.100.1.102

object network Inside-Network

subnet 10.1.1.0 255.255.255.0

nat (Inside,Outside) source dynamic Inside-Network pat-1 destination static dst-1 dst-1

nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202

实例二:

传统配置:

access-list inside-to-1 permit ip 10.1.1.0 255.255.255.0 host 1.1.1.1

access-list inside-to-202 permit ip 10.1.1.0 255.255.255.0 host 202.100.1.1

nat (inside) 1 access-list inside-to-1

nat (inside) 2 access-list inside-to-202

global(outside) 1 202.100.1.101

global(outside) 2 202.100.1.102

static (outside,inside) 10.1.1.101 1.1.1.1

static (outside,inside) 10.1.1.102 202.100.1.1

新配置方法(Twice NAT):

object network dst-1

host 1.1.1.1

object network dst-202

host 202.100.1.1

object network pat-1

host 202.100.1.101

object network pat-2

host 202.100.1.102

object network Inside-Network

subnet 10.1.1.0 255.255.255.0

object network map-dst-1

host 10.1.1.101

object network map-dst-202

host 10.1.1.102

nat (Inside,Outside) source dynamic Inside-Network pat-1 destination static map-dst-1 dst-1

nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static map-dst-202 dst-202

实例三:

传统配置:

access-list inside-to-1 permit tcp 10.1.1.0 255.255.255.0 host 1.1.1.1 eq 23

access-list inside-to-202 permit tcp 10.1.1.0 255.255.255.0 host 202.100.1.1 eq 3032

nat (inside) 1 access-list inside-to-1

nat (inside) 2 access-list inside-to-202

global(outside) 1 202.100.1.101

global(outside) 1 202.100.1.102

新配置方法(Twice NAT):

object network dst-1

host 1.1.1.1

object network dst-202

host 202.100.1.1

object network pat-1

host 202.100.1.101

object network pat-2

host 202.100.1.102

object network Inside-Network

subnet 10.1.1.0 255.255.255.0

object service telnet23

service tcp destination eq telnet

object service telnet3032

service tcp destination eq 3032

nat (Inside,Outside) source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23

nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202 service telnet3032 telnet3032

Main Differences Between Network Object NAT and Twice NAT

Network Object NATTwice NAT的主要区别)

How you define the real address.(从如何定义真实地址的角度来比较)

– Network object NAT—You define NAT as a parameter for a network object; the network object definition itself provides the real address. This method lets you easily add NAT to network objects. The objects can also be used in other parts of your configuration, for example, for access rules or even in twice NAT rules.

– Twice NAT—You identify a network object or network object group for both the real and

mapped addresses. In this case, NAT is not a parameter of the network object; the network object or group is a parameter of the NAT configuration. The ability to use a network object group for the real address means that twice NAT is more scalable.

<为真实和映射后地址定义network object或者network object group。在twice nat中,NAT不是network object的一个参数,network object或者group是NAT配置的一个参数。能够为真实地址使用network object group,也体现了twice nat的可扩展性。 >

How source and destination NAT is implemented.(源和目的nat被运用)

– Network object NAT— Each rule can apply to either the source or destination of a packet. So two rules might be used, one for the source IP address, and one for the destination IP address. These two rules cannot be tied together to enforce a specific translation for a source/destination combination.

<每一个策略只能运用到数据包的源或者目的,如果要转换一个包的源和目的,需要使用两个策略,这两个策略不能绑定到一起来做实现特殊的源和目的的转换。>

– Twice NAT—A single rule translates both the source and destination. A matching packet only matches the one rule, and further rules are not checked. Even if you do not configure the optional destination address for twice NAT, a matching packet still only matches one twice NAT rule. The source and destination are tied together, so you can enforce different translations depending on the source/destination combination. For example, sourceA/destinationA can have a different translation than sourceA/destinationB.

<一个单一策略,既能转换源也能转换目的。一个包只能匹配上一个策略,并且不再做进一步检查了。就算你没有配置twice nat的目的地址选项,一个数据包也只能匹配一个twice nat策略,目的和源被绑定到一起,因此你能够基于不同的源和目的做转换,例如:源A/目的A与源A/目的B转换不同>

We recommend using network object NAT unless you need the extra features that twice NAT provides. Network object NAT is easier to configure, and might be more reliable for applications such as Voice over IP (VoIP).

<我们推荐使用network object NAT,除非你明确需要twice nat所提供的特性。Network object nat非常容易配置,并且对语音等运用更加可靠>

NAT Rule Order排序实例:

192.168.1.1/32 (static)

10.1.1.0/24 (static)

192.168.1.0/24 (static)

172.16.1.0/24 (dynamic) (object abc)

172.16.1.0/24 (dynamic) (object def)

192.168.1.0/24 (dynamic)

查看NAT顺序的命令:

ASA(config)# sh run nat

nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202 service telnet3032 telnet3032

!

object network Inside-Network

nat (Inside,Outside) dynamic 202.100.1.105

!

nat (Inside,Outside) after-auto source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23


ASA(config)# sh nat

Manual NAT Policies (Section 1)

1 (Inside) to (Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202 service telnet3032 telnet3032

translate_hits = 1, untranslate_hits = 0

Auto NAT Policies (Section 2)

1 (Inside) to (Outside) source dynamic Inside-Network 202.100.1.105

translate_hits = 0, untranslate_hits = 0

Manual NAT Policies (Section 3)

1 (Inside) to (Outside) source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23

translate_hits = 0, untranslate_hits = 0

如何调整和插入NAT

nat (Inside,Outside) 1 source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23

Network Object NAT配置介绍的更多相关文章

  1. 分配IP地址的好东西 DHCP以及NAT简单介绍

    主机配置协议DHCP 1.DHCP应用场景 2.DHCP基础原理 3.NAT简单介绍 4.配置命令 1.手工配置IP地址,工作量比较大而且不好管理,如果用户自己修改参数,可能会导致ip地址冲突,这个时 ...

  2. 什么是blob,mysql blob大小配置介绍

    什么是blob,mysql blob大小配置介绍 作者: 字体:[增加 减小] 类型:转载   BLOB (binary large object),二进制大对象,是一个可以存储二进制文件的容器.在计 ...

  3. Window VNC远程控制LINUX:VNC详细配置介绍

    Window VNC远程控制LINUX:VNC详细配置介绍 //---------------------------------------vnc linux下的详细配置 1.VNC的启动/停止/重 ...

  4. 【Ubuntu】NAT配置

    1.简介 2.配置 1.简介 NAT(Network Address Translation,网络地址转换)是将IP 数据包头中的IP 地址转换为另一个IP 地址的过程.在实际应用中,NAT 主要用于 ...

  5. Centos 7.3下 Linux For SQL Server安装及配置介绍

    Centos 7.3下 Linux For SQL Server安装及配置介绍 高文龙关注13人评论2828人阅读2017-03-05 21:46:21 Centos 7.3下Linux For SQ ...

  6. centos LB负载均衡集群 三种模式区别 LVS/NAT 配置 LVS/DR 配置 LVS/DR + keepalived配置 nginx ip_hash 实现长连接 LVS是四层LB 注意down掉网卡的方法 nginx效率没有LVS高 ipvsadm命令集 测试LVS方法 第三十三节课

    centos   LB负载均衡集群 三种模式区别 LVS/NAT 配置  LVS/DR 配置  LVS/DR + keepalived配置  nginx ip_hash 实现长连接  LVS是四层LB ...

  7. [原]Redis详细配置介绍

    Redis详细配置介绍 # redis 配置文件示例 # 当你需要为某个配置项指定内存大小的时候,必须要带上单位, # 通常的格式就是 1k 5gb 4m 等酱紫: # # 1k => 1000 ...

  8. NAT配置与管理

    为解决IPv4地址日益枯竭,出现NAT(Network Address Translation,网络地址转换)技术.NAT可以将来自一个网络的IP数据报报头中的IP地址(可以是源IP地址或目的IP地址 ...

  9. ubuntu /etc/network/interfaces 中配置虚拟链路

    ubuntu /etc/network/interfaces 中配置虚拟链路 平常做一些关于网络的测试时,像一些需要在二层上运行的功能,一个网卡不足够的情况下,可使用 ip link 工具加一些虚拟的 ...

随机推荐

  1. poj 1159 (DP LCS)

    滚动数组 + LCS // File Name: 1159.cpp // Author: Missa_Chen // Created Time: 2013年07月08日 星期一 10时07分13秒 # ...

  2. XManager介绍、安装、使用

    简介 Xmanager是一款小巧.便捷的浏览远端X窗口系统的工具.在工作中经常使用Xmanager来登录远端的Linux系统,在X窗口系统上作图形化的操作.Xmanager可以将PC变成X Windo ...

  3. Asp.Net生命周期系列四

    上回我们说的当一个Http请求来到HttpModule这里的时候,Asp.Net内部并未对这个Http请求做出任何的处理,我们可以对这个Http请求添加一些我们需要的信息,以方便我们控制这个Http请 ...

  4. Swift 2.0 : 'enumerate' is unavailable: call the 'enumerate()' method on the sequence

    Swift 2.0 : 'enumerate' is unavailable: call the 'enumerate()' method on the sequence 如下代码: for (ind ...

  5. QCon 2015 阅读笔记 - 其他精选主题

    QCon 2015阅读笔记 QCon 2015 阅读笔记 - 移动开发最佳实践 QCon 2015 阅读笔记 - 团队建设 QCon 2015 阅读笔记 - 其他精选主题 以前分享过两个主题:移动开发 ...

  6. python numpy array 的一些问题

    1 将list转换成array 如果list的嵌套数组是不规整的,如 a = [[1,2], [3,4,5]] 则a = numpy.array(a)之后 a的type是ndarray,但是a中得元素 ...

  7. 剑指offer—算法之位运算(二进制中1的个数)

    位运算: 左移:m<<n将m左移n位,左移后低位补充0: 右移:m>>n将m右移n位,右移后高位补充的是符号位,负数补充1,整数补充0.(正数的边界值为(1,ox7FFFFFF ...

  8. 【原创】搭建Nginx(负载均衡)+Redis(Session共享)+Tomcat集群

    为什么移除首页?哪里不符合要求?倒是回我邮件啊! 一.环境搭建 Linux下Vagrant搭建Tomcat7.Java7 二.Nginx的安装配置与测试 *虚拟机下转至root sudo -i 1)下 ...

  9. POI取消科学计数法

    前台输入手机号13777777777,如果是为Double类型接收,就会自动转为科学计数法 找了下,一般是Double转String,方法一般有两种: 1.利用String.format() sale ...

  10. Linux基本命令(6)线上查询的命令

    线上查询的命令 命令 功能 man 查询和解释一个命令的使用方法,以及这个命令的说明事项 locate 定位文件和目录 whatis 寻找某个命令的含义 6.1 man命令 man命令用来查询和解释一 ...