1.Dynamic NAT(动态NAT,动态一对一)

实例一:

传统配置方法:

nat (Inside) 1 10.1.1.0 255.255.255.0

global (Outside) 1 202.100.1.100-202.100.1.200

新配置方法(Network Object NAT)

object network Outside-Nat-Pool

range 202.100.1.100 202.100.1.200

object network Inside-Network

subnet 10.1.1.0 255.255.255.0

object network Inside-Network

nat (Inside,Outside) dynamic Outside-Nat-Pool

实例二:

object network Outside-Nat-Pool

range 202.100.1.100 202.100.1.200

object network Outside-PAT-Address

host 202.100.1.201

object-group network Outside-Address

network-object object Outside-Nat-Pool

network-object object Outside-PAT-Address

object network Inside-Network        //先100-200动态一对一,然后202.100.1.201动态PAT,最后使用接口地址动态PAT)

nat (Inside,Outside) dynamic Outside-Address interface

教主认为这种配置方式的好处是,新的NAT命令绑定了源接口和目的接口,所以不会出现传统配置影响DMZ的问题(当时需要nat0 + acl来旁路)

2.Dynamic PAT (Hide)(动态PAT,动态多对一)

传统配置方式:

nat (Inside) 1 10.1.1.0 255.255.255.0

global(outside) 1 202.100.1.101

新配置方法(Network Object NAT)

object network Inside-Network

subnet 10.1.1.0 255.255.255.0

object network Outside-PAT-Address

host 202.100.1.101

object network Inside-Network

nat (Inside,Outside) dynamic Outside-PAT-Address

or

nat (Inside,Outside) dynamic 202.100.1.102

3.Static NAT or Static NAT with Port Translation(静态一对一转换,静态端口转换)

实例一:(静态一对一转换)

传统配置方式:

static (Inside,outside) 10.1.1.1 202.100.1.101

新配置方法(Network Object NAT)

object network Static-Outside-Address

host 202.100.1.101

object network Static-Inside-Address

host 10.1.1.1

object network Static-Inside-Address

nat (Inside,Outside) static Static-Outside-Address

or

nat (Inside,Outside) static 202.100.1.102

实例二:(静态端口转换)

传统配置方式:

static (inside,outside) tcp 202.100.1.102 2388 10.1.1.1 23

新配置方法(Network Object NAT)

object network Static-Outside-Address

host 202.100.1.101

object network Static-Inside-Address

host 10.1.1.1

object network Static-Inside-Address

nat (Inside,Outside) static Static-Outside-Address service tcp telnet 2388

or

nat (Inside,Outside) static 202.100.1.101 service tcp telnet 2388

4.Identity NAT

传统配置方式:

nat (inside) 0 10.1.1.1 255.255.255.255

新配置方法(Network Object NAT)

object network Inside-Address

host 10.1.1.1

object network Inside-Address

nat (Inside,Outside) static Inside-Address

or

nat (Inside,Outside) static 10.1.1.1

5.Twice NAT(类似于Policy NAT

实例一:

传统配置:

access-list inside-to-1 permit ip 10.1.1.0 255.255.255.0 host 1.1.1.1

access-list inside-to-202 permit ip 10.1.1.0 255.255.255.0 host 202.100.1.1

nat (inside) 1 access-list inside-to-1

nat (inside) 2 access-list inside-to-202

global(outside) 1 202.100.1.101

global(outside) 2 202.100.1.102

新配置方法(Twice NAT):

object network dst-1

host 1.1.1.1

object network dst-202

host 202.100.1.1

object network pat-1

host 202.100.1.101

object network pat-2

host 202.100.1.102

object network Inside-Network

subnet 10.1.1.0 255.255.255.0

nat (Inside,Outside) source dynamic Inside-Network pat-1 destination static dst-1 dst-1

nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202

实例二:

传统配置:

access-list inside-to-1 permit ip 10.1.1.0 255.255.255.0 host 1.1.1.1

access-list inside-to-202 permit ip 10.1.1.0 255.255.255.0 host 202.100.1.1

nat (inside) 1 access-list inside-to-1

nat (inside) 2 access-list inside-to-202

global(outside) 1 202.100.1.101

global(outside) 2 202.100.1.102

static (outside,inside) 10.1.1.101 1.1.1.1

static (outside,inside) 10.1.1.102 202.100.1.1

新配置方法(Twice NAT):

object network dst-1

host 1.1.1.1

object network dst-202

host 202.100.1.1

object network pat-1

host 202.100.1.101

object network pat-2

host 202.100.1.102

object network Inside-Network

subnet 10.1.1.0 255.255.255.0

object network map-dst-1

host 10.1.1.101

object network map-dst-202

host 10.1.1.102

nat (Inside,Outside) source dynamic Inside-Network pat-1 destination static map-dst-1 dst-1

nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static map-dst-202 dst-202

实例三:

传统配置:

access-list inside-to-1 permit tcp 10.1.1.0 255.255.255.0 host 1.1.1.1 eq 23

access-list inside-to-202 permit tcp 10.1.1.0 255.255.255.0 host 202.100.1.1 eq 3032

nat (inside) 1 access-list inside-to-1

nat (inside) 2 access-list inside-to-202

global(outside) 1 202.100.1.101

global(outside) 1 202.100.1.102

新配置方法(Twice NAT):

object network dst-1

host 1.1.1.1

object network dst-202

host 202.100.1.1

object network pat-1

host 202.100.1.101

object network pat-2

host 202.100.1.102

object network Inside-Network

subnet 10.1.1.0 255.255.255.0

object service telnet23

service tcp destination eq telnet

object service telnet3032

service tcp destination eq 3032

nat (Inside,Outside) source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23

nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202 service telnet3032 telnet3032

Main Differences Between Network Object NAT and Twice NAT

Network Object NATTwice NAT的主要区别)

How you define the real address.(从如何定义真实地址的角度来比较)

– Network object NAT—You define NAT as a parameter for a network object; the network object definition itself provides the real address. This method lets you easily add NAT to network objects. The objects can also be used in other parts of your configuration, for example, for access rules or even in twice NAT rules.

– Twice NAT—You identify a network object or network object group for both the real and

mapped addresses. In this case, NAT is not a parameter of the network object; the network object or group is a parameter of the NAT configuration. The ability to use a network object group for the real address means that twice NAT is more scalable.

<为真实和映射后地址定义network object或者network object group。在twice nat中,NAT不是network object的一个参数,network object或者group是NAT配置的一个参数。能够为真实地址使用network object group,也体现了twice nat的可扩展性。 >

How source and destination NAT is implemented.(源和目的nat被运用)

– Network object NAT— Each rule can apply to either the source or destination of a packet. So two rules might be used, one for the source IP address, and one for the destination IP address. These two rules cannot be tied together to enforce a specific translation for a source/destination combination.

<每一个策略只能运用到数据包的源或者目的,如果要转换一个包的源和目的,需要使用两个策略,这两个策略不能绑定到一起来做实现特殊的源和目的的转换。>

– Twice NAT—A single rule translates both the source and destination. A matching packet only matches the one rule, and further rules are not checked. Even if you do not configure the optional destination address for twice NAT, a matching packet still only matches one twice NAT rule. The source and destination are tied together, so you can enforce different translations depending on the source/destination combination. For example, sourceA/destinationA can have a different translation than sourceA/destinationB.

<一个单一策略,既能转换源也能转换目的。一个包只能匹配上一个策略,并且不再做进一步检查了。就算你没有配置twice nat的目的地址选项,一个数据包也只能匹配一个twice nat策略,目的和源被绑定到一起,因此你能够基于不同的源和目的做转换,例如:源A/目的A与源A/目的B转换不同>

We recommend using network object NAT unless you need the extra features that twice NAT provides. Network object NAT is easier to configure, and might be more reliable for applications such as Voice over IP (VoIP).

<我们推荐使用network object NAT,除非你明确需要twice nat所提供的特性。Network object nat非常容易配置,并且对语音等运用更加可靠>

NAT Rule Order排序实例:

192.168.1.1/32 (static)

10.1.1.0/24 (static)

192.168.1.0/24 (static)

172.16.1.0/24 (dynamic) (object abc)

172.16.1.0/24 (dynamic) (object def)

192.168.1.0/24 (dynamic)

查看NAT顺序的命令:

ASA(config)# sh run nat

nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202 service telnet3032 telnet3032

!

object network Inside-Network

nat (Inside,Outside) dynamic 202.100.1.105

!

nat (Inside,Outside) after-auto source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23


ASA(config)# sh nat

Manual NAT Policies (Section 1)

1 (Inside) to (Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202 service telnet3032 telnet3032

translate_hits = 1, untranslate_hits = 0

Auto NAT Policies (Section 2)

1 (Inside) to (Outside) source dynamic Inside-Network 202.100.1.105

translate_hits = 0, untranslate_hits = 0

Manual NAT Policies (Section 3)

1 (Inside) to (Outside) source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23

translate_hits = 0, untranslate_hits = 0

如何调整和插入NAT

nat (Inside,Outside) 1 source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23

Network Object NAT配置介绍的更多相关文章

  1. 分配IP地址的好东西 DHCP以及NAT简单介绍

    主机配置协议DHCP 1.DHCP应用场景 2.DHCP基础原理 3.NAT简单介绍 4.配置命令 1.手工配置IP地址,工作量比较大而且不好管理,如果用户自己修改参数,可能会导致ip地址冲突,这个时 ...

  2. 什么是blob,mysql blob大小配置介绍

    什么是blob,mysql blob大小配置介绍 作者: 字体:[增加 减小] 类型:转载   BLOB (binary large object),二进制大对象,是一个可以存储二进制文件的容器.在计 ...

  3. Window VNC远程控制LINUX:VNC详细配置介绍

    Window VNC远程控制LINUX:VNC详细配置介绍 //---------------------------------------vnc linux下的详细配置 1.VNC的启动/停止/重 ...

  4. 【Ubuntu】NAT配置

    1.简介 2.配置 1.简介 NAT(Network Address Translation,网络地址转换)是将IP 数据包头中的IP 地址转换为另一个IP 地址的过程.在实际应用中,NAT 主要用于 ...

  5. Centos 7.3下 Linux For SQL Server安装及配置介绍

    Centos 7.3下 Linux For SQL Server安装及配置介绍 高文龙关注13人评论2828人阅读2017-03-05 21:46:21 Centos 7.3下Linux For SQ ...

  6. centos LB负载均衡集群 三种模式区别 LVS/NAT 配置 LVS/DR 配置 LVS/DR + keepalived配置 nginx ip_hash 实现长连接 LVS是四层LB 注意down掉网卡的方法 nginx效率没有LVS高 ipvsadm命令集 测试LVS方法 第三十三节课

    centos   LB负载均衡集群 三种模式区别 LVS/NAT 配置  LVS/DR 配置  LVS/DR + keepalived配置  nginx ip_hash 实现长连接  LVS是四层LB ...

  7. [原]Redis详细配置介绍

    Redis详细配置介绍 # redis 配置文件示例 # 当你需要为某个配置项指定内存大小的时候,必须要带上单位, # 通常的格式就是 1k 5gb 4m 等酱紫: # # 1k => 1000 ...

  8. NAT配置与管理

    为解决IPv4地址日益枯竭,出现NAT(Network Address Translation,网络地址转换)技术.NAT可以将来自一个网络的IP数据报报头中的IP地址(可以是源IP地址或目的IP地址 ...

  9. ubuntu /etc/network/interfaces 中配置虚拟链路

    ubuntu /etc/network/interfaces 中配置虚拟链路 平常做一些关于网络的测试时,像一些需要在二层上运行的功能,一个网卡不足够的情况下,可使用 ip link 工具加一些虚拟的 ...

随机推荐

  1. iOS富文本(三)深入使用Text Kit

    在上一篇中介绍了Text Kit的三种基本组件的关系并且简单的实现了怎么使用这三种基本组件,本片将深入的去使用这三种基本组件. NSTextStorage NSTextStorage是NSMutabl ...

  2. HDU (线段树 单点更新) 敌兵布阵

    哎,又切了一天的水题. 线段树果然必须自己写出来才能叫真正的会了,之前一直在套模板确实不好. 这个题目是单点更新 之 单点增减,= ̄ω ̄= #include <cstdio> <&l ...

  3. IE6,7下li标签的间隙

    1.在IE6,7下li本身没浮动,但是li内容有浮动的时候,li下边就会产生3px的间隙. 解决办法: 1.给li加浮动 2.给li加vertical-align:top; eg: <!DOCT ...

  4. ubuntu 11.04 源 更新不了,全显示ign、404

    原文地址:http://blog.csdn.net/enjio/article/details/11603373   ubuntu 11.04 源 更新不了 分类: 开发相关2013-09-12 14 ...

  5. linux sed 命令

    转载:http://www.cnblogs.com/dong008259/archive/2011/12/07/2279897.html sed是一个很好的文件处理工具,本身是一个管道命令,主要是以行 ...

  6. dom4j创建格式化的xml文件

    import java.io.File;import java.io.FileInputStream;import java.io.FileNotFoundException;import java. ...

  7. Java 碰撞的球 MovingBall (整理)

    package demo; /** * Java 碰撞的球 MovingBall (整理) * 声明: * 这份源代码没有注释,已经忘记了为什么要写他了,基本上应该是因为当时觉得好玩吧. * 有时候想 ...

  8. SkinPP for VC

    1.下载文件:SkinPPWTL.h,SkinPPWTL.dll,SkinPPWTL.lib以及Skin++皮肤库: 2.新建一个工程,如:基于多文档的工程,名为:MySkin: 3.将下载的Skin ...

  9. MySQL基础之第14章 存储过程和函数

    避免编写重复的语句 安全性可控 执行效率高 14.1.创建存储过程和函数 14.1.1.创建存储过程 CREATE PROCEDUREsp_name ([proc_parameter[,...]]) ...

  10. UIScrollView 不能滚动的问题

    uiscrollview是开发sdk自带的控件, 在使用的时候,发现滚动不了, 最常山见的原因是 contentSize 这个属性,比uiscrollview的frame要小...所以无需滚动,自然就 ...