This lab was carried out in the GNS3 simulator.
Lab requirements: achieve full reachability across the network, then perform the experiment with dynamic NAT, PAT and static NAT in turn.
Topology:
IP address assignment:
Device | Interface 1 | Interface 2 | Interface 3
IOU1 | e0/0: 200.1.1.1/24 | loo0: 201.25.64.1/24 |
IOU2 | e0/0: 172.16.1.1/24 | loo0: 172.16.10.1/24 |
IOU3 | e0/0: 192.168.1.1/24 | loo0: 192.168.10.1/24 |
ASA | g0: 200.1.1.2/24 | g1: 192.168.1.2/24 | g2: 172.16.1.2/24
Configuration steps:
IP address configuration: omitted
Route configuration: omitted
Dynamic NAT configuration:
ciscoasa(config)# object network out-pool
ciscoasa(config-network-object)# range 200.1.1.10 200.1.1.20
ciscoasa(config-network-object)# exit
ciscoasa(config)# object network in-jie
ciscoasa(config-network-object)# subnet 172.16.1.0 255.255.255.0
ciscoasa(config-network-object)# exit
ciscoasa(config)# object network in-loo
ciscoasa(config-network-object)# subnet 172.16.10.0 255.255.255.0
ciscoasa(config-network-object)# ex
ciscoasa(config)# object network dmz-jie
ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0
ciscoasa(config-network-object)# ex
ciscoasa(config)# object network dmz-loo
ciscoasa(config-network-object)# subnet 192.168.10.0 255.255.255.0
ciscoasa(config-network-object)# ex
ciscoasa(config)# object-group network in-lan
ciscoasa(config-network-object-group)# network-object object in-jie
ciscoasa(config-network-object-group)# network-object object in-loo
ciscoasa(config-network-object-group)# ex
ciscoasa(config)# object-group network dmz-lan
ciscoasa(config-network-object-group)# network-object object dmz-jie
ciscoasa(config-network-object-group)# network-object object dmz-loo
ciscoasa(config-network-object-group)# ex
ciscoasa(config)# nat (inside,outside) source dynamic in-lan out-pool
ciscoasa(config)# nat (dmz,outside) source dynamic dmz-lan out-pool
Test:
Figure: the ASA dynamic NAT experiment is complete.
PAT configuration (multiple internal networks, multiple subnets and multiple zones, all using the outside interface address directly):
First remove the two dynamic NAT rules above with `no`, then configure:
ciscoasa(config)# nat (inside,outside) source dynamic in-lan interface
ciscoasa(config)# nat (dmz,outside) source dynamic dmz-lan interface
Test:
PAT configuration (multiple internal networks, each behind one specified outside IP):
ciscoasa(config)# object network out-po1
ciscoasa(config-network-object)# host 200.1.1.3
ciscoasa(config-network-object)# ex
ciscoasa(config)# object network out-po2
ciscoasa(config-network-object)# host 200.1.1.4
ciscoasa(config-network-object)# ex
ciscoasa(config)# nat (inside,outside) source dynamic in-jie pat-pool out-po1
ciscoasa(config)# nat (dmz,outside) source dynamic dmz-jie pat-pool out-po2
ciscoasa(config)# end
Dynamic NAT first, with PAT on a specified IP as the last resort:
ciscoasa(config)# object-group network out-nat
ciscoasa(config-network-object-group)# network-object object out-po1
ciscoasa(config-network-object-group)# network-object object out-pool
ciscoasa(config-network-object-group)# ex
ciscoasa(config)# nat (inside,outside) source dynamic in-lan out-nat
Because only a few hosts in this topology go out to the Internet, the address pool is never used up, so the switch to the specified IP after the pool is exhausted could not be observed.
Static NAT (one-to-one):
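Since the lab could not exhaust the pool, here is an added Python model (not part of the original write-up, and not ASA code) of the behaviour this section describes for the `in-lan` to `out-nat` rule: each new inside host takes a one-to-one address from the 200.1.1.10-20 range, and once the range is used up, further flows are PATed behind 200.1.1.3. The lowest-free-address-first allocation and the sequential PAT ports starting at 1024 are assumptions of the model.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the write-up's rule
#   nat (inside,outside) source dynamic in-lan out-nat
# where out-nat = the 200.1.1.10-200.1.1.20 range (one-to-one dynamic NAT) plus the
# single host 200.1.1.3, used for PAT once the range is exhausted. Educational model
# of the behaviour the text describes, not the ASA's own implementation.

IN_LAN = [ip_network("172.16.1.0/24"), ip_network("172.16.10.0/24")]  # object-group in-lan
OUT_POOL = ("200.1.1.10", "200.1.1.20")                                # object out-pool
OUT_PO1 = "200.1.1.3"                                                  # object out-po1

class DynamicNatWithPatFallback:
    def __init__(self, real_nets, pool_first, pool_last, pat_host):
        self.real_nets = real_nets
        first, last = int(ip_address(pool_first)), int(ip_address(pool_last))
        self.free = [ip_address(i) for i in range(first, last + 1)]  # unused pool addresses
        self.dyn = {}          # real IP -> mapped IP; reused by every later flow of that host
        self.pat_host = ip_address(pat_host)
        self.pat_ports = {}    # (real IP, real port) -> mapped port on pat_host
        self.next_port = 1024  # assumption: mapped PAT ports handed out sequentially

    def matches(self, real_ip):
        return any(real_ip in net for net in self.real_nets)

    def translate(self, real_ip, real_port):
        """Translate one inside->outside flow; returns (mapped_ip, mapped_port, kind)."""
        real_ip = ip_address(real_ip)
        if not self.matches(real_ip):
            return real_ip, real_port, "untranslated"  # rule does not apply to this source
        if real_ip not in self.dyn and self.free:
            self.dyn[real_ip] = self.free.pop(0)  # assumption: lowest free address first
        if real_ip in self.dyn:
            return self.dyn[real_ip], real_port, "dynamic"
        key = (real_ip, real_port)  # pool exhausted: PAT behind the single host
        if key not in self.pat_ports:
            self.pat_ports[key] = self.next_port
            self.next_port += 1
        return self.pat_host, self.pat_ports[key], "pat"

def demo():
    """Thirteen inside hosts: the first eleven fill the pool, the rest are PATed."""
    nat = DynamicNatWithPatFallback(IN_LAN, *OUT_POOL, OUT_PO1)
    return [nat.translate(f"172.16.1.{h}", 40000 + h) for h in range(1, 14)]

if __name__ == "__main__":
    for mapped_ip, mapped_port, kind in demo():
        print(f"{kind:12} {mapped_ip}:{mapped_port}")
```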
ciscoasa(config)# object network web
ciscoasa(config-network-object)# host 200.1.1.21
ciscoasa(config-network-object)# ex
ciscoasa(config)# object network dmz-web
ciscoasa(config-network-object)# host 192.168.10.1
ciscoasa(config-network-object)# ex
ciscoasa(config)# access-list web extended permit tcp any host 192.168.10.1
ciscoasa(config)# access-group web in interface outside
ciscoasa(config)# nat (dmz,outside) source static dmz-web web
Static routes towards the loopback networks are required:
ciscoasa(config)# route dmz 192.168.10.0 255.255.255.0 192.168.1.1
ciscoasa(config)# route inside 172.16.10.0 255.255.255.0 172.16.1.1
Test:
Port-level one-to-one (static PAT):
ciscoasa(config)# object network teldmz
ciscoasa(config-network-object)# host 200.1.1.22
ciscoasa(config-network-object)# ex
ciscoasa(config)# object service telnet
ciscoasa(config-service-object)# service tcp source eq telnet
ciscoasa(config-service-object)# ex
ciscoasa(config)# object network dmz-web
ciscoasa(config-network-object)# host 192.168.10.1
ciscoasa(config-network-object)# exit
ciscoasa(config)# nat (dmz,outside) source static dmz-web teldmz service telnet telnet
Test: from the outside network, access the inside host through its outside IP.
End of lab.
Thanks for reading.