
ASA Version 8.4(2): NAT and host limits

2025-04-10 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

For switch0 and switch2 in the lab topology (the diagram is not reproduced here): if it is a layer 3 switch it needs a static route pointing at the ASA, and if it is a layer 2 switch it only needs its default gateway set to the address of the ASA interface it connects to.

Static NAT address translation

On 8.3 and later, static NAT is written as object NAT, with the real address inside the object and the mapped address on the nat line:

object network waiwang
 host 192.168.1.2
 nat (inside,outside) static 10.99.121.141

The line nat (inside,outside) static 10.99.121.141 is read as: for traffic from inside to outside, the source address 192.168.1.2 is translated to 10.99.121.141. Because the translation is static it also applies in the reverse direction: a packet arriving on outside with destination 10.99.121.141 has its destination translated to 192.168.1.2 before it is forwarded to inside.

Points to note about static NAT:

1. Packets entering inside from outside, that is, access from a low security level to a high security level, must be explicitly permitted by an access list applied inbound on the outside interface. On 8.3 and later the access list matches the real (untranslated) address, 192.168.1.2, not the mapped address 10.99.121.141.

2. If the host really exists,

3. First consider which side initiates the session and decide whether the access is one-way or two-way. The initiator determines which direction needs an access list; return traffic of an established session is matched against the connection table rather than the access list.

For comparison, the pre-8.3 form of the same kind of entry, which 8.4(2) no longer accepts, was static (inside,outside) 10.99.216.202 192.168.0.2, meaning: the real inside address 192.168.0.2 is presented on outside as 10.99.216.202.

A static translation can also be defined from the outside toward the inside:

object network yelian
 host 10.99.216.205
 nat (outside,inside) static 192.168.1.2

Here the outside host 10.99.216.205 is presented to the inside as 192.168.1.2, and traffic from inside to 192.168.1.2 has its destination translated to 10.99.216.205. Note that 192.168.1.2 is also the real address used in object waiwang above; in a real deployment pick a mapped address that does not overlap a real host so the two rules cannot be confused.

1. Packets go from inside to outside, that is, access from a high security level to a low one, and then return from outside to inside. In theory the firewall holds a connection entry for the session, so the return packets pass from outside to inside without any access list. During the test, however, ping to 192.168.1.2 did not get through even though FTP access worked. The reason is that the ASA does not track ICMP statefully unless ICMP inspection is enabled; TCP sessions such as FTP are always tracked. The fix is either to enable ICMP inspection in the global service policy (inside policy-map global_policy, class inspection_default, add the command inspect icmp), or to permit ICMP (at least echo-reply) in the access list applied inbound on the outside interface.
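The following is an added example assembled from the points above, not configuration from the original page or its author. It shows the object NAT for 192.168.1.2 together with the two pieces the text says are needed for traffic to actually flow: an inbound access list on outside (matching the real address, as 8.3 and later require) and ICMP inspection in the global policy. The interface names, the ASA interface addresses 10.99.121.140 and 192.168.1.1, the access-list name OUTSIDE_IN and the outside test host 10.99.216.205 are assumptions for the lab.

```cisco
! Added example, not the page's own configuration. Interface addresses,
! the ACL name OUTSIDE_IN and the outside host 10.99.216.205 are assumed.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.99.121.140 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Static object NAT: inside host 192.168.1.2 is seen on outside as
! 10.99.121.141, and outside traffic to 10.99.121.141 is sent to 192.168.1.2.
object network waiwang
 host 192.168.1.2
 nat (inside,outside) static 10.99.121.141
!
! Outside -> inside is low-to-high security, so it must be permitted.
! On 8.3+ the ACL matches the REAL address (192.168.1.2), not the mapped one.
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.2 eq ftp
access-list OUTSIDE_IN extended permit icmp any host 192.168.1.2 echo
! Alternative to "inspect icmp" below for pings started from inside:
! access-list OUTSIDE_IN extended permit icmp any host 192.168.1.2 echo-reply
access-group OUTSIDE_IN in interface outside
!
! ICMP is not tracked statefully by default, so echo-replies for pings
! started from inside are dropped unless ICMP inspection is enabled.
! (inspect ftp is on by default; it is repeated here for completeness.)
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect ftp
!
! Verification without real hosts: an inbound FTP connection arriving on
! outside for the mapped address, and a ping started from the inside host.
packet-tracer input outside tcp 10.99.216.205 12345 10.99.121.141 21
packet-tracer input inside icmp 192.168.1.2 8 0 10.99.216.205
```

Both packet-tracer runs should end with "Action: allow". If the inbound FTP trace is dropped in the ACCESS-LIST phase, the usual cause is an access list written against the mapped address 10.99.121.141 instead of the real address. If the ICMP trace is allowed but live pings still fail, check that the service-policy global_policy global line is present, since that is what applies the inspection.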

From the official documentation on the ASA 5505 host limit:

In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit only when they communicate with the outside (Internet VLAN). Internet hosts are not counted towards the limit. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit. See the show local-host command to view the host limits.

Summary of the experiment:

1. If the default route is configured on the firewall's outside interface, the number of hosts on the other interfaces is limited (they are counted when they communicate with outside).

2. When the default route is configured on the firewall's inside interface, the number of hosts on the other interfaces is also limited. Versions before 8.2(1) behave inconsistently here (considered to be a bug in the older releases).

3. If no interface is configured with a default route, there is no limit on the number of hosts on the other interfaces. Note that this differs from the documentation quoted above, which states that without a default route hosts on all interfaces are counted toward the limit, so verify the behaviour on your own version with show local-host.
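The commands below are an added example of how to repeat the experiment, not part of the original page. They show the three default-route placements the summary compares and the commands used to read the host count; the next-hop addresses 10.99.121.1 and 192.168.1.254 are assumptions.

```cisco
! Added example, not the page's own configuration.
! Case 1: default route on outside (the normal case). Inside hosts are
! counted only when they talk to the outside.
route outside 0.0.0.0 0.0.0.0 10.99.121.1
!
! Case 2: default route on inside. Next hop 192.168.1.254 is assumed.
! Remove case 1 first so only one default route exists.
no route outside 0.0.0.0 0.0.0.0 10.99.121.1
route inside 0.0.0.0 0.0.0.0 192.168.1.254
!
! Case 3: no default route at all.
no route inside 0.0.0.0 0.0.0.0 192.168.1.254
!
! Reset the counted hosts between cases, generate traffic, then read the
! count and compare it with the licensed limit.
clear local-host all
show local-host
show version | include Hosts
```

Run clear local-host all before each case so hosts counted under the previous default-route placement do not carry over into the next measurement.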
