Configure four types of NAT on the firewall (ASA)

2025-04-07 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

The principles of network address translation (NAT) and its configuration on routers were introduced earlier. NAT configuration on the ASA differs somewhat from the router configuration. NAT on the ASA comes in four types: dynamic NAT, dynamic PAT, static NAT and static PAT. The following link is the NAT principle article I wrote before, with the commands for configuring NAT on a router: yangshufan.blog.51cto.com/13004230/1959448

Dynamic NAT

Dynamic NAT translates a group of real IP addresses into addresses from a specified address pool; the mapping is dynamic, one-to-one and assigned in turn from the pool. It suits environments with multiple public IP addresses and multiple intranet PCs that need to access the Internet (unidirectional: only connections initiated from the inside create translations).

The configuration commands are as follows:

1. Specify the intranet segments that require address translation

asa(config)# nat (interface_name) nat-id local-ip mask
asa(config)# nat (inside) 1 0 0 //translate all intranet addresses

where nat-id here must be greater than or equal to 1

2. Define global address pool

asa(config)# global (interface_name) nat-id [global-ip]-[global-ip]

3. Use the command to view the NAT translation table

asa# show xlate detail

Case: There are two network segments in the inside area. Dynamic NAT must be configured so that the 192.168.1.0 segment is translated when it accesses the Internet; the NAT address pool is 202.106.2.100-202.106.2.200.

asa(config)# nat (inside) 1 192.168.1.0 255.255.255.0
asa(config)# global (outside) 1 202.106.2.100-202.106.2.200

Dynamic PAT

Dynamic PAT uses the mapped IP address together with a translated source port number to identify each session uniquely, so the mapping is dynamic and many-to-one. It suits environments where there is only one public IP and multiple intranet PCs want to access the Internet (unidirectional). The only configuration difference from dynamic NAT is that the global pool contains a single address.

In the case above, if dynamic PAT is to be configured and the IP address used for translation is 202.106.2.200, the configuration commands are as follows:

asa(config)# nat (inside) 1 192.168.1.0 255.255.255.0
asa(config)# global (outside) 1 202.106.2.200

If the IP address of the outside interface is directly used for translation when configuring dynamic PAT, the configuration command is as follows:

asa(config)# nat (inside) 1 192.168.1.0 255.255.255.0
asa(config)# global (outside) 1 interface
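To make the difference between the two dynamic types concrete, here is an added Python model (not part of the original article, and not ASA code) of the translation table that "show xlate" would list. It uses the article's own addresses: the 192.168.1.0/24 segment, the dynamic NAT pool 202.106.2.100-202.106.2.200, and the single PAT address 202.106.2.200. The port range used for PAT is an assumption for the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Xlate:
    """One translation-table entry, the kind of row 'show xlate' prints."""
    real_ip: str
    mapped_ip: str
    real_port: Optional[int] = None    # None for dynamic NAT (address-only)
    mapped_port: Optional[int] = None


class DynamicNat:
    """Dynamic NAT: one global address per inside host, taken from the pool in turn.
    When the pool is exhausted no new translation can be created."""

    def __init__(self, pool_start: str, pool_end: str):
        first = int(ipaddress.IPv4Address(pool_start))
        last = int(ipaddress.IPv4Address(pool_end))
        self.free = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]
        self.table: Dict[str, Xlate] = {}

    def translate(self, real_ip: str) -> Optional[Xlate]:
        if real_ip in self.table:            # existing xlate is reused
            return self.table[real_ip]
        if not self.free:                    # pool exhausted: connection fails
            return None
        entry = Xlate(real_ip, self.free.pop(0))
        self.table[real_ip] = entry
        return entry


class DynamicPat:
    """Dynamic PAT: one global address for everyone; the session is made unique
    by the translated source port (port range is an assumption of this model)."""

    def __init__(self, global_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.global_ip = global_ip
        self.next_port = first_port
        self.last_port = last_port
        self.table: Dict[Tuple[str, int], Xlate] = {}

    def translate(self, real_ip: str, real_port: int) -> Optional[Xlate]:
        key = (real_ip, real_port)
        if key in self.table:
            return self.table[key]
        if self.next_port > self.last_port:  # out of ports: connection fails
            return None
        entry = Xlate(real_ip, self.global_ip, real_port, self.next_port)
        self.next_port += 1
        self.table[key] = entry
        return entry


def compare_nat_and_pat() -> dict:
    """Let every host in 192.168.1.0/24 open one connection through each method."""
    hosts = [str(h) for h in ipaddress.IPv4Network("192.168.1.0/24").hosts()]  # 254 hosts

    nat = DynamicNat("202.106.2.100", "202.106.2.200")   # 101 pool addresses
    nat_translated = sum(1 for h in hosts if nat.translate(h) is not None)

    pat = DynamicPat("202.106.2.200")                    # single global address
    pat_translated = sum(1 for h in hosts if pat.translate(h, 50000) is not None)

    return {
        "hosts": len(hosts),
        "nat_translated": nat_translated,                # limited by pool size
        "pat_translated": pat_translated,                # limited only by ports
        "nat_first": nat.translate("192.168.1.1"),
        "pat_first": pat.translate("192.168.1.1", 50000),
    }


if __name__ == "__main__":
    for k, v in compare_nat_and_pat().items():
        print(k, v)
```

The model shows why a site with one public address must use PAT: with a 101-address pool only 101 of the 254 hosts get a translation, while PAT serves all of them from 202.106.2.200 by varying the mapped port.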

Static NAT

Static NAT creates a fixed one-to-one translation between a real address and a mapped address. Because the mapping is fixed, it can be used for bidirectional communication, so it suits environments with multiple public IP addresses and multiple intranet servers to publish (bidirectional: connections may be initiated from the outside as well).

Case: In the topology shown in the above figure, the servers in the DMZ can access the Internet by default, but in the actual environment hosts on the Internet must also be allowed to reach the server 192.168.3.1 in the DMZ, so static NAT needs to be configured. The configuration commands are as follows:

asa(config)# static (dmz,outside) 202.106.2.111 192.168.3.1 //configure static NAT
asa(config)# access-list out_to_dmz permit ip any host 202.106.2.111
asa(config)# access-group out_to_dmz in int outside //apply the ACL inbound on the outside interface

Note: The destination address in the ACL must be the mapped address 202.106.2.111, not the real address 192.168.3.1, because the ACL on the outside interface is checked against the packet as it arrives, before the static translation is undone.

Static PAT

Static PAT additionally lets a TCP or UDP port number be specified for both the real and the mapped address, so several real servers can share one mapped address. It suits environments with only one public IP and multiple intranet servers to publish (bidirectional).

The command syntax for static PAT is as follows:

asa(config)# static (local_if_name,global_if_name) {tcp |udp} {global-ip | interface} global-port local-ip local-port [netmask mask]

Case: DMZ has two servers and requires a single mapping address of 202.106.2.111 to provide different services, as shown in the following figure

The configuration commands are as follows:

asa(config)# static (dmz,outside) tcp 202.106.2.111 http 192.168.3.1 http //configure static PAT
asa(config)# static (dmz,outside) tcp 202.106.2.111 smtp 192.168.3.2 smtp
asa(config)# access-list out_to_dmz permit ip any host 202.106.2.111
asa(config)# access-group out_to_dmz in int outside //configure ACL
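The following Python model is an added example, not part of the article or of any Cisco code. It reproduces the two static PAT rules above and the note from the static NAT section that the outside ACL must name the mapped address: an inbound packet is first checked against the ACL as it arrived (destination still 202.106.2.111), and only then is the static rule used to find the real server and port. The ACL and packet values are constructed for the example.

```python
from typing import List, Optional, Tuple

# static (dmz,outside) tcp 202.106.2.111 http 192.168.3.1 http
# static (dmz,outside) tcp 202.106.2.111 smtp 192.168.3.2 smtp
# Each tuple: (protocol, mapped_ip, mapped_port, real_ip, real_port)
STATIC_PAT_RULES = [
    ("tcp", "202.106.2.111", 80, "192.168.3.1", 80),
    ("tcp", "202.106.2.111", 25, "192.168.3.2", 25),
]

# ACL entries as (source, destination); "any" matches every address.
ACL_CORRECT = [("any", "202.106.2.111")]   # access-list out_to_dmz permit ip any host 202.106.2.111
ACL_WRONG = [("any", "192.168.3.1")]       # written against the real address (the mistake the note warns about)


def acl_permits(acl: List[Tuple[str, str]], src_ip: str, dst_ip: str) -> bool:
    """Evaluate a permit-only ACL against the packet's addresses."""
    for acl_src, acl_dst in acl:
        if acl_src in ("any", src_ip) and acl_dst in ("any", dst_ip):
            return True
    return False   # implicit deny at the end of every ACL


def untranslate(proto: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Find the real server behind a mapped address:port via the static PAT rules."""
    for rule_proto, mapped_ip, mapped_port, real_ip, real_port in STATIC_PAT_RULES:
        if (rule_proto, mapped_ip, mapped_port) == (proto, dst_ip, dst_port):
            return real_ip, real_port
    return None


def inbound(acl: List[Tuple[str, str]], proto: str, src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Decide what happens to a packet arriving on the outside interface.
    Order matters: the inbound ACL sees the mapped address; untranslation comes after."""
    if not acl_permits(acl, src_ip, dst_ip):
        return "denied by ACL"
    target = untranslate(proto, dst_ip, dst_port)
    if target is None:
        return "no translation: dropped"
    return "forwarded to %s:%d" % target


def demo() -> dict:
    """Constructed inbound packets from an Internet host (203.0.113.5 is a documentation address)."""
    client = "203.0.113.5"
    return {
        "http_ok": inbound(ACL_CORRECT, "tcp", client, "202.106.2.111", 80),
        "smtp_ok": inbound(ACL_CORRECT, "tcp", client, "202.106.2.111", 25),
        "unpublished_port": inbound(ACL_CORRECT, "tcp", client, "202.106.2.111", 443),
        "acl_on_real_ip": inbound(ACL_WRONG, "tcp", client, "202.106.2.111", 80),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

Two points the model makes visible: port 443 is not published, so the packet is dropped even though the ACL permits it, and an ACL written against 192.168.3.1 never matches, because no packet arriving from the outside carries that address.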

NAT control

We know that by default a higher security level may access a lower one, so PC1 can reach the Internet even if we configure no NAT at all. In a real environment PC1 can send request packets with its own IP address through the ASA, but it will never receive the replies, because private addresses are not routable on the Internet. So NAT is still needed: private addresses are mapped to public addresses in order to access the Internet or be accessed from it.

Since version 7.0 the ASA has provided a switch for NAT control, the nat-control command. When NAT control is enabled, PC1 can no longer reach the Internet with a basic configuration alone; a NAT translation must exist for the traffic to pass.

By default NAT control is disabled (no nat-control), but in practice it is usually enabled for easier management. When NAT control is enabled, NAT rules are mandatory: every connection initiated through the ASA needs a matching NAT rule.

NAT control disabled: no nat-control

This is the default. NAT rules are optional: traffic from segments that match a NAT rule is translated and allowed, and traffic from segments that match no NAT rule is also allowed, but passes without address translation.

NAT control enabled: nat-control

NAT rules are required: traffic from segments that match a NAT rule is translated and allowed, and traffic from segments that match no NAT rule is dropped.

NAT exemption

When NAT control is enabled, a NAT rule is required for every connection initiated, but some applications (such as configuring ×××) need to bypass NAT. There are several ways to bypass NAT rules; one of them is NAT exemption, which permits two-way communication without translation.

To configure NAT exemption, you first need to define an ACL to specify the traffic that needs to bypass NAT rules, and then configure it. The configuration command is as follows:

asa(config)# nat (interface_name) 0 access-list acl_name

Case: As shown in the figure below, NAT control is enabled on the ASA. Segment 192.168.1.0 requires dynamic PAT with the outside interface address as the mapped address, and segment 192.168.2.0 is configured with NAT exemption.

The configuration commands are as follows:

asa(config)# nat-control //enable NAT control
asa(config)# nat (inside) 1 192.168.1.0 255.255.255.0 //configure dynamic PAT
asa(config)# global (outside) 1 interface
asa(config)# access-list nonat extended permit ip 192.168.2.0 255.255.255.0 202.106.2.0 255.255.255.0 //traffic that bypasses NAT
asa(config)# nat (inside) 0 access-list nonat //enable NAT exemption
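The following Python model, added here and not part of the article or of any Cisco code, evaluates outbound packets against the configuration above to show how the NAT control and NAT exemption sections fit together: the nat 0 access-list is consulted first, then the dynamic PAT rule, and only then does the nat-control switch decide whether untranslated traffic is allowed or dropped. The outside interface address 202.106.2.1, the sample destinations and the evaluation order are assumptions of the model.

```python
import ipaddress
from typing import List, Optional, Tuple

OUTSIDE_IF_IP = "202.106.2.1"   # assumed address of the outside interface ("global ... interface")

# nat (inside) 0 access-list nonat  /  access-list nonat ... permit ip 192.168.2.0/24 202.106.2.0/24
NONAT_ACL: List[Tuple[str, str]] = [("192.168.2.0/24", "202.106.2.0/24")]

# nat (inside) 1 192.168.1.0 255.255.255.0  /  global (outside) 1 interface
DYNAMIC_RULES: List[Tuple[str, str]] = [("192.168.1.0/24", "interface")]


def in_net(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def evaluate_outbound(src: str, dst: str, nat_control: bool) -> Tuple[str, Optional[str]]:
    """Return (action, source address as seen on the outside) for an inside-to-outside packet."""
    # 1. NAT exemption (nat-id 0 with an ACL) takes precedence over every other rule:
    #    the packet passes untranslated even with nat-control on.
    for acl_src, acl_dst in NONAT_ACL:
        if in_net(src, acl_src) and in_net(dst, acl_dst):
            return "permit (exempt, untranslated)", src

    # 2. Regular dynamic NAT/PAT rule: translate to the global address.
    for rule_src, global_addr in DYNAMIC_RULES:
        if in_net(src, rule_src):
            mapped = OUTSIDE_IF_IP if global_addr == "interface" else global_addr
            return "permit (translated)", mapped

    # 3. No rule matched: the nat-control switch decides.
    if nat_control:
        return "drop (nat-control, no matching rule)", None
    return "permit (untranslated)", src


def demo(nat_control: bool) -> dict:
    """Constructed packets: 198.51.100.9 is a documentation address standing in for an Internet host."""
    internet_host = "198.51.100.9"
    return {
        "pc_in_1.0_to_internet": evaluate_outbound("192.168.1.10", internet_host, nat_control),
        "pc_in_2.0_to_exempt_net": evaluate_outbound("192.168.2.10", "202.106.2.50", nat_control),
        "pc_in_2.0_to_internet": evaluate_outbound("192.168.2.10", internet_host, nat_control),
    }


if __name__ == "__main__":
    for switch in (True, False):
        print("nat-control" if switch else "no nat-control")
        for name, result in demo(switch).items():
            print("  ", name, "->", result)
```

The third packet is the one the switch changes: 192.168.2.10 talking to an arbitrary Internet host matches neither the exemption ACL nor the PAT rule, so it is dropped with nat-control and passes untranslated (and therefore without a usable return path) with no nat-control.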

Commands to view and remove NAT

asa# show xlate //view a summary of the NAT translation table
asa# show xlate detail //view the NAT translation table in detail
asa# show run nat //view the configured nat commands
asa# show run global //view the configured global address pools
asa(config)# no global (outside) 1 172.16.1.200 //delete the specified global address pool (prefix the original global command with no)
asa(config)# clear xlate //clear the NAT translation table
asa(config)# clear configure static //delete all static NAT
asa(config)# clear configure nat //delete all dynamic NAT
asa(config)# clear configure global //delete all global address pools
