2025-03-29 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
Description:
OUTSIDE simulates the public network: interface IP: 200.200.200.200/24, lo0: 8.8.8.8/32, lo10: 114.114.114.114/32: eBank 0
INSIDE simulates the intranet: vlan 10: 10.10.10.1/24, vlan 20: 10.10.20.1/24; the default route points to the ASA firewall (10.10.10.2).
The ASA firewall's default route points to OUTSIDE (200.200.200.200); its route for 10.0.0.0/8 has the next hop pointing to INSIDE (10.10.10.1).
Requirement: INSIDE-10.10.10.0/24 needs to access the public network (8.8.8.8)
Method 1: dynamic NAT
1. Create a new network object
2. Do NAT under the object (use the public network interface address for translation)
object network INSIDE-10.10.10.0
 subnet 10.10.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
 exit
! The simulator requires the following access-list and access-group; real equipment does not need them.
access-list OUT-TO-INSIDE extended permit ip any 10.10.10.0 255.255.255.0
access-group OUT-TO-INSIDE in interface outside
Test:
INSIDE#ping 8.8.8.8 source vlan 10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
View the NAT translation of ASA Firewall:
ASA(config)# show xlate
1 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
ICMP PAT from inside:10.10.10.1/22 to outside:200.200.200.1/22 flags ri idle 0:00:01 timeout 0:00:30
Method 2: dynamic NAT
1. Create a new network object
2. Do NAT under the object (use a separate public network IP for translation)
object network INSIDE-10.10.10.0
 subnet 10.10.10.0 255.255.255.0
 nat (inside,outside) dynamic 200.200.200.10
 exit
! The simulator requires the following access-list and access-group; real equipment does not need them.
access-list OUT-TO-INSIDE extended permit ip any 10.10.10.0 255.255.255.0
access-group OUT-TO-INSIDE in interface outside
Test:
INSIDE#ping 8.8.8.8 source vlan 10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/7 ms
ASA# show xlate
1 in use, 4 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
ICMP PAT from inside:10.10.10.1/27 to outside:200.200.200.10/27 flags ri idle 0:00:00 timeout 0:00:30
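The two "show xlate" checks above can be automated when auditing a saved copy of the output. The following is an added example, not part of the original article: it parses PAT entries and reports any source outside the NAT object's subnet or any entry mapped to an unexpected address. The function names and the second sample line are assumptions made for illustration.

```python
import ipaddress
import re

# Matches PAT entries in `show xlate`, e.g.
# "ICMP PAT from inside:10.10.10.1/22 to outside:200.200.200.1/22 flags ri idle ..."
XLATE_RE = re.compile(
    r"^(?P<proto>\S+) PAT from (?P<real_if>[\w-]+):(?P<real_ip>[\d.]+)/(?P<real_port>\d+) "
    r"to (?P<map_if>[\w-]+):(?P<map_ip>[\d.]+)/(?P<map_port>\d+) flags (?P<flags>\w+)"
)

def parse_xlate(text):
    """Return one dict per PAT entry found in `show xlate` output."""
    entries = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def check_translations(text, inside_net, expected_mapped_ip):
    """List problems: source outside the NAT object's subnet, wrong mapped IP, wrong flags."""
    net = ipaddress.ip_network(inside_net)
    problems = []
    for e in parse_xlate(text):
        if ipaddress.ip_address(e["real_ip"]) not in net:
            problems.append(f"{e['real_ip']} is translated but is not in {inside_net}")
        elif e["map_ip"] != expected_mapped_ip:
            problems.append(f"{e['real_ip']} maps to {e['map_ip']}, expected {expected_mapped_ip}")
        elif "i" not in e["flags"] or "r" not in e["flags"]:
            problems.append(f"{e['real_ip']} entry is not dynamic PAT (flags {e['flags']})")
    return problems

# Sample input: the Method 2 entry from this page plus one constructed line
# (the 10.10.20.5 TCP entry is made up to show a finding).
SAMPLE = """\
1 in use, 4 most used
ICMP PAT from inside:10.10.10.1/27 to outside:200.200.200.10/27 flags ri idle 0:00:00 timeout 0:00:30
TCP PAT from inside:10.10.20.5/40112 to outside:200.200.200.10/40112 flags ri idle 0:00:03 timeout 0:00:30
"""

if __name__ == "__main__":
    for p in check_translations(SAMPLE, "10.10.10.0/24", "200.200.200.10"):
        print("FINDING:", p)
```

Run against the Method 1 output with the Method 2 address as the expected value, the same check reports that 10.10.10.1 maps to 200.200.200.1 instead.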