2025-01-16 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
The basic principle of NAT on the ASA firewall is the same as on a router, except that you only need to define the intranet address and the translated address; you do not have to enter the interface and apply the translation separately. A NAT configuration can basically be completed with two commands. There are four types of NAT on the ASA: dynamic NAT, dynamic PAT, static NAT and static PAT.
1. Dynamic NAT (one-to-one, but not static; dynamic NAT is rarely used in practice). The configuration steps are as follows:
Translate the private network 10.0.0.0/8 to the pool 172.16.1.100-172.16.1.200 with NAT:
ciscoasa(config)# nat (inside) 1 10.0.0.0 255.0.0.0   # define the private network address
ciscoasa(config)# global (outside) 1 172.16.1.100-172.16.1.200   # define the global address pool; done
ciscoasa(config)# show xlate detail   # after the first communication, use this command to view the NAT translation entries
The 1 in the above configuration is the nat-id. When a NAT translation is defined, the nat-id of the nat command must match the nat-id of the global command before the translation can take place.
If you want dynamic NAT for all network segments in the inside area, the configuration command is as follows:
ciscoasa(config)# nat (inside) 1 0 0   # 0 0 means any network segment
2. Dynamic PAT (many-to-one, saves public IP addresses). The configuration steps are as follows:
Dynamic PAT is the same as PAT on a router: multiple private network addresses are translated to one public network address, or the address of the outside interface can be used directly. The configuration is as follows:
Translate the 20.0.0.0/8 network segment to 172.17.10.10 using dynamic PAT:
ciscoasa(config)# nat (inside) 2 20.0.0.0 255.0.0.0   # define the private network address
ciscoasa(config)# global (outside) 2 172.17.10.10   # define the global address; done
You can also translate the 20.0.0.0/8 network segment directly to the IP address of the outside interface. The configuration command is as follows:
ciscoasa(config)# global (outside) 2 interface
3. Static NAT (one-to-one; commonly used for servers in the DMZ). The configuration steps are as follows:
ciscoasa(config)# static (dmz,outside) 172.16.1.201 192.168.1.1   # when 192.168.1.1 in the DMZ communicates with outside, the address used is 172.16.1.201; in other words, to reach the services on the 192.168.1.1 server from the external network, 172.16.1.201 must be used as the destination address
It is important to note that, when doing NAT translation, configuring the address translation alone is not enough: the ACL also determines whether communication succeeds.
Next, configure an ACL so that the public network can access the service on 192.168.1.1:
ciscoasa(config)# access-list out_to_dmz permit ip any host 172.16.1.201   # allow all hosts to access the mapped address 172.16.1.201
ciscoasa(config)# access-group out_to_dmz in int outside   # apply it to the outside interface
During the experiment, if access still fails after the above ACL configuration, you can add another ACL entry that allows all hosts to access the server's real IP. The two entries use the same ACL name, and the ACL is likewise applied to the outside interface.
4. Static PAT (similar to port mapping on a router) is configured as follows:
ciscoasa(config)# static (dmz,outside) tcp 172.16.1.201 http 192.168.1.1 http   # when port 80 of the server 192.168.1.1 in the DMZ communicates with outside, the HTTP port of 172.16.1.201 is used
ciscoasa(config)# static (dmz,outside) tcp 172.16.1.201 23 192.168.1.10 23   # port 23 of 192.168.1.10 in the DMZ communicates with the external network through port 23 of 172.16.1.201
ciscoasa(config)# access-list out_to_dmz permit ip any host 172.16.1.201   # the ACL is configured with the mapped address 172.16.1.201; if the security requirements are higher, the ip keyword in the ACL rule can be changed to tcp, since both services above use TCP
ciscoasa(config)# access-group out_to_dmz in int outside
With static PAT configured, external users can now use 172.16.1.201 as the destination and reach different services depending on the port. (Similarly, if access fails, add another ACL entry that allows all hosts to access the server's real IP; the two entries use the same ACL name, and the ACL is applied to the outside interface.)
As can be seen from the above configuration, attention must be paid to the syntax, because the order of the arguments changes between the commands. When configuring static PAT you can either specify the service name or the port number directly; specifying the port number directly is the more reliable choice.
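The following Python script is an added example (not from the original article and not Cisco code) that models the static NAT / static PAT plus ACL decision described in sections 3 and 4: it parses the article's static and access-list commands, untranslates a packet arriving on the outside interface, and then checks it against the ACL bound to that interface, so you can see why the ACL must name the mapped address (pre-8.3 behaviour) and what changing permit ip to permit tcp does. The parser, the inbound() function and the constructed source address 203.0.113.9 are assumptions of this example.

```python
"""
Added example, not from the article or from Cisco: a small model of how a
pre-8.3 ASA 'static' translation and the ACL applied inbound on the outside
interface together decide whether a packet from the Internet reaches a DMZ
server.  Addresses, ports and ACL names are the article's; the parser, the
packet representation and the result format are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Service names the article uses, resolved to port numbers (assumption: only
# the names needed here, not the ASA's full service-name table)
SERVICE_PORTS = {"http": 80, "https": 443, "telnet": 23, "ftp": 21, "smtp": 25}

def port(tok: str) -> int:
    return SERVICE_PORTS.get(tok) or int(tok)

@dataclass
class Static:
    real_if: str
    mapped_if: str
    proto: Optional[str]        # None = static NAT (all protocols); 'tcp'/'udp' = static PAT
    mapped_ip: str
    mapped_port: Optional[int]
    real_ip: str
    real_port: Optional[int]

@dataclass
class Ace:
    action: str                 # 'permit' or 'deny'
    proto: str                  # 'ip', 'tcp' or 'udp'
    src: str                    # 'any' or a host address
    dst: str                    # 'any' or a host address

def parse_config(text: str) -> Tuple[List[Static], Dict[str, List[Ace]], Dict[str, str]]:
    statics: List[Static] = []
    acls: Dict[str, List[Ace]] = {}
    bindings: Dict[str, str] = {}      # interface -> ACL applied inbound on it
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "static":
            real_if, mapped_if = tok[1].strip("()").split(",")
            if tok[2] in ("tcp", "udp"):
                # static (real,mapped) PROTO MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT
                statics.append(Static(real_if, mapped_if, tok[2], tok[3], port(tok[4]), tok[5], port(tok[6])))
            else:
                # static (real,mapped) MAPPED_IP REAL_IP
                statics.append(Static(real_if, mapped_if, None, tok[2], None, tok[3], None))
        elif tok[0] == "access-list":
            # access-list NAME [extended] permit|deny PROTO (any|host A) (any|host B)
            name, body = tok[1], tok[2:]
            if body[0] == "extended":
                body = body[1:]
            action, proto, body = body[0], body[1], body[2:]
            src, body = (body[1], body[2:]) if body[0] == "host" else (body[0], body[1:])
            dst = body[1] if body[0] == "host" else body[0]
            acls.setdefault(name, []).append(Ace(action, proto, src, dst))
        elif tok[0] == "access-group":
            # access-group NAME in int IFACE
            bindings[tok[4]] = tok[1]
    return statics, acls, bindings

def inbound(config, proto: str, src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, ...]:
    """Packet arriving on 'outside' addressed to a mapped address.
    Returns ('permit', real_ip, real_port) or ('drop', reason)."""
    statics, acls, bindings = config
    # 1. untranslate: a static whose mapped side faces outside must match the destination
    target = None
    for s in statics:
        if s.mapped_if != "outside" or s.mapped_ip != dst_ip:
            continue
        if s.proto is None:                                 # static NAT covers every protocol and port
            target = (s.real_ip, dst_port)
            break
        if s.proto == proto and s.mapped_port == dst_port:  # static PAT matches one proto/port only
            target = (s.real_ip, s.real_port)
            break
    if target is None:
        return ("drop", f"no static translation for {proto}/{dst_ip}:{dst_port}")
    # 2. the ACL inbound on outside is evaluated against the MAPPED address (pre-8.3 behaviour)
    acl = bindings.get("outside")
    if acl is None:
        return ("drop", "no ACL on outside: lower to higher security level is denied by default")
    for ace in acls.get(acl, []):
        if ace.proto in ("ip", proto) and ace.src in ("any", src_ip) and ace.dst in ("any", dst_ip):
            return ("permit", target[0], target[1]) if ace.action == "permit" else ("drop", f"denied by ACL {acl}")
    return ("drop", f"implicit deny at the end of ACL {acl}")

# The article's static PAT configuration, with the ACL tightened from 'ip' to 'tcp'
STATIC_PAT_CONFIG = """
static (dmz,outside) tcp 172.16.1.201 http 192.168.1.1 http
static (dmz,outside) tcp 172.16.1.201 23 192.168.1.10 23
access-list out_to_dmz permit tcp any host 172.16.1.201
access-group out_to_dmz in int outside
"""

# The article's static NAT configuration for the same server
STATIC_NAT_CONFIG = """
static (dmz,outside) 172.16.1.201 192.168.1.1
access-list out_to_dmz permit ip any host 172.16.1.201
access-group out_to_dmz in int outside
"""

if __name__ == "__main__":
    client = "203.0.113.9"   # constructed external source address
    for label, cfg in (("static PAT", parse_config(STATIC_PAT_CONFIG)), ("static NAT", parse_config(STATIC_NAT_CONFIG))):
        for proto, dport in (("tcp", 80), ("tcp", 23), ("tcp", 443), ("udp", 53)):
            print(label, proto, dport, "->", inbound(cfg, proto, client, "172.16.1.201", dport))
```

Running it shows the practical difference between the two sections: the static PAT configuration exposes only tcp/80 and tcp/23 of the mapped address, while the static NAT entry with permit ip lets every port and protocol through to 192.168.1.1, which is why the article suggests narrowing ip to tcp when the security requirements are higher.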
5. NAT control and NAT exemption
Since version 7.0 the ASA has provided a NAT control switch, the nat-control command; NAT control is disabled (no nat-control) by default. Executing nat-control in global configuration mode enables NAT control. With NAT control enabled, only addresses that have undergone NAT translation are allowed to send packets through the firewall; traffic for which no NAT translation is configured is not allowed through. Personally I do not find it very practical, so I am just noting it down here.
When NAT control is enabled and an address that has no NAT configured needs to pass through the firewall, NAT exemption can be configured.
NAT exemption means that the exempted addresses can communicate through the firewall without going through NAT address translation.
For example:
With NAT control enabled on the ASA, there is a 192.168.1.0 network segment in the DMZ. If the 10.0.0.0 segment in the inside area has no NAT configured and needs to communicate with 192.168.1.0 in the DMZ, NAT exemption is required. The configuration commands are as follows:
ciscoasa(config)# access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
ciscoasa(config)# nat (inside) 0 access-list nonat
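The following Python script is an added example (not part of the article and not Cisco code) that covers sections 1, 2 and 5 together: it parses the article's nat, global and nat 0 access-list commands and models, for an outbound packet from inside, the order of checks the text describes: NAT exemption first, then the dynamic nat rule on the ingress interface, then the global with the matching nat-id on the egress interface, and finally the nat-control decision for sources that no nat rule covers. The AsaNat class, the outside interface address 172.16.1.1 and the pool allocation order are assumptions of this example.

```python
"""
Added example, not from the article or from Cisco: a model of how pre-8.3 ASA
dynamic NAT, dynamic PAT, NAT exemption and nat-control decide what happens to
an outbound packet from inside.  Addresses and commands are the article's; the
parser, the packet representation and the pool allocation order are assumptions.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

IPv4Net = ipaddress.IPv4Network

def net(addr: str, mask: str) -> IPv4Net:
    """Build a network from the 'address mask' pair the ASA CLI uses; '0 0' means any."""
    if addr == "0" and mask == "0":
        return IPv4Net("0.0.0.0/0")
    return IPv4Net(f"{addr}/{mask}", strict=False)

class AsaNat:
    def __init__(self, config: str, interface_ips: Dict[str, str], nat_control: bool = False):
        self.interface_ips = interface_ips            # assumption: the IP address of each interface
        self.nat_control = nat_control
        # (ingress iface, nat-id, covered network or None, exemption ACL name or None)
        self.nat_rules: List[Tuple[str, int, Optional[IPv4Net], Optional[str]]] = []
        # (egress iface, nat-id) -> list of pool addresses (dynamic NAT) or one address (PAT)
        self.globals: Dict[Tuple[str, int], Union[List[str], str]] = {}
        self.acls: Dict[str, List[Tuple[IPv4Net, IPv4Net]]] = {}
        self.xlate: Dict[str, str] = {}               # real -> mapped, the dynamic NAT xlate table
        for raw in config.splitlines():
            tok = raw.split()
            if tok:
                self._parse(tok)

    def _parse(self, tok: List[str]) -> None:
        if tok[0] == "nat":
            iface, nat_id = tok[1].strip("()"), int(tok[2])
            if tok[3] == "access-list":               # nat (if) 0 access-list NAME : NAT exemption
                self.nat_rules.append((iface, nat_id, None, tok[4]))
            else:                                     # nat (if) ID ADDR MASK : dynamic NAT/PAT candidate
                self.nat_rules.append((iface, nat_id, net(tok[3], tok[4]), None))
        elif tok[0] == "global":
            iface, nat_id, target = tok[1].strip("()"), int(tok[2]), tok[3]
            if "-" in target:                         # address range -> one-to-one dynamic NAT pool
                lo, hi = (int(ipaddress.IPv4Address(a)) for a in target.split("-"))
                self.globals[(iface, nat_id)] = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
            elif target == "interface":               # PAT behind the egress interface address
                self.globals[(iface, nat_id)] = self.interface_ips[iface]
            else:                                     # single address -> PAT
                self.globals[(iface, nat_id)] = target
        elif tok[0] == "access-list":
            # access-list NAME extended permit ip SRC MASK DST MASK (the only form the article uses)
            name, body = tok[1], tok[2:]
            if body[0] == "extended":
                body = body[1:]
            self.acls.setdefault(name, []).append((net(body[2], body[3]), net(body[4], body[5])))

    def translate(self, src: str, dst: str, in_iface: str, out_iface: str) -> Tuple[str, str]:
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        # 1. NAT exemption is checked first: matching traffic crosses without translation
        for iface, nat_id, _, acl in self.nat_rules:
            if iface == in_iface and nat_id == 0 and acl:
                if any(s in sn and d in dn for sn, dn in self.acls.get(acl, [])):
                    return ("exempt", src)
        # 2. find the dynamic nat rule on the ingress interface that covers the source
        rule = next((nid for iface, nid, network, _ in self.nat_rules
                     if iface == in_iface and network is not None and s in network), None)
        if rule is None:
            if self.nat_control:
                return ("drop", "nat-control: no nat rule covers " + src)
            return ("no-translation", src)
        # 3. the global on the egress interface must carry the same nat-id
        target = self.globals.get((out_iface, rule))
        if target is None:
            return ("drop", f"no global with nat-id {rule} on {out_iface}")
        if isinstance(target, list):                  # dynamic NAT: one pool address per real host
            if src not in self.xlate:
                free = [a for a in target if a not in self.xlate.values()]
                if not free:   # a real ASA falls back to a PAT global with the same nat-id, if one exists
                    return ("drop", "dynamic NAT pool exhausted")
                self.xlate[src] = free[0]
            return ("dynamic-nat", self.xlate[src])
        return ("dynamic-pat", target)                # dynamic PAT: many real hosts share one address

# The article's commands from sections 1, 2 and 5 combined into one configuration
ARTICLE_CONFIG = """
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 172.16.1.100-172.16.1.200
nat (inside) 2 20.0.0.0 255.0.0.0
global (outside) 2 interface
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
"""
OUTSIDE_IP = {"outside": "172.16.1.1"}   # assumption: the outside interface address

if __name__ == "__main__":
    asa = AsaNat(ARTICLE_CONFIG, OUTSIDE_IP, nat_control=True)
    for src, dst, out in (("10.0.0.5", "8.8.8.8", "outside"), ("20.0.0.7", "8.8.8.8", "outside"),
                          ("10.0.0.5", "192.168.1.1", "dmz"), ("30.0.0.1", "8.8.8.8", "outside")):
        print(src, "->", dst, "via", out, ":", asa.translate(src, dst, "inside", out))
```

The same script also reproduces the nat-id rule from section 1: a configuration with nat (inside) 1 and only global (outside) 2 yields a drop, because no global with nat-id 1 exists on the egress interface, and a 0 0 nat statement covers any source.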