CISCO ASA NAT configuration

Updated 2025-03-29. Source: SLTechnology News&Howtos, Network Security

Shulou (Shulou.com) 06/01 report

Comparison of NAT configuration on the Cisco ASA firewall: pre-8.3 syntax versus the 8.3/8.4 object NAT syntax

The Cisco ASA firewall has now reached version 8.4. Starting with 8.3 the configuration model changed substantially, and NAT in particular is now expressed through network objects and object-groups rather than nat/global/static statements. Two consequences matter when converting an old configuration: since 8.3 traffic no longer needs a NAT rule to pass through the firewall (the nat-control command was removed), and access lists match the real, untranslated address rather than the mapped one. Each scenario below shows the new syntax followed by its pre-8.3 equivalent.

Scenario 1: private-network traffic going to the public network is translated to the outside interface address (PAT). Suitable for small offices that have a single public address.

object network inside_outside
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

Pre-8.3 syntax:

nat (inside) 1 0 0
global (outside) 1 interface

Scenario 2: private-network traffic going to the public network is translated to one specific public address. Suitable for small offices or branch offices.

object network inside_outside
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic 200.0.0.1

With a single inline address as the mapped target the ASA performs dynamic PAT on that address, so the whole office shares 200.0.0.1, exactly as the single-address global did before 8.3.

Pre-8.3 syntax:

nat (inside) 1 0 0
global (outside) 1 200.0.0.1

Scenario 3: sites with a large number of public addresses, typically a carrier or a large corporate network: dynamic one-to-one translation from a pool.

object network inside-outside-pool
 range 200.0.0.100 200.0.0.200
object network inside-outside-all
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic inside-outside-pool

Each inside host takes one pool address for as long as it has translations. Once all 101 addresses are in use, new connections from further hosts are dropped because this rule has no PAT fallback; Scenario 4 adds one.

Pre-8.3 syntax:

nat (inside) 1 0 0
global (outside) 1 200.0.0.100-200.0.0.200

Scenario 4: the same environment (carrier or corporate network with many public addresses), but a PAT address and the interface address are added after the pool so that the pool cannot be exhausted (recommended).

object network inside-outside-trans
 range 10.10.10.100 10.10.10.200
object network inside-outside-PAT
 host 10.10.10.201
object-group network nat-pat-grp
 network-object object inside-outside-trans
 network-object object inside-outside-PAT
object network inside-outside-all
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic nat-pat-grp interface

In the mapped group the range is used first for one-to-one dynamic NAT; when it is exhausted the host address is used for PAT, and the interface keyword makes the interface address the final fallback.

Pre-8.3 syntax:

nat (inside) 1 0 0
global (outside) 1 10.10.10.100-10.10.10.200
global (outside) 1 10.10.10.201
global (outside) 1 interface

Scenario 5: mail and web servers on the intranet must be reachable by remote users: static (one-to-one) translation.

object network inside-server
 host 200.0.0.10
object network server-static
 host 192.168.0.3
 nat (inside,outside) static inside-server

The nat command is entered under the object that holds the real address; the mapped address may also be written inline (nat (inside,outside) static 200.0.0.10). The translation by itself exposes nothing: an access list applied inbound on the outside interface must still permit the traffic, and from 8.3 onward that access list must reference the real address 192.168.0.3, not 200.0.0.10.

Pre-8.3 syntax (the mapped address comes first):

static (inside,outside) 200.0.0.10 192.168.0.3 netmask 255.255.255.255

Scenario 6: a more complex requirement. The customer has many servers (minicomputers) in a low-security zone (dmz) providing business services. The real server addresses must stay hidden, and each public-facing service is mapped one-to-one by port with static PAT on the outside interface address, here the FTP port:

object network obj-ftp
 host 192.168.1.1
 nat (dmz,outside) static interface service tcp ftp ftp

Only TCP port 21 of the outside interface address is forwarded to 192.168.1.1; the server's other ports are not reachable through this rule, and the FTP data connections are opened through the mapping by the ASA's FTP inspection, which is enabled in the default global policy.

Scenario 7: identity NAT. For business traffic passing through the firewall whose source address must not be changed, the address is translated to itself.

object network inside-nonat
 host 192.168.1.2
 nat (inside,outside) static 192.168.1.2

Because static rules are evaluated before dynamic ones, this keeps 192.168.1.2 out of the 0.0.0.0/0 dynamic rules of the earlier scenarios (typical for VPN-bound traffic). The pre-8.3 equivalent is static (inside,outside) 192.168.1.2 192.168.1.2 netmask 255.255.255.255, or nat 0 with an access list.
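As an added example that ties the seven scenarios together (it is not code from the article and not a Cisco tool), the following Python script converts the pre-8.3 nat/global/static forms shown above into the 8.3+ object NAT syntax. It handles only the command forms used on this page; the object names (auto_nat_…, auto_pool_…, auto_static_…) and the sample input are this example's own constructions.

```python
"""Convert pre-8.3 Cisco ASA NAT (nat/global/static) to 8.3+ object NAT.

Added example, not from the article or from Cisco. Handles only:
  nat (real_ifc) id real_ip mask
  global (mapped_ifc) id {interface | single_ip | lo-hi}
  static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
  static (real_ifc,mapped_ifc) {tcp|udp} mapped_ip mport real_ip rport netmask mask
Object names (auto_nat_<id>_..., auto_pool_..., auto_static_...) are our own.
"""
import re
from collections import defaultdict

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")
STATIC_PAT_RE = re.compile(
    r"^static \((\S+),(\S+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask (\S+)$")


def _any(tok):
    """Expand the pre-8.3 shorthand '0' (as in 'nat (inside) 1 0 0') to 0.0.0.0."""
    return "0.0.0.0" if tok == "0" else tok


def _dynamic_target(mapped, nat_id, mapped_ifc, out):
    """Operand of 'nat ... dynamic' for all globals sharing one nat id.

    Keeps pre-8.3 semantics: lo-hi range = one-to-one pool, single address =
    PAT, 'interface' = PAT on the interface address, used after the pool.
    """
    pools = [m for m in mapped if "-" in m]
    hosts = [m for m in mapped if m != "interface" and "-" not in m]
    fallback = " interface" if "interface" in mapped else ""
    if len(pools) > 1 or len(hosts) > 1 or (pools and hosts):
        raise ValueError(f"nat id {nat_id}: unsupported mix of global statements")
    if hosts:
        return hosts[0] + fallback
    if pools:
        lo, hi = pools[0].split("-")
        name = f"auto_pool_{nat_id}_{mapped_ifc}"
        out.extend([f"object network {name}", f" range {lo} {hi}"])
        return name + fallback
    return "interface"


def translate(old_config):
    """Return 8.3+ object NAT text for a block of pre-8.3 NAT commands."""
    nats, globals_, out = [], defaultdict(list), []
    for line in old_config.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        if m := NAT_RE.match(line):
            ifc, nat_id, ip, mask = m.groups()
            if nat_id == "0":  # nat 0 exemption uses the access-list form
                raise ValueError("nat 0 exemption is not handled by this converter")
            nats.append((ifc, nat_id, _any(ip), _any(mask)))
        elif m := GLOBAL_RE.match(line):
            ifc, nat_id, mapped = m.groups()
            globals_[nat_id].append((ifc, mapped))
        elif m := STATIC_PAT_RE.match(line):
            r_ifc, m_ifc, proto, m_ip, m_port, r_ip, r_port, _ = m.groups()
            name = f"auto_static_{r_ip.replace('.', '_')}_{proto}_{r_port}"
            out.extend([f"object network {name}", f" host {r_ip}",
                        f" nat ({r_ifc},{m_ifc}) static {m_ip} service {proto} {r_port} {m_port}"])
        elif m := STATIC_RE.match(line):
            r_ifc, m_ifc, m_ip, r_ip, mask = m.groups()
            name = f"auto_static_{r_ip.replace('.', '_')}"
            if mask == "255.255.255.255":
                out.extend([f"object network {name}", f" host {r_ip}",
                            f" nat ({r_ifc},{m_ifc}) static {m_ip}"])
            else:  # subnet static: mapped side needs its own object
                out.extend([f"object network {name}_mapped", f" subnet {m_ip} {mask}",
                            f"object network {name}", f" subnet {r_ip} {mask}",
                            f" nat ({r_ifc},{m_ifc}) static {name}_mapped"])
        else:
            raise ValueError(f"unrecognised line: {line}")
    for real_ifc, nat_id, ip, mask in nats:
        by_ifc = defaultdict(list)
        for mapped_ifc, mapped in globals_.get(nat_id, []):
            by_ifc[mapped_ifc].append(mapped)
        if not by_ifc:
            raise ValueError(f"nat ({real_ifc}) {nat_id} has no matching global")
        for mapped_ifc, mapped in by_ifc.items():
            target = _dynamic_target(mapped, nat_id, mapped_ifc, out)
            out.extend([f"object network auto_nat_{nat_id}_{real_ifc}_{mapped_ifc}",
                        f" subnet {ip} {mask}",
                        f" nat ({real_ifc},{mapped_ifc}) dynamic {target}"])
    return "\n".join(out)


# Constructed sample: the article's scenarios in pre-8.3 form, given distinct
# nat ids so they can coexist (scenarios 3 and 4 are merged under id 3).
SAMPLE = """
nat (inside) 1 0 0
global (outside) 1 interface
nat (inside) 2 192.168.10.0 255.255.255.0
global (outside) 2 200.0.0.1
nat (inside) 3 192.168.20.0 255.255.255.0
global (outside) 3 200.0.0.100-200.0.0.200
global (outside) 3 interface
static (inside,outside) 200.0.0.10 192.168.0.3 netmask 255.255.255.255
static (dmz,outside) tcp interface ftp 192.168.1.1 ftp netmask 255.255.255.255
static (inside,outside) 192.168.1.2 192.168.1.2 netmask 255.255.255.255
"""

if __name__ == "__main__":
    print(translate(SAMPLE))
```

The order in which the objects are printed does not matter on the ASA: object NAT rules are ordered automatically, static before dynamic and then most specific (fewest real addresses) first, which is why the identity rule of Scenario 7 wins over the 0.0.0.0/0 dynamic rule. The script deliberately rejects nat 0 exemptions and access-list based policy NAT instead of guessing; Cisco's own upgrade conversion handles those, and the result should in any case be checked with the commands below.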

Common troubleshooting commands:

show run nat
show run object network
show run object-group
show nat detail
show xlate
show conn
show nat pool
debug nat 255

To see which NAT rule a given flow hits and whether the access list permits it, run packet-tracer input <ifc> tcp <src-ip> <src-port> <dst-ip> <dst-port>; its output names the matching nat rule and the translated addresses.
