Shulou(Shulou.com)06/02 Report--

Foreword:

Many people confuse the concept of firewall. In fact, NAT is NAT, which is responsible for IP address mapping. A firewall is a firewall, which is responsible for filtering data packets. But why are there so many people who can't tell the difference? The reason is simple, because the functionality of NAT has changed. Why change it? Because NAT has a problem. Why did NAT run into problems? Because.

According to the NAT above. Suppose that when C sends data to B, another port 100 of C also wants to send a packet to B, what does A do when the packet arrives at A? Yes or no? If so, have packets from another IP to A been allowed? Obviously, at a time when network security is increasingly threatened, it is dangerous to let these packets through. So NAT decided not to let these packets pass, which means that NAT has packet filtering. So:

Firewall:NAT, packet filtering is my business. What do you care? Whether I have nuclear weapons or not is my business. Can you care? )

NAT: it's not safe to let these packets pass, so I have to filter them (Iran has nuclear weapons, it's a threat, and I have to kill it).

Firewall: so are you NAT or are you a firewall? What about your sovereignty, human rights, peace and freedom? )

NAT: (clenched teeth) I'm a NAT with partial firewall functions. What about you? Can you do whatever I want? )

Firewall:. (what is it, the whole bastard, it's still beautiful)

(in fact, conceptually, you can't say that, but it's easy to understand, and there's no need to delve into it, so that's it.)

Through this short conversation, I believe you have a simple understanding of the relationship between NAT and firewall, and then I will bring you a small experiment on configuring NAT on the firewall.

Related knowledge points:

Type of NAT on ASA:

-dynamic NAT

-dynamic PAT

-static NAT

-static PAT

Lab Topology:

As shown in the figure:

Experimental requirements: use a single mapped address to provide HTTP and FTP services 1. Convert private address to public network address 2.client2 can access WEB server server33.client2 can access FTP server server5 address plan:

As shown in the figure:

Experimental ideas and steps:

Configure the IP address and mask of the device

1. Configure end Devic

Server2:

Client2:

Server3:

Server5:

Client3:

two。 Configure the ASA interface IP address

The command is as follows:

Asa# conf te / / enter the global view asa (config) # int g1ax / enter the logical interface g1asa (config-if) # nameif outside / / name the logical interface asa (config-if) # security-level 0max / configure the security level to 0asa (config-if) # ip address 200.8.3 255.255.255.248max / configure IP address asa (config-if) # no shutdown// enable interface asa (config-if) # exit/ / exit asa (config) # int g2ax / enter the logical interface g2asa (config-if) # nameif DMZ// name the logical interface "demilitarized zone" asa (config-if) # security-level 50max / configure the security level to 50asa (config-if) # ip address 192.168.3.254 255.255.255.0 / configure IP address asa (config-if) # no shutdown// enable interface asa (config-if) # exit// exit 3. Configure the http service for server3

The operation is shown in the figure:

4. Configure the ftp service for server5

The operation is shown in the figure:

Configure static PAT port mapping to translate private network addresses into public network addresses to provide services for the public network

The command is as follows:

Asa (config) # object network ob-out / / asa (config-network-object) # host 200.8.8.1-asa (config) # object network dmz01 asa (config-network-object) # host 192.168.3.100 asa (config-network-object) # nat (dmz,outside) static ob-out service tcp 80 80-asa (config) # object network dmz02 asa (config-network-object) # host 192.168.3.101 asa (config-network-object) # nat (dmz) Outside) static ob-out service tcp 21 21

Configure ACL to allow client2 to access server3 and server5

Analysis: because client2 is located in the outside zone and the security level is lower than that in the DMZ zone, by default, areas with low security levels are not allowed to access areas with high feminist levels, so if you want to access server3 and server5 located in the DMZ zone, you must configure ACL to allow client2 traffic to pass through.

The command is as follows: asa (config) # access-list out_to_dmz permit tcp host 200.8.8.5 object dmz01 eq httpasa (config) # access-list out_to_dmz permit tcp host 200.8.8.5 object dmz02 eq ftp asa (config) # access-group out_to_dmz in interface outside authentication:

1.client2 accesses Server3's http service

2.client2 accesses Server5's ftp service

3. View the xlat table through the show xlat command

From this figure, we can see that port 80 of the internal network address 192.168.3.100 has been translated into the public network address 200.8.8.1, realizing the purpose of providing hHTTP services for access to the public network, and port 21 of the internal network address 192.168.3.101 has also been translated into the public network address 200.8.8.1, achieving the purpose of providing FTP services for access to the public network.

The above is the static PAT port mapping, it can achieve the purpose of using a single mapped address to provide http and ftp, of course, there are three other nat also have different application environments, here to introduce this one, shortcomings, please give us a lot of advice, thank you!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.