2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Experimental requirements:
The network is divided into three zones: inside (internal network), outside (external network) and dmz (server area).
Configure PAT to translate directly to the IP address of the outside interface.
Configure static NAT to publish the intranet server.
Enable NAT control and configure NAT exemption so that no NAT translation is performed when the private network accesses hosts in the dmz zone.
R1 configuration:
R1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# host outsite
outsite(config)# int f0/0
outsite(config-if)# ip add 12.0.0.2 255.255.255.0
outsite(config-if)# no shut
00:21:15: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
00:21:16: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
outsite(config-if)# int f0/1
outsite(config-if)# ip add 13.0.0.1 255.255.255.0
outsite(config-if)# no shut
outsite(config-if)#
00:21:33: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
00:21:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
outsite(config-if)# exit
outsite(config)# ip route 0.0.0.0 0.0.0.0 f0/0
outsite(config)# end
ASA configuration:
ciscoasa# conf t
ciscoasa(config)# hostname asa
asa(config)# int e0/0
asa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
asa(config-if)# ip add 192.168.1.1 255.255.255.0
asa(config-if)# no shut
asa(config-if)# int e0/2
asa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
asa(config-if)# ip add 12.0.0.1 255.255.255.0
asa(config-if)# no shut
asa(config-if)# int e0/1
asa(config-if)# ip add 192.168.10.1 255.255.255.0
asa(config-if)# no shut
asa(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
asa(config-if)# security-level 50
asa(config-if)# no shut
asa(config-if)# exit
asa(config)# route outside 0 0 12.0.0.2
ciscoasa# conf t
ciscoasa(config)# nat-control
ciscoasa(config)# nat (inside) 1 192.168.1.0 255.255.255.0
ciscoasa(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
ciscoasa(config)# end
ciscoasa# show xlate
0 in use, 1 most used
ciscoasa# show xlate
1 in use, 1 most used
PAT Global 12.0.0.1(1) Local 192.168.1.2 ICMP id 1
The xlate table shows that the intranet address 192.168.1.2 has been translated to the outside interface address 12.0.0.1, so intranet users can reach the Internet.
The ping is still blocked by the firewall, so an ACL is needed to permit it:
ciscoasa(config)# access-list 111 permit icmp any any
ciscoasa(config)# access-group 111 in interface outside
! NAT exemption: traffic from the private network to the dmz zone is not translated and keeps its private address.
ciscoasa(config)# access-list nonat permit ip host 192.168.1.2 host 192.168.10.10
ciscoasa(config)# nat (inside) 0 access-list nonat
Now test again.
Because traffic from a higher security level to a lower one is permitted by default, no ACL is needed for the private network to reach the dmz zone. The tests are as follows:
Static NAT (the server that publishes the DMZ zone) one-to-one fixed conversion:
ciscoasa(config)# static (dmz,outside) 12.0.0.3 192.168.10.10
ciscoasa(config)# access-list out_to_dmz permit tcp any host 12.0.0.3 eq www
! An interface holds only one inbound ACL, so this access-group replaces ACL 111 on outside.
ciscoasa(config)# access-group out_to_dmz in int outside
ciscoasa(config)# exit
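As an added illustration (not part of the original article and not Cisco code), the following Python sketch is a simplified model of the pre-8.3 ASA NAT lookup order with nat-control enabled, using the rules configured above. It shows that the exemption covers only host 192.168.1.2, so another inside host has no translation toward the dmz and is dropped; the hosts 192.168.1.3 and 192.168.10.20 are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Rules transcribed from the page's ASA configuration.
SECURITY = {"inside": 100, "dmz": 50, "outside": 0}
EXEMPT = [("inside", "192.168.1.2/32", "192.168.10.10/32")]  # nat (inside) 0 access-list nonat
STATIC = [("dmz", "outside", "192.168.10.10", "12.0.0.3")]   # static (dmz,outside) ...
DYNAMIC = [("inside", 1, "192.168.1.0/24")]                  # nat (inside) 1 ...
GLOBAL = {("outside", 1): "12.0.0.1"}                        # global (outside) 1 interface


def translate(src_if, src, dst_if, dst):
    """Return (rule, source address seen on dst_if) for a new flow, nat-control on."""
    s, d = ip_address(src), ip_address(dst)
    # 1. NAT exemption is evaluated before any other NAT rule.
    for iface, snet, dnet in EXEMPT:
        if iface == src_if and s in ip_network(snet) and d in ip_network(dnet):
            return ("exempt", src)
    # 2. Static one-to-one translation for the published server.
    for real_if, mapped_if, real, mapped in STATIC:
        if (real_if, mapped_if, real) == (src_if, dst_if, src):
            return ("static", mapped)
    # 3. Dynamic PAT: the nat ID needs a matching global on the egress interface.
    for iface, nat_id, snet in DYNAMIC:
        if iface == src_if and s in ip_network(snet):
            pool = GLOBAL.get((dst_if, nat_id))
            return ("pat", pool) if pool else ("drop", None)
    # 4. nat-control: a higher-to-lower flow with no NAT rule is dropped.
    if SECURITY[src_if] > SECURITY[dst_if]:
        return ("drop", None)
    return ("identity", src)


if __name__ == "__main__":
    flows = [  # 192.168.1.3 and 192.168.10.20 are constructed hosts, not from the page
        ("inside", "192.168.1.2", "outside", "12.0.0.2"),
        ("inside", "192.168.1.2", "dmz", "192.168.10.10"),
        ("inside", "192.168.1.3", "dmz", "192.168.10.10"),
        ("dmz", "192.168.10.10", "outside", "12.0.0.2"),
        ("dmz", "192.168.10.20", "outside", "12.0.0.2"),
    ]
    for flow in flows:
        print(flow, "->", translate(*flow))
```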
The public network verification is as follows: