ASA 8.3 Object NAT / Twice NAT Introduction (现任明教教主)
2017-02-06 10:26
330 views
Original article: 现任明教教主 ASA 8.3 Object NAT/Twice NAT 介绍. Author: 现任明教教主-乾颐堂
Students who recently bought my paid SNAF videos asked about this, saying that NAT in 8.3 is very different from earlier versions. I found that this is indeed the case, so today I wrote this document specifically to explain it. I will also fold this part into my latest SNAF course and promptly send the updated videos to students who purchased the service.
Network Object NAT configuration
1. Dynamic NAT (dynamic NAT, dynamic one-to-one)
Example 1:
Traditional configuration:
nat (Inside) 1 10.1.1.0 255.255.255.0
global (Outside) 1 202.100.1.100-202.100.1.200
New configuration (Network Object NAT):
object network Outside-Nat-Pool
range 202.100.1.100 202.100.1.200
object network Inside-Network
subnet 10.1.1.0 255.255.255.0
object network Inside-Network
nat (Inside,Outside) dynamic Outside-Nat-Pool
Example 2:
object network Outside-Nat-Pool
range 202.100.1.100 202.100.1.200
object network Outside-PAT-Address
host 202.100.1.201
object-group network Outside-Address
network-object object Outside-Nat-Pool
network-object object Outside-PAT-Address
object network Inside-Network
(First dynamic one-to-one from the .100-.200 pool, then dynamic PAT to 202.100.1.201, and finally dynamic PAT to the interface address)
nat (Inside,Outside) dynamic Outside-Address interface
The author's view: the advantage of this configuration style is that the new NAT command binds the source and destination interfaces, so the problem the traditional configuration had of also affecting DMZ traffic (which at the time required nat 0 plus an ACL to bypass) does not arise.
2. Dynamic PAT (Hide) (dynamic PAT, dynamic many-to-one)
Traditional configuration:
nat (Inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 202.100.1.101
New configuration (Network Object NAT):
object network Inside-Network
subnet 10.1.1.0 255.255.255.0
object network Outside-PAT-Address
host 202.100.1.101
object network Inside-Network
nat (Inside,Outside) dynamic Outside-PAT-Address
or
nat (Inside,Outside) dynamic 202.100.1.102
3. Static NAT or Static NAT with Port Translation (static one-to-one translation, static port translation)
Example 1 (static one-to-one translation):
Traditional configuration:
static (Inside,outside) 202.100.1.101 10.1.1.1
New configuration (Network Object NAT):
object network Static-Outside-Address
host 202.100.1.101
object network Static-Inside-Address
host 10.1.1.1
object network Static-Inside-Address
nat (Inside,Outside) static Static-Outside-Address
or
nat (Inside,Outside) static 202.100.1.102 [dns]
Example 2 (static port translation):
Traditional configuration:
static (inside,outside) tcp 202.100.1.102 2323 10.1.1.1 23
New configuration (Network Object NAT):
object network Static-Outside-Address
host 202.100.1.101
object network Static-Inside-Address
host 10.1.1.1
object network Static-Inside-Address
nat (Inside,Outside) static Static-Outside-Address service tcp telnet 2323
or
nat (Inside,Outside) static 202.100.1.101 service tcp telnet 2323
4. Identity NAT
Traditional configuration:
nat (inside) 0 10.1.1.1 255.255.255.255
New configuration (Network Object NAT):
object network Inside-Address
host 10.1.1.1
object network Inside-Address
nat (Inside,Outside) static Inside-Address
or
nat (Inside,Outside) static 10.1.1.1
Twice NAT (similar to Policy NAT)
Example 1:
Traditional configuration:
access-list inside-to-1 permit ip 10.1.1.0 255.255.255.0 host 1.1.1.1
access-list inside-to-202 permit ip 10.1.1.0 255.255.255.0 host 202.100.1.1
nat (inside) 1 access-list inside-to-1
nat (inside) 2 access-list inside-to-202
global (outside) 1 202.100.1.101
global (outside) 2 202.100.1.102
New configuration (Twice NAT):
object network dst-1
host 1.1.1.1
object network dst-202
host 202.100.1.1
object network pat-1
host 202.100.1.101
object network pat-2
host 202.100.1.102
object network Inside-Network
subnet 10.1.1.0 255.255.255.0
nat (Inside,Outside) source dynamic Inside-Network pat-1 destination static dst-1 dst-1
nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202
Example 2:
Traditional configuration:
access-list inside-to-1 permit ip 10.1.1.0 255.255.255.0 host 1.1.1.1
access-list inside-to-202 permit ip 10.1.1.0 255.255.255.0 host 202.100.1.1
nat (inside) 1 access-list inside-to-1
nat (inside) 2 access-list inside-to-202
global (outside) 1 202.100.1.101
global (outside) 2 202.100.1.102
static (outside,inside) 10.1.1.101 1.1.1.1
static (outside,inside) 10.1.1.102 202.100.1.1
New configuration (Twice NAT):
object network dst-1
host 1.1.1.1
object network dst-202
host 202.100.1.1
object network pat-1
host 202.100.1.101
object network pat-2
host 202.100.1.102
object network Inside-Network
subnet 10.1.1.0 255.255.255.0
object network map-dst-1
host 10.1.1.101
object network map-dst-202
host 10.1.1.102
nat (Inside,Outside) source dynamic Inside-Network pat-1 destination static map-dst-1 dst-1
nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static map-dst-202 dst-202
Example 3:
Traditional configuration:
access-list inside-to-1 permit tcp 10.1.1.0 255.255.255.0 host 1.1.1.1 eq 23
access-list inside-to-202 permit tcp 10.1.1.0 255.255.255.0 host 202.100.1.1 eq 3032
nat (inside) 1 access-list inside-to-1
nat (inside) 2 access-list inside-to-202
global (outside) 1 202.100.1.101
global (outside) 2 202.100.1.102
New configuration (Twice NAT):
object network dst-1
host 1.1.1.1
object network dst-202
host 202.100.1.1
object network pat-1
host 202.100.1.101
object network pat-2
host 202.100.1.102
object network Inside-Network
subnet 10.1.1.0 255.255.255.0
object service telnet23
service tcp destination eq telnet
object service telnet3032
service tcp destination eq 3032
nat (Inside,Outside) source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23
nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202 service telnet3032 telnet3032
Main Differences Between Network Object NAT and Twice NAT
How you define the real address:
– Network object NAT: You define NAT as a parameter for a network object; the network object definition itself provides the real address. This method lets you easily add NAT to network objects. The objects can also be used in other parts of your configuration, for example in access rules or even in twice NAT rules.
– Twice NAT: You identify a network object or network object group for both the real and mapped addresses. In this case, NAT is not a parameter of the network object; the network object or group is a parameter of the NAT configuration. The ability to use a network object group for the real address means that twice NAT is more scalable.
How source and destination NAT is implemented:
– Network object NAT: Each rule can apply to either the source or destination of a packet. So two rules might be used, one for the source IP address and one for the destination IP address. These two rules cannot be tied together to enforce a specific translation for a source/destination combination.
– Twice NAT: A single rule translates both the source and destination. A matching packet only matches the one rule, and further rules are not checked. Even if you do not configure the optional destination address for twice NAT, a matching packet still only matches one twice NAT rule. The source and destination are tied together, so you can enforce different translations depending on the source/destination combination. For example, sourceA/destinationA can have a different translation than sourceA/destinationB.
We recommend using network object NAT unless you need the extra features that twice NAT provides. Network object NAT is easier to configure, and might be more reliable for applications such as Voice over IP (VoIP).
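The source/destination pairing described above, worked through on the article's Twice NAT example 3 as an added illustration (this is not ASA code and not from the article): the two twice NAT rules are evaluated first-match on source, destination and service together, while the object NAT rule from the same page looks only at the source. Interface matching and the destination translation are left out.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Network objects from the article's Twice NAT example 3 (values as on the page).
OBJECTS = {
    "Inside-Network": ipaddress.ip_network("10.1.1.0/24"),
    "dst-1": ipaddress.ip_network("1.1.1.1/32"),
    "dst-202": ipaddress.ip_network("202.100.1.1/32"),
    "pat-1": ipaddress.ip_address("202.100.1.101"),
    "pat-2": ipaddress.ip_address("202.100.1.102"),
}
# Service objects telnet23 / telnet3032 as (protocol, destination port).
SERVICES = {"telnet23": ("tcp", 23), "telnet3032": ("tcp", 3032)}

@dataclass
class TwiceNatRule:
    real_src: str                   # network object matched against the real source
    mapped_src: str                 # PAT address object used as the mapped source
    real_dst: Optional[str] = None  # optional destination object (static, unchanged)
    service: Optional[str] = None   # optional service object (destination port)

# Manual NAT rules in configuration order (Section 1 order).
RULES = [
    TwiceNatRule("Inside-Network", "pat-1", "dst-1", "telnet23"),
    TwiceNatRule("Inside-Network", "pat-2", "dst-202", "telnet3032"),
]

def match_twice_nat(src, dst, proto, dport, rules=RULES):
    """Mapped source chosen by the first matching twice NAT rule, or None.
    Source, destination and service are checked together; the first hit wins."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if src_ip not in OBJECTS[rule.real_src]:
            continue
        if rule.real_dst and dst_ip not in OBJECTS[rule.real_dst]:
            continue
        if rule.service and SERVICES[rule.service] != (proto, dport):
            continue
        return str(OBJECTS[rule.mapped_src])
    return None

def match_object_nat(src, mapped="202.100.1.105"):
    """Object NAT on Inside-Network (the article's 'nat (Inside,Outside) dynamic
    202.100.1.105'): only the source is evaluated, so every destination gets
    the same mapped address."""
    return mapped if ipaddress.ip_address(src) in OBJECTS["Inside-Network"] else None
```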
NAT Rule Order
Ordering example:
192.168.1.1/32 (static)
10.1.1.0/24 (static)
192.168.1.0/24 (static)
172.16.1.0/24 (dynamic) (object abc)
172.16.1.0/24 (dynamic) (object def)
192.168.1.0/24 (dynamic)
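The six-entry list above is the order the ASA derives on its own for auto (object) NAT rules. The sorter below is an added example, not ASA code and not from the article; it reproduces that order from the documented criteria (static before dynamic, fewer real addresses first, lower IP address first, then object name alphabetically). The object names other than abc and def are assumed, since the article does not give them.

```python
import ipaddress
from typing import NamedTuple

class AutoNatRule(NamedTuple):
    obj: str      # network object name
    real: str     # real address of the object in CIDR form
    static: bool  # True for static NAT, False for dynamic NAT/PAT

def section2_order(rules):
    """Sort auto NAT rules the way the ASA orders them in Section 2:
    1. static rules before dynamic rules
    2. fewer real addresses first (a /32 before a /24)
    3. lower real IP address first
    4. object name, alphabetically"""
    def key(r):
        net = ipaddress.ip_network(r.real)
        return (0 if r.static else 1, net.num_addresses,
                int(net.network_address), r.obj)
    return sorted(rules, key=key)

# Constructed rule set, deliberately shuffled, that should come out in the
# article's order. Object names other than abc/def are assumed.
EXAMPLE_RULES = [
    AutoNatRule("def", "172.16.1.0/24", False),
    AutoNatRule("net-192-dyn", "192.168.1.0/24", False),
    AutoNatRule("net-10", "10.1.1.0/24", True),
    AutoNatRule("abc", "172.16.1.0/24", False),
    AutoNatRule("net-192", "192.168.1.0/24", True),
    AutoNatRule("host-192", "192.168.1.1/32", True),
]

def ordered_reals(rules=EXAMPLE_RULES):
    """Render the sorted rules in the same 'real (type) (object)' form the article uses."""
    return [f"{r.real} ({'static' if r.static else 'dynamic'}) ({r.obj})"
            for r in section2_order(rules)]
```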
Commands to view the NAT order:
ASA(config)# sh run nat
nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202 service telnet3032 telnet3032
!
object network Inside-Network
nat (Inside,Outside) dynamic 202.100.1.105
!
nat (Inside,Outside) after-auto source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23
ASA(config)# sh nat
Manual NAT Policies (Section 1)
1 (Inside) to (Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202 service telnet3032 telnet3032
translate_hits = 1, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (Inside) to (Outside) source dynamic Inside-Network 202.100.1.105
translate_hits = 0, untranslate_hits = 0
Manual NAT Policies (Section 3)
1 (Inside) to (Outside) source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23
translate_hits = 0, untranslate_hits = 0
How to reorder and insert NAT rules (the number after the interface pair is the line position):
nat (Inside,Outside) 1 source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23