ASA83及以后版本 NAT配置介绍

Network Object NAT 配置介绍1. Dynamic NAT (动态 NAT,动态一对一)实例一：传统配置方法：nat (Inside) 1 10.1.1.0 255.255.255.0global (Outside) 1 202.100.1.100-202.100.1.200新配置方法(Network Object NAT)object network Outside-Nat-Poolrange 202.100.1.100 202.100.1.200object network Inside-Networksubnet 10.1.1.0 255.255.255.0object network Inside-Networknat (Inside,Outside) dynamic Outside-Nat-Pool实例二：object network Outside-Nat-Poolrange 202.100.1.100 202.100.1.200object network Outside-PAT-Addresshost 202.100.1.201object-group network Outside-Addressnetwork-object object Outside-Nat-Poolnetwork-object object Outside-PAT-Addressobject network Inside-Network(先100-200动态一对一，然后202.100.1.201动态PAT,最后使用接口地址动态PAT)nat (Inside,Outside) dynamic Outside-Address interface这种配置方式的好处是，新的NAT命令绑定了源接口和目的接口，所以不会出现传统配 置影响DMZ的问题(当时需要nat0 + acl来旁路)2. Dynamic PAT (Hide)(动态 PAT，动态多对一)传统配置方式:nat (Inside) 1 10.1.1.0 255.255.255.0global(outside) 1 202.100.1.101新配置方法(Network Object NAT)object network Inside-Networksubnet 10.1.1.0 255.255.255.0object network Outside-PAT-Addresshost 202.100.1.101object network Inside-Networknat (Inside,Outside) dynamic Outside-PAT-Addressornat (Inside,Outside) dynamic 202.100.1.1023.Static NAT or Static NAT with Port Translation (静态一对一转换，静态端口转换)实例一：(静态一对一转换)传统配置方式：static (Inside,outside) 202.100.1.101 10.1.1.1新配置方法(Network Object NAT)object network Static-Outside-Addresshost 202.100.1.101object network Static-Inside-Addresshost 10.1.1.1object network Static-Inside-Addressnat (Inside,Outside) static Static-Outside-Addressornat (Inside,Outside) static 202.100.1.102 实例二：(静态端口转换)传统配置方式：static (inside,outside) tcp 202.100.1.102 2323 10.1.1.1 23新配置方法(Network Object NAT)object network Static-Outside-Addresshost 202.100.1.101object network Static-Inside-Addresshost 10.1.1.1object network Static-Inside-Addressnat (Inside,Outside) static Static-Outside-Address service tcp telnet 2323 ornat (Inside,Outside) static 202.100.1.101 service tcp telnet 23234.Identity NAT传统配置方式：nat (inside) 0 10.1.1.1 255.255.255.255新配置方法(Network Object NAT)object network Inside-Addresshost 10.1.1.1object network Inside-Addressnat (Inside,Outside) static Inside-Addressornat (Inside,Outside) static 10.1.1.1Twice NAT (类似于 Policy NAT)实例一：传统配置：access-list inside-to-1 permit ip 10.1.1.0 255.255.255.0 host 1.1.1.1access-list inside-to-202 permit ip 10.1.1.0 255.255.255.0 host 202.100.1.1nat (inside) 1 access-list inside-to-1nat (inside) 2 access-list inside-to-202global(outside) 1 202.100.1.101global(outside) 2 202.100.1.102新配置方法(Twice NAT):object network dst-1host 1.1.1.1object network dst-202host 202.100.1.1object network pat-1host 202.100.1.101object network pat-2host 202.100.1.102object network Inside-Networksubnet 10.1.1.0 255.255.255.0nat (Inside,Outside) source dynamic Inside-Network pat-1 destination static dst-1 dst-1nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202实例二：传统配置：access-list inside-to-1 permit ip 10.1.1.0 255.255.255.0 host 1.1.1.1access-list inside-to-202 permit ip 10.1.1.0 255.255.255.0 host 202.100.1.1nat (inside) 1 access-list inside-to-1nat (inside) 2 access-list inside-to-202global(outside) 1 202.100.1.101global(outside) 2 202.100.1.102static (outside,inside) 10.1.1.101 1.1.1.1static (outside,inside) 10.1.1.102 202.100.1.1新配置方法(Twice NAT):object network dst-1host 1.1.1.1object network dst-202host 202.100.1.1object network pat-1host 202.100.1.101object network pat-2host 202.100.1.102object network Inside-Networksubnet 10.1.1.0 255.255.255.0object network map-dst-1host 10.1.1.101object network map-dst-202host 10.1.1.102nat (Inside,Outside) source dynamic Inside-Network pat-1 destination static map-dst-1 dst-1nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static map-dst-202 dst-202实例三：传统配置：access-list inside-to-1 permit tcp 10.1.1.0 255.255.255.0 host 1.1.1.1 eq 23access-list inside-to-202 permit tcp 10.1.1.0 255.255.255.0 host 202.100.1.1 eq 3032nat (inside) 1 access-list inside-to-1nat (inside) 2 access-list inside-to-202global(outside) 1 202.100.1.101global(outside) 1 202.100.1.102新配置方法(Twice NAT):object network dst-1host 1.1.1.1object network dst-202host 202.100.1.1object network pat-1host 202.100.1.101object network pat-2host 202.100.1.102object network Inside-Networksubnet 10.1.1.0 255.255.255.0object service telnet23servicetcp destination eq telnet object service telnet3032servicetcp destination eq 3032nat （Inside,Outside） source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23nat （Inside,Outside） source dynamic Inside-Network pat-2 destination static dst-202 dst-202 service telnet3032 telnet3032Main Differences Between Network Object NAT and TwiceNAT （ Network Object NAT 和 Twice NAT 的主要区别）How you define the real address.（从如何定义真实地址的角度来比较）-Network object NATYou define NAT as a parameter for a network object; the network object definition itself provides the real address. This method lets you easily add NAT to network objects. The objects can also be used in other parts of your configuration, for example, for access rules or even in twice NAT rules.NAT是network object的一个参数，network object定义自己为真实地址。这种配置方式， 让你轻松的为network object添加nat。这个object能够被用在配置的其它部分，例如：访 问控制列表或者twice nat策略。-Twice NATYou identify a network object or network object group for both the real and mapped addresses. In this case, NAT is not a parameter of the network object; the network object or group is a parameter of the NAT configuration. The ability to use a network object group for the real address means that twice NAT is more scalable.为真实和映射后地址定义 network object 或者 network object group 0 在 twice nat 中，NAT 不是network object的一个参数，network object或者group是NAT配置的一个参数。能够 为真实地址使用network object group，也体现了 twice nat的可扩展性。How source and destination NAT is implemented.（源和目的 nat 被运用）-Network object NAT Each rule can apply to either the source or destination of a packet. So two rules might be used, one for the source IP address, and one for the destination IP address. These two rules cannot be tied together to enforce a specific translation for a source/destination combination.每一个策略只能运用到数据包的源或者目的，如果要转换一个包的源和目的，需要使用两 个策略，这两个策略不能绑定到一起来做实现特殊的源和目的的转换。-Twice NATA single rule translates both the source and destination. A matching packet only matches the one rule, and further rules are not checked. Even if you do not configure the optional destination address for twice NAT, a matching packet still only matches one twice NAT rule. The source and destination are tied together, so you can enforce different translations depending on the source/destination combination. For example, sourceA/destinationA can have a different translation than sourceA/destinationB.一个单一策略，既能转换源也能转换目的。一个包只能匹配上一个策略，并且不再做进一 步检查了。就算你没有配置twice nat的目的地址选项，一个数据包也只能匹配一个twice nat 策略，目的和源被绑定到一起，因此你能够基于不同的源和目的做转换，例如:源A/目的A 与源A/目的B转换不同We recommend using network object NAT unless you need the extra features that twice NAT provides. Network object NAT is easier to configure, and might be more reliable for applications such as Voice over IP (VoIP).我们推荐使用network object NAT,除非你明确需要twice nat所提供的特性。Network object nat非常容易配置，并且对语音等运用更加可靠Table SectionRuEw TypeOrder M Rules within the SectionSection 1Twice NATApphed on a first match basis, in the order they appear in the ccnfau ration. 3y default, twice NAT ru es a ns added to sectioai 1.RIots If you configs re VPN. lhe client dynamically adds, invisible NAT rules E the end of this section. Be sure that you do nor configure a twice NAT rule in this s-eciion. that might match your VPN iraffic, i nst&ad of inatchn the imisible rule. U VPN does not v-ork due to NAT failure consider adding twice NAT rules to s-ectLon 3 instead.Section 2Network object NATSection 2 rules are applied in the following o-dert automatically determined glhe adapt tve security apphtincc:1. Static cules.2. Dynamic nde&.WEthin each rule type, the following ordering guLdelmes are used: Quantity of real IP addressesFrom s.iral lest to lajye-st. For example an object wath one address will be assessed before an object with 10 addresses.h. For quantities lhai sr-e die same, then the IP address nu mber is used, from lowest to highesr For example, 10,1,1,0 is assessed before 1 M. 1.0.g. If the same IP address u&ecL then ilie name of lhe network object istn alphabetical order. ForeK-nmpk. abracadabra i$ awwossed before cacvromtin.Section 3Twice MATSection 3 rules are appl ied on a first match bisis. in the order they appear in rhe configuration. You can specify whether to 仙叫e NAT讪心己好咄勿伊腮，以於凯阮康排序实例：192.168.1.1/32 (static)10.1.1.0/24 (static)192.168.1.0/24 (static)172.16.1.0/24 (dynamic) (object abc)172.16.1.0/24 (dynamic) (object def) 192.168.1.0/24 (dynamic)查看NAT顺序的命令:ASA(config)# sh run nat nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202 service telnet3032 telnet3032!object network Inside-Networknat (Inside,Outside) dynamic 202.100.1.105!nat (Inside,Outside) after-auto source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23ASA(config)# shnatManual NAT Policies (Section 1)1 (Inside) to (Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202 service telnet3032 telnet3032translate_hits = 1, untranslate_hits = 0Auto NAT Policies (Section 2)1 (Inside) to (Outside) source dynamic Inside-Network 202.100.1.105translate_hits = 0, untranslate_hits = 0Manual NAT Policies (Section 3)1 (Inside) to (Outside) source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23translate_hits = 0, untranslate_hits = 0如何调整和插入NATnat (Inside,Outside) 1 source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23