1. Test topology
2. Test approach
The topology is not meant to be a sensible design; the only question is whether the network is reachable.
Access from the outside to the public address that the firewall maps to the internal server fails because R1's default route does not point to the firewall. This creates an asymmetric routing problem: the TCP connection's forward and return paths differ, so the session fails.
If the source address of outside clients accessing the internal server is translated to the firewall's inside interface address, the asymmetric routing problem does not occur.
3. Basic configuration
Router Server:
interface FastEthernet0/0
ip address 192.168.1.8 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 192.168.1.1
Router R1:
interface Ethernet0/0
ip address 192.168.2.1 255.255.255.0
no shut
!
interface Ethernet0/1
ip address 192.168.3.1 255.255.255.0
no shut
!
interface Ethernet0/2
ip address 192.168.1.1 255.255.255.0
no shut
!
ip route 0.0.0.0 0.0.0.0 192.168.3.254
Router R2:
interface Ethernet0/0
ip address 202.100.2.1 255.255.255.0
ip nat outside
no shut
interface Ethernet0/1
ip address 192.168.3.254 255.255.255.0
ip nat inside
no shut
ip route 0.0.0.0 0.0.0.0 202.100.2.2
ip route 192.168.0.0 255.255.0.0 192.168.3.1
ip nat inside source list PAT interface Ethernet0/0 overload
ip access-list extended PAT
permit ip 192.168.0.0 0.0.255.255 any
Firewall ASA842:
interface GigabitEthernet0
nameif Outside
security-level 0
ip address 202.100.1.1 255.255.255.0
interface GigabitEthernet1
nameif Inside
security-level 100
ip address 192.168.2.254 255.255.255.0
route Outside 0.0.0.0 0.0.0.0 202.100.1.2 1
route Inside 192.168.0.0 255.255.0.0 192.168.2.1 1
Router Internet:
interface Loopback0
ip address 61.1.1.1 255.255.255.0
interface FastEthernet0/0
ip address 202.100.1.2 255.255.255.0
no shut
interface FastEthernet0/1
ip address 202.100.2.2 255.255.255.0
no shut
4. Firewall twice-NAT configuration
Define the internal server object:
object network ServerReal
host 192.168.1.8
Define the object for the public IP the internal server is mapped to:
object network ServerMap
host 202.100.1.8
Configure twice-NAT:
Before translation ----- source: any; destination: the public IP the internal server is mapped to
After translation ----- source: the firewall's inside interface address; destination: the internal server's real IP
nat (Outside,Inside) source dynamic any interface destination static ServerMap ServerReal
Define the policy on the firewall's outside interface:
access-list Outside extended permit ip any object ServerReal
--- Note: this refers to the server's real address, not the mapped address
Apply the policy to the firewall's outside interface:
access-group Outside in interface Outside
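To make the reasoning in section 2 concrete, here is an added example (not from the original post) that models R1's routing table from section 3 and the twice-NAT rule above, then shows which next hop R1 picks for the server's reply with and without the source translation. Route entries and the client address are constructed for the model.

```python
import ipaddress

# R1's routing table as configured in section 3 (constructed model, not a device dump)
R1_ROUTES = [
    ("192.168.1.0/24", "connected Ethernet0/2"),
    ("192.168.2.0/24", "connected Ethernet0/0"),   # toward the ASA inside interface
    ("192.168.3.0/24", "connected Ethernet0/1"),   # toward R2
    ("0.0.0.0/0", "192.168.3.254 (R2)"),           # default route, not the firewall
]

ASA_INSIDE = "192.168.2.254"
SERVER_MAP, SERVER_REAL = "202.100.1.8", "192.168.1.8"

def lookup(routes, dst):
    """Longest-prefix match: return the next hop / exit interface of the best route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None

def twice_nat(src, dst, translate_source):
    """Model the ASA rule: destination ServerMap -> ServerReal, and, when
    translate_source is set, source -> the inside interface address."""
    if dst != SERVER_MAP:
        return src, dst
    new_src = ASA_INSIDE if translate_source else src
    return new_src, SERVER_REAL

def return_path(client_src, translate_source):
    """Next hop R1 uses for the server's reply to an outside client."""
    inside_src, _ = twice_nat(client_src, SERVER_MAP, translate_source)
    # The server replies to whatever source address it saw; R1 routes that reply.
    return lookup(R1_ROUTES, inside_src)

if __name__ == "__main__":
    client = "202.100.1.2"   # constructed outside client address
    print("without source NAT, reply leaves via:", return_path(client, False))
    print("with twice-NAT source, reply leaves via:", return_path(client, True))
```

Without the source translation the reply follows R1's default route to R2, so the firewall never sees the return half of the session; with it, the reply goes to the directly connected 192.168.2.0/24 and back through the ASA.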
Test:
Internet#telnet 202.100.1.8
Trying 202.100.1.8 ... Open
User Access Verification
Password:
Server>show user
% Ambiguous command: "show user"
Server>show users
Line User Host(s) Idle Location
0 con 0 idle 00:05:42
* 2 vty 0 idle 00:00:00 192.168.2.254
Interface User Mode Idle Peer Address
Server>q
[Connection to 202.100.1.8 closed by foreign host]
Internet#
----- The firewall has already translated the source address of the connection coming from the Internet (the Server sees 192.168.2.254)
Server#ping 61.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 61.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/80/144 ms
Server#
Internet#debug ip icmp
ICMP packet debugging is on
Internet#
*Aug 22 13:02:57.787: ICMP: echo reply sent, src 61.1.1.1, dst 202.100.2.1
*Aug 22 13:02:57.967: ICMP: echo reply sent, src 61.1.1.1, dst 202.100.2.1
*Aug 22 13:02:58.067: ICMP: echo reply sent, src 61.1.1.1, dst 202.100.2.1
*Aug 22 13:02:58.123: ICMP: echo reply sent, src 61.1.1.1, dst 202.100.2.1
*Aug 22 13:02:58.127: ICMP: echo reply sent, src 61.1.1.1, dst 202.100.2.1
Internet#
------ The Server can still reach the Internet normally through PAT on router R2
This article comes from the “httpyuntianjxxll.spac..” blog; please retain this source: http://333234.blog.51cto.com/323234/1694064
Testing ASA twice-NAT translating the source address of Internet access to the inside interface address