NAT translation slots (xlate table):
show xlate
clear xlate
Static NAT
(A fixed translation between a real address and a mapped address; either side may initiate a connection.)
A consistent mapping between a real and mapped IP address. Allows bidirectional traffic initiation.
Dynamic NAT
(A group of real addresses is mapped to a group of mapped addresses on a first come, first served basis; only the real addresses may initiate connections.)
A group of real IP addresses are mapped to a (usually smaller) group of mapped IP addresses, on a first come, first served basis. Only the real host can initiate traffic.
Dynamic Port Address Translation (PAT)
(A group of real addresses is mapped to a single address, with each translation distinguished by a unique source port.)
A group of real IP addresses are mapped to a single IP address using a unique source port of that IP address.
Identity NAT
(A real address is mapped to itself, essentially bypassing NAT. Typically used when a large group of addresses must be translated but a subset of them must be exempted.)
A real address is statically translated to itself, essentially bypassing NAT.
You might want to configure NAT this way when you want to translate a large group of addresses, but then want to exempt a smaller subset of addresses.
Two ways to configure NAT:
Network Object NAT (preferred)
Twice NAT
Main differences:
1. How real addresses are defined
Network object NAT
NAT is defined as a parameter of the network object.
Twice NAT
Real and mapped addresses are defined as network objects or network object groups.
2. Source and destination NAT
Network object NAT
Each rule applies to either the source or the destination of a packet. Two rules can therefore be used, one for the source IP address and one for the destination IP address, but the two rules cannot be tied together so that the translation depends on a specific source/destination combination.
Twice NAT
A single rule translates both the source and the destination address.
3. Order of NAT rules
Network object NAT
Automatically ordered in the NAT table.
Twice NAT
Manually ordered in the NAT table (before or after network object NAT rules).
Network object NAT rules and twice NAT rules are stored in a single table that is divided into three sections. Section 1 rules are applied first, then section 2, then section 3; the first matching rule in the table is used.
Section 1: twice NAT rules. Twice NAT rules are added to section 1 by default and are matched in configuration order.
Section 2: network object NAT rules, ordered automatically:
1. Static rules
2. Dynamic rules
Within each rule type the following precedence applies:
a. The object with fewer real addresses comes first.
b. With the same number of addresses, the lower address comes first.
c. With the same IP address, the object whose name sorts first alphabetically comes first.
Section 3: twice NAT rules that are manually placed after the network object NAT rules, matched in configuration order.
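The three-section ordering above, as an added Python example (not from the original page and not Cisco code): a small model that auto-orders section 2 by the rules a to c and performs a first-match lookup. The labels twice-nat1/twice-nat2 and the sample packets are constructed; service (port) matching is not modelled.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass
class Rule:
    name: str                   # network object name, or a label for a twice NAT rule
    real: IPv4Network           # real (pre-translation) source addresses
    kind: str                   # "static" or "dynamic"
    section: int                # 1 or 3 = twice NAT, 2 = network object NAT
    dest: Optional[IPv4Network] = None  # twice NAT destination match, None = any


def section2_key(rule: Rule):
    """Automatic ordering of section 2: static before dynamic, then
    a) fewer real addresses, b) lower real address, c) object name."""
    return (0 if rule.kind == "static" else 1,
            rule.real.num_addresses,
            int(rule.real.network_address),
            rule.name)


def ordered_table(rules: List[Rule]) -> List[Rule]:
    """Sections 1 and 3 keep configured order; section 2 is sorted."""
    s1 = [r for r in rules if r.section == 1]
    s2 = sorted((r for r in rules if r.section == 2), key=section2_key)
    s3 = [r for r in rules if r.section == 3]
    return s1 + s2 + s3


def lookup(table: List[Rule], src: str, dst: str) -> Optional[str]:
    """First-match lookup across the ordered table (ports ignored)."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for r in table:
        if s in r.real and (r.dest is None or d in r.dest):
            return r.name
    return None


# Constructed sample built from the objects configured in this page's examples.
SAMPLE_RULES = [
    Rule("my-inside-net", IPv4Network("192.168.2.0/24"), "dynamic", 2),
    Rule("my-host-obj1", IPv4Network("10.1.1.1/32"), "static", 2),
    Rule("my-ftp-server", IPv4Network("10.1.1.1/32"), "static", 2),
    Rule("twice-nat1", IPv4Network("10.1.2.0/24"), "dynamic", 1,
         IPv4Network("209.165.201.0/27")),
    Rule("twice-nat2", IPv4Network("10.1.2.0/24"), "dynamic", 1,
         IPv4Network("209.165.200.224/27")),
]

if __name__ == "__main__":
    for r in ordered_table(SAMPLE_RULES):
        print(r.section, r.kind, r.name, r.real)
```

Note that my-ftp-server and my-host-obj1 share the same real address, so only rule c (object name) separates them; on a real ASA the ftp rule also matches on TCP port 21, which this model leaves out.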
Network object NAT examples, dynamic NAT:
1. Map the 192.168.2.0 network to the range 10.2.2.1-10:
hostname(config)# object network my-range-obj
hostname(config-network-object)# range 10.2.2.1 10.2.2.10
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic my-range-obj
2. (PAT) Map the 192.168.2.0 network to the single address 10.2.2.2:
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic 10.2.2.2
Network object NAT examples, static NAT:
1. Statically map the inside host 10.1.1.1 to 10.2.2.2, with DNS reply rewriting:
hostname(config)# object network my-host-obj1
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# nat (inside,outside) static 10.2.2.2 dns
2. Map TCP port 21 of 10.1.1.1 to port 2121 on the outside interface address:
hostname(config)# object network my-ftp-server
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# nat (inside,outside) static interface service tcp 21 2121
Identity NAT examples:
1. Method one:
hostname(config)# object network my-host-obj1
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# nat (inside,outside) static 10.1.1.1
2. Method two:
hostname(config)# object network my-host-obj1-identity
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# object network my-host-obj1
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# nat (inside,outside) static my-host-obj1-identity
Twice NAT examples:
1. Translate to a different source address depending on the destination address:
a. Define the real source address
hostname(config)# object network myInsideNetwork
hostname(config-network-object)# subnet 10.1.2.0 255.255.255.0
b. Define real destination address 1 (the mapped destination address is itself)
hostname(config)# object network DMZnetwork1
hostname(config-network-object)# subnet 209.165.201.0 255.255.255.224
c. Define mapped source address 1
hostname(config)# object network PATaddress1
hostname(config-network-object)# host 209.165.202.129
d. Twice NAT rule 1
hostname(config)# nat (inside,dmz) source dynamic myInsideNetwork PATaddress1 destination static DMZnetwork1 DMZnetwork1
e. Define real destination address 2 (the mapped destination address is itself)
hostname(config)# object network DMZnetwork2
hostname(config-network-object)# subnet 209.165.200.224 255.255.255.224
f. Define mapped source address 2
hostname(config)# object network PATaddress2
hostname(config-network-object)# host 209.165.202.130
g. Twice NAT rule 2
hostname(config)# nat (inside,dmz) source dynamic myInsideNetwork PATaddress2 destination static DMZnetwork2 DMZnetwork2
2. Translate to a different source address depending on the destination port:
a. Define the real source address
hostname(config)# object network myInsideNetwork
hostname(config-network-object)# subnet 10.1.2.0 255.255.255.0
b. Define the real destination address (the mapped destination address is itself)
hostname(config)# object network TelnetWebServer
hostname(config-network-object)# host 209.165.201.11
c. Define mapped source address 1
hostname(config)# object network PATaddress1
hostname(config-network-object)# host 209.165.202.129
d. Define real destination port 1 (the mapped destination port is itself)
hostname(config)# object service TelnetObj
hostname(config-service-object)# service tcp destination eq telnet
e. Twice NAT rule 1 (one command line)
hostname(config)# nat (inside,outside) source dynamic myInsideNetwork PATaddress1 destination static TelnetWebServer TelnetWebServer service TelnetObj TelnetObj
f. Define mapped source address 2
hostname(config)# object network PATaddress2
hostname(config-network-object)# host 209.165.202.130
g. Define real destination port 2 (the mapped destination port is itself)
hostname(config)# object service HTTPObj
hostname(config-service-object)# service tcp destination eq http
h. Twice NAT rule 2 (one command line)
hostname(config)# nat (inside,outside) source dynamic myInsideNetwork PATaddress2 destination static TelnetWebServer TelnetWebServer service HTTPObj HTTPObj
Original source: http://blog.csdn.net/jschunlei/article/details/46678591