溫馨提示×
您好,登錄后才能下訂單哦!
點擊 登錄注冊 即表示同意《億速云用戶服務條款》
您好,登錄后才能下訂單哦!
實驗要求:
分別劃分inside(內網),outside(外網),dmz(服務器區)三個區
配置PAT,直接使用outside接口的ip地址進行轉換
配置靜態NAT,發布內網服務器
啟用NAT控制,配置NAT豁免,內網訪問dmz區中的主機時,不做NAT轉換
R1配置:
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#host outsite
outsite(config)#int f0/0
outsite(config-if)#ip add 12.0.0.2 255.255.255.0
outsite(config-if)#no shut
outsite(config-if)#int f0
00:21:15: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
00:21:16: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
outsite(config-if)#int f0/1
outsite(config-if)#ip add 13.0.0.1 255.255.255.0
outsite(config-if)#no shut
outsite(config-if)#
00:21:33: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
00:21:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
outsite(config-if)#exit
outsite(config)#ip route 0.0.0.0 0.0.0.0 f0/0
outsite(config)#end
ASA配置:
ciscoasa# conf t
ciscoasa(config)# hostname asa
asa(config)# int e0/0
asa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
asa(config-if)# ip add 192.168.1.1 255.255.255.0
asa(config-if)# no shut
asa(config-if)# int e0/2
asa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
asa(config-if)# ip add 12.0.0.1 255.255.255.0
asa(config-if)# no shut
asa(config-if)# int e0/1
asa(config-if)# ip add 192.168.10.1 255.255.255.0
asa(config-if)# no shut
asa(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
asa(config-if)# sec
asa(config-if)# security-level 50
asa(config-if)# no shut
asa(config-if)# exit
asa(config)# route outside 0 0 12.0.0.2
ciscoasa# conf t
ciscoasa(config)# nat-control
ciscoasa(config)# nat (inside) 1 192.168.1.0 255.255.255.0
ciscoasa(config)# gl
ciscoasa(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
ciscoasa(config)# end
ciscoasa# show xlate
0 in use, 1 most used
ciscoasa# show xlate
1 in use, 1 most used
PAT Global 12.0.0.1(1) Local 192.168.1.2 ICMP id 1
很明顯的看出來已經把內網地址轉換成外網地址,從而可以讓內網用戶上網了
Ping不通是因為防火墻的原因,這里需要些acl放行
ciscoasa(config)# access-list 111 permit icmp any any
ciscoasa(config)# acc
ciscoasa(config)# access-g
ciscoasa(config)# access-group 111 in int
ciscoasa(config)# access-group 111 in interface outside
ciscoasa(config)# access-list nonat permit ip host 192.168.1.2 host 192.168.10.10 //豁免nat,也就是說從內網訪問到dmz區域的流量不走nat,直接走內網。
ciscoasa(config)# nat (inside) 0 access-list nonat
再次測試就ok了
因為默認高到低是可以通的,所以內網訪問dmz區無需配置,測試如下:
靜態NAT(發布DMZ區的服務器)一對一的固定轉換:
ciscoasa(config)# static (dmz,outside) 12.0.0.3 192.168.10.10
ciscoasa(config)# access-list out_to_dmz permit tcp any host 12.0.0.3 eq www
ciscoasa(config)# access-group out_to_dmz in int outside
ciscoasa(config)# exit
外網驗證如下:
免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。
