ASA8.4的Inside區域同時訪問DMZ公網地址和真實地址測試

一.測試拓撲

   R1---Outside----ASA842----Inside-----R2

                                    |

                                  DMZ

                                    |

                                  R3

二.測試思路

  利用ASA的twice nat實現訪問DMZ的公網地址時轉向DMZ的真實地址。

三.基本配置

A.R1:

interface FastEthernet0/0
 ip address 202.100.1.1 255.255.255.0
 no shut

B.R2:

interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0

 no shut

ip route 0.0.0.0 0.0.0.0 10.1.1.10

C.R3:

interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0

 no shut

ip route 0.0.0.0 0.0.0.0 192.168.1.10

line vty 0 4

 password cisco

 login

D.ASA842:

interface GigabitEthernet0
 nameif Outside
 security-level 0
 ip address 202.100.1.10 255.255.255.0
 no shut
interface GigabitEthernet1
 nameif DMZ
 security-level 50
 ip address 192.168.1.10 255.255.255.0
 no shut
interface GigabitEthernet2
 nameif Inside
 security-level 100
 ip address 10.1.1.10 255.255.255.0
 no shut

四.ASA靜態NAT,twice-NAT和策略配置

A.定義對象：

object network R3-dmz
 host 192.168.1.1
object network R3-outside
 host 202.100.1.8
object network Inside-net
 subnet 10.1.1.0 255.255.255.0

B.配置DMZ到Outside的靜態NAT:

object network R3-dmz
    nat (DMZ,Outside) static R3-outside

C.配置inside到DMZ的的twice-nat：

nat (Inside,DMZ) source static Inside-net Inside-net destination static R3-outside R3-dmz

D.配置并應用outside接口策略:

-----Inside訪問DMZ默認放行

access-list Outside extended permit ip any object R3-dmz
access-group Outside in interface Outside

五.驗證：

A.從Ouside訪問DMZ的公網地址：

R1#telnet 202.100.1.8
Trying 202.100.1.8 ... Open


User Access Verification

Password:
R3>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:14:22   
*  2 vty 0                idle                 00:00:00 202.100.1.1

  Interface    User               Mode         Idle     Peer Address

R3>

B.從Inside訪問DMZ的公網地址：

R2#telnet 202.100.1.8
Trying 202.100.1.8 ... Open


User Access Verification

Password:
R3>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:16:37   
*  2 vty 0                idle                 00:00:00 10.1.1.1

  Interface    User               Mode         Idle     Peer Address

R3>

C.從Inside訪問DMZ真實地址：

R2#telnet 192.168.1.1
Trying 192.168.1.1 ... Open


User Access Verification

Password:
R3>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:17:03   
*  2 vty 0                idle                 00:00:00 10.1.1.1

  Interface    User               Mode         Idle     Peer Address

R3>