ASA8.3及以后版本 NAT配置介绍

NetworkObjectNAT配置介绍1.DynamicNAT（动态NAT，动态一对一）实例一:传统配置方法：nat(Inside)110.1.1.0255.255.255.0global(Outside)1202.100.1.100-202.100.1.200新配置方法（NetworkObjectNAT）objectnetworkOutside-Nat-Poolrange202.100.1.100202.100.1.200objectnetworkInside-Networksubnet10.1.1.0255.255.255.0objectnetworkInside-Networknat(Inside,Outside)dynamicOutside-Nat-Pool实例二:objectnetworkOutside-Nat-Poolrange202.100.1.100202.100.1.200objectnetworkOutside-PAT-Addresshost202.100.1.201object-groupnetworkOutside-Addressnetwork-objectobjectOutside-Nat-Poolnetwork-objectobjectOutside-PAT-AddressobjectnetworkInside-Network（先100-200动态一对一，然后202.100.1.201动态PAT,最后使用接口地址动态PAT）nat(Inside,Outside)dynamicOutside-Addressinterface这种配置方式的好处是，新的NAT命令绑定了源接口和目的接口，所以不会出现传统配置影响DMZ的问题（当时需要nat0+acl来旁路）2.DynamicPAT(Hide)（动态PAT，动态多对一）传统配置方式：nat(Inside)110.1.1.0255.255.255.0global(outside)1202.100.1.101新配置方法（NetworkObjectNAT）objectnetworkInside-Networksubnet10.1.1.0255.255.255.0objectnetworkOutside-PAT-Addresshost202.100.1.101objectnetworkInside-Networknat(Inside,Outside)dynamicOutside-PAT-Addressornat(Inside,Outside)dynamic202.100.1.1023.StaticNATorStaticNATwithPortTranslation（静态一对一转换，静态端口转换）实例一：（静态一对一转换）传统配置方式：static(Inside,outside)202.100.1.10110.1.1.1新配置方法（NetworkObjectNAT）objectnetworkStatic-Outside-Addresshost202.100.1.101objectnetworkStatic-Inside-Addresshost10.1.1.1objectnetworkStatic-Inside-Addressnat(Inside,Outside)staticStatic-Outside-Addressornat(Inside,Outside)static202.100.1.102dns实例二：（静态端口转换）传统配置方式：static(inside,outside)tcp202.100.1.102232310.1.1.123新配置方法（NetworkObjectNAT）objectnetworkStatic-Outside-Addresshost202.100.1.101objectnetworkStatic-Inside-Addresshost10.1.1.1objectnetworkStatic-Inside-Addressnat(Inside,Outside)staticStatic-Outside-Addressservicetcptelnet2323ornat(Inside,Outside)static202.100.1.101servicetcptelnet23234.IdentityNAT传统配置方式：nat(inside)010.1.1.1255.255.255.255新配置方法（NetworkObjectNAT）objectnetworkInside-Addresshost10.1.1.1objectnetworkInside-Addressnat(Inside,Outside)staticInside-Addressornat(Inside,Outside)static10.1.1.1TwiceNAT（类似于PolicyNAT）实例一：传统配置:access-listinside-to-1permitip10.1.1.0255.255.255.0host1.1.1.1access-listinside-to-202permitip10.1.1.0255.255.255.0host202.100.1.1nat(inside)1access-listinside-to-1nat(inside)2access-listinside-to-202global(outside)1202.100.1.101global(outside)2202.100.1.102新配置方法（TwiceNAT）:objectnetworkdst-1host1.1.1.1objectnetworkdst-202host202.100.1.1objectnetworkpat-1host202.100.1.101objectnetworkpat-2host202.100.1.102objectnetworkInside-Networksubnet10.1.1.0255.255.255.0nat(Inside,Outside)sourcedynamicInside-Networkpat-1destinationstaticdst-1dst-1nat(Inside,Outside)sourcedynamicInside-Networkpat-2destinationstaticdst-202dst-202实例二：传统配置:access-listinside-to-1permitip10.1.1.0255.255.255.0host1.1.1.1access-listinside-to-202permitip10.1.1.0255.255.255.0host202.100.1.1nat(inside)1access-listinside-to-1nat(inside)2access-listinside-to-202global(outside)1202.100.1.101global(outside)2202.100.1.102static(outside,inside)10.1.1.1011.1.1.1static(outside,inside)10.1.1.102202.100.1.1新配置方法（TwiceNAT）:objectnetworkdst-1host1.1.1.1objectnetworkdst-202host202.100.1.1objectnetworkpat-1host202.100.1.101objectnetworkpat-2host202.100.1.102objectnetworkInside-Networksubnet10.1.1.0255.255.255.0objectnetworkmap-dst-1host10.1.1.101objectnetworkmap-dst-202host10.1.1.102nat(Inside,Outside)sourcedynamicInside-Networkpat-1destinationstaticmap-dst-1dst-1nat(Inside,Outside)sourcedynamicInside-Networkpat-2destinationstaticmap-dst-202dst-202实例三：传统配置:access-listinside-to-1permittcp10.1.1.0255.255.255.0host1.1.1.1eq23access-listinside-to-202permittcp10.1.1.0255.255.255.0host202.100.1.1eq3032nat(inside)1access-listinside-to-1nat(inside)2access-listinside-to-202global(outside)1202.100.1.101global(outside)1202.100.1.102新配置方法（TwiceNAT）:objectnetworkdst-1host1.1.1.1objectnetworkdst-202host202.100.1.1objectnetworkpat-1host202.100.1.101objectnetworkpat-2host202.100.1.102objectnetworkInside-Networksubnet10.1.1.0255.255.255.0objectservicetelnet23servicetcpdestinationeqtelnetobjectservicetelnet3032servicetcpdestinationeq3032nat(Inside,Outside)sourcedynamicInside-Networkpat-1destinationstaticdst-1dst-1servicetelnet23telnet23nat(Inside,Outside)sourcedynamicInside-Networkpat-2destinationstaticdst-202dst-202servicetelnet3032telnet3032MainDifferencesBetweenNetworkObjectNATandTwiceNAT（NetworkObjectNAT和TwiceNAT的主要区别）Howyoudefinetherealaddress.（从如何定义真实地址的角度来比较）–NetworkobjectNAT—YoudefineNATasaparameterforanetworkobject;thenetworkobjectdefinitionitselfprovidestherealaddress.ThismethodletsyoueasilyaddNATtonetworkobjects.Theobjectscanalsobeusedinotherpartsofyourconfiguration,forexample,foraccessrulesorevenintwiceNATrules.NAT是networkobject的一个参数，networkobject定义自己为真实地址。这种配置方式，让你轻松的为networkobject添加nat。这个object能够被用在配置的其它部分，例如：访问控制列表或者twicenat策略。–TwiceNAT—Youidentifyanetworkobjectornetworkobjectgroupforboththerealandmappedaddresses.Inthiscase,NATisnotaparameterofthenetworkobject;thenetworkobjectorgroupisaparameteroftheNATconfiguration.Theabilitytouseanetworkobj