新版本防火墙配置命令5512,5515,5525,5545

SessionBRKSEC-3020AdvancedFirewallsTheEVOLUTIONOFTHENATOFTOMORROWBYCISCO©2011Ciscoand/oritsaffiliates.Allrightsreserved.CiscoPublicBRKSEC-30202一对多NAT应用环境一对一NAT应用环境双NAT应用环境124CiscoASA防火墙NAT多种场景应用NATException应用环境3webServerwebServerGlobalClientInternetSeverwebServerGlobalClientInternetClient隐藏内外网地址，减少攻击产生webServerInternetClient用于客户网络地址不能改变，类似NATbypass技术webServer常见客户环境，对外提供Web或者邮件服务常见用户环境地址不足网络流量映射成出口地址©2011Ciscoand/oritsaffiliates.Allrightsreserved.CiscoPublicBRKSEC-30203多对一NAT应用环境一对多NAT应用环境多对多NAT应用环境567CiscoASA防火墙NAT多种场景应用透明防火墙的NAT应用环境8webServerwebServerGlobal1webServerGlobal2ClientClientwebServerGlobalwebServerInternetClient隐藏内外网地址，减少攻击产生webServerClient透明防火墙可以对连端业务端进行地址隐藏webServer帮助客户在更换DNS后，仍能保留原有业务帮助内网业务服务器建立负载均衡Internet©2011Ciscoand/oritsaffiliates.Allrightsreserved.CiscoPublicBRKSEC-30204SuperMan变化VS©2011Ciscoand/oritsaffiliates.Allrightsreserved.CiscoPublicBRKSEC-30205ASA8.3版本的数据转发变化Preversion8.3Version8.3+IngressInterface©2011Ciscoand/oritsaffiliates.Allrightsreserved.CiscoPublicBRKSEC-30206NAT在不同版本的转换对比1.nat0access-list(nat-exempt)2.Matchexistingxlates3.Matchstaticcommands(firstmatch)a.StaticNATwithaccess-listb.StaticPATwithandwithoutaccess-list4.Matchnatcommandsa.natidaccess-list(firstmatch)b.natidaddressmask(bestmatch)i.IftheIDis0,createanidentityxlateii.UseglobalpoolfordynamicNATiii.UseglobalpoolfordynamicPATFirstMatch1.ManualNATentries2.AutoNATentries3.After-AutoNATentriesFirstMatchPreversion8.3Version8.3+©2011Ciscoand/oritsaffiliates.Allrightsreserved.CiscoPublicBRKSEC-30207NAT8.3+转换顺序通过配置命令建立NATTable(通过shownat命令)NAT表项基于最先匹配原则(自上而下的匹配)ManualNATPolicies(Section1)AutoNATPolicies(Section2)ManualNAT[afterauto]Policies(Section3)StaticNATDynamicNATNATTableLongestPrefixShortestPrefixLongestPrefixShortestPrefixFirstMatch(inconfig)FirstMatch(inconfig)©2011Ciscoand/oritsaffiliates.Allrightsreserved.CiscoPublicBRKSEC-30209•ManualNAT-允许进行双向NAT转换，例如2次NAT进出流量都进行NAT-允许特定的源和目的在同一个NAT装换条目上-常用于复杂场景(一对一,一对多,多对多,多对一)•AutomaticNAT-每个object对应一个nat规则-常用于较简单的场景•Manual“after”NAT-用于NAT处理表的结尾部分，常用于NAT收尾处理NAT8.3+NAT特点©2011Ciscoand/oritsaffiliates.Allrightsreserved.CiscoPublicBRKSEC-302010insideoutsideNAT配置结构ASA(config)#shorunobjectobjectnetworkhostAhost192.168.2.100objectnetworkhostAOhost192.0.1.100objectnetworkhostBhost192.0.1.200objectnetworkhostBIhost192.168.2.200ASA(config)#shorunnatnat(inside,outside)sourcestatichostAhostAOdestinationstatichostBIhostBhostA在inside接口真实IPhostA在Outside接口NAT地址hostB在Outside接口真实IPhostB在Inside接口NAT地址数据流从Inside接口发起数据流从Outside接口发起按需转换：两个方向都可以发起数据流，进行NAT转换hostA192.168.2.100hostB192.0.1.200192.168.2.100192.168.2.200192.168.2.100192.0.1.200192.0.1.100192.0.1.200PackethittingInsideintPacketasseeninsideFW–afterUN-NatPacketontheoutside–aftersourceNAT192.0.1.100192.0.1.200PackethittingOutsideint192.168.2.100192.0.1.200PacketasseeninsideFW–afterUN-Nat192.168.2.100192.168.2.200Packetontheinside–aftersourceNAT©2011Ciscoand/oritsaffiliates.Allrightsreserved.CiscoPublicBRKSEC-302011•ThisishowittranslatesdowntoNATruleconstructsonaDPlevel:•Xlate/Untranslatedatabase:NAT规则表ASA(config)#shoasptableclassifydomainnatInputTableinid=0xd88acd60,priority=6,domain=nat,deny=falsehits=0,user_data=0xd86ea2a8,cs_id=0x0,use_real_addr,flags=0x0,protocol=0srcip/id=192.168.2.100,mask=255.255.255.255,port=0dstip/id=192.0.1.200,mask=255.255.255.255,port=0,dscp=0x0input_ifc=inside,output_ifc=outsideinid=0xd88ad500,priority=6,domain=nat,deny=falsehits=0,user_data=0xd80b72f8,cs_id=0x0,use_real_addr,flags=0x0,protocol=0srcip/id=192.0.1.200,mask=255.255.255.255,port=0dstip/id=192.168.2.100,mask=255.255.255.255,port=0,dscp=0x0input_ifc=outside,output_ifc=inside数据流有效这个ID表示数据流从内部发起，进行NATASA(config)#shonatdetailManualNATPolicies(Section1)1(inside)to(outside)sourcestatichostAhostAOdestinationstatichostBhostBItranslate_hits=0,untranslate_hits=0Source-Real:192.168.2.100/32,Mapped:192.0.1.100/32Destination-Real:192.168.2.200/32,Mapped:192.0.1.200/32ASA(config)#shxlate2inuse,2mostusedFlags:D-DNS,i-dynamic,r-portmap,s-static,I-identity,T-twiceNATfrominside:192.168.2.100tooutside:192.0.1.100flagssTidle0:14:33timeout0:00:00NATfromoutside:192.0.1.200toinside:192.168.2.200flagssTidle0:14:33timeout0:00:00ID表示NAT处理的顺序，它将被ASP首先处理缓冲中的NAT条目将被FastPath快速转发这个ID表示数据流从外部发起，进行双向NAT©2011Ciscoand/oritsaffiliates.Allrightsreserved.CiscoPublicBRKSEC-302012•增加一条DynamicNAT，建立顺序讲出现变化NAT转换顺序ASA(config)#shorunnatnat(inside,outside)sourcestatichostAhostAOdestinationstatichostBhostBInat(inside,outside)sourcedynamichostAinterfaceASA(config)#shoasptableclassifydomainnatInputTableinid=0xd88acd60,priority=6,domain=nat,deny=falsehits=0,user_data=0xd86ea2a8,cs_id=0x0,use_real_addr,flags=0x0,protocol=0srcip/id=192.168.2.100,mask=255.255.255.255,port=0dstip/id=192.0.1.200,mask=255.255.255.255,port=0,dscp=0x0input_ifc=inside,output_ifc=outsideinid=0xd88ad500,priority=6,domain=nat,deny=falsehits=0,user_data=0xd80b72f8,cs_id=0x0,use_real_addr,flags=0x0,protocol=0srcip/id=192.0.1.200,mask=255.255.255.255,port=0dstip/id=192.168.2.100,mask=255.255.255.255,port=0,dscp=