This lab is run in the GNS3 simulator.
Lab requirements: achieve full reachability across the network, then test dynamic NAT, PAT and static NAT in turn.
Lab topology:
R1 configuration
configure terminal
hostname R1
interface ethernet 0/0
duplex full
ip address 10.0.10.1 255.255.255.0
no shutdown
exit
interface loopback 0
ip address 192.168.10.1 255.255.255.0
no shutdown
exit
ip route 0.0.0.0 0.0.0.0 10.0.10.254
Telnet configuration (lab-only credentials: the password keyword stores the secret in cleartext in the running config, and Telnet carries it unencrypted on the wire)
username bdqn privilege 15 password 123
line vty 0 4
login local
transport input telnet
exit
R2 configuration
configure terminal
hostname R2
interface ethernet 0/0
duplex full
ip address 20.0.10.1 255.255.255.0
no shutdown
exit
interface loopback 0
ip address 192.168.20.1 255.255.255.0
no shutdown
exit
ip route 0.0.0.0 0.0.0.0 20.0.10.254
Telnet configuration
username bdqn privilege 15 password 123
line vty 0 4
login local
transport input telnet
exit
R3 configuration
configure terminal
hostname R3
interface ethernet 0/0
duplex full
ip address 30.0.10.1 255.255.255.0
no shutdown
exit
interface loopback 0
ip address 192.168.30.1 255.255.255.0
no shutdown
exit
ip route 0.0.0.0 0.0.0.0 30.0.10.254
Telnet configuration
username bdqn privilege 15 password 123
line vty 0 4
login local
transport input telnet
exit
ASA configuration
configure terminal
hostname ASA
interface gigabitethernet 0
nameif outside
security-level 0
ip address 10.0.10.254 255.255.255.0
no shutdown
exit
interface gigabitethernet 1
nameif dmz
security-level 50
ip address 20.0.10.254 255.255.255.0
no shutdown
exit
interface gigabitethernet 2
nameif inside
security-level 100
ip address 30.0.10.254 255.255.255.0
no shutdown
exit
Dynamic NAT
object network out-pool
range 10.0.10.60 10.0.10.80
exit
object network in-kao
subnet 30.0.10.0 255.255.255.0
exit
object network in-qian
subnet 192.168.30.0 255.255.255.0
exit
object network dmz-ka
subnet 20.0.10.0 255.255.255.0
exit
object network dmz-men
subnet 192.168.20.0 255.255.255.0
exit
object-group network in-yiqi
network-object object in-kao
network-object object in-qian
exit
object-group network dmz-yiqi
network-object object dmz-ka
network-object object dmz-men
exit
nat (inside,outside) source dynamic in-yiqi out-pool
nat (dmz,outside) source dynamic dmz-yiqi out-pool
(The second group member is dmz-men, the object defined above; the pool out-pool holds 21 addresses and is shared by the inside and dmz rules, so once 21 hosts hold a translation the next host gets no xlate.)
PAT (multiple internal networks, several segments and zones, translating directly to the outside interface address):
Remove the dynamic NAT rules first:
no nat (inside,outside) source dynamic in-yiqi out-pool
no nat (dmz,outside) source dynamic dmz-yiqi out-pool
Then configure PAT on the interface:
nat (inside,outside) source dynamic in-yiqi interface
nat (dmz,outside) source dynamic dmz-yiqi interface
Verify with show xlate.
PAT (multiple internal networks, each using one specified outside IP):
Again remove the previous rules first:
no nat (inside,outside) source dynamic in-yiqi interface
no nat (dmz,outside) source dynamic dmz-yiqi interface
object network out-po1
host 10.0.10.88
exit
object network out-po2
host 10.0.10.99
exit
nat (inside,outside) source dynamic in-kao pat-pool out-po1
nat (dmz,outside) source dynamic dmz-ka pat-pool out-po2
end
Dynamic NAT first, then PAT on a specified IP once the pool is exhausted (PAT fallback):
Remove the previous rules first:
no nat (inside,outside) source dynamic in-kao pat-pool out-po1
no nat (dmz,outside) source dynamic dmz-ka pat-pool out-po2
object-group network out-nat
network-object object out-pool
network-object object out-po1
exit
nat (inside,outside) source dynamic in-yiqi out-nat
(The range object out-pool supplies the dynamic NAT addresses; the host object out-po1 (10.0.10.88, defined above) is what the ASA falls back to for PAT once the range is used up, so it has to be a member of the group as well.)
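The three dynamic forms above (address pool, interface/host PAT, pool with PAT fallback) differ in what happens when more hosts need translations than the pool has addresses. The following is an added Python model, not ASA code and not part of the original lab, that reproduces those xlate decisions so the pool-exhaustion failure mode can be seen without the simulator. The pool, interface and host addresses are the lab's; the inside hosts 30.0.10.2 onward and their flows are constructed, and the port-selection rule (keep the real source port when free, else the lowest unused port) is a simplification of the ASA's behaviour.

```python
import ipaddress
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    real_ip: str      # untranslated source address (inside/dmz host)
    real_port: int    # source port
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Xlate:
    real_ip: str
    real_port: int
    mapped_ip: str
    mapped_port: int
    kind: str         # "NAT": one mapped IP per real host; "PAT": many hosts share one IP via ports


def addr_range(first, last):
    """Expand an ASA `range A B` network object into its addresses."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]


class Translator:
    """Model of one `nat (real_if,outside) source dynamic <real> <mapped>` rule.

    nat_pool : mapped addresses handed out one per real host (dynamic NAT).
    pat_ips  : mapped addresses shared by many hosts through port translation (PAT);
               `interface` PAT is the same thing using the outside interface address.
    Both together model "dynamic NAT with PAT fallback": the pool is used first and,
    once it is exhausted, new hosts are PATed on the host object.
    """

    def __init__(self, nat_pool=(), pat_ips=(), pat_ports=(1024, 65535)):
        self.free_pool = list(nat_pool)
        self.nat_map = {}                              # real_ip -> mapped_ip
        self.pat_ips = list(pat_ips)
        self.pat_ports = pat_ports
        self.pat_used = {ip: set() for ip in pat_ips}  # mapped_ip -> ports in use
        self.xlates = []

    def translate(self, flow):
        """Return the Xlate this rule produces for `flow`, or None if it would be dropped."""
        if flow.real_ip in self.nat_map:                # host already owns a pool address
            mapped = self.nat_map[flow.real_ip]
        elif self.free_pool:                            # hand out the next free pool address
            mapped = self.nat_map[flow.real_ip] = self.free_pool.pop(0)
        else:
            mapped = None
        if mapped is not None:
            xlate = Xlate(flow.real_ip, flow.real_port, mapped, flow.real_port, "NAT")
            self.xlates.append(xlate)
            return xlate

        # PAT (or PAT fallback): keep the real source port if it is still free on the
        # mapped address, otherwise take the lowest unused port (simplified ASA behaviour).
        for ip in self.pat_ips:
            used = self.pat_used[ip]
            candidates = itertools.chain([flow.real_port],
                                         range(self.pat_ports[0], self.pat_ports[1] + 1))
            port = next((p for p in candidates if p not in used), None)
            if port is None:
                continue                                # this mapped IP has no ports left
            used.add(port)
            xlate = Xlate(flow.real_ip, flow.real_port, ip, port, "PAT")
            self.xlates.append(xlate)
            return xlate
        return None                                     # pool exhausted, no PAT address: dropped

    def show_xlate(self):
        """Lines in the spirit of `show xlate` for the translations built so far."""
        return [f"{x.kind} from {x.real_ip}:{x.real_port} to {x.mapped_ip}:{x.mapped_port}"
                for x in self.xlates]


if __name__ == "__main__":
    # Constructed traffic: 23 inside hosts (30.0.10.2 - 30.0.10.24) all telnetting to R1.
    flows = [Flow(f"30.0.10.{i}", 40000, "10.0.10.1", 23) for i in range(2, 25)]

    nat = Translator(nat_pool=addr_range("10.0.10.60", "10.0.10.80"))   # lab step 1
    print("dynamic NAT, hosts dropped:", sum(nat.translate(f) is None for f in flows))

    pat = Translator(pat_ips=["10.0.10.254"])                             # lab step 2 (interface)
    print("interface PAT, hosts dropped:", sum(pat.translate(f) is None for f in flows))

    fallback = Translator(nat_pool=addr_range("10.0.10.60", "10.0.10.80"),
                          pat_ips=["10.0.10.88"])                         # lab step 4 (out-nat)
    for f in flows:
        fallback.translate(f)
    print("\n".join(fallback.show_xlate()[-3:]))
```

Running it shows the 21-address pool dropping the 22nd and 23rd hosts under plain dynamic NAT, the interface PAT translating all of them on 10.0.10.254, and the fallback group keeping the first 21 hosts on pool addresses while the rest are PATed on 10.0.10.88.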
Static NAT (one-to-one):
object network web
host 10.0.10.8
exit
object network dmz-web
host 192.168.20.1
exit
access-list web extended permit tcp any host 192.168.20.1
access-group web in interface outside
nat (dmz,outside) source static dmz-web web
route dmz 192.168.20.0 255.255.255.0 20.0.10.1
route inside 192.168.30.0 255.255.255.0 30.0.10.1
(On ASA 8.3 and later the access-list names the real address 192.168.20.1, not the mapped 10.0.10.8. The two routes use the /24 mask of the loopback networks behind R2 and R3; a 255.255.255.255 mask would only cover the .0 address and leave the ASA with no route to 192.168.20.1.)
Static port NAT (one-to-one per port)
object network teldmz
host 10.0.10.111
exit
object service telnet
service tcp source eq telnet
exit
object network dmz-web
host 192.168.20.1
exit
nat (dmz,outside) source static dmz-web teldmz service telnet telnet
(dmz-web was already defined in the previous step, so re-entering it is harmless. This rule maps 10.0.10.111 port 23 on the outside to 192.168.20.1 port 23 in the dmz; the access-list web from the previous step already permits that traffic.)
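Both static sections rely on object references, on the ACL naming the real address, and on the ASA having a route to the real host, and a mistake in any of those fails silently until traffic is tested. The following is an added Python checker, written for this write-up and not part of the lab or of any Cisco tool, that parses the static NAT lines above, resolves the objects into a real/mapped translation table and flags the three defects a practitioner would look for. The config text is constructed from the lab's own lines with two defects added on purpose: a rule naming an undefined object (dmz-qian) and a route with a 255.255.255.255 mask; the port-keyword table is an assumption covering only the names used here.

```python
import ipaddress

PORTS = {"telnet": 23, "ssh": 22, "www": 80, "http": 80, "https": 443}

# Constructed input: the lab's static NAT section plus two deliberate defects so the
# checks have something to report (undefined object dmz-qian, /32 mask on the dmz route).
CONFIG = """
object network web
 host 10.0.10.8
object network dmz-web
 host 192.168.20.1
object network teldmz
 host 10.0.10.111
object service telnet
 service tcp source eq telnet
access-list web extended permit tcp any host 192.168.20.1
access-group web in interface outside
nat (dmz,outside) source static dmz-web web
nat (dmz,outside) source static dmz-web teldmz service telnet telnet
nat (dmz,outside) source static dmz-qian web
route dmz 192.168.20.0 255.255.255.255 20.0.10.1
"""


def port_number(token):
    """Map an ASA port keyword or a numeric port to an int."""
    return int(token) if token.isdigit() else PORTS[token]


def parse(config):
    """Collect network objects, service objects, static nat rules, ACL hosts and routes."""
    objects, services, nats, acl_hosts, routes = {}, {}, [], [], []
    current = None                                   # (kind, name) of the object being defined
    for raw in config.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[:2] == ["object", "network"]:
            current = ("net", w[2])
        elif w[:2] == ["object", "service"]:
            current = ("svc", w[2])
        elif w[0] == "host" and current and current[0] == "net":
            objects[current[1]] = ipaddress.ip_network(w[1])              # single host, /32
        elif w[0] == "subnet" and current and current[0] == "net":
            objects[current[1]] = ipaddress.ip_network(f"{w[1]}/{w[2]}")
        elif w[0] == "service" and current and current[0] == "svc":
            services[current[1]] = (w[1], port_number(w[-1]))              # (protocol, port)
        elif w[0] == "nat" and "static" in w:
            nats.append(w)
        elif w[0] == "access-list" and "host" in w:
            acl_hosts.append(ipaddress.ip_address(w[w.index("host") + 1]))
        elif w[0] == "route":
            routes.append((w[1], ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False)))
        else:
            current = None
    return objects, services, nats, acl_hosts, routes


def static_translations(config):
    """Return (table, warnings): rows are (real_ip, real_port, mapped_ip, mapped_port)."""
    objects, services, nats, acl_hosts, routes = parse(config)
    table, warnings = [], []

    def warn(msg):
        if msg not in warnings:
            warnings.append(msg)

    for w in nats:
        # nat (real_if,mapped_if) source static <real> <mapped> [service <real_svc> <mapped_svc>]
        real_if = w[1].strip("()").split(",")[0]
        real_name, mapped_name = w[4], w[5]
        missing = [n for n in (real_name, mapped_name) if n not in objects]
        if missing:
            warn(f"nat rule references undefined object(s): {', '.join(missing)}")
            continue
        real_ip = objects[real_name].network_address
        mapped_ip = objects[mapped_name].network_address
        real_port = mapped_port = "any"
        if "service" in w:
            i = w.index("service")
            real_port, mapped_port = services[w[i + 1]][1], services[w[i + 2]][1]
        table.append((str(real_ip), real_port, str(mapped_ip), mapped_port))

        # Since ASA 8.3 an interface ACL is matched against the real (untranslated) address.
        if real_ip not in acl_hosts and mapped_ip in acl_hosts:
            warn(f"access-list names mapped address {mapped_ip}; post-8.3 ACLs must use the real address {real_ip}")
        # The ASA also needs a route to the real host out of the real interface.
        if not any(ifc == real_if and real_ip in net for ifc, net in routes):
            warn(f"no route on {real_if} covers real host {real_ip}")
    return table, warnings


if __name__ == "__main__":
    rows, problems = static_translations(CONFIG)
    for row in rows:
        print("static: real %s:%s <-> mapped %s:%s" % row)
    for p in problems:
        print("WARNING:", p)
```

With the constructed input the table holds the two valid rules (192.168.20.1 to 10.0.10.8 address-only, and 192.168.20.1:23 to 10.0.10.111:23) and the warnings name the undefined object and the missing /24 route; replacing the mask with 255.255.255.0 clears the route warning.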