Firewall NAT

The topology is as follows:

[Figure: firewall NAT, one-to-one]

The configuration commands are as follows:

Dynamic NAT configuration
ciscoasa(config)#object network out-pool
ciscoasa(config-network-object)#range 200.1.1.10 200.1.1.20
ciscoasa(config-network-object)#exit
ciscoasa(config)#object network in-ld
ciscoasa(config-network-object)#subnet 172.16.88.0 255.255.255.0
ciscoasa(config-network-object)#exit
ciscoasa(config)#object network in-xd
ciscoasa(config-network-object)#subnet 172.16.1.0 255.255.255.0
ciscoasa(config-network-object)#exit
ciscoasa(config)#object network dmz-1
ciscoasa(config-network-object)#
ciscoasa(config-network-object)#subnet 192.168.0.0 255.255.255.0
ciscoasa(config-network-object)#exit
ciscoasa(config)#object network dmz-2
ciscoasa(config-network-object)#subnet 192.168.1.0 255.255.255.0
ciscoasa(config-network-object)#exit
ciscoasa(config)#object-group network in-lan
ciscoasa(config-network-object-group)#network-object object in-ld
ciscoasa(config-network-object-group)#network-object object in-xd
ciscoasa(config-network-object-group)#exit
ciscoasa(config)#object-group network dmz-lan
ciscoasa(config-network-object-group)#network-object object dmz-1
ciscoasa(config-network-object-group)#network-object object dmz-2
ciscoasa(config-network-object-group)#exit
Specifying PAT
ciscoasa(config)#object network out-pool
ciscoasa(config-network-object)#range 200.1.1.10 200.1.1.20
ciscoasa(config-network-object)#exit
ciscoasa(config)#object network out-pat3
ciscoasa(config-network-object)#host 200.1.1.3
ciscoasa(config-network-object)#exit
ciscoasa(config)#
ciscoasa(config)#object-group network out-nat
ciscoasa(config-network-object-group)#network-object object out-pat3
ciscoasa(config-network-object-group)#network-object object out-pool
ciscoasa(config-network-object-group)#exit
ciscoasa(config)#nat source dynamic in-lan out-nat
Static NAT (one-to-one)
ciscoasa(config)#object network web
ciscoasa(config-network-object)#host 200.1.1.21
ciscoasa(config-network-object)#exit
ciscoasa(config)#object network dmz-web
ciscoasa(config-network-object)#host 192.168.1.11
ciscoasa(config-network-object)#exit
ciscoasa(config)#access-list web extended permit tcp any host 192.168.1.11
ciscoasa(config)#nat source static dmz-web web
One-to-one port mapping
ciscoasa(config)#object network teldmz
ciscoasa(config-network-object)#host 200.1.1.22
ciscoasa(config-network-object)#
ciscoasa(config-network-object)#object network dmz-web
ciscoasa(config-network-object)#host 192.168.1.11
ciscoasa(config-network-object)#exit
ciscoasa(config)#object service telnet
ciscoasa(config-service-object)#service tcp source eq telnet
ciscoasa(config-service-object)#exit
ciscoasa(config)#nat source static dmz-web teldmz service telnet telnet
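
An added example, not part of the original post: the ACL in the static NAT section permits every TCP port to 192.168.1.11, and the page shows no access-group binding it to an interface. The session below scopes the permits to the two published services and then checks the translations. Assumptions: the interface name outside, the ACL name outside-in, HTTP as the web service, and the constructed addresses 203.0.113.0/24 (admin range) and 198.51.100.10 (test client).

```cisco
! Page version, for comparison (all TCP ports, no binding shown):
!   access-list web extended permit tcp any host 192.168.1.11
!
! With this NAT syntax (ASA 8.3 and later) interface ACLs match the REAL
! address, so the entries reference 192.168.1.11, not 200.1.1.21/22.
!
! Web mapping 200.1.1.21 -> 192.168.1.11: permit HTTP only (assumed service).
ciscoasa(config)#access-list outside-in extended permit tcp any host 192.168.1.11 eq www
! Telnet port mapping 200.1.1.22:23 -> 192.168.1.11:23: limit the source
! to an admin range (constructed example range).
ciscoasa(config)#access-list outside-in extended permit tcp 203.0.113.0 255.255.255.0 host 192.168.1.11 eq telnet
! An ACL has no effect until it is bound to an interface.
ciscoasa(config)#access-group outside-in in interface outside
ciscoasa(config)#end
!
! Verification from privileged EXEC mode:
! rule order and hit counters for the NAT statements
ciscoasa#show nat detail
! active translations built from the pool, the PAT address and the static entries
ciscoasa#show xlate
! hit counters per ACL entry
ciscoasa#show access-list outside-in
! simulate an inbound HTTP connection to the mapped web address
ciscoasa#packet-tracer input outside tcp 198.51.100.10 40000 200.1.1.21 80
! simulate telnet from outside the admin range; compare the result with the
! same test sourced from 203.0.113.0/24
ciscoasa#packet-tracer input outside tcp 198.51.100.10 40001 200.1.1.22 23
```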