ASA twice-NAT test: translating the source address of inbound Internet access to the inside interface address

I. Test topology

[Topology diagram (image not preserved)]


II. Test approach

  1. The topology is not meant to be realistic; the only question is whether traffic gets through.

  2. Outside hosts cannot reach the public address that the firewall maps to the internal server, because R1's default route does not point at the firewall. This creates asymmetric routing: the forward and return paths of the TCP connection differ, so the session fails.

  3. If the source address of outside traffic to the internal server is translated to the firewall's inside interface address, the asymmetric routing problem does not arise.


III. Basic configuration

  1. Router Server:

    interface FastEthernet0/0
         ip address 192.168.1.8 255.255.255.0
         no shut
    ip route 0.0.0.0 0.0.0.0 192.168.1.1

  2. Router R1:

    interface Ethernet0/0
         ip address 192.168.2.1 255.255.255.0
         no shut
    interface Ethernet0/1
         ip address 192.168.3.1 255.255.255.0
         no shut
    interface Ethernet0/2
         ip address 192.168.1.1 255.255.255.0
         no shut
    ip route 0.0.0.0 0.0.0.0 192.168.3.254

  3. Router R2:

    interface Ethernet0/0
         ip address 202.100.2.1 255.255.255.0
         ip nat outside
         no shut

    interface Ethernet0/1
         ip address 192.168.3.254 255.255.255.0
         ip nat inside
         no shut
    ip route 0.0.0.0 0.0.0.0 202.100.2.2
    ip route 192.168.0.0 255.255.0.0 192.168.3.1


    ip nat inside source list PAT interface Ethernet0/0 overload
    ip access-list extended PAT
         permit ip 192.168.0.0 0.0.255.255 any

  4. Firewall ASA842:

    interface GigabitEthernet0
         nameif Outside
         security-level 0
         ip address 202.100.1.1 255.255.255.0
    interface GigabitEthernet1
         nameif Inside
         security-level 100
         ip address 192.168.2.254 255.255.255.0

    route Outside 0.0.0.0 0.0.0.0 202.100.1.2 1
    route Inside 192.168.0.0 255.255.0.0 192.168.2.1 1

  5. Router Internet:

    interface Loopback0
         ip address 61.1.1.1 255.255.255.0
    interface FastEthernet0/0
         ip address 202.100.1.2 255.255.255.0
         no shut
    interface FastEthernet0/1
         ip address 202.100.2.2 255.255.255.0
         no shut


IV. Firewall twice-NAT configuration

  1. Define the internal server object:

    object network ServerReal
         host 192.168.1.8

  2. Define the object for the server's mapped public IP:

    object network ServerMap
         host 202.100.1.8

  3. Configure twice-NAT:

    Before translation-----source: any   destination: the server's mapped public IP

    After translation-----source: the firewall's inside interface address   destination: the server's real IP

    nat (Outside,Inside) source dynamic any interface destination static ServerMap ServerReal

  4. Define the policy for the firewall's outside interface:

    access-list Outside extended permit ip any object ServerReal

    ---Note: the ACL references the server's real address, not the mapped address

  5. Apply the policy on the outside interface:

    access-group Outside in interface Outside

  6. Test:


    Internet#telnet 202.100.1.8
    Trying 202.100.1.8 ... Open


    User Access Verification

    Password:
    Server>show user
    % Ambiguous command:  "show user"
    Server>show users
        Line       User       Host(s)              Idle       Location
       0 con 0                idle                 00:05:42   
    *  2 vty 0                idle                 00:00:00 192.168.2.254

      Interface    User               Mode         Idle     Peer Address

    Server>q

    [Connection to 202.100.1.8 closed by foreign host]
    Internet#

    -----The vty session shows 192.168.2.254 as its source: the firewall has translated the source address of the connection coming from the public network

    Server#ping 61.1.1.1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 61.1.1.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 44/80/144 ms

    Server#

    Internet#debug ip icmp
    ICMP packet debugging is on
    Internet#
    *Aug 22 13:02:57.787: ICMP: echo reply sent, src 61.1.1.1, dst 202.100.2.1
    *Aug 22 13:02:57.967: ICMP: echo reply sent, src 61.1.1.1, dst 202.100.2.1
    *Aug 22 13:02:58.067: ICMP: echo reply sent, src 61.1.1.1, dst 202.100.2.1
    *Aug 22 13:02:58.123: ICMP: echo reply sent, src 61.1.1.1, dst 202.100.2.1
    *Aug 22 13:02:58.127: ICMP: echo reply sent, src 61.1.1.1, dst 202.100.2.1
    Internet#

    ------Server can still reach the public network normally through PAT on R2
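An added example (not from the original post) that models the routing tables from section III and the NAT rule from section IV in Python: it walks the telnet connection from Internet to ServerMap hop by hop, with and without the source translation to the inside interface, to show why the server's reply bypasses the ASA when only the destination is translated. It assumes the ASA answers for the mapped address 202.100.1.8 on the Outside segment; the node names and the simplified xlate table are the example's own.

```python
import ipaddress
# Interface addresses per device, from the page's configs. 202.100.1.8 (ServerMap) is listed
# under the ASA because the ASA answers for its mapped address on the Outside segment (assumption).
OWNER = {"Internet": ["61.1.1.1", "202.100.1.2", "202.100.2.2"],
         "ASA": ["202.100.1.1", "192.168.2.254", "202.100.1.8"],
         "R2": ["202.100.2.1", "192.168.3.254"],
         "R1": ["192.168.2.1", "192.168.3.1", "192.168.1.1"], "Server": ["192.168.1.8"]}
ADDR_TO_NODE = {ip: n for n, ips in OWNER.items() for ip in ips}
# Routing tables from the page: (prefix, next hop); next hop None = directly connected.
ROUTES = {"Internet": [("61.1.1.0/24", None), ("202.100.1.0/24", None), ("202.100.2.0/24", None)],
          "ASA": [("202.100.1.0/24", None), ("192.168.2.0/24", None),
                  ("192.168.0.0/16", "192.168.2.1"), ("0.0.0.0/0", "202.100.1.2")],
          "R2": [("202.100.2.0/24", None), ("192.168.3.0/24", None),
                 ("192.168.0.0/16", "192.168.3.1"), ("0.0.0.0/0", "202.100.2.2")],
          "R1": [("192.168.2.0/24", None), ("192.168.3.0/24", None),
                 ("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.3.254")],
          "Server": [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")]}
MAPPED, REAL, INSIDE_IF = "202.100.1.8", "192.168.1.8", "192.168.2.254"  # ServerMap, ServerReal, Inside
def next_hop(node, dst):
    """Longest-prefix match on node's table; returns the device that receives the packet next."""
    ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in ROUTES[node] if ip in ipaddress.ip_network(p)]
    best = max(hits, key=lambda h: h[0].prefixlen)   # ValueError here means: no route to dst
    return ADDR_TO_NODE[best[1] or dst]              # connected route: hand to the owner of dst

def asa_nat(src, dst, xlate, twice_nat):
    """The page's rule: 'destination static ServerMap ServerReal' (+ 'source dynamic any interface')."""
    if dst == MAPPED:                                # new connection from Outside to the mapped address
        new_src = INSIDE_IF if twice_nat else src
        xlate[(REAL, new_src)] = (MAPPED, src)      # reverse entry, keyed by the reply's (src, dst)
        return new_src, REAL
    return xlate.get((src, dst), (src, dst))       # reply: undo the translation if an xlate exists

def trace(start, src, dst, xlate, twice_nat, max_hops=8):  # returns (path, src, dst) at delivery
    path = [start]
    while len(path) <= max_hops:
        node = path[-1]
        if node == "ASA":                            # NAT is applied as the packet transits the ASA
            src, dst = asa_nat(src, dst, xlate, twice_nat)
        if dst in OWNER[node]:
            return path, src, dst
        path.append(next_hop(node, dst))
    raise RuntimeError(f"routing loop: {path}")

def asymmetric(twice_nat):
    """Telnet from Internet (202.100.1.2) to ServerMap: does the server's reply bypass the ASA?"""
    xlate = {}
    fwd, s, d = trace("Internet", "202.100.1.2", MAPPED, xlate, twice_nat)
    back, _, _ = trace("Server", d, s, xlate, twice_nat)
    return "ASA" not in back, fwd, back
```

With destination-only translation the reply goes Server, R1, R2, Internet and never reaches the ASA's connection table; with the source translated to 192.168.2.254 it returns Server, R1, ASA, Internet.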

V. Postscript

  1. Multiple internal addresses and multiple public addresses, all one-to-one mappings

    Configure several mappings in the format above; every one of them translates the source to the firewall's inside interface address.

    object network ServerMap
         host 202.100.1.8

    object network ServerReal
         host 192.168.1.8

    object network R1Map
         host 202.100.1.18

    object network R1Real
         host 192.168.1.1


    nat (Outside,Inside) source dynamic any interface destination static ServerMap ServerReal

    nat (Outside,Inside) source dynamic any interface destination static R1Map R1Real


    access-list Outside extended permit tcp any object ServerReal eq telnet
    access-list Outside extended permit tcp any object R1Real eq telnet
    access-group Outside in interface Outside

  2. Multiple internal addresses and a single public address (for example the interface address), all port mappings

    object network ServerReal
         host 192.168.1.8
    object network R1Real
         host 192.168.1.1


    object service telnet
         service tcp destination eq telnet
    object service ServerMapTelnet2321
         service tcp destination eq 2321
    object service R1MapTelnet2322
         service tcp destination eq 2322


    nat (Outside,Inside) source dynamic any interface destination static interface ServerReal service ServerMapTelnet2321 telnet
    nat (Outside,Inside) source dynamic any interface destination static interface R1Real service R1MapTelnet2322 telnet


    access-list Outside extended permit tcp any object ServerReal eq telnet
    access-list Outside extended permit tcp any object R1Real eq telnet
    access-group Outside in interface Outside
