About configuring twice NAT
Twice NAT lets you match both the source and the destination of the traffic with a single rule.
In twice NAT, matching and translating the destination is optional; the destination part can be an identity NAT or a static translation.
Although twice NAT was designed so that the destination address can be matched, in practice matching the destination address is optional.
1. Configuring dynamic NAT with twice NAT
object network realsource
subnet 2.2.2.0 255.255.255.0
object network mappedsource
range 1.1.1.100 1.1.1.150
object network realdest
host 1.1.1.1
object network mappeddst
host 1.1.1.1
Finally, reference the objects in a nat rule to do the matching:
nat (inside,outside) source dynamic realsource mappedsource destination static mappeddst realdest
ASA# show xlate
2 in use, 2 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from outside:1.1.1.1 to inside:1.1.1.1
flags sIT idle 0:02:22 timeout 0:00:00
NAT from inside:2.2.2.101 to outside:1.1.1.100 flags i idle 0:02:22 timeout 3:00:00
2. Configuring PAT with twice NAT
object network realsource
subnet 2.2.2.0 255.255.255.0
object network mappedsource
range 1.1.1.100 1.1.1.150
object network realdest
host 2.2.2.100
object network mappeddst
host 1.1.1.100
nat (inside,outside) source dynamic realsource pat-pool mappedsource destination static mappeddst realdest
Pay attention to the order of the configuration and to the keywords. I tested this myself: if the mapped object in the destination part is configured wrongly, communication is affected, because with a wrong configuration the ASA does not send proxy ARP replies for the addresses in the object network.
Actual test results
Receiving side
R1#
*Mar 1 01:24:44.207: ICMP: echo reply sent, src 1.1.1.1, dst 1.1.1.100
*Mar 1 01:24:44.295: ICMP: echo reply sent, src 1.1.1.1, dst 1.1.1.100
*Mar 1 01:24:44.331: ICMP: echo reply sent, src 1.1.1.1, dst 1.1.1.100
*Mar 1 01:24:44.347: ICMP: echo reply sent, src 1.1.1.1, dst 1.1.1.100
*Mar 1 01:24:44.371: ICMP: echo reply sent, src 1.1.1.1, dst 1.1.1.100
R1#
Sending side
R2#ping 2.2.2.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.200, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/48/140 ms
R2#
*Mar 1 01:24:33.515: ICMP: echo reply rcvd, src 2.2.2.200, dst 2.2.2.101
*Mar 1 01:24:33.567: ICMP: echo reply rcvd, src 2.2.2.200, dst 2.2.2.101
*Mar 1 01:24:33.587: ICMP: echo reply rcvd, src 2.2.2.200, dst 2.2.2.101
*Mar 1 01:24:33.611: ICMP: echo reply rcvd, src 2.2.2.200, dst 2.2.2.101
*Mar 1 01:24:33.623: ICMP: echo reply rcvd, src 2.2.2.200, dst 2.2.2.101
Note the source IP address in the reply packets received by R2.
Information shown on the ASA
ASA# show xlate
2 in use, 3 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from outside:1.1.1.1 to inside:2.2.2.200
flags sT idle 0:00:02 timeout 0:00:00
ICMP PAT from inside:2.2.2.101/19 to outside:1.1.1.100/19 flags ri idle 0:00:02 timeout 0:00:30
ASA#
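To make this xlate state easier to audit, here is an added example (my own code, not from the original post or from Cisco) that parses the two show xlate outputs above, decodes the flag letters with the legend line, and lists the entries whose outside-side address is not covered by a configured object. It assumes the interface pair is (inside,outside) as in these configs; the function names and the allowed-network list are mine.

```python
# Added example (not from the original post): parse ASA "show xlate" output into
# records, decode the flag letters using the legend line, and flag entries whose
# outside-side address is not inside any configured mapped/real object.
import ipaddress
import re

# The two "show xlate" outputs quoted in the post, joined into one constructed sample.
SAMPLE = """\
2 in use, 3 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from outside:1.1.1.1 to inside:1.1.1.1
flags sIT idle 0:02:22 timeout 0:00:00
NAT from inside:2.2.2.101 to outside:1.1.1.100 flags i idle 0:02:22 timeout 3:00:00
NAT from outside:1.1.1.1 to inside:2.2.2.200
flags sT idle 0:00:02 timeout 0:00:00
ICMP PAT from inside:2.2.2.101/19 to outside:1.1.1.100/19 flags ri idle 0:00:02 timeout 0:00:30
NAT from inside:2.2.2.0/24 to outside:1.1.1.0/24
flags sT idle 0:00:06 timeout 0:00:00
"""

# One complete record once a wrapped "flags ..." line has been joined to its header.
ENTRY = re.compile(
    r"^(?P<kind>.+?) from (?P<from_if>\w+):(?P<from_addr>[\d./]+) "
    r"to (?P<to_if>\w+):(?P<to_addr>[\d./]+) flags (?P<flags>\S+) "
    r"idle (?P<idle>\S+) timeout (?P<timeout>\S+)$")

def parse_legend(line):
    """'Flags: D - DNS, i - dynamic, ...' -> {'D': 'DNS', 'i': 'dynamic', ...}"""
    body = line.split(":", 1)[1]
    return {k.strip(): v.strip() for k, v in (p.split(" - ") for p in body.split(","))}

def parse_xlate(text):
    """Return (legend, entries). A record may wrap onto a second line starting with 'flags'."""
    legend, records, current = {}, [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Flags:"):
            legend = parse_legend(line)
        elif line.startswith("flags ") and current:
            current.append(line)              # continuation of the previous record
        elif " from " in line:
            if current:
                records.append(" ".join(current))
            current = [line]
    if current:
        records.append(" ".join(current))
    entries = []
    for rec in records:
        m = ENTRY.match(rec)
        if not m:
            raise ValueError("unrecognised xlate record: " + rec)
        e = m.groupdict()
        e["flag_names"] = [legend.get(f, "?") for f in e["flags"]]
        entries.append(e)
    return legend, entries

def twice_nat_entries(entries):
    """Entries created by a twice NAT rule (flag T)."""
    return [e for e in entries if "T" in e["flags"]]

def outside_address(entry):
    """Address shown on the outside interface; for PAT entries the '/n' suffix is a
    port or ICMP id rather than a prefix length, so it is dropped."""
    addr = entry["to_addr"] if entry["to_if"] == "outside" else entry["from_addr"]
    if "PAT" in entry["kind"]:
        addr = addr.split("/")[0]
    return ipaddress.ip_network(addr, strict=False)

def unexpected_outside(entries, allowed_cidrs):
    """Entries whose outside-side address is not covered by any configured object."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    return [e for e in entries
            if not any(outside_address(e).subnet_of(a) for a in allowed)]

if __name__ == "__main__":
    legend, entries = parse_xlate(SAMPLE)
    for e in twice_nat_entries(entries):
        print(e["kind"], e["from_if"], e["from_addr"], "->", e["to_if"], e["to_addr"],
              ",".join(e["flag_names"]))
    print("outside addresses not in 1.1.1.0/24:",
          len(unexpected_outside(entries, ["1.1.1.0/24"])))
```

Running this against the sample prints the three twice NAT entries with their decoded flags (static,identity,twice for the identity destination; static,twice for the two static destinations) and reports no outside address outside 1.1.1.0/24.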
3. Configuring static NAT and static NAT with port translation with twice NAT
object network mappedsource
subnet 1.1.1.0 255.255.255.0
object network source
subnet 2.2.2.0 255.255.255.0
object network realdest
host 1.1.1.1
object network mappeddest
host 2.2.2.101
nat (inside,outside) source static source mappedsource destination static mappeddest realdest
A static translation is now in effect; show xlate on the ASA gives:
2 in use, 3 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:2.2.2.0/24 to outside:1.1.1.0/24
flags sT idle 0:00:06 timeout 0:00:00
NAT from outside:1.1.1.1 to inside:2.2.2.101
flags sT idle 0:10:47 timeout 0:00:00
Note how the static translation pairs addresses one-for-one: 2.2.2.201 is translated to 1.1.1.201.
4. Identity NAT with twice NAT is configured the same way as with object network NAT, except that a destination translation can also be configured.
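As an added example that is not part of the original post or of Cisco's own NAT logic, the following Python models how the twice NAT rules above match an inside-to-outside packet and rewrite both addresses: the source real to mapped (dynamic pool, PAT pool with a new port, or static address-for-address) and the destination mapped to real, which becomes identity NAT when the two destination objects are the same. The object names follow the post, except mappedsubnet, mappeddst_pat (the 2.2.2.200 destination seen in the section 2 test) and the port counter, which are my assumptions. The parse_nat_line helper also makes the keyword order explicit that the note in section 2 warns about: source takes real then mapped, destination takes mapped then real.

```python
# Added example (not from the original post): a small model of how a Cisco ASA
# twice NAT rule matches and rewrites an inside->outside packet. Object names
# follow the post; "mappedsubnet", "mappeddst_pat" and the port counter are my
# simplifications, not ASA behaviour.
import ipaddress
from itertools import count

ip = ipaddress.ip_address

def net(cidr):                      # "subnet"/"host" object -> ordered address list
    return list(ipaddress.ip_network(cidr))

def rng(first, last):               # "range first last" object
    a, b = ip(first), ip(last)
    return [a + i for i in range(int(b) - int(a) + 1)]

OBJECTS = {
    "realsource":    net("2.2.2.0/24"),
    "mappedsource":  rng("1.1.1.100", "1.1.1.150"),
    "mappedsubnet":  net("1.1.1.0/24"),          # the /24 mapped source of section 3
    "realdest":      net("1.1.1.1/32"),
    "mappeddst":     net("1.1.1.1/32"),          # identity destination (section 1)
    "mappeddst_pat": net("2.2.2.200/32"),        # destination seen in the section 2 test
    "mappeddest":    net("2.2.2.101/32"),        # section 3
}

class TwiceNatRule:
    def __init__(self, src_type, real_src, mapped_src, mapped_dst=None, real_dst=None):
        self.src_type = src_type                 # "dynamic", "pat" or "static"
        self.real_src, self.mapped_src = real_src, mapped_src
        self.mapped_dst, self.real_dst = mapped_dst, real_dst
        self.xlate = {}                          # dynamic: real src -> mapped src
        self._free = list(mapped_src)            # dynamic: unused pool addresses
        self._ports = count(1024)                # pat: next mapped port (simplified)

    def matches(self, src, dst):
        if src not in self.real_src:
            return False
        # The destination part is optional: without it the rule matches any destination.
        return self.mapped_dst is None or dst in self.mapped_dst

    def translate(self, src, dst, sport=None):
        """Return (mapped_src, mapped_sport, real_dst), or None if the rule does not match."""
        if not self.matches(src, dst):
            return None
        if self.src_type == "static":            # address-for-address, same offset
            new_src, new_port = self.mapped_src[self.real_src.index(src)], sport
        elif self.src_type == "dynamic":         # one pool address per real host
            if src not in self.xlate:
                if not self._free:
                    raise RuntimeError("dynamic pool exhausted")
                self.xlate[src] = self._free.pop(0)
            new_src, new_port = self.xlate[src], sport
        else:                                    # pat: shared address, unique port
            new_src, new_port = self.mapped_src[0], next(self._ports)
        # Destination is rewritten mapped -> real; identical objects give identity NAT.
        new_dst = dst if self.mapped_dst is None else self.real_dst[self.mapped_dst.index(dst)]
        return new_src, new_port, new_dst

def parse_nat_line(line, objects=OBJECTS):
    """Build a rule from a 'nat (inside,outside) source ... destination static ...' line.
    Keyword order: source takes <real> <mapped>, destination takes <mapped> <real>."""
    t = line.split()
    i = t.index("source") + 1
    src_type, real, mapped = t[i], t[i + 1], t[i + 2]
    if mapped == "pat-pool":
        src_type, mapped = "pat", t[i + 3]
    mapped_dst = real_dst = None
    if "destination" in t:
        j = t.index("destination") + 2           # skip the "static" keyword
        mapped_dst, real_dst = objects[t[j]], objects[t[j + 1]]
    return TwiceNatRule(src_type, objects[real], objects[mapped], mapped_dst, real_dst)

if __name__ == "__main__":
    r2 = parse_nat_line("nat (inside,outside) source dynamic realsource pat-pool mappedsource "
                        "destination static mappeddst_pat realdest")
    # R2 (2.2.2.101) pinging 2.2.2.200 leaves as 1.1.1.100 with a new port, towards 1.1.1.1
    print(r2.translate(ip("2.2.2.101"), ip("2.2.2.200"), 19))
    r3 = parse_nat_line("nat (inside,outside) source static realsource mappedsubnet "
                        "destination static mappeddest realdest")
    # static: 2.2.2.201 becomes 1.1.1.201, destination 2.2.2.101 becomes 1.1.1.1
    print(r3.translate(ip("2.2.2.201"), ip("2.2.2.101")))
```

The model deliberately keeps the state an operator sees in show xlate: a dynamic host keeps the same pool address while its entry exists, PAT hands out a fresh port per flow on a single pool address, and a packet whose destination is not in the mapped destination object simply does not match the rule.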