Problem with NAT on a PIX under GNS3

Simple network topology

PC1 --> SWITCH --> PIX 802 --> OUTSIDE SWITCH --> OUTSIDE PC


The PIX 802 configuration is as follows:

PIX Version 8.0(2)
!
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list permiticmp extended permit icmp any any
access-list permitnat1 extended permit ip host 192.168.1.2 host 192.168.2.2
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 2.2.2.2 netmask 255.255.255.255
nat (inside) 1 access-list permitnat1
access-group permiticmp in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end


Note that the public-side segment is 192.168.2.0/24, while the NAT-translated address 2.2.2.2 is on a completely different segment. Yet in the final test the ping actually went through??


What do you all make of this??

The solution I eventually found:

http://www.cisco.com/en/US/products/hw/***devc/ps2030/products_tech_note09186a0080094aad.shtml

Troubleshoot

This section provides information you can use to troubleshoot your configuration.

  • If you use ICMP pings to test a configured translation, the pings are likely to fail and make it seem as though the translation is not working. By default, the PIX blocks ICMP messages from lower security interfaces to higher security interfaces. This occurs even if the echo-reply is in response to a ping initiated from the inside. As a result, be sure to use another method, like Telnet, to verify your configuration.

  • After you make any changes to translation rules on the PIX it is strongly encouraged that the clear xlate command be issued. This ensures that any old translations do not interfere with newly configured ones and cause them to operate incorrectly.

  • After you configure or change static translations between servers on the inside or DMZ and the outside, it might be necessary to clear the ARP cache of the gateway router or other next-hop device.

  • Because my understanding was shallow at the time, most of the discussion above is incorrect. Going by NAT's four tables, the mapping is in the end still delivered by routing; only the packet's source and destination IPs are changed.

  • Latest addendum (final version)

From 7.0 onward, nat-control is disabled by default. When it is disabled, no NAT translation is required and the firewall forwards traffic like a router, but the ACL rules still apply.

How the default behaviour changed:
In 6.3, any traffic crossing the firewall needed a translation entry (nat, static, and so on); without one, traffic could not pass through the firewall. In 7.0 this rule changed: traffic can cross the firewall normally, just as it would through a router, without any translation entry. But a new command appeared! Once you enter nat-control, the rule reverts to the 6.3 behaviour, where a translation entry is mandatory for traffic to cross the firewall.

The following experiment helps show what nat-control really means.

Topology
R1 ---- inside - PIX - outside ---- R3
12.0.0.0                23.0.0.0

With nat-control disabled:
1. Only IP addresses configured, nothing else.
R1 can telnet to R3, and there is no xlate entry. For R3 to telnet to R1, you only need to permit the traffic on the outside interface.

2. With the following configured:
nat (inside) 1 12.1.1.0 255.255.255.0
glob (outside) interface
An xlate entry now appears, because this traffic matches the configured nat rule, so an xlate is created:
PAT Global 23.1.1.2(1026) Local 12.1.1.1(14930)

3. With the following configured:
nat (inside) 1 192.168.1.0 255.255.255.0
glob (outside) interface
R1 can still telnet to R3, but no xlate appears. Because nat-control is disabled, the traffic passes even though the configuration is wrong (the nat statement does not cover R1's real address).

With nat-control enabled:
With the following configured:
nat (inside) 1 12.1.1.0 255.255.255.0
glob (outside) interface
R1 can telnet to R3, and an xlate is created.

With the following configured:
nat (inside) 1 192.168.1.0 255.255.255.0
glob (outside) interface
This no longer works, because nat-control now enforces the requirement for a matching translation entry.
I have met many people who never enter nat-control when configuring 7.0 and later. Without it the ASA's protective capability is reduced, so I recommend making it a habit: before configuring anything else, the first command you type should be this one.
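To make the five experiment cases concrete, here is a small Python model of the nat-control forwarding decision for inside-to-outside traffic. It is an added example, not part of the original post or of any Cisco code; it assumes a single nat/global pair, that R1 is 12.1.1.1, and that the outside interface address is 23.1.1.2 (taken from the PAT xlate line above).

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class NatRule:
    """A 'nat (inside) <id> <net> <mask>' statement; its id pairs it with 'global (outside) <id>'."""
    nat_id: int
    local_net: ipaddress.IPv4Network


@dataclass
class Pix:
    nat_control: bool                 # True once 'nat-control' has been entered
    outside_if_addr: str              # address used by 'global (outside) <id> interface'
    nat_rules: list = field(default_factory=list)
    global_ids: set = field(default_factory=set)
    xlate: dict = field(default_factory=dict)   # local ip -> global ip (PAT entries)

    def inside_to_outside(self, src_ip: str) -> bool:
        """Return True if an inside->outside packet from src_ip is forwarded."""
        src = ipaddress.IPv4Address(src_ip)
        rule = next((r for r in self.nat_rules
                     if src in r.local_net and r.nat_id in self.global_ids), None)
        if rule is None:
            # No nat/global pair covers this source. With nat-control on (or on 6.3)
            # the packet is dropped; with it off the PIX routes it and creates no xlate.
            return not self.nat_control
        # A matching pair builds a PAT xlate to the outside interface address.
        self.xlate[src_ip] = self.outside_if_addr
        return True


def run_experiments():
    """Replay the post's cases for R1 (12.1.1.1); returns name -> (forwarded, xlate_created)."""
    cases = [
        ("off-no-nat",    False, None),              # case 1: IP addresses only
        ("off-nat-match", False, "12.1.1.0/24"),     # case 2: nat covers R1
        ("off-nat-wrong", False, "192.168.1.0/24"),  # case 3: nat does not cover R1
        ("on-nat-match",  True,  "12.1.1.0/24"),
        ("on-nat-wrong",  True,  "192.168.1.0/24"),
    ]
    results = {}
    for name, ctrl, net in cases:
        pix = Pix(nat_control=ctrl, outside_if_addr="23.1.1.2")  # assumed outside address
        if net:
            pix.nat_rules.append(NatRule(1, ipaddress.IPv4Network(net)))
            pix.global_ids.add(1)
        forwarded = pix.inside_to_outside("12.1.1.1")
        results[name] = (forwarded, "12.1.1.1" in pix.xlate)
    return results
```

Only the last case is dropped; the third case shows the "misconfigured but still passes" behaviour that nat-control exists to prevent.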

