ASA防火墻NAT新版老版的配置方法對比

ASA8.3以后，NAT算是發(fā)生了很大的改變，之前也看過8.4的ASA改變的還有VPN加入了Ikev2。MPF方法加入了新的東西，QOS和策略都加強了，這算是Cisco把CCSP的課程改為CCNRSecurity的改革吧！拓撲圖就是上面的，基本配置都是一樣，地址每個路由器上一條默認路由指向 ASAtlscdAiACeaftfdg)*P勺M200.200.200.2Typeescape toabort.Eending5tIOCbyteICMr>Lchosto200^200.200.2ttlNQ^utiB2cecorwdti{F!Ji!suernsr^TfT車ionpercent rownd-ir1paln/^vg/nu*1/4/10ik.叮：Koa風字 人ZW.ETypeescapesequencetoabcrl.fendi5,byrtlCMf>Lchoslo12.1.1.2,Efnacutfs2seconds:I!1[>5jc<rar(■侶LtWpercent(5/>),rnumi-tripnir^avgnax■1 站ciscoiSiCcwTfig)*pin^ ZTypeescape5equenc?toab^rt.Senenq5’J(TObyteICMPEfhodto13.lr1.2,ffneoiitT亍?seconds:111ri!iuctrat^1etoof>er[:直nr round-tripntn/avg/nao(=1/1/20低基本通信沒問題，關(guān)于 8.3以后推出了兩個概念，一個是 networkobject它可以代表一個主機或者子網(wǎng)的訪問。另外一個是serviceobject ，代表服務。1、地址池的形式的NAT配置老版本代表一個 的地址池轉(zhuǎn)換成-54—對一的轉(zhuǎn)換global(outside)1200.200.200354新版本(NetworkobjectNAT)ciscoasa(config)#objectnetworkinsideciscoasa(config-network-object)#subnetciscoasa(config-network-object)#exitciscoasa(config)#objectnetworkoutside-poolciscoasa(config-network-object)#range54ciscoasa(config-network-object)#exitciscoasa(config)#objectnetworkinsideciscoasa(config-network-object)#nat(inside,outside)dynamicoutside-pool其實，剛開始接觸也挺不習慣的，不過弄懂了就習慣了，它的意思是先定義兩個 object,一個用于代表轉(zhuǎn)換前的地址圍，一個是轉(zhuǎn)化后的地址圍，最后在轉(zhuǎn)換前的 object進行調(diào)用轉(zhuǎn)化后的 object。ins1dc#tetn^tTrydngMOD.■ 2t?iQp?1nvcrlTTcaTlenPAs-sword:LUSor HO￡t<￡>idleLotatfan0con01dl0&：M：10H閒vryoIdle□D：Q0：OOZDQ.7GQ.EGG.interfaceuserEdiePeerAdJ-|outs.ido>由于地址不是一一對應的， 所以這里它就自動選擇了。 這里為了清楚表達要在需要的地方調(diào)用這個策略，所以輸入了兩次objectnetworkinside，其實我們看先創(chuàng)建一個地址池，然后在創(chuàng)建一個需要轉(zhuǎn)換的圍，然后在這個object里面調(diào)用。2、動態(tài)PAT多對一的配置老配置里面可以根據(jù)一個地址或者直接跟 interface 參數(shù)來做nat(inside)1global(outside)1orinterface新版本(NetworkobjectNAT)ciscoasa(config)#objectnetworkinsideciscoasa(config-network-object)#subnetciscoasa(config-network-object)#nat(inside,outside)dynamicinterface2(W?2o6?Tryiinj .Optuiij<tp■ vor1-pvonPasDkrcrd:ftUtElets4tictrLineUserHOStia1?Location□rori0fiilP7* vty0■idlerrrtcrti^literMo4?W誕PeerXdcrtssqul5ido這個策略最簡單，就在需要轉(zhuǎn)換的地址進行 NAT配置，這里調(diào)用interface 作為轉(zhuǎn)換。如果是一個單一的地址話。ciscoasa(config)#objectnetworkoutside-patciscoasa(config-network-object)#hostciscoasa(config)#objectnetworkinsideciscoasa(config-network-object)#subnetciscoasa(config-network-object)#nat(inside,outside)dynamicoutside-pat 調(diào)用outside-pat策略用做PATTrying200.2D0.200.2…Trying200.2D0.200.2…openuserAcceisverificarionpuTsfdp>showuswLine

dcon0*bbvtyCHost(puTsfdp>showuswLine

dcon0*bbvtyCHost(5)idieidleMtxleidleP皀皀，essout￡idp>轉(zhuǎn)換成出去了3、StaticNAT 一對一轉(zhuǎn)換老版本，用于服務器公布出去static(inside,outside)新版本(NetworkobjectNAT)ciscoasa(config)#objectnetworkDMZciscoasa(config-network-object)#hostciscoasa(config-network-object)#nat(dmZ,outside)staticciscoasa(config)#access-list100permittcpanyhosteqtelnetciscoasa(config)#access-group100ininterfaceoutsideOdtslde/Tclnct2DD.?O0,2i3O.3Tryirg?00.2M.2DD,3…、UEDTHCSTCl)MoUEDTHCSTCl)MoLCTJTlOri0con0idie00;00;046&vt￥0icHeIrter^aceU^erModePeerUitrAlcess"wer?<_cttfenPissword!□MZ-shOfuser外部訪問DMZ沒問題，但是這里注意的是在 8.3以前的版本是需要放行轉(zhuǎn)換后的地址，而8.3以后，是放行真實的地址，也就是部地址。這里還可以用一個 obejet來單獨設置一個地址，然后在調(diào)用。另外如果是http的轉(zhuǎn)換或者這些依賴DNS解析的服務話，而部有是通過公網(wǎng)地址訪問的話，那么就加個 DNS參數(shù)nat(dmZ,outside)staticdns4、StaticNAT端口轉(zhuǎn)換static(inside,outside)tcp232323新版本(NetworkobjectNAT)ciscoasa(config)#objectnetworkDMZciscoasa(config-network-object)#hostciscoasa(config-network-object)#nat(dmZ,outside)staticciscoasa(config-network-object)#nat(dmZ,outside)staticservicetcptelnet2323這個是格式，前面telnet 是代表部服務的端口號，而后面的代表轉(zhuǎn)換后的端口號。Gustsuui zoo.?523Trring ■斗2123???ORenu"r writfcnlanPassword: 這里要加2323的端口號。另外一種轉(zhuǎn)換形式就是跟 interface參數(shù)的，它跟8.3以前一樣，接口地址不能作為object的一部分，只能通過interface來表示，而不是地址形式。ciscoasa(config-network-object)#nat(dmZ,outside)staticinterfaceservicetcptelnet2323tIi-FLUUJILIIlL jTlOVr~11ILLI 's匚(jms?(匚orrff孚》#show刊匸匚e&s-listacctss^l1STcarnwia￡lIoqflows;totalC,cien<fd0(denyflownax4CW)1.1ert-intervaliQOaccess-14st100;1r1ement5；naivehash;Ox{:駅對acces^-11st1QO11ne1exTPndedperalrtcpanvhost13.1.1□??1EelrWT(Mtcnt-rilff,UMS?(ronf勺曹)* *這里8.3以后放行真實地址的流量就可以了，而不關(guān)心轉(zhuǎn)換后的地址。5、IdentityNATnat(inside)0222255在老版本里面有個NATO的策略，分為identity 和bypass，我們通常用的denyVPN流量不做NAT用的是bypass，不過在8.3以后實現(xiàn)方法有點不同。在這個拓撲中，inside 新增加一個的地址，不被轉(zhuǎn)換出去。ciscoasa(config)#objectnetworkinsideciscoasa(config-network-object)#hostciscoasa(config-network-object)#nat(inside,outside)dynamicinterfacefinalde*telnet2D0.200*.200.2/sourct-lnterfacetoTrying200.2<HL200,2…openUitrAccessver1fdc.dLt1onPassword;nujrtsiL1：neuse『Host(si idleLO匚hin0con0Idle (M;09133*G6vty0idle OS:00:00昭￡?「FperAddressOutside^默認情況下是轉(zhuǎn)換地址出去的，做個 identity后新版本(NetworkobjectNAT)ciscoasa(config)#objectnetworkinside1ciscoasa(config-network-object)#hostciscoasa(config-network-object)#nat(inside,outside)statictris{de^lelwt2Qi>.200. 2/saurce-interfdce'：o0Tryir.(j?ft3.20-0. ??，ooen1utpr xiprlfir^TinnOut3ide>s,ni?fluiserLineuserHostts)idleLoeal1onUcon0"1fjl庭? wy0(KJ：CK7：<H?-FirTterfaceU5ET**7dcidlef巳亡廠扎anirrwTri口、

這里自己轉(zhuǎn)換自己，它是優(yōu)于 PAT的。6policyNATaccess-list100permitiphost 關(guān)于網(wǎng)段去往的轉(zhuǎn)換用nat(inside)1access-list100global(outside)1globat(outside)1interface在老版本中，叫做策略 NAT,根據(jù)訪問不同的網(wǎng)段，轉(zhuǎn)換成不同地址出去。新版本(TwiceNAT)，這個是兩次NAT,—般加入了基于目的的元素，而之前的 networkobject只是基于源的，通常情況下使用object就能解決問題了，這個只是在特殊情況下使用。一般我們把 object叫做AutoNAT，而TwiceNAT叫做manualNAT這是outside有個和3.333 的地址，當 的網(wǎng)段訪問的時候轉(zhuǎn)換成出去，而其余的就用接口地址轉(zhuǎn)換。ciscoasa(config)#objectnetworkpolicy 這個代表訪問ciscoasa(config-network-object)#hostciscoasa(config)#objectnetworkoutside-pat 用這個地址做專門訪問 的PATciscoasa(config-network-object)#hostciscoasa(config)#objectnetworkinsideciscoasa(config-network-object)#subnetciscoasa(config-network-object)#nat(inside,outside)dynamicinterface這里定義了部網(wǎng)段，并且用接口地址做 PAT。關(guān)于TwiceNAT是在全局下做的，而 AutoNAT是基于:在Object下做的。ciscoasa(config)#nat(inside,outside)sourcedynamicinsideoutside-patdestinationstaticpolicypolicy這個跟普通的AutoNAT，這里多了個destination 目的，policypolicy 這是書寫格式?？聪滦Ч鹖nsideftelnet九九14Trying1.1,1.1…operAct甲,,veri'FicationLlrir0con0

?釀穴￥QLlrir0con0

?釀穴￥QjserL5rrHO5L(53idleidleModeIdle LCXdVl00:06;刃00:00:00200.200.ZOO.3IdI& pQPi"A.ddrps^IinsidcrtelnttJ.J.J*3TryT為F.r7.?*..opor.LineuseridleLocationLineuseridleLocationQcon0-idle*岳Evty0idie00:30:GO206.200,500.：HRPP'TUsvrmodi?jdiePeerjuldre&sLseraccessvsrificaticrPaiswore:ti-UT51dp>shnwkptputsidol效果出來了，訪問 的時候用轉(zhuǎn)換，而訪問 3.333 的時候用interface 轉(zhuǎn)換出去。VPN流量旁路在老版本里面我們用 NAT0來解決這個問題，而在新版本里面沒有 NAT0這個概念了，它用TwiceNAT+Identify 組合的使用access-list100permitiphosthost2222nat(inside)0access-list100objectnetworklocal-vpn-traffichostobjectnetoworkremote-vpn-traffichostnat(inside,outside) sourcestaticlocal-vpn-traffic local-vpn-traffic destinationstaticremote-vpn-trafficremote-vpn-traffic( 全局下)執(zhí)行順序：1、 manualNAT:(TwiceNAT):、TwiceNAT+Identify(VPN旁路)、優(yōu)先選擇TwiceNAT有服務的轉(zhuǎn)換、選擇 TwiceNAT關(guān)于TwiceNAT的順序完全是誰在最前面誰最優(yōu)，沒有什么比較的，可以通過人為的修改順序。2、 AutoNAT:1、identify2 、static3 、dynamic其中static是優(yōu)于dynamic的。如果static 存在多個，那么首先比較子網(wǎng)掩碼圍，大的優(yōu)先，也就是 32位由于24位，如果都一樣，就比較網(wǎng)絡位，小的優(yōu)先，就是/24網(wǎng)段比/24 優(yōu)先，最后都相同比較 objectname，字母最前面的優(yōu)先，也就是 ab是優(yōu)于bc的Dynamic的話，順序也跟static一樣，只是static是優(yōu)于dyanmic的NetworkObjectNAT 配置介紹1.DynamicNAT(動態(tài)NAT動態(tài)一對一)實例一:傳統(tǒng)配置方法：nat(Inside)1global(Outside)100-00新配置方法(NetworkObjectNAT)objectnetworkOutside-Nat-Poolrange0000objectnetworkInside-NetworksubnetobjectnetworkInside-Networknat(Inside,Outside)dynamicOutside-Nat-Pool實例二:objectnetworkOutside-Nat-Poolhost01object-groupnetworkOutside-Addressnetwork-objectobjectOutside-Nat-Poolnetwork-objectobjectOutside-PAT-AddressobjectnetworkInside-Network(先100-200動態(tài)一對一，然后01動態(tài)PAT,最后使用接口地址動態(tài)PATnat(Inside,Outside)dynamicOutside-Addressinterface教主認為這種配置方式的好處是，新的 NAT命令綁定了源接口和目的接口，所以不會出現(xiàn)傳統(tǒng)配置影響DMZ的問題(當時需要nat0+acl來旁路)2.DynamicPAT(Hide) (動態(tài)PAT，動態(tài)多對一)傳統(tǒng)配置方式：nat(Inside)1新配置方法(NetworkObjectNAT)objectnetworkInside-NetworksubnetobjectnetworkOutside-PAT-Addresshost01objectnetworkInside-Networknat(Inside,Outside) dynamicOutside-PAT-Addressornat(Inside,Outside)dynamic023.StaticNATorStaticNATwithPortTranslation (靜態(tài)一對一轉(zhuǎn)換，靜態(tài)端口轉(zhuǎn)換)實例一：(靜態(tài)一對一轉(zhuǎn)換)傳統(tǒng)配置方式：static(Inside,outside)01新配置方法(NetworkObjectNAT)objectnetworkStatic-Outside-AddresshostobjectnetworkStatic-Inside-Addressnat(Inside,Outside)staticStatic-Outside-Addressornat(Inside,Outside)static02實例二：(靜態(tài)端口轉(zhuǎn)換)傳統(tǒng)配置方式：static(inside,outside)tcp02232323新配置方法(NetworkObjectNAT)objectnetworkStatic-Outside-Addresshost01objectnetworkStatic-Inside-Addresshostnat(Inside,Outside)staticStatic-Outside-Addressservicetcptelnet2323ornat(Inside,Outside)static01servicetcptelnet23234.IdentityNAT傳統(tǒng)配置方式：nat(inside)055新配置方法(NetworkObjectNAT)objectnetworkInside-AddresshostobjectnetworkInside-Addressnat(Inside,Outside)staticInside-Addressornat(Inside,Outside)staticTwiceNAT(類似于PolicyNAT)實例一:傳統(tǒng)配置:access-listinside-to-1permitiphostaccess-listinside-to-202permitiphostnat(inside)1access-listinside-to-1nat(inside)2access-listinside-to-202global(outside)101global(outside)202新配置方法(TwiceNAT):objectnetworkdst-1hostobjectnetworkdst-202hostobjectnetworkpat-1host01objectnetworkpat-2host02objectnetworkInside-Networksubnetnat(Inside,Outside)sourcedynamicInside-Networkpat-1destinationstaticdst-1dst-1nat(Inside,Outside)sourcedynamicInside-Networkpat-2destinationstaticdst-202dst-202實例二：傳統(tǒng)配置:access-listinside-to-1permitiphostaccess-listinside-to-202permitiphostnat(inside)1access-listinside-to-1nat(inside)2access-listinside-to-202global(outside)101global(outside)202static(outside」nside)01static(outside,inside)02新配置方法(TwiceNAT):objectnetworkdst-1hostobjectnetworkdst-202hostobjectnetworkpat-1host01objectnetworkpat-2host02objectnetworkInside-Networksubnetobjectnetworkmap-dst-1host01objectnetworkmap-dst-202host02nat(Inside,Outside)sourcedynamicInside-Networkpat-1destinationstaticmap-dst-1dst-1nat(Inside,Outside)sourcedynamicInside-Networkpat-2destinationstaticmap-dst-202dst-202實例三：傳統(tǒng)配置:access-list inside-to-1 permittcphosteq23access-listinside-to-202permittcphosteq3032nat(inside)1access-listinside-to-1nat(inside)2access-listinside-to-202global(outside)101global(outside)102新配置方法(TwiceNAT):objectnetworkdst-1hostobjectnetworkdst-202hostobjectnetworkpat-1host01objectnetworkpat-2host02objectnetworkInside-Networksubnetobjectservicetelnet23servicetcpdestinationeqtelnetobjectservicetelnet3032servicetcpdestinationeq3032nat(Inside,Outside)sourcedynamicInside-Networkpat-1destinationstaticdst-1dst-1servicetelnet23telnet23nat(Inside,Outside)sourcedynamicInside-Networkpat-2destinationstaticdst-202dst-202servicetelnet3032telnet3032MainDifferences BetweenNetworkObjectNATandTwiceNAT（NetworkObjectNAT和TwiceNAT的主要區(qū)別）Howyoudefinetherealaddress. （從如何定義真實地址的角度來比較）NetworkobjectNAT—YoudefineNATasaparameterforanetworkobject;thenetworkobjectdefinitionitselfprovidestherealaddress.ThismethodletsyoueasilyaddNATtonetworkobjects.Theobjectscanalsobeusedinotherpartsofyourconfiguration,forexample,foraccessrulesorevenintwiceNATrules.TwiceNAT—Youidentifyanetworkobjectornetworkobjectgroupforboththerealandmappedaddresses.Inthiscase,NATisnotaparameterofthenetworkobject;thenetworkobjectorgroupisaparameteroftheNATconfiguration.TheabilitytouseanetworkobjectgroupfortherealaddressmeansthattwiceNATismorescalable.＜為真實和映射后地址定義networkobject或者networkobjectgroup。在twicenat中，NAT不是networkobject的一個參數(shù)，networkobject或者group是NAT配置的一個參數(shù)。能夠為真實地址使用networkobjectgroup，也體現(xiàn)了twicenat的可擴展性。＞HowsourceanddestinationNATisimplemented.（ 源和目的nat被運用）—NetworkobjectNAT—Eachrulecanapplytoeitherthesourceordestinationofapacket.Sotworulesmightbeused,oneforthesourceIPaddress,andoneforthedestinationIPaddress.Thesetworulescannotbetiedtogethertoenforceaspecifictranslationforasource/destinationcombination.＜每一個策略只能運用到數(shù)據(jù)包的源或者目的，如果要轉(zhuǎn)換一個包的源和目的，需要使用兩個策略，這兩個策略不能綁定到一起來做實現(xiàn)特殊的源和目的的轉(zhuǎn)換。 ＞-TwiceNAT—Asingleruletranslatesboththesourceanddestination.Amatchingpacketonlymatchestheonerule,andfurtherrulesarenotchecked.Evenifyoudonotconfiguretheoptional destination addressfortwiceNAT,amatchingpacketstillonlymatchesonetwiceNATrule.Thesourceanddestinationaretiedtogether,soyoucanenforcedifferenttranslationsdependingonthesource/destinationcombination.Forexample,sourceA/destinationAcanhaveadifferenttranslationthansourceA/destinationB.＜一個單一策略，既能轉(zhuǎn)換源也能轉(zhuǎn)換目的。一個包只能匹配上一個策略，并且不再做進一步檢查了。就算你沒有配置twicenat的目的地址選項，一個數(shù)據(jù)包也只能匹配一個 twicenat策略，目的和源被綁定到一起，因此你能夠基于不同的源和目