老胳膊整理的以下關(guān)于 PIXASA的NAT與STATIC 命令總和: 動(dòng)態(tài)轉(zhuǎn)換---NAT: #nat (inside) 1 10.0.0.0 255.255.255.0 #global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0 將10.x網(wǎng)段轉(zhuǎn)換為192.168.0.20-254這個(gè)ip池 不轉(zhuǎn)換地址: (config)
老胳膊整理的以下關(guān)于PIX&ASA的NAT與STATIC命令總和:
動(dòng)態(tài)轉(zhuǎn)換---NAT:
#nat (inside) 1 10.0.0.0 255.255.255.0
#global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
將10.x網(wǎng)段轉(zhuǎn)換為192.168.0.20-254這個(gè)ip池
不轉(zhuǎn)換地址:
(config)#access-list nonat permit ip host 10.1.1.1 any
(config)#nat (inside) 0 access-list nonat
端口轉(zhuǎn)換---PAT:
1個(gè)ip可以做65535-1024個(gè)PAT(理論值)
端口復(fù)用:
#nat (inside) 1 10.0.0.0 255.255.0.0
#global (outside) 1 192.168.0.3 netmask 255.255.255.255
將10.x網(wǎng)段轉(zhuǎn)換為192.168.0.3一個(gè)ip對(duì)應(yīng)不同的端口。
使用outside interface地址:
#nat (inside) 1 10.0.0.0 255.255.0.0
#global (outside) 1 interface
端口映射:
#static (i,o) tcp 20.1.1.100 23 10.1.1.100 23
將inside的10.1.1.100的23號(hào)端口映射到20.1.1.100的23號(hào)端口上
可用static做DOS防御,TCP和UPD都有最大連接數(shù),UDP沒(méi)有半開(kāi)鏈接數(shù),如:
static (inside,outside) 202.100.1.101 10.1.1.1 tcp 100 1000
最大全開(kāi)鏈接 最大半開(kāi)鏈接
static nat
基于不同的目的轉(zhuǎn)換為不同的地址(生成永久的xlate表項(xiàng))
access-list nat-to-202 per ip host 10.1.1.1 202.100.1.0
access-list nat-to-2 per ip host 10.1.1.1 2.2.2.0
static (i,o) 202.100.1.202 access-list nat-to-202
static (i,o) 202.100.1.2 access-list nat-to-2
static pat
基于特定的流量,把內(nèi)部的特定主機(jī)的特定端口,轉(zhuǎn)換為外部的特定主機(jī)的特定端口(生成永久的xlate表項(xiàng))
access-list nat-to-202 per tcp host 10.1.1.1 eq telnet 202.100.1.0 255.255.255.0
access-list nat-to-2 per tcp host 10.1.1.1 eq telnet 2.2.2.0 255.255.255.0
static (i,o) tcp 202.100.1.101 2323 access-list nat-to-202
static (i,o) tcp interface 23 access-list nat-to-2
Policy nat
access-list nat-to-202 per ip host 10.1.1.1 host 202.100.1.1
access-lsit nat-to-2 per ip host 10.1.1.1 host 2.2.2.2
nat (inside) 1 access-list nat-to-202
glob (outside) 1 202.100.1.202
nat (inside) 2 access-list nat-to-2
glob (outside) 2 202.100.1.2
access-list nat-to-3032 per tcp host 10.1.1.1 host 202.100.1.1 eq 3032
access-list nat-to-23 per tcp host 10.1.1.1 host 202.100.1.1 eq 23
nat (inside) 1 access-list nat-to-3032
glob (outside) 1 202.100.1.32
nat (inside) 2 access-list nat-to-23
glob (outside) 2 202.100.1.23
bypass nat
nat (inside) 0 10.1.1.0 255.255.255.0
0表示不轉(zhuǎn)換
NAT檢查順序
1. nat+acl
2. static
3. policy nat
4. nat+address
5. 地址池用完,使用pat(glob+地址)
相同網(wǎng)段必須在pix的outside端口啟用ARP代理功能
sysopt noproxyarp outside //在outside端口關(guān)閉ARP代理,一定不能使用。。
clear local-host //清除xlate、連接表項(xiàng)
sh xlate 查看IP對(duì)應(yīng)關(guān)系,存活周期3小時(shí),更改表項(xiàng)需清除xlate
更改任何NAT選項(xiàng),需要執(zhí)行clear xlate(清除動(dòng)態(tài)xlate表項(xiàng))
sh connect 檢查連接項(xiàng),可看到所有活躍鏈接
show local-host
老胳膊BLOG
聲明:本網(wǎng)頁(yè)內(nèi)容旨在傳播知識(shí),若有侵權(quán)等問(wèn)題請(qǐng)及時(shí)與本網(wǎng)聯(lián)系,我們將在第一時(shí)間刪除處理。TEL:177 7030 7066 E-MAIL:11247931@qq.com