
ASA 8.4.2: configuring NAT with twice NAT

2012-09-05 23:11
Twice NAT lets a single rule match both the source and the destination of a flow. In twice NAT, matching and translating the destination is optional; the destination can be left as identity NAT or given a static translation. Although twice NAT was designed so that the destination address can be matched, in practice matching the destination is optional. Configuring dynamic NAT with twice NAT:
1. Dynamic NAT with twice NAT
object network realsource
subnet 2.2.2.0 255.255.255.0
object network mappedsource
range 1.1.1.100 1.1.1.150
object network realdest
host 1.1.1.1
object network mappeddst
host 1.1.1.1
Finally, apply the nat command so the rule matches the traffic:
nat (inside,outside) source dynamic realsource mappedsource destination static mappeddst realdest
ASA# show xlate
2 in use, 2 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from outside:1.1.1.1 to inside:1.1.1.1
flags sIT idle 0:02:22 timeout 0:00:00
NAT from inside:2.2.2.101 to outside:1.1.1.100 flags i idle 0:02:22 timeout 3:00:00
2. PAT with twice NAT
object network realsource
subnet 2.2.2.0 255.255.255.0
object network mappedsource
range 1.1.1.100 1.1.1.150
object network realdest
host 2.2.2.100
object network mappeddst
host 1.1.1.100
nat (inside,outside) source dynamic realsource pat-pool mappedsource destination static mappeddst realdest
Pay attention to the order of the operands and to the keywords. I tested this myself: if the mapped object in the destination part is configured incorrectly, communication is affected, because with a wrong configuration the ASA does not send proxy ARP replies for the addresses in the object network.
Actual test results
Receiver
R1#
*Mar 1 01:24:44.207: ICMP: echo reply sent, src 1.1.1.1, dst 1.1.1.100
*Mar 1 01:24:44.295: ICMP: echo reply sent, src 1.1.1.1, dst 1.1.1.100
*Mar 1 01:24:44.331: ICMP: echo reply sent, src 1.1.1.1, dst 1.1.1.100
*Mar 1 01:24:44.347: ICMP: echo reply sent, src 1.1.1.1, dst 1.1.1.100
*Mar 1 01:24:44.371: ICMP: echo reply sent, src 1.1.1.1, dst 1.1.1.100
R1#
Sender
R2#ping 2.2.2.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.200, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/48/140 ms
R2#
*Mar 1 01:24:33.515: ICMP: echo reply rcvd, src 2.2.2.200, dst 2.2.2.101
*Mar 1 01:24:33.567: ICMP: echo reply rcvd, src 2.2.2.200, dst 2.2.2.101
*Mar 1 01:24:33.587: ICMP: echo reply rcvd, src 2.2.2.200, dst 2.2.2.101
*Mar 1 01:24:33.611: ICMP: echo reply rcvd, src 2.2.2.200, dst 2.2.2.101
*Mar 1 01:24:33.623: ICMP: echo reply rcvd, src 2.2.2.200, dst 2.2.2.101
Note the source IP address in the echo replies that R2 receives.
Information viewed on the ASA
ASA# show xlate
2 in use, 3 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from outside:1.1.1.1 to inside:2.2.2.200
flags sT idle 0:00:02 timeout 0:00:00
ICMP PAT from inside:2.2.2.101/19 to outside:1.1.1.100/19 flags ri idle 0:00:02 timeout 0:00:30
ASA#
3. Static NAT and static NAT with port translation using twice NAT
object network mappedsource
subnet 1.1.1.0 255.255.255.0
object network source
subnet 2.2.2.0 255.255.255.0
object network realdest
host 1.1.1.1
object network mappeddest
host 2.2.2.101
nat (inside,outside) source static source mappedsource destination static mappeddest realdest
At this point a static translation takes place:
2 in use, 3 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:2.2.2.0/24 to outside:1.1.1.0/24
flags sT idle 0:00:06 timeout 0:00:00
NAT from outside:1.1.1.1 to inside:2.2.2.101
flags sT idle 0:10:47 timeout 0:00:00
Note that in the static translation the mapping is one-to-one, for example 2.2.2.201 is translated to 1.1.1.201.
4. Identity NAT with twice NAT is configured the same way as with object network NAT, except that a translation of the destination address can also be configured.
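As an added example (not part of the original post), the following Python parses the show xlate output shown above into structured entries and decodes the flag letters, so that the expected twice NAT translations (the T flag, the static or dynamic direction, the PAT port) can be verified automatically rather than read by eye. The field names, the handling of the two-line entry form, and the embedded sample (copied from the PAT test above) are my own assumptions about the 8.4.2 output format.

```python
import re
from typing import Dict, List, Optional

# Flag letters exactly as printed in the "Flags:" legend of show xlate.
FLAG_NAMES = {"D": "dns", "i": "dynamic", "r": "portmap",
              "s": "static", "I": "identity", "T": "twice"}

# One xlate entry after the optional "flags ..." continuation line has been joined.
ENTRY_RE = re.compile(
    r"^(?:(?P<proto>\w+)\s+)?(?P<kind>NAT|PAT)\s+from\s+"
    r"(?P<from_if>\w+):(?P<from_ip>[\d.]+(?:/\d+)?)\s+to\s+"
    r"(?P<to_if>\w+):(?P<to_ip>[\d.]+(?:/\d+)?)\s+"
    r"flags\s+(?P<flags>\w+)\s+idle\s+(?P<idle>[\d:]+)\s+timeout\s+(?P<timeout>[\d:]+)$"
)

# Sample output taken from the PAT test in this post (constructed test input).
SAMPLE_XLATE = """ASA# show xlate
2 in use, 3 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from outside:1.1.1.1 to inside:2.2.2.200
flags sT idle 0:00:02 timeout 0:00:00
ICMP PAT from inside:2.2.2.101/19 to outside:1.1.1.100/19 flags ri idle 0:00:02 timeout 0:00:30
ASA#
"""

def parse_xlate(text: str) -> List[Dict]:
    """Parse show xlate output; the counter line, the Flags legend and prompts are skipped."""
    lines: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Flags:") or "in use" in line:
            continue
        # 8.4 prints "flags ..." on its own line for some entries; glue it to the entry above.
        if line.startswith("flags") and lines:
            lines[-1] += " " + line
        else:
            lines.append(line)
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line)
        if not m:  # e.g. the "ASA#" prompt; ignore rather than fail
            continue
        entry = m.groupdict()
        entry["flag_names"] = [FLAG_NAMES.get(f, f) for f in entry["flags"]]
        entries.append(entry)
    return entries

def find_translation(entries: List[Dict], from_ip: str, to_ip: str) -> Optional[Dict]:
    """Return the entry translating from_ip to to_ip (any /port or /prefix suffix ignored)."""
    for e in entries:
        if e["from_ip"].split("/")[0] == from_ip and e["to_ip"].split("/")[0] == to_ip:
            return e
    return None
```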

This article comes from the "网络技术" (Network Technology) blog.
