Configuring NAT (PAT) on Cisco ASA
from БАРЗИКТ Wiki
Current revision as of 14:42, 16 May 2015
Reference: Basic ASA NAT Configuration: Webserver in the DMZ in ASA Version 8.3 and later (http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115904-asa-config-dmz-00.html). The commands below use the object-based NAT syntax introduced in ASA 8.3; they do not apply to 8.2 and earlier.
Example topology
[Figure: ASA_PAT_Topology.png]
In the topology, the internal LAN (inside), attached to ASA0, uses IPv4 addresses from 10.0.0.0/8.
The network between ASA0 (an ASA 5505) and the router RBB uses 194.141.69.0/24.
The network 8.0.0.0/8 is also attached to RBB and serves as the "outside" destination for testing. Note that the DNS server handed out by DHCP below, 8.8.8.8, falls inside this lab range, so it is reached through RBB, not over the Internet.
Basic configuration of ASA0
Interfaces
The ASA 5505 has no routed physical ports: IP addresses live on VLAN interfaces and switch ports are assigned to VLANs. Only ethernet0/0 is moved to VLAN 2 (outside); the remaining switch ports stay in VLAN 1 (inside) by default. The nameif command assigns the security level: inside gets 100 and outside gets 0, which is what later lets inside-to-outside connections pass without an access-list. If a VLAN interface or the switch port is administratively down on your unit, add no shutdown under it.
<pre>
enable
configure terminal
interface vlan 1
nameif inside
ip address 10.0.0.1 255.0.0.0
interface vlan 2
nameif outside
ip address 194.141.69.1 255.255.255.0
interface ethernet0/0
switchport access vlan 2
</pre>
DHCP for network 10.0.0.0 (optional)
The ASA hands out addresses 10.0.0.2 to 10.0.0.100 on the inside interface and advertises 8.8.8.8 as the DNS server. The ASA 5505 caps the size of a DHCP pool by license (32 addresses with the 10-user license), so shrink the range if the dhcpd address command is rejected.
<pre>
enable
configure terminal

dhcpd address 10.0.0.2-10.0.0.100 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside
</pre>
Default route on ASA0
Everything not destined for a directly connected network is forwarded to RBB at 194.141.69.2.
<pre>
enable
configure terminal

route outside 0.0.0.0 0.0.0.0 194.141.69.2
</pre>
NAT (PAT) on ASA0
A network object describes the inside subnet, and the nat statement attached to it rewrites every inside source address to the address of the outside interface (194.141.69.1), telling connections apart by source port (PAT, also called interface overload). Because the mapped address is the ASA's own, RBB needs no route back to 10.0.0.0/8. Dynamic PAT only builds translations for connections initiated from inside; nothing behind the ASA becomes reachable from outside through this rule.
<pre>
enable
configure terminal

object network INSIDE_NET
subnet 10.0.0.0 255.0.0.0
nat (inside,outside) dynamic interface
</pre>
Check it after generating traffic from an inside host: show nat reports hit counts per rule, show xlate lists the active translations (inside address and port mapped to 194.141.69.1 and a port), and show conn lists the connections using them.
Permitting outbound traffic through ASA0 (for testing the NAT)
This step is optional and, taken literally, counterproductive. By default the ASA allows connections from a higher security level (inside, 100) to a lower one (outside, 0) and the stateful return traffic, so outbound TCP from inside hosts already passes with no access-list. Binding PERMIT_TCP outbound on the outside interface does not add anything; it restricts, because the implicit deny at the end of the list then blocks every non-TCP flow leaving through outside, including the UDP DNS queries to 8.8.8.8 that the DHCP section sets up and ICMP. Do not bind the list inbound on outside (access-group PERMIT_TCP in interface outside): that permits any TCP connection from the outside network to any destination, bypassing the security levels, which is exactly the misconfiguration the default deny exists to prevent.
<pre>
enable
configure terminal

access-list PERMIT_TCP permit tcp any any
access-group PERMIT_TCP out interface outside
</pre>
Two caveats when testing: ICMP is not inspected by default, so ping through the ASA fails even when TCP works; either test with a TCP connection (for example HTTP or SSH to a host in 8.0.0.0/8) or enable ICMP inspection with inspect icmp under class inspection_default in policy-map global_policy. And any ACL later bound with access-group ... in interface inside replaces the default permit for outbound traffic and must then explicitly allow everything inside hosts need.
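The following Python lint is an added example, not code from the wiki page or from Cisco. It parses the commands used in the NAT and access-list sections above (interface, object network, nat, access-list, access-group, route) and checks the three things worth verifying before pasting a configuration like this one: that a dynamic PAT rule hides the inside subnet behind the outside interface address, that a default route exists, and that no ACL bound inbound on a security-level-0 interface permits any-to-any. PAGE_CONFIG is constructed from the page's own commands; HARDENED_CONFIG is the same text without the inbound binding.

```python
"""Added example (not from the wiki page or from Cisco): a lint for the ASA 8.3+
configuration built up above. It checks that a dynamic PAT rule hides the inside
subnet behind the outside interface, that a default route exists, and that no ACL
bound inbound on the outside interface permits any-to-any. PAGE_CONFIG is
constructed from the page's commands; HARDENED_CONFIG drops the inbound binding."""
import ipaddress
import re


def parse_asa(text):
    """Parse the subset of ASA syntax used on this page into a dict."""
    cfg = {"interfaces": {}, "objects": {}, "acls": {}, "access_groups": [], "routes": []}
    ctx = None  # the 'interface' or 'object network' block currently being filled
    for raw in text.splitlines():
        toks = raw.split()
        if not toks or toks[0].startswith("!"):
            continue
        kw = toks[0]
        if kw == "interface":
            ctx = {"kind": "if", "ip": None, "security": None}
        elif kw == "object" and toks[1] == "network":
            ctx = cfg["objects"].setdefault(toks[2], {"kind": "obj", "subnet": None, "nat": None})
        elif kw == "access-list":  # access-list NAME [extended] permit|deny PROTO SRC DST ...
            t = [x for x in toks if x != "extended"]
            cfg["acls"].setdefault(t[1], []).append((t[2], t[3], t[4:]))  # (action, proto, rest)
        elif kw == "access-group":  # access-group NAME in|out interface NAMEIF
            cfg["access_groups"].append((toks[1], toks[2], toks[4]))
        elif kw == "route":  # route NAMEIF NET MASK NEXTHOP
            net = ipaddress.ip_network(f"{toks[2]}/{toks[3]}", strict=False)
            cfg["routes"].append((toks[1], net, toks[4]))
        elif kw in ("exit", "end"):
            ctx = None
        elif ctx and ctx["kind"] == "if":
            if kw == "nameif":
                if ctx["security"] is None:  # ASA default: 'inside' gets 100, any other name 0
                    ctx["security"] = 100 if toks[1] == "inside" else 0
                cfg["interfaces"][toks[1]] = ctx
            elif kw == "security-level":
                ctx["security"] = int(toks[1])
            elif kw == "ip" and toks[1] == "address":
                ctx["ip"] = ipaddress.ip_interface(f"{toks[2]}/{toks[3]}")
        elif ctx and ctx["kind"] == "obj":
            if kw == "subnet":
                ctx["subnet"] = ipaddress.ip_network(f"{toks[1]}/{toks[2]}", strict=False)
            elif kw == "nat":  # nat (REAL_IF,MAPPED_IF) dynamic|static MAPPED
                ctx["nat"] = re.match(r"nat \((\S+),(\S+)\) (dynamic|static) (\S+)", raw.strip()).groups()
    return cfg


def pat_rules(cfg, real_if="inside", mapped_if="outside"):
    """{object: (real subnet, mapped address)} for 'nat (real,mapped) dynamic interface' rules."""
    rules = {}
    for name, obj in cfg["objects"].items():
        if obj["nat"] == (real_if, mapped_if, "dynamic", "interface") and obj["subnet"]:
            rules[name] = (str(obj["subnet"]), str(cfg["interfaces"][mapped_if]["ip"].ip))
    return rules


def inbound_permit_any(cfg):
    """(acl, nameif, proto) for each ACL bound 'in' on a security-level-0 interface with a permit any any ACE."""
    hits = []
    for acl, direction, ifname in cfg["access_groups"]:
        iface = cfg["interfaces"].get(ifname)
        if direction != "in" or not iface or iface["security"] != 0:
            continue
        for action, proto, rest in cfg["acls"].get(acl, []):
            if action == "permit" and rest[:2] == ["any", "any"]:
                hits.append((acl, ifname, proto))
                break
    return hits


def lint(text):
    cfg = parse_asa(text)
    return {"pat": pat_rules(cfg),
            "default_route": any(net.prefixlen == 0 for _, net, _ in cfg["routes"]),
            "inbound_permit_any": inbound_permit_any(cfg)}


# Constructed from the page's ASA commands (enable / configure terminal and switch-port lines omitted).
PAGE_CONFIG = """\
interface vlan 1
 nameif inside
 ip address 10.0.0.1 255.0.0.0
interface vlan 2
 nameif outside
 ip address 194.141.69.1 255.255.255.0
exit
route outside 0.0.0.0 0.0.0.0 194.141.69.2
access-list PERMIT_TCP permit tcp any any
access-group PERMIT_TCP out interface outside
access-group PERMIT_TCP in interface outside
object network INSIDE_NET
 subnet 10.0.0.0 255.0.0.0
 nat (inside,outside) dynamic interface
"""
# The same configuration without the line that opens the outside interface to all inbound TCP.
HARDENED_CONFIG = PAGE_CONFIG.replace("access-group PERMIT_TCP in interface outside\n", "")
```

Running lint(PAGE_CONFIG) reports the PAT rule as {"INSIDE_NET": ("10.0.0.0/8", "194.141.69.1")}, a default route, and one finding, ("PERMIT_TCP", "outside", "tcp"); lint(HARDENED_CONFIG) reports the same NAT and route with no finding. The security-level check uses the ASA's nameif defaults unless a security-level line overrides them, so a DMZ interface at level 50 would not be flagged by this particular rule.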
Ctrl+C/Ctrl+V
ASA
The whole ASA0 configuration in one paste. The two PERMIT_TCP lines are the optional test ACL from the section above; they are not needed for NAT to work and restrict outbound traffic to TCP, so leave them out unless that is what you want. Do not add access-group PERMIT_TCP in interface outside. Save with write memory afterwards.
<pre>
enable
configure terminal
interface vlan 1
nameif inside
ip address 10.0.0.1 255.0.0.0
interface vlan 2
nameif outside
ip address 194.141.69.1 255.255.255.0
interface ethernet0/0
switchport access vlan 2
exit
dhcpd address 10.0.0.2-10.0.0.100 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside
route outside 0.0.0.0 0.0.0.0 194.141.69.2
access-list PERMIT_TCP permit tcp any any
access-group PERMIT_TCP out interface outside
object network INSIDE_NET
subnet 10.0.0.0 255.0.0.0
nat (inside,outside) dynamic interface
end
</pre>
RBB
RBB only needs its two connected networks. PAT hides 10.0.0.0/8 behind 194.141.69.1, so no return route to the inside network is required, and RBB has no default route, so the only reachable "outside" destinations in this lab are hosts in 8.0.0.0/8. The hostname is set to match the topology.
<pre>
enable
configure terminal
hostname RBB
interface FastEthernet0/0
ip address 194.141.69.2 255.255.255.0
no shut
interface FastEthernet0/1
ip address 8.0.0.1 255.0.0.0
no shut
end
</pre>