一.測試拓撲
<a href="http://s3.51cto.com/wyfs02/M00/73/38/wKioL1X38T-gdNFLAAB2SFv8Pow785.jpg" target="_blank"></a>
二.測試思路
1.分别測試tcp和udp的連續端口PAT
2.再用靜态端口轉換工具分别将TCP端口和udp端口轉換到某個常用端口進行測試
---tcp轉換到TCP23,用telnet測試
---udp轉換到UDP514,用syslog發送進行測試
3.為了測試友善,防火牆隻設兩個區Outside和Inside
---将Inside伺服器的TCP1000~2000映射到防火牆Outside口的TCP1000~2000上
---将Inside伺服器的UDP1000~2000映射到防火牆Outside口的UPD2000~3000上
4.測試發現如果TCP端口範圍與UDP端口範圍一樣,第二個NAT配置不上,會報如下錯誤:
ERROR: NAT unable to reserve ports.
三.基本配置
1.Outside伺服器
IP:202.100.1.8/24
2.防火牆ASA842
interface GigabitEthernet0
nameif Outside
security-level 0
ip address 202.100.1.10 255.255.255.0
!
interface GigabitEthernet1
nameif Inside
security-level 100
ip address 10.1.1.10 255.255.255.0
3.Intside伺服器
IP:10.1.1.8/24
GW:10.1.1.10
四.靜态PAT端口範圍配置
1.定義端口範圍對象
object network Inside_Server
host 10.1.1.8
object service tcp_ports
service tcp destination range 1000 2000
object service udp_ports
service udp destination range 2000 3000
2.配置twice-nat
nat (outside,inside) source static any any destination static interface Inside_Server service tcp_ports tcp_ports
nat (outside,inside) source static any any destination static interface Inside_Server service udp_ports udp_ports
3.配置并應用防火牆政策
access-list Outside extended permit tcp any object Inside_Server range 1000 2000
access-list Outside extended permit udp any object Inside_Server range 2000 3000
access-group Outside in interface Outside
4.測試驗證
---可以用多種方式驗證,如果進行靜态端口轉換嫌麻煩,可以直接抓包驗證
<a href="http://s3.51cto.com/wyfs02/M01/73/3B/wKiom1X371WjYC-zAAKKG3cPRyk111.jpg" target="_blank"></a>
本文轉自 碧雲天 51CTO部落格,原文連結:http://blog.51cto.com/333234/1695049,如需轉載請自行聯系原作者
![高防伺服器、高防IP與高防CDN的差別[圖]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)