
ASA twice NAT: translating the source address of Internet-originated traffic to the inside interface address (test)

1. Test topology

Topology diagram: http://s3.51cto.com/wyfs02/M00/73/0F/wKioL1Xztm_z5aokAAEJC0duUpE278.jpg

2. Test approach

The topology is not meant to be a sensible design; the only question is whether the traffic gets through.

Outside access to the internal server's public address mapped on the firewall fails because R1's default route points at R2 rather than at the firewall. That produces asymmetric routing: the inbound SYN comes in through the ASA, but the server's SYN/ACK follows R1's default route to R2 and never passes the ASA, so the forward and return paths of the TCP connection differ and the session fails.

If the source address of outside traffic to the internal server is translated to the firewall's inside interface address as well, the server's replies are addressed to 192.168.2.254, which R1 reaches on its directly connected 192.168.2.0/24 segment; the return path then goes back through the ASA and the asymmetry disappears. The cost is that the server sees every external client as 192.168.2.254: server-side logs, rate limits and host-based access controls lose the real client address, and the ASA's connection logs become the only record of who actually connected.

3. Basic configuration

Router Server:

interface FastEthernet0/0

     ip address 192.168.1.8 255.255.255.0

     no shut

ip route 0.0.0.0 0.0.0.0 192.168.1.1

Router R1:

interface Ethernet0/0

     ip address 192.168.2.1 255.255.255.0

     no shut
!

interface Ethernet0/1

     ip address 192.168.3.1 255.255.255.0

     no shut

interface Ethernet0/2

     ip address 192.168.1.1 255.255.255.0

     no shut
!

ip route 0.0.0.0 0.0.0.0 192.168.3.254

Router R2:

interface Ethernet0/0
! (interface name implied by the "ip nat inside source ... interface Ethernet0/0" command below)

     ip address 202.100.2.1 255.255.255.0

     ip nat outside

     no shut

interface Ethernet0/1
! (the original omits this interface header; Ethernet0/1 is an assumed name for the link to R1)

     ip address 192.168.3.254 255.255.255.0

     ip nat inside

     no shut

ip route 0.0.0.0 0.0.0.0 202.100.2.2

ip route 192.168.0.0 255.255.0.0 192.168.3.1

ip nat inside source list PAT interface Ethernet0/0 overload

ip access-list extended PAT

 permit ip 192.168.0.0 0.0.255.255 any

Firewall ASA842 (ASA 8.4(2)):

interface GigabitEthernet0

     nameif Outside

     security-level 0

     ip address 202.100.1.1 255.255.255.0 

interface GigabitEthernet1

     nameif Inside

     security-level 100

     ip address 192.168.2.254 255.255.255.0 

route Outside 0.0.0.0 0.0.0.0 202.100.1.2 1

route Inside 192.168.0.0 255.255.0.0 192.168.2.1 1

Router Internet:

interface Loopback0

     ip address 61.1.1.1 255.255.255.0

interface FastEthernet0/0
! (the original omits this interface header; FastEthernet0/0 is an assumed name for the link to the ASA Outside interface)

     ip address 202.100.1.2 255.255.255.0

interface FastEthernet0/1

     ip address 202.100.2.2 255.255.255.0
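The asymmetric-routing argument in section 2 can be checked against the routing tables above. The following Python script is an added example, not part of the original post: it encodes the connected networks and static routes from section 3 as data, performs longest-prefix-match forwarding hop by hop, and compares the return path of the server's reply when the client address is left untouched (61.1.1.1) with the return path when the ASA has translated it to its inside interface address (192.168.2.254). The node names, the OWNER table (which node answers for which address, including the ASA proxy-ARPing for the mapped 202.100.1.8) and the helper functions are the example's own assumptions, not device output.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Routing tables transcribed from the section 3 configs (constructed data, not device output).
# (prefix, next_hop); next_hop None means the prefix is directly connected.
ROUTES: Dict[str, List[Tuple[str, Optional[str]]]] = {
    "Server":   [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")],
    "R1":       [("192.168.1.0/24", None), ("192.168.2.0/24", None), ("192.168.3.0/24", None),
                 ("0.0.0.0/0", "192.168.3.254")],
    "R2":       [("192.168.3.0/24", None), ("202.100.2.0/24", None),
                 ("192.168.0.0/16", "192.168.3.1"), ("0.0.0.0/0", "202.100.2.2")],
    "ASA":      [("192.168.2.0/24", None), ("202.100.1.0/24", None),
                 ("192.168.0.0/16", "192.168.2.1"), ("0.0.0.0/0", "202.100.1.2")],
    "Internet": [("61.1.1.0/24", None), ("202.100.1.0/24", None), ("202.100.2.0/24", None)],
}

# Which node answers for an address on its connected segment (next hops and end hosts).
# Assumed mapping built from the section 3 addresses.
OWNER: Dict[str, str] = {
    "192.168.1.8": "Server",
    "192.168.1.1": "R1", "192.168.2.1": "R1", "192.168.3.1": "R1",
    "192.168.3.254": "R2", "202.100.2.1": "R2",
    "192.168.2.254": "ASA", "202.100.1.1": "ASA",
    "202.100.1.8": "ASA",  # mapped server address: the ASA proxy-ARPs for it on the Outside segment
    "202.100.1.2": "Internet", "202.100.2.2": "Internet", "61.1.1.1": "Internet",
}

SERVER_REAL, SERVER_MAPPED = "192.168.1.8", "202.100.1.8"
ASA_INSIDE, INTERNET_SRC = "192.168.2.254", "61.1.1.1"


def next_node(node: str, dst: str) -> str:
    """Longest-prefix match in node's table; return the node that receives the packet next."""
    ip = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, Optional[str]]] = None
    for prefix, nh in ROUTES[node]:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    if best is None:
        raise LookupError(f"{node}: no route to {dst}")
    target = dst if best[1] is None else best[1]   # connected: deliver to dst; else to next hop
    return OWNER[target]


def trace(src: str, dst: str, max_hops: int = 8) -> List[str]:
    """Hop-by-hop path from the src node until the node owning dst is reached."""
    path = [src]
    while OWNER.get(dst) != path[-1]:
        if len(path) > max_hops:
            raise RuntimeError(f"loop or black hole toward {dst}: {path}")
        path.append(next_node(path[-1], dst))
    return path


def forward_path() -> List[str]:
    """Internet -> mapped address; the ASA rewrites the destination and forwards to the real server."""
    to_asa = trace("Internet", SERVER_MAPPED)
    return to_asa + trace("ASA", SERVER_REAL)[1:]


def return_path(reply_dst: str) -> List[str]:
    """The server's reply toward reply_dst; if it reaches the ASA, the ASA un-NATs it and forwards to the client."""
    path = trace("Server", reply_dst)
    if path[-1] == "ASA":
        path += trace("ASA", INTERNET_SRC)[1:]
    return path


def is_symmetric(fwd: List[str], back: List[str]) -> bool:
    """The stateful firewall must see both directions of the TCP connection."""
    return ("ASA" in fwd) == ("ASA" in back)


if __name__ == "__main__":
    fwd = forward_path()
    print("forward                 :", " -> ".join(fwd))
    for label, dst in (("no source NAT", INTERNET_SRC), ("source NAT to inside if", ASA_INSIDE)):
        back = return_path(dst)
        print(f"{label:24}: {' -> '.join(back)}  symmetric={is_symmetric(fwd, back)}")
```

Without source translation the reply leaves via R1 and R2 and the ASA never sees it (and R2 would additionally PAT it to 202.100.2.1); with the source translated to 192.168.2.254 the reply lands on R1's connected segment toward the ASA, which is exactly the symmetry the twice NAT rule in section 4 restores.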

4. Firewall twice NAT configuration

Define the internal server object:

object network ServerReal

     host 192.168.1.8

Define the object for the internal server's mapped public IP:

object network ServerMap

     host 202.100.1.8

Configure twice NAT:

Before translation ----- source: any; destination: the internal server's mapped public IP

After translation ----- source: the firewall's Inside interface address; destination: the internal server's real IP

nat (Outside,Inside) source dynamic any interface destination static ServerMap ServerReal

Define the policy for the firewall's Outside interface:

access-list Outside extended permit ip any object ServerReal

---Note that the ACL references the server's real address, not the mapped one: from ASA 8.3 onward access lists are evaluated against the real, untranslated address. "permit ip any" is wide open and is used here only for the test; in production restrict it to the required ports, as in section 5.

Apply the policy to the Outside interface:

access-group Outside in interface Outside

Test:

Internet#telnet 202.100.1.8

Trying 202.100.1.8 ... Open

User Access Verification

Password: 

Server>show user

% Ambiguous command:  "show user"

Server>show users

    Line       User       Host(s)              Idle       Location

   0 con 0                idle                 00:05:42   

*  2 vty 0                idle                 00:00:00 192.168.2.254

  Interface    User               Mode         Idle     Peer Address

Server>q

[Connection to 202.100.1.8 closed by foreign host]

Internet#

-----The firewall has translated the source address of the connection from the public network: the server's "show users" Location column shows 192.168.2.254, the ASA Inside interface, not the Internet router

Server#ping 61.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 61.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 44/80/144 ms

Server#

Internet#debug ip icmp 

ICMP packet debugging is on

*Aug 22 13:02:57.787: ICMP: echo reply sent, src 61.1.1.1, dst 202.100.2.1

*Aug 22 13:02:57.967: ICMP: echo reply sent, src 61.1.1.1, dst 202.100.2.1

*Aug 22 13:02:58.067: ICMP: echo reply sent, src 61.1.1.1, dst 202.100.2.1

*Aug 22 13:02:58.123: ICMP: echo reply sent, src 61.1.1.1, dst 202.100.2.1

*Aug 22 13:02:58.127: ICMP: echo reply sent, src 61.1.1.1, dst 202.100.2.1

------The server can still reach the Internet normally through R2's PAT (the echo replies go to 202.100.2.1, R2's outside address)

5. Postscript

Multiple internal addresses, multiple public addresses, all one-to-one mappings

Configure multiple mappings in the format above; every rule translates the source to the firewall's inside interface address:

object network ServerReal

     host 192.168.1.8

object network ServerMap

     host 202.100.1.8

object network R1Map

     host 202.100.1.18

object network R1Real

     host 192.168.1.1

nat (Outside,Inside) source dynamic any interface destination static ServerMap ServerReal

nat (Outside,Inside) source dynamic any interface destination static R1Map R1Real

access-list Outside extended permit tcp any object ServerReal eq telnet 

access-list Outside extended permit tcp any object R1Real eq telnet 

Multiple internal addresses, one public address (for example the interface address), all port mappings

object service telnet

     service tcp destination eq telnet 

object service ServerMapTelnet2321

     service tcp destination eq 2321 

object service R1MapTelnet2322

     service tcp destination eq 2322

nat (Outside,Inside) source dynamic any interface destination static interface ServerReal service ServerMapTelnet2321 telnet

nat (Outside,Inside) source dynamic any interface destination static interface R1Real service R1MapTelnet2322 telnet

access-list Outside extended permit tcp any object ServerReal eq telnet

access-list Outside extended permit tcp any object R1Real eq telnet

---Note that the ACL matches the real destination port (telnet), not the mapped ports 2321 and 2322, for the same reason it matches the real address
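A recurring mistake with these rules is writing the Outside ACL against the mapped object, as was required before ASA 8.3, or misspelling an object name. The following Python lint is an added example, not part of the original post or of any Cisco tool: it parses a constructed configuration built from the objects, twice NAT rules and ACLs in sections 4 and 5 (with two deliberately wrong ACL lines appended), recovers the mapped-to-real destination pairs from the nat lines, and flags access-list entries that name an undefined object or a mapped-side object. The regular expressions cover only the command forms used on this page; they are the example's assumptions, not a full ASA configuration parser.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the objects, twice NAT rules and ACLs from sections 4 and 5 of this page,
# plus two deliberately wrong ACL lines at the end (ServerMap, Serverreal) for the lint to catch.
SAMPLE_CONFIG = """\
object network ServerReal
 host 192.168.1.8
object network ServerMap
 host 202.100.1.8
object network R1Map
 host 202.100.1.18
object network R1Real
 host 192.168.1.1
nat (Outside,Inside) source dynamic any interface destination static ServerMap ServerReal
nat (Outside,Inside) source dynamic any interface destination static R1Map R1Real
access-list Outside extended permit tcp any object ServerReal eq telnet
access-list Outside extended permit tcp any object R1Real eq telnet
access-list Outside extended permit tcp any object ServerMap eq telnet
access-list Outside extended permit tcp any object Serverreal eq telnet
access-group Outside in interface Outside
"""

KEYWORDS = {"any", "any4", "any6", "interface"}  # NAT operands that are not object names

OBJ_RE = re.compile(r"^object network (\S+)\s*$")
HOST_RE = re.compile(r"^\s*host (\S+)\s*$")
# Twice NAT operand order: source REAL MAPPED ... destination static MAPPED REAL
NAT_RE = re.compile(
    r"^nat \((?P<real_ifc>[^,]+),(?P<mapped_ifc>[^)]+)\) source (?:static|dynamic) "
    r"(?P<src_real>\S+) (?P<src_mapped>\S+)"
    r"(?: destination static (?P<dst_mapped>\S+) (?P<dst_real>\S+))?"
)
ACL_RE = re.compile(r"^access-list (\S+) extended (?:permit|deny) \S+ \S+ object (\S+)")


def parse(config: str) -> Tuple[Dict[str, str], Set[str], Set[str], List[Tuple[str, str, str]]]:
    """Return (object name -> host IP, objects used on the real side, objects used on the
    mapped side, (acl name, object, line) for every ACE whose destination is an object)."""
    objects: Dict[str, str] = {}
    real: Set[str] = set()
    mapped: Set[str] = set()
    acl_refs: List[Tuple[str, str, str]] = []
    current = None
    for line in config.splitlines():
        if not line.strip():
            continue
        m = OBJ_RE.match(line)
        if m:
            current = m.group(1)
            objects.setdefault(current, "")
            continue
        m = HOST_RE.match(line)
        if m and current:
            objects[current] = m.group(1)
            continue
        current = None  # any other top-level command ends the object block
        m = NAT_RE.match(line)
        if m:
            real.add(m["src_real"]); mapped.add(m["src_mapped"])
            if m["dst_mapped"]:
                mapped.add(m["dst_mapped"]); real.add(m["dst_real"])
            continue
        m = ACL_RE.match(line)
        if m:
            acl_refs.append((m.group(1), m.group(2), line.strip()))
    real -= KEYWORDS
    mapped -= KEYWORDS
    return objects, real, mapped, acl_refs


def destination_map(config: str) -> Dict[str, str]:
    """Mapped public IP -> real IP for every 'destination static MAPPED REAL' pair."""
    objects, _, _, _ = parse(config)
    out: Dict[str, str] = {}
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if m and m["dst_mapped"] in objects and m["dst_real"] in objects:
            out[objects[m["dst_mapped"]]] = objects[m["dst_real"]]
    return out


def lint(config: str) -> List[str]:
    """Flag ACEs that name an undefined object or that match the mapped (pre-8.3 style) address."""
    objects, real, mapped, acl_refs = parse(config)
    findings: List[str] = []
    for acl, obj, line in acl_refs:
        if obj not in objects:
            findings.append(f"{acl}: object '{obj}' is not defined (check spelling and case): {line}")
        elif obj in mapped and obj not in real:
            findings.append(f"{acl}: '{obj}' ({objects[obj]}) is a mapped address; "
                            f"ASA 8.3+ ACLs must match the real address: {line}")
    return findings


if __name__ == "__main__":
    print(destination_map(SAMPLE_CONFIG))
    for finding in lint(SAMPLE_CONFIG):
        print("FINDING", finding)
```

Run it against a saved "show running-config" only after checking that the regular expressions match the command forms in use; it is a pre-change review aid for the ACL-versus-NAT ordering trap, nothing more.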

This article is reposted from the 51CTO blog of 碧雲天; original link: http://blog.51cto.com/333234/1694064. Contact the original author for permission to republish.
