1. Test topology:
2. Basic configuration:
R1:
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.10
R2:
ip address 10.1.1.2 255.255.255.0
ASA842:
interface G0
nameif inside
security-level 100
ip address 10.1.1.10 255.255.255.0
interface G1
nameif outside
security-level 0
ip address 202.100.1.10 255.255.255.0
route outside 0 0 202.100.1.3
policy-map global_policy
class inspection_default
inspect icmp
3. DNS server configuration on router R2:
① Configure R2 as a DNS server:
ip dns server
② Configure the resolution entry (a static host record):
ip host www.google.com 10.1.1.1
③ Test from R2 itself:
R2(config)#ip domain lookup
R2(config)#exit
R2#ping www.google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/37/76 ms
R2#
4. NAT configuration on the ASA842:
① Dynamic NAT (PAT to the interface address) for the inside network going out to the public network:
object network insidenet
subnet 10.1.1.0 255.255.255.0
nat (inside,outside) dynamic interface
② Redirect any DNS query (UDP/53) destined for the public network to the inside host 10.1.1.2 (a manual/twice NAT rule with both interfaces set to inside, so the packet hairpins back into the inside network):
object network inside-dns
host 10.1.1.2
object network outside-dns
subnet 0.0.0.0 0.0.0.0
object service dns
service udp destination eq domain
nat (inside,inside) source static insidenet insidenet destination static outside-dns inside-dns service dns dns
③ Allow traffic to enter and leave the same firewall interface (required for the hairpin in step ②):
same-security-traffic permit intra-interface
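To make the evaluation order of the two NAT rules above concrete, here is an added Python model of them; it is not ASA code and not from the original post. The ASA evaluates Section 1 (manual/twice NAT) before Section 2 (object NAT), first match wins; the Flow/Result names and the simplified "inside subnet or default route" routing lookup are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed from the page's configuration (assumed model, not ASA code).
INSIDENET = ipaddress.ip_network("10.1.1.0/24")      # object network insidenet
INSIDE_DNS = ipaddress.ip_address("10.1.1.2")        # object network inside-dns
OUTSIDE_IF_IP = ipaddress.ip_address("202.100.1.10") # nat ... dynamic interface
DEFAULT_ROUTE_IF = "outside"                         # route outside 0 0 202.100.1.3
SAME_SEC_INTRA = True   # same-security-traffic permit intra-interface


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str               # "udp", "tcp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Result:
    src: str                 # post-NAT source
    dst: str                 # post-NAT destination
    egress: str              # interface the packet leaves on
    rule: str                # which NAT section matched


def egress_for(dst: str) -> str:
    # Simplified routing: connected inside subnet, else the default route.
    return "inside" if ipaddress.ip_address(dst) in INSIDENET else DEFAULT_ROUTE_IF


def translate(flow: Flow) -> Result:
    src_ip = ipaddress.ip_address(flow.src)
    # Section 1: nat (inside,inside) source static insidenet insidenet
    #            destination static outside-dns inside-dns service dns dns
    # Only UDP/53 matches "object service dns"; TCP/53 falls through.
    if src_ip in INSIDENET and flow.proto == "udp" and flow.dport == 53:
        if not SAME_SEC_INTRA:
            raise PermissionError("hairpin on inside dropped: intra-interface not permitted")
        return Result(flow.src, str(INSIDE_DNS), "inside", "section1-dns-redirect")
    # Section 2: object network insidenet / nat (inside,outside) dynamic interface
    if src_ip in INSIDENET and egress_for(flow.dst) == "outside":
        return Result(str(OUTSIDE_IF_IP), flow.dst, "outside", "section2-dynamic-pat")
    return Result(flow.src, flow.dst, egress_for(flow.dst), "no-nat")
```

The same three cases the verification section below exercises (ping to 202.100.1.3, DNS to 8.8.8.8) can be fed to translate() to see which rule fires and why TCP/53 is not redirected.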
5. Verification:
① Inside hosts can reach the public network:
R1#ping 202.100.1.3
Sending 5, 100-byte ICMP Echos to 202.100.1.3, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/46/88 ms
R1#
② Whichever public DNS server the inside host is configured with, the query is redirected to the inside host 10.1.1.2 (here R1 is given 8.8.8.8 but the answer comes from R2's static entry):
R1(config)#ip domain lookup
R1(config)#ip name-server 8.8.8.8
R1(config)#do ping www.google.com
Translating "www.google.com"...domain server (8.8.8.8) [OK]
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R1(config)#
Note: a similar effect can be configured on a Check Point firewall, but there the destination DNS IP must be specified explicitly, and DNS entries have a notion of priority, so the NAT cannot be configured on the inside-network object; the translation has to be specified by rule order in the NAT rule base instead, as shown in the figure below:
This article was reposted from the 51CTO blog of 碧雲天; original link: http://blog.51cto.com/333234/974472. Please contact the original author for reprint permission.