
Testing ASA twice-NAT: translating the source address of Internet access into the inside interface address

1. Test topology

[Topology figure: http://s3.51cto.com/wyfs02/M00/73/0F/wKioL1Xztm_z5aokAAEJC0duUpE278.jpg]

2. Test approach

The topology is not meant to be sensible; the only question is whether the network is reachable.

External access to the public address that the firewall maps to the internal server fails because R1's default route does not point at the firewall. This creates asymmetric routing: the forward and return paths of the TCP connection differ, so the session fails.

If the source address of external access to the internal server is translated into the firewall's inside interface address, the asymmetric routing problem does not arise.

3. Basic configuration

Router Server:

interface FastEthernet0/0
     ip address 192.168.1.8 255.255.255.0
     no shut
ip route 0.0.0.0 0.0.0.0 192.168.1.1

Router R1:

interface Ethernet0/0
     ip address 192.168.2.1 255.255.255.0
     no shut
interface Ethernet0/1
     ip address 192.168.3.1 255.255.255.0
     no shut
interface Ethernet0/2
     ip address 192.168.1.1 255.255.255.0
     no shut
ip route 0.0.0.0 0.0.0.0 192.168.3.254

Router R2:

interface Ethernet0/0
     ip address 202.100.2.1 255.255.255.0
     ip nat outside
     no shut
! inside interface (its "interface" line is missing from the original)
     ip address 192.168.3.254 255.255.255.0
     ip nat inside
ip route 0.0.0.0 0.0.0.0 202.100.2.2
ip route 192.168.0.0 255.255.0.0 192.168.3.1
ip nat inside source list PAT interface Ethernet0/0 overload
ip access-list extended PAT
     permit ip 192.168.0.0 0.0.255.255 any

Firewall ASA842:

interface GigabitEthernet0
     nameif Outside
     security-level 0
     ip address 202.100.1.1 255.255.255.0
interface GigabitEthernet1
     nameif Inside
     security-level 100
     ip address 192.168.2.254 255.255.255.0
route Outside 0.0.0.0 0.0.0.0 202.100.1.2 1
route Inside 192.168.0.0 255.255.0.0 192.168.2.1 1

Router Internet:

interface Loopback0
     ip address 61.1.1.1 255.255.255.0
! interface facing the ASA Outside side (its "interface" line is missing from the original)
     ip address 202.100.1.2 255.255.255.0
interface FastEthernet0/1
     ip address 202.100.2.2 255.255.255.0

4. Firewall twice-NAT configuration

Define the internal server object:

object network ServerReal
     host 192.168.1.8

Define the object for the public IP the internal server is mapped to:

object network ServerMap
     host 202.100.1.8

Configure twice-NAT:

Before translation: source address any, destination address the public IP mapped to the internal server

After translation: source address the firewall's inside interface address, destination address the internal server's real IP

nat (Outside,Inside) source dynamic any interface destination static ServerMap ServerReal
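A small model of the argument in section 2, added here as an illustration (not the author's code or anything the ASA runs): it encodes R1's routing table from section 3 and the inbound rule above, then shows where R1 sends the server's reply with and without the source translation. The route descriptions and the ServerMap/ServerReal constants are taken from the page; the functions are constructed for this example.

```python
import ipaddress

# R1's routing table from section 3: three connected /24s plus a default route to R2.
R1_ROUTES = [
    ("192.168.1.0/24", "connected, Ethernet0/2 (Server LAN)"),
    ("192.168.2.0/24", "connected, Ethernet0/0 (ASA inside side)"),
    ("192.168.3.0/24", "connected, Ethernet0/1 (R2 side)"),
    ("0.0.0.0/0", "default via 192.168.3.254 (R2)"),
]
ASA_INSIDE = "192.168.2.254"              # ASA Inside interface address
SERVER_MAP, SERVER_REAL = "202.100.1.8", "192.168.1.8"


def r1_forward(dst):
    """Longest-prefix match on R1's table: a connected /24 beats the default route."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(net), via) for net, via in R1_ROUTES
               if addr in ipaddress.ip_network(net)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def asa_twice_nat(src, dst, translate_source):
    """Model of the (Outside,Inside) rule: the destination ServerMap -> ServerReal is
    always rewritten; the source becomes the Inside interface address only when the
    rule carries 'source dynamic any interface'. Returns None when the rule does not
    match (a destination other than ServerMap)."""
    if dst != SERVER_MAP:
        return None
    new_src = ASA_INSIDE if translate_source else src
    return new_src, SERVER_REAL


def return_path(client, translate_source):
    """Where R1 forwards the server's reply, given how the ASA translated the request.
    The server answers whatever source it saw, and its default route points at R1."""
    inside_src, _inside_dst = asa_twice_nat(client, SERVER_MAP, translate_source)
    return r1_forward(inside_src)


if __name__ == "__main__":
    # Without source translation the reply to 61.1.1.1 leaves via R2, not the ASA.
    print(return_path("61.1.1.1", translate_source=False))  # default via 192.168.3.254 (R2)
    # With it, the reply goes to 192.168.2.254, a connected subnet, i.e. back to the ASA.
    print(return_path("61.1.1.1", translate_source=True))   # connected, Ethernet0/0 (ASA inside side)
```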

Define the policy for the firewall's outside interface:

access-list Outside extended permit ip any object ServerReal

Note that the ACL references the server's real address, not the mapped address.

Apply the policy to the outside interface:

access-group Outside in interface Outside

Test:

Internet#telnet 202.100.1.8
Trying 202.100.1.8 ... Open

User Access Verification

Password: 
Server>show user
% Ambiguous command:  "show user"
Server>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:05:42   
*  2 vty 0                idle                 00:00:00 192.168.2.254

  Interface    User               Mode         Idle     Peer Address

Server>q

[Connection to 202.100.1.8 closed by foreign host]
Internet#

The connection from the Internet arrives with its source address already translated by the firewall (the session's location shows 192.168.2.254).

Server#ping 61.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 61.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/80/144 ms
Server#

Internet#debug ip icmp 
ICMP packet debugging is on
*Aug 22 13:02:57.787: ICMP: echo reply sent, src 61.1.1.1, dst 202.100.2.1
*Aug 22 13:02:57.967: ICMP: echo reply sent, src 61.1.1.1, dst 202.100.2.1
*Aug 22 13:02:58.067: ICMP: echo reply sent, src 61.1.1.1, dst 202.100.2.1
*Aug 22 13:02:58.123: ICMP: echo reply sent, src 61.1.1.1, dst 202.100.2.1
*Aug 22 13:02:58.127: ICMP: echo reply sent, src 61.1.1.1, dst 202.100.2.1

Server can still reach the Internet normally through PAT on router R2 (the echo replies go to R2's outside address 202.100.2.1).

5. Afterword

Multiple inside addresses mapped to multiple public addresses, all one-to-one:

Configure several mappings in the format above; every one of them translates the source to the firewall's inside interface address.

object network ServerMap
     host 202.100.1.8
object network R1Map
     host 202.100.1.18
object network R1Real
     host 192.168.1.1
nat (Outside,Inside) source dynamic any interface destination static ServerMap ServerReal
nat (Outside,Inside) source dynamic any interface destination static R1Map R1Real
access-list Outside extended permit tcp any object ServerReal eq telnet 
access-list Outside extended permit tcp any object R1Real eq telnet 

Multiple inside addresses behind a single public address (for example the interface address), using port mappings:

object service telnet
     service tcp destination eq telnet 
object service ServerMapTelnet2321
     service tcp destination eq 2321 
object service R1MapTelnet2322
     service tcp destination eq 2322
nat (Outside,Inside) source dynamic any interface destination static interface ServerReal service ServerMapTelnet2321 telnet
nat (Outside,Inside) source dynamic any interface destination static interface R1Real service R1MapTelnet2322 telnet
access-list Outside extended permit tcp any object ServerReal eq telnet 

This article is reproduced from 碧云天's 51CTO blog; original link: http://blog.51cto.com/333234/1694064. Contact the original author for reprint permission.