Starting with PIX 6.2, NAT and PAT can be applied to traffic coming from the outside, that is, traffic flowing from a lower-security interface to a higher-security interface. This feature is sometimes called "bi-directional NAT". Outside NAT/PAT works the same way as inside NAT/PAT, except that it is applied on the PIX's outside (lower-security) interface. Dynamic outside NAT can be configured by defining the addresses to be translated on the lower-security interface and the global address or address pool on the higher-security interface. A one-to-one mapping can also be specified with the static command.
Once outside NAT is configured, when a packet arrives at the PIX's outside (lower-security) interface, the PIX tries to locate an existing xlate (address translation entry) in the connection database. If there is no xlate, the PIX searches the configuration for a NAT policy. When a NAT policy is found, an xlate is created and inserted into the connection database. The PIX then rewrites the packet's source address using the static mapping or an address from the global pool and forwards the packet to the inside interface. Once the xlate is established, subsequent packets are forwarded quickly using that entry.
Below is an example outside NAT configuration.
9.1 Network topology
In this example, we want to achieve the following:
- 10.100.1.2 is translated to 209.165.202.135 when going out
- 209.165.202.129 is translated to 10.100.1.3 when coming in
- 10.100.1.0/24 is translated to the pool 209.165.202.140-209.165.202.141 when going out
- A connection from 209.165.202.129 to 10.100.1.2 appears, from the point of view of 209.165.202.129, as a connection to 209.165.202.135, while 10.100.1.2 sees the traffic that actually comes from 209.165.202.129 as coming from 10.100.1.3 (because of the outside NAT translation).
We will use an ACL or a conduit to permit access to all devices in 209.165.202.0/24.
9.2 Outside NAT configuration
The following is the outside NAT portion of the PIX configuration.
ip address outside 209.165.202.130 255.255.255.224
ip address inside 10.100.1.1 255.255.255.0
global (outside) 5 209.165.202.140-209.165.202.141 netmask 255.255.255.224
nat (inside) 5 10.100.1.0 255.255.255.0 0 0
static (inside,outside) 209.165.202.135 10.100.1.2 netmask 255.255.255.255 0 0
static (outside,inside) 10.100.1.3 209.165.202.129 netmask 255.255.255.255 0 0
conduit permit ip 209.165.202.0 255.255.255.0 209.165.202.0 255.255.255.0
! --- Or use an ACL instead of the conduit, but remember that the static commands are still required.
access-list 101 permit ip 209.165.202.0 255.255.255.0 209.165.202.0 255.255.255.0
access-group 101 in interface outside
Starting with PIX 6.2, NAT and PAT can be applied to traffic from an outside, or less secure, interface to an inside (more secure) interface. This is sometimes referred to as "bi-directional NAT."
Outside NAT/PAT is similar to inside NAT/PAT, but the address translation is applied to addresses of hosts residing on the outer (less secure) interfaces of the PIX. To configure dynamic outside NAT, specify the addresses to be translated on the less secure interface and specify the global address or addresses on the inside (more secure) interface. To configure static outside NAT, use the static command to specify the one-to-one mapping.
After outside NAT is configured, when a packet arrives at the outer (less secure) interface of the PIX, the PIX attempts to locate an existing xlate (address translation entry) in the connections database. If no xlate exists, it searches the NAT policy from the running configuration. If a NAT policy is located, an xlate is created and inserted into the database. The PIX then rewrites the source address to the mapped or global address and transmits the packet on the inside interface. Once the xlate is established, the addresses of any subsequent packets can be quickly translated by consulting the entries in the connections database.
In the example, we wanted the following.
- Device 10.100.1.2 to NAT to 209.165.202.135 when going out
- Device 209.165.202.129 to NAT to 10.100.1.3 when coming in
- Other devices on the 10.100.1.x network to NAT to addresses in the 209.165.202.140-209.165.202.141 pool when going out
- Connectivity from device 209.165.202.129 to device 10.100.1.2 with device 209.165.202.129 seeing the inside device as 209.165.202.135 and device 10.100.1.2 seeing traffic from 209.165.202.129 as coming from 10.100.1.3 (because of the outside NAT)
We are permitting access to all 209.165.202.x devices using ACLs or conduits.
Partial PIX Configuration - Outside NAT
ip address outside 209.165.202.130 255.255.255.224
ip address inside 10.100.1.1 255.255.255.0
global (outside) 5 209.165.202.140-209.165.202.141 netmask 255.255.255.224
nat (inside) 5 10.100.1.0 255.255.255.0 0 0
static (inside,outside) 209.165.202.135 10.100.1.2 netmask 255.255.255.255 0 0
static (outside,inside) 10.100.1.3 209.165.202.129 netmask 255.255.255.255 0 0
conduit permit ip 209.165.202.0 255.255.255.0 209.165.202.0 255.255.255.0
!--- Or in lieu of conduits, we leave the static statements but have the following.
access-list 101 permit ip 209.165.202.0 255.255.255.0 209.165.202.0 255.255.255.0
access-group 101 in interface outside
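As an added illustration (not part of the original document and not Cisco code), the following Python model walks through the xlate lookup described above for the statics and global pool in this configuration: a packet arriving on an interface first consults the xlate table, then the NAT policy (static before dynamic), and the destination is un-mapped through the other direction's entries. The class and function names are assumptions for the example; ACL/conduit checks are deliberately left out.

```python
import ipaddress

# Mappings transcribed from the page's configuration (constructed example data).
# static (inside,outside) 209.165.202.135 10.100.1.2 -> inside 10.100.1.2 is seen as .135 outside
# static (outside,inside) 10.100.1.3 209.165.202.129 -> outside .129 is seen as 10.100.1.3 inside
STATIC_INSIDE_TO_OUTSIDE = {"10.100.1.2": "209.165.202.135"}
STATIC_OUTSIDE_TO_INSIDE = {"209.165.202.129": "10.100.1.3"}
# nat (inside) 5 10.100.1.0/24 paired with global (outside) 5 .140-.141
DYNAMIC_INSIDE_NET = ipaddress.ip_network("10.100.1.0/24")
GLOBAL_POOL = ["209.165.202.140", "209.165.202.141"]


class Pix:
    def __init__(self):
        self.xlates = {}                 # (ingress iface, real src) -> mapped src
        self.pool_free = list(GLOBAL_POOL)

    def _xlate_for(self, iface, real):
        """Return the mapped source address, creating the xlate if none exists."""
        key = (iface, real)
        if key in self.xlates:           # existing xlate: fast path
            return self.xlates[key]
        mapped = None
        if iface == "inside":
            mapped = STATIC_INSIDE_TO_OUTSIDE.get(real)   # static wins over nat/global
            if mapped is None and ipaddress.ip_address(real) in DYNAMIC_INSIDE_NET:
                if not self.pool_free:
                    raise RuntimeError("global pool 5 exhausted")
                mapped = self.pool_free.pop(0)   # dynamic NAT: one pool address per host
        elif iface == "outside":
            mapped = STATIC_OUTSIDE_TO_INSIDE.get(real)   # outside NAT is static-only here
        if mapped is None:
            raise ValueError(f"no NAT policy for {real} arriving on {iface}")
        self.xlates[key] = mapped
        return mapped

    def forward(self, ingress, src, dst):
        """Translate a packet arriving on `ingress`; return (src, dst) as seen on egress."""
        new_src = self._xlate_for(ingress, src)
        # dst is the mapped form of a host on the far side: undo that mapping using
        # the statics and any xlates already built in the opposite direction.
        other = "inside" if ingress == "outside" else "outside"
        statics = STATIC_INSIDE_TO_OUTSIDE if other == "inside" else STATIC_OUTSIDE_TO_INSIDE
        reverse = {m: r for r, m in statics.items()}
        reverse.update({m: r for (i, r), m in self.xlates.items() if i == other})
        return new_src, reverse.get(dst, dst)


if __name__ == "__main__":
    pix = Pix()
    print(pix.forward("outside", "209.165.202.129", "209.165.202.135"))  # ('10.100.1.3', '10.100.1.2')
```

Running it shows the scenario from the requirements list: the outside host's packet to 209.165.202.135 leaves the inside interface as 10.100.1.3 -> 10.100.1.2, and later packets reuse the stored xlate instead of re-evaluating the policy.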