一.测试拓扑
二.测试思路
1.分别测试tcp和udp的连续端口PAT
2.再用静态端口转换工具分别将TCP端口和udp端口转换到某个常用端口进行测试
---tcp转换到TCP23,用telnet测试
---udp转换到UDP514,用syslog发送进行测试
3.为了测试方便,防火墙只设两个区Outside和Inside
---将Inside服务器的TCP1000~2000映射到防火墙Outside口的TCP1000~2000上
---将Inside服务器的UDP1000~2000映射到防火墙Outside口的UPD2000~3000上
4.测试发现如果TCP端口范围与UDP端口范围一样,第二个NAT配置不上,会报如下错误:
ERROR: NAT unable to reserve ports.
三.基本配置
1.Outside服务器
IP:202.100.1.8/24
2.防火墙ASA842
interface GigabitEthernet0
nameif Outside
security-level 0
ip address 202.100.1.10 255.255.255.0
!
interface GigabitEthernet1
nameif Inside
security-level 100
ip address 10.1.1.10 255.255.255.0
3.Intside服务器
IP:10.1.1.8/24
GW:10.1.1.10
四.静态PAT端口范围配置
1.定义端口范围对象
object network Inside_Server
host 10.1.1.8
object service tcp_ports
service tcp destination range 1000 2000
object service udp_ports
service udp destination range 2000 3000
2.配置twice-nat
nat (outside,inside) source static any any destination static interface Inside_Server service tcp_ports tcp_ports
nat (outside,inside) source static any any destination static interface Inside_Server service udp_ports udp_ports
3.配置并应用防火墙策略
access-list Outside extended permit tcp any object Inside_Server range 1000 2000
access-list Outside extended permit udp any object Inside_Server range 2000 3000
access-group Outside in interface Outside
4.测试验证
---可以用多种方式验证,如果进行静态端口转换嫌麻烦,可以直接抓包验证
本文转自 碧云天 51CTO博客,原文链接:http://blog.51cto.com/333234/1695049,如需转载请自行联系原作者
