1. Test topology (the diagram is not reproduced here; the layout below is recovered from the configuration that follows): R1 (10.1.1.1) and R2 (10.1.1.2) sit on the inside segment 10.1.1.0/24 behind the ASA's inside interface 10.1.1.10; the ASA's outside interface is 202.100.1.10 with a default route to the upstream router 202.100.1.3.
Original requirement thread: http://bbs.51cto.com/thread-939762-1.html
2. Basic configuration:
R1:
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.10
R2:
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.10
ASA842:
interface G0
nameif inside
security-level 100
ip address 10.1.1.10 255.255.255.0
no shut
interface G1
nameif outside
security-level 0
ip address 202.100.1.10 255.255.255.0
no shut
route outside 0 0 202.100.1.3
policy-map global_policy
class inspection_default
inspect icmp
3. DNS server configuration on router R2:
① Turn the router into a DNS server:
ip dns server
② Add a resolution entry (this name exists only on R2, which is what makes the later test conclusive):
ip host www.google.com 10.1.1.1
③ Test locally on R2:
R2(config)#ip domain lookup
R2(config)#exit
R2#ping www.google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/37/76 ms
R2#
4. NAT configuration on the ASA842:
① Dynamic PAT (to the outside interface address) so the internal network can reach the public network:
object network insidenet
subnet 10.1.1.0 255.255.255.0
nat (inside,outside) dynamic interface
② Send any DNS query bound for the public network to the internal server 10.1.1.2 instead. This is a manual (twice) NAT rule: the source translation is an identity (insidenet to insidenet) and only the destination is rewritten. Note that the destination pair is written mapped-then-real, the reverse of the source pair: outside-dns (0.0.0.0/0, whatever public resolver the client thinks it is talking to) is the mapped address and inside-dns (10.1.1.2) is the real server. Because it is manual NAT it lands in Section 1 of the NAT table and is evaluated before the object NAT from step ①, so it wins even though both rules cover 10.1.1.0/24. The service object restricts the match to UDP destination port 53; TCP/53 is not redirected by this rule, and DNS over TLS (TCP/853) or over HTTPS is outside its scope entirely:
object network inside-dns
host 10.1.1.2
object network outside-dns
subnet 0.0.0.0 0.0.0.0
object service dns
service udp destination eq domain
nat (inside,inside) source static insidenet insidenet destination static outside-dns inside-dns service dns dns
③ Allow traffic to enter and leave the same firewall interface (the redirected query arrives on inside and is sent back out inside to 10.1.1.2, which the ASA drops by default):
same-security-traffic permit intra-interface
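To make the rule ordering in step ② concrete, here is a small Python model of how the ASA evaluates the two NAT rules above. It is an added example, not code from the original post or from Cisco: the Packet/Result classes, function names and the simplified two-section ordering are assumptions made for illustration, and real ASA processing (route lookups, xlate tables, Section 3 rules) is richer than this.

```python
# Added example (not from the original post): toy model of ASA 8.4 NAT table
# evaluation for the configuration on this page.  Packet/Result, the function
# names and the simplified Section 1 -> Section 2 ordering are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

INSIDE_NET = ip_network("10.1.1.0/24")       # object network insidenet
INSIDE_DNS = ip_address("10.1.1.2")          # object network inside-dns
OUTSIDE_DNS = ip_network("0.0.0.0/0")        # object network outside-dns (any)
OUTSIDE_IF_IP = ip_address("202.100.1.10")   # 'dynamic interface' PATs to this


@dataclass(frozen=True)
class Packet:
    proto: str                 # "udp", "tcp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    ingress: str = "inside"    # interface the packet arrives on


@dataclass(frozen=True)
class Result:
    src: str      # source address after translation
    dst: str      # destination address after translation
    egress: str   # interface the ASA forwards on
    rule: str     # which rule matched, for the reader


def dns_redirect(p: Packet) -> Optional[Result]:
    """Section 1 (manual/twice NAT):
    nat (inside,inside) source static insidenet insidenet
        destination static outside-dns inside-dns service dns dns
    Identity source; destination 'any' rewritten to 10.1.1.2, but only for
    UDP destination port 53, and the packet hairpins back out 'inside'."""
    if p.ingress != "inside" or ip_address(p.src) not in INSIDE_NET:
        return None
    if ip_address(p.dst) not in OUTSIDE_DNS:   # always true for 0.0.0.0/0
        return None
    if not (p.proto == "udp" and p.dport == 53):
        return None
    return Result(p.src, str(INSIDE_DNS), "inside", "section1: dns redirect")


def dynamic_pat(p: Packet) -> Optional[Result]:
    """Section 2 (object NAT): nat (inside,outside) dynamic interface.
    Inside hosts leaving via the outside interface are PATed to 202.100.1.10."""
    if p.ingress != "inside" or ip_address(p.src) not in INSIDE_NET:
        return None
    if ip_address(p.dst) in INSIDE_NET:        # stays on the inside segment
        return None
    return Result(str(OUTSIDE_IF_IP), p.dst, "outside", "section2: dynamic PAT")


# Order matters: Section 1 is consulted before Section 2, which is why the
# UDP/53 redirect wins although the PAT rule also covers 10.1.1.0/24.
NAT_TABLE: List[Callable[[Packet], Optional[Result]]] = [dns_redirect, dynamic_pat]


def translate(p: Packet) -> Result:
    """First matching rule wins; an unmatched packet is forwarded untranslated."""
    for rule in NAT_TABLE:
        hit = rule(p)
        if hit is not None:
            return hit
    egress = "inside" if ip_address(p.dst) in INSIDE_NET else "outside"
    return Result(p.src, p.dst, egress, "no nat")


def untranslate_reply(query: Packet, reply_src: str, reply_dst: str) -> Tuple[str, str]:
    """Reverse translation of the reply through the connection the query opened.
    If the reply really comes from the translated destination (10.1.1.2), the
    client sees it arrive from the address it originally asked (e.g. 8.8.8.8),
    which is why R1 prints 'domain server (8.8.8.8) [OK]' in the test below."""
    fwd = translate(query)
    if reply_src == fwd.dst and reply_dst == fwd.src:
        return (query.dst, query.src)
    return (reply_src, reply_dst)


if __name__ == "__main__":
    # Constructed sample packets mirroring the tests on this page.
    for pkt in (Packet("udp", "10.1.1.1", "8.8.8.8", 53),     # DNS to 'public' resolver
                Packet("icmp", "10.1.1.1", "202.100.1.3"),     # ping to upstream router
                Packet("tcp", "10.1.1.1", "8.8.8.8", 53)):     # TCP/53: not covered
        print(pkt, "->", translate(pkt))
    print("client sees reply from:",
          untranslate_reply(Packet("udp", "10.1.1.1", "8.8.8.8", 53), "10.1.1.2", "10.1.1.1"))
```

The third sample packet is the caveat from step ②: a TCP/53 query to 8.8.8.8 is simply PATed out to the real resolver, so anything that must be captured over TCP needs its own rule with a TCP service object.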
5. Verification:
① An internal host can reach the public network:
R1#ping 202.100.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/46/88 ms
R1#
② Whichever public DNS server the internal host is pointed at, the query is answered by the internal server 10.1.1.2. R1 still reports "domain server (8.8.8.8)" because the ASA untranslates the reply through the same connection, so the answer appears to come from 8.8.8.8; the name resolving to 10.1.1.1, an entry that exists only on R2, is what proves the redirect worked:
R1(config)#ip domain lookup
R1(config)#ip name-server 8.8.8.8
R1(config)#do ping www.google.com
Translating "www.google.com"...domain server (8.8.8.8) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R1(config)#
Note: a similar effect can be configured on a Check Point firewall, but there the destination DNS server IP must be specified explicitly, and DNS rules carry a notion of priority, so the translation cannot be attached to the internal network object; it can only be defined in the NAT rule base, where the rules are matched in order, as shown in the figure below (figure not reproduced here).
This article is reproduced from 碧云天's 51CTO blog; original link: http://blog.51cto.com/333234/974472. Contact the original author for permission to repost.