CiscoASA-1

ASA(config)# show version

Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)

Telnet

username cisco password cisco encrypted privilege 15 // configure a local username and password

telnet 12.12.12.0 255.255.255.0 inside // restrict telnet logins to the inside network
aaa authentication telnet console LOCAL // remote telnet logins authenticate against the local user database

ASA(config)# sh ip // show interface IP addresses
System IP Addresses:
Interface Name IP address Subnet mask Method
Ethernet0 inside 12.12.12.2 255.255.255.0 manual
Ethernet1 outside 200.200.200.1 255.255.255.0 manual
Current IP Addresses:
Interface Name IP address Subnet mask Method
Ethernet0 inside 12.12.12.2 255.255.255.0 manual
Ethernet1 outside 200.200.200.1 255.255.255.0 manual
ASA(config)#

ASA(config)# sh rou //看路由

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is not set

C 200.200.200.0 255.255.255.0 is directly connected, outside
C 12.12.12.0 255.255.255.0 is directly connected, inside
ASA(config)#

Permit ICMP // build an ACL

access-list 101 extended deny icmp host 200.200.200.2 host 12.12.12.1

access-list 101 extended permit icmp any any

ASA(config)# show access-list 101
access-list 101; 2 elements; name hash: 0xe7d586b5
access-list 101 line 1 extended deny icmp host 200.200.200.2 host 12.12.12.1 (hitcnt=10) 0x4c640740
access-list 101 line 2 extended permit icmp any any (hitcnt=1) 0x744a4825
ASA(config)#

Add routes (inside and outside directions)

ASA(config)# route ? // add a route

configure mode commands/options:
Current available interface(s):
inside Name of interface Ethernet0
outside Name of interface Ethernet1
ASA(config)# route 172.16.0.0 255.255.255.0 ?
ERROR: % Unrecognized command
ASA(config)# route in172.16.0.0 255.255.255.0
ASA(config)# route in 172.16.0.0 255.255.255.0 ?

configure mode commands/options:
Hostname or A.B.C.D The address of the gateway by which the foreign network
is reached.
ASA(config)# route in 172.16.0.0 255.255.255.0 12.12.12.2

ASA(config)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is not set

C 200.200.200.0 255.255.255.0 is directly connected, outside
S 2.2.2.0 255.255.255.0 [1/0] via 200.200.200.2, outside
C 12.12.12.0 255.255.255.0 is directly connected, inside
ASA(config)#

NAT // the various NAT forms

1. NAT using an address pool

In the old syntax, this translates the 12.12.12.0/24 network one-to-one into the pool 200.200.200.10-200.200.200.20:
nat (inside) 1 12.12.12.0 255.255.255.0
global (outside) 1 200.200.200.10-200.200.200.20

object network inside
subnet 12.12.12.0 255.255.255.0
object network outsidepool
range 200.200.200.10 200.200.200.20

access-list 100 extended permit icmp any any
access-group 100 in interface outside

object network inside
nat (inside,outside) dynamic outsidepool

ASA(config)# show conn
1 in use, 6 most used
TCP outside 200.200.200.2:23 inside 12.12.12.1:48081, idle 0:00:07, bytes 468, flags UIO
ASA(config)#

ASA(config)# show xlate
1 in use, 2 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:12.12.12.1 to outside:200.200.200.10 flags i idle 0:02:41 timeout 3:00:00
ASA(config)#

ASA(config)# show nat detail

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic inside outsidepool
translate_hits = 7, untranslate_hits = 8
Source - Origin: 12.12.12.0/24, Translated: 200.200.200.10-200.200.200.20
ASA(config)#

outside(config)#do show user
Line User Host(s) Idle Location

* 0 con 0 idle 00:00:00
98 vty 0 cisco idle 00:03:53 200.200.200.10

    Interface User Mode Idle Peer Address

outside(config)#

2. Dynamic PAT, many-to-one

In the old syntax this can be done with a single address, or directly with the interface keyword:
nat (inside) 1 12.1.1.0 255.255.255.0
global (outside) 1 200.200.200.1 or interface

object network inside
subnet 12.12.12.0 255.255.255.0
access-list 100 extended permit icmp any any

object network inside
nat (inside,outside) dynamic interface
access-group 100 in interface outside

ASA(config)# show nat de

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic inside interface
translate_hits = 3, untranslate_hits = 2
Source - Origin: 12.12.12.0/24, Translated: 200.200.200.1/24
ASA(config)# show xl
2 in use, 3 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:12.12.12.1/26542 to outside:200.200.200.1/8741 flags ri idle 0:00:09 timeout 0:00:30
NAT from inside:12.12.12.1 to outside:200.200.200.10 flags i idle 0:07:01 timeout 3:00:00
ASA(config)# show conn
1 in use, 6 most used
TCP outside 200.200.200.2:23 inside 12.12.12.1:26542, idle 0:00:08, bytes 215, flags UIO
ASA(config)#

outside#show users
Line User Host(s) Idle Location

* 0 con 0 idle 00:00:00
98 vty 0 cisco idle 00:01:15 200.200.200.1

    Interface User Mode Idle Peer Address

outside#

3. A single public address

object network inside
subnet 12.12.12.0 255.255.255.0
object network outsidehost
host 200.200.200.200
access-list 100 extended permit icmp any any
object network inside
nat (inside,outside) dynamic outsidehost
access-group 100 in interface outside

ASA(config)# sh xl
3 in use, 3 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:12.12.12.1/23806 to outside:200.200.200.10/54239 flags ri idle 0:00:10 timeout 0:00:30
ICMP PAT from inside:12.12.12.1/3 to outside:200.200.200.10/6938 flags ri idle 0:00:18 timeout 0:00:30
ICMP PAT from inside:12.12.12.1/2 to outside:200.200.200.10/19041 flags ri idle 0:00:19 timeout 0:00:30
ASA(config)# sh nat de

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic inside outsidepool
translate_hits = 3, untranslate_hits = 2
Source - Origin: 12.12.12.0/24, Translated: 200.200.200.10/32
ASA(config)# show conn
1 in use, 4 most used
TCP outside 200.200.200.2:23 inside 12.12.12.1:23806, idle 0:00:07, bytes 267, flags UIO
ASA(config)#

4. Policy NAT

object network policy
host 200.200.200.2
object network outsidepat
host 200.200.200.100
object network inside
subnet 12.12.12.0 255.255.255.0
nat (inside,outside) source dynamic inside outsidepat destination static policy policy

access-list 100 extended permit icmp any any
access-group 100 in interface outside

route inside 0.0.0.0 0.0.0.0 12.12.12.2 1

outside#show user
Line User Host(s) Idle Location

* 0 con 0 idle 00:00:00
98 vty 0 cisco idle 00:01:39 200.200.200.100

    Interface User Mode Idle Peer Address

outside#

ASA(config)# sh xl
1 in use, 3 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:12.12.12.1/29145 to outside:200.200.200.100/2644 flags ri idle 0:01:22 timeout 0:00:30
ASA(config)# sh nat de
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic inside outsidepat destination static policy policy
translate_hits = 2, untranslate_hits = 0
Source - Origin: 12.12.12.0/24, Translated: 200.200.200.100/32
Destination - Origin: 200.200.200.2/32, Translated: 200.200.200.2/32

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic inside interface
translate_hits = 2, untranslate_hits = 0
Source - Origin: 12.12.12.0/24, Translated: 200.200.200.1/24
ASA(config)# sh conn
1 in use, 4 most used
TCP outside 200.200.200.2:23 inside 12.12.12.1:29145, idle 0:01:17, bytes 464, flags UIO
ASA(config)#
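The order in which the ASA walks its NAT table explains why the peer router above sees 200.200.200.100 for telnet to 200.200.200.2, while the same host would leave from the interface address 200.200.200.1 for any other destination. The Python model below is an added illustration written for these notes, not ASA code; it assumes first-match evaluation with Manual NAT (Section 1) tried before Auto NAT (Section 2) and encodes the two policies printed by sh nat de above.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class NatRule:
    """One row of the NAT table as printed by 'sh nat de' (constructed model)."""
    section: int                      # 1 = Manual NAT, 2 = Auto (object) NAT
    real_src: str                     # original source network, CIDR
    mapped_src: str                   # translated source address
    real_dst: str = "0.0.0.0/0"       # destination condition; any unless policy NAT

    def matches(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.real_src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.real_dst))


# The two policies from section 4 of the notes:
#   Manual NAT: inside -> outsidepat (200.200.200.100) only when going to 'policy' (200.200.200.2)
#   Auto NAT:   inside -> dynamic interface (200.200.200.1) for everything else
RULES = [
    NatRule(1, "12.12.12.0/24", "200.200.200.100", "200.200.200.2/32"),
    NatRule(2, "12.12.12.0/24", "200.200.200.1"),
]


def lookup(src: str, dst: str, rules=RULES):
    """Return (section, mapped source) of the first matching rule, or None.

    Simplification (assumption): rules inside a section are tried in listed
    order; a real ASA additionally orders Section 2 by static-before-dynamic
    and by prefix length, which does not change the outcome for these two rules.
    """
    for rule in sorted(rules, key=lambda r: r.section):   # stable sort keeps listed order
        if rule.matches(src, dst):
            return rule.section, rule.mapped_src
    return None


if __name__ == "__main__":
    print(lookup("12.12.12.1", "200.200.200.2"))    # policy NAT wins: (1, '200.200.200.100')
    print(lookup("12.12.12.1", "200.200.200.50"))   # falls through to Auto NAT: (2, '200.200.200.1')
    print(lookup("172.16.10.10", "200.200.200.2"))  # DMZ host has no rule here: None
```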

5. Static NAT with port translation
With multiple public addresses:
object network DMZ
nat (dmz,outside) static 200.200.200.150 service tcp telnet telnet
object network DMZ
host 172.16.10.10

access-list 100 extended permit tcp any any
access-group 100 in interface outside

ASA(config-network-object)# sh xl
1 in use, 3 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from dmz:172.16.10.10 23-23 to outside:200.200.200.150 23-23
flags sr idle 0:00:08 timeout 0:00:00
ASA(config-network-object)# sh nat de
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic inside outsidepat destination static policy policy
translate_hits = 2, untranslate_hits = 0
Source - Origin: 12.12.12.0/24, Translated: 200.200.200.100/32
Destination - Origin: 200.200.200.2/32, Translated: 200.200.200.2/32

Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static DMZ 200.200.200.150 service tcp telnet telnet
translate_hits = 0, untranslate_hits = 1
Source - Origin: 172.16.10.10/32, Translated: 200.200.200.150/32
Service - Protocol: tcp Real: telnet Mapped: telnet
2 (inside) to (outside) source dynamic inside interface
translate_hits = 2, untranslate_hits = 0
Source - Origin: 12.12.12.0/24, Translated: 200.200.200.1/24
ASA(config-network-object)# sh conn
1 in use, 4 most used
TCP outside 200.200.200.2:44381 dmz 172.16.10.10:23, idle 0:00:05, bytes 490, flags UIOB
ASA(config-network-object)#

With only one public IP address (a single mapping):
object network DMZ
host 172.16.10.10
object network DMZ
nat (dmz,outside) static interface service tcp telnet 2323
access-group 100 in interface outside
access-list 100 extended permit tcp any any

With only one public IP address (multiple mappings):

object network dmz
host 172.16.10.10
object network dmz1
host 172.16.10.10

access-list 100 extended permit icmp any any
access-list 100 extended permit tcp any any

object network dmz
nat (dmz,outside) static interface service tcp www 8080
object network dmz1
nat (dmz,outside) static interface service tcp telnet 2323
access-group 100 in interface outside
route inside 0.0.0.0 0.0.0.0 12.12.12.2 1

ASA(config-network-object)# sh xl
2 in use, 2 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from dmz:172.16.10.10 80-80 to outside:200.200.200.1 8080-8080
flags sr idle 0:01:32 timeout 0:00:00
TCP PAT from dmz:172.16.10.10 23-23 to outside:200.200.200.1 2323-2323
flags sr idle 0:00:05 timeout 0:00:00
ASA(config-network-object)#

ASA(config-network-object)# sh nat de

Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static dmz interface service tcp www 8080
translate_hits = 0, untranslate_hits = 1
Source - Origin: 172.16.10.10/32, Translated: 200.200.200.1/24
Service - Protocol: tcp Real: www Mapped: 8080
2 (dmz) to (outside) source static dmz1 interface service tcp telnet 2323
translate_hits = 0, untranslate_hits = 2
Source - Origin: 172.16.10.10/32, Translated: 200.200.200.1/24
Service - Protocol: tcp Real: telnet Mapped: 2323
ASA(config-network-object)#
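The static entries in sh xl (flag s, timeout 0:00:00) are the ones that stay reachable from the outside whether or not a session exists, so they are what an operator should inventory after adding the mappings in section 5. The parser below is an added example written for these notes, not an ASA feature; it reads the sh xl text format shown above (including the wrapped "flags ..." continuation line the ASA prints for static entries) and assumes the constructed sample assembled from the outputs on this page.

```python
import re

# Constructed sample, stitched together from the 'sh xl' outputs in these notes.
SAMPLE_XLATE = """\
3 in use, 3 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:12.12.12.1/26542 to outside:200.200.200.1/8741 flags ri idle 0:00:09 timeout 0:00:30
TCP PAT from dmz:172.16.10.10 80-80 to outside:200.200.200.1 8080-8080
flags sr idle 0:01:32 timeout 0:00:00
TCP PAT from dmz:172.16.10.10 23-23 to outside:200.200.200.1 2323-2323
flags sr idle 0:00:05 timeout 0:00:00
NAT from inside:12.12.12.1 to outside:200.200.200.10 flags i idle 0:07:01 timeout 3:00:00
"""

# Matches both dynamic entries (addr/port) and static entries (addr lo-hi range).
ENTRY = re.compile(
    r"^(?:(?P<proto>TCP|UDP|ICMP) PAT|NAT) from "
    r"(?P<rif>\w+):(?P<rip>[\d.]+)(?:/(?P<rport>\d+)| (?P<rlo>\d+)-\d+)? to "
    r"(?P<mif>\w+):(?P<mip>[\d.]+)(?:/(?P<mport>\d+)| (?P<mlo>\d+)-\d+)? "
    r"flags (?P<flags>\w+)"
)


def parse_xlate(text):
    """Yield one dict per translation; a leading 'flags ...' line is a wrapped continuation."""
    joined = []
    for line in text.splitlines():
        if line.startswith("flags ") and joined:
            joined[-1] += " " + line          # re-attach the wrapped tail to its entry
        else:
            joined.append(line)
    for line in joined:
        m = ENTRY.match(line)
        if m:
            d = m.groupdict()
            yield {
                "proto": d["proto"] or "ip",
                "real": (d["rif"], d["rip"], d["rport"] or d["rlo"]),
                "mapped": (d["mif"], d["mip"], d["mport"] or d["mlo"]),
                "static": "s" in d["flags"],   # s = static: no session needed, never times out
            }


def static_exposures(text):
    """(mapped ip, mapped port, real ip, real port, proto) for every static entry."""
    return [(e["mapped"][1], e["mapped"][2], e["real"][1], e["real"][2], e["proto"])
            for e in parse_xlate(text) if e["static"]]


if __name__ == "__main__":
    for row in static_exposures(SAMPLE_XLATE):
        print(row)   # 200.200.200.1:8080 -> 172.16.10.10:80 and 200.200.200.1:2323 -> 172.16.10.10:23
```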