简单的网络拓扑
PC1—>SWITCH-->;PIX 802—>;OUTSIDE SWITCH—>OUTSIDE PC
PIX802的配置如下:
PIX Version 8.0(2)
!
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list permiticmp extended permit icmp any any
access-list permitnat1 extended permit ip host 192.168.1.2 host 192.168.2.2
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 2.2.2.2 netmask 255.255.255.255
nat (inside) 1 access-list permitnat1
access-group permiticmp in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
注意到公网的IP网段是192.168.2.0/24,然而NAT转化后的IP是2.2.2.2与公网是不同的网段,可以最后测试时,竟然可以PING 通??
请问各位对此有什么见解??
最后看到的解决方案:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml
Troubleshoot
This section provides information you can use to troubleshoot your configuration.
-
If you use ICMP pings to test a configured translation, the pings are likely to fail and make it seem as though the translation is not working. By default, the PIX blocks ICMP messages from lower security interfaces to higher security interfaces. This occurs even if the echo-reply is in response to a ping initiated from the inside. As a result, be sure to use another method, like Telnet, to verify your configuration.
-
After you make any changes to translation rules on the PIX it is strongly encouraged that the clear xlate command be issued. This ensures that any old translations do not interfere with newly configured ones and cause them to operate incorrectly.
-
After you configure or change static translations between servers on the inside or DMZ and the outside, it might be necessary to clear the ARP cache of the gateway router or other next-hop device.
-
-
本文的由于前期理解不深,上面所有的论述大部分不正确,根据NAT的四个表,映射最后还是通过路由来传递,只是IP的源与目的的改变;
-
- 最新补充。终结版
7.0以后开始 nat-control 是默认关闭的,关闭的时候是没有nat转换的,相当于路由器一样,但是ACL的规则还是存在的
默认情况的变化:
在6.3的时候只要是穿越防火墙都 需要创建转换项,比如:nat;static等等,没有转换项是不能穿越防火墙的,但是到了7.0这个规则有了变化,不需要任何转换项也能正常的像路由器 一样穿越防火墙。但是一个新的命令出现了!当你打上nat-control这个命令的时候,这个规则就改变得和6.3时代一样必须要有转换项才能穿越防火 墙了。
下面的实验有助于大家理解nat-control的真正意义
拓扑
R1—-inside-PIX-outside—-R3
12.0.0.0 23.0.0.0
在 nat-control 关闭的情况下
1,只配置IP,不配置其他任何设置
R1可以telnet到R3,没有xlate表项,R3 telnet R1的时候只需要在outside放行就可以了
2,配置了nat (inside) 1 12.1.1.0 255.255.255.0
glob (outside) interface
这个时候会出现xlate表,因为这个时候的流量是匹配配置的,所以会产生xlate
PAT Global 23.1.1.2(1026) Local 12.1.1.1(14930)
3,配置了nat (inside) 1 192.168.1.0 255.255.255.0
glob (outside) interface
这个时候R1可以telnet到R3,但是不会出现xlate,由于nat-control是关闭的,就算配置错了,也可以通
当nat-control 打开的情况下
配置了nat (inside) 1 12.1.1.0 255.255.255.0
glob (outside) interface
这样R1可以telnet到R3,有xlate
nat (inside) 1 192.168.1.0 255.255.255.0
glob (outside) interface
这样就不行了,由于nat-control做了控制
我遇到过很多朋友在配置7.0以上的时候,都不会打上nat-control命令,不启用的话ASA的防护能力会降低,还是建议大家养成习惯,配置前第一句话先敲上这句命令
