1. Lab topology:

2. Lab requirements:

Prerequisite: R1, R2 and R3 each have a default route pointing at the address of the ASA interface they are connected to.

(1) R1 telnets directly to R3's translated (mapped) address and lands on R3's CLI.
(2) No extra ACL entry is needed for R3's translated address: on ASA 8.3 and later the interface ACL is matched against the real (pre-NAT) address, so the entry that already permits host R1 to R3's real address also covers the translated flow.
(3) Once this is deployed, R1 can still telnet to R3 even after R1's default route towards the ASA is removed.

3. Configuration:

(1) Clear the object left over from the previous lab and confirm it is gone:

ASA(config)# clear configure object
ASA(config)# show run object

(2) Write an ACL that matches R1's Telnet traffic to R3 and apply it inbound on the outside interface:

ASA(config)# access-list nameout extended permit tcp host 202.100.1.1 host 10.1.2.3 eq 23
ASA(config)# access-group nameout in interface outside

Verification:

R1#telnet 10.1.2.3
Trying 10.1.2.3 ... Open

User Access Verification

Username: cc
Password:
R3>

ASA(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list nameout; 1 elements; name hash: 0xb3be6588
access-list nameout line 1 extended permit tcp host 202.100.1.1 host 10.1.2.3 eq telnet (hitcnt=1) 0x96543a58
//The ACL is being matched: the hit count is 1.

ASA(config)# show xlate
0 in use, 3 most used
//No NAT translations exist yet.

R3#show users
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:00
 130 vty 0     cc         idle                 00:02:36 202.100.1.1
//R1 is managing R3 remotely using R3's real address.

(3) Use static NAT to translate the DMZ host's address to the outside address 202.100.1.101:

ASA(config)# object network dmzquyu
ASA(config-network-object)# host 10.1.2.3
ASA(config-network-object)# nat (dmz,outside) static 202.100.1.101

Verification:

ASA# show xlate
1 in use, 3 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from dmz:10.1.2.3 to outside:202.100.1.101
    flags s idle 0:00:31 timeout 0:00:00
//A static translation is permanent, so the slot has no timeout.

Problem encountered: R1 could not telnet to R3's translated address 202.100.1.101. In GNS3 I right-clicked and reloaded both R3 and R1; after restarting both it worked, but ping still fails.

R1#ping 10.1.2.10  //The instructor could ping this address
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R1#telnet 202.100.1.101
Trying 202.100.1.101 ... Open

User Access Verification

Username: cc
Password:
R3>

(4) Remove R1's default route:

R1(config)#no ip route 0.0.0.0 0.0.0.0 202.100.1.10

Verification:

R1#telnet 202.100.1.101
Trying 202.100.1.101 ... Open

User Access Verification

Username: cc
Password:
R3>
//Success: even without a default route, R1 can still reach R3. The mapped address 202.100.1.101 lies on R1's directly connected outside segment, and the ASA answers ARP for a static NAT mapped address on the mapped interface (proxy ARP), so R1 resolves it locally and needs no route; reaching R3's real address 10.1.2.3 still requires one.
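Requirement (2) above rests on the order in which an ASA running 8.3 or later handles an inbound packet: it undoes the static NAT (the UN-NAT phase) before consulting the interface ACL, so the ACL is written against real addresses. The following Python model is an added example, not part of the original lab page and not Cisco code; it reuses the page's addresses, NAT rule and ACL as embedded data, and the pre-8.3 order (ACL matched against the mapped address) is included only to show why an entry permitting 202.100.1.101 would match nothing on 8.3+.

```python
"""Model of inbound packet handling on a Cisco ASA running 8.3 or later:
static NAT is undone (UN-NAT) first, then the inbound interface ACL is
checked against the real, untranslated addresses.

Added example for this lab page, not Cisco code. The NAT rule and ACL
below are the page's own configuration expressed as data; everything
else (type names, the Packet model, the pre-8.3 comparison) is an
assumption made for illustration.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class StaticNat:
    real_ifc: str    # interface behind which the real host sits
    mapped_ifc: str  # interface on which the mapped address is exposed
    real: str
    mapped: str


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "ip" (any)
    src: str
    dst: str
    dport: Optional[int] = None  # None means any destination port


@dataclass(frozen=True)
class Packet:
    ingress: str
    proto: str
    src: str
    dst: str
    dport: int


# The page's configuration:
#   object network dmzquyu / host 10.1.2.3 / nat (dmz,outside) static 202.100.1.101
#   access-list nameout extended permit tcp host 202.100.1.1 host 10.1.2.3 eq 23
NAT_TABLE = [StaticNat("dmz", "outside", "10.1.2.3", "202.100.1.101")]
ACL_OUTSIDE = [AclEntry("permit", "tcp", "202.100.1.1", "10.1.2.3", 23)]


def un_nat(pkt: Packet, nat_table: List[StaticNat] = NAT_TABLE) -> Tuple[Packet, Optional[str]]:
    """UN-NAT phase: if the destination is a mapped address on the ingress
    interface, rewrite it to the real address and return the egress interface.
    A packet sent to a real address passes through unchanged."""
    for rule in nat_table:
        if rule.mapped_ifc == pkt.ingress and pkt.dst == rule.mapped:
            return replace(pkt, dst=rule.real), rule.real_ifc
    return pkt, None


def acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    """First-match ACL evaluation with the implicit deny at the end."""
    for e in acl:
        if (e.proto in ("ip", pkt.proto) and e.src == pkt.src
                and e.dst == pkt.dst and e.dport in (None, pkt.dport)):
            return e.action == "permit"
    return False


def process_inbound(pkt: Packet, acl: List[AclEntry] = ACL_OUTSIDE,
                    acl_on_real: bool = True) -> Tuple[bool, Packet]:
    """Return (allowed, packet as the ACL saw it).

    acl_on_real=True is the 8.3+ order: UN-NAT, then ACL on real addresses.
    acl_on_real=False mimics the pre-8.3 order, where the ACL was matched
    against the mapped address; it exists only for comparison."""
    real_pkt, _egress = un_nat(pkt)
    seen_by_acl = real_pkt if acl_on_real else pkt
    return acl_permits(acl, seen_by_acl), seen_by_acl


if __name__ == "__main__":
    to_mapped = Packet("outside", "tcp", "202.100.1.1", "202.100.1.101", 23)
    to_real = Packet("outside", "tcp", "202.100.1.1", "10.1.2.3", 23)
    # Common mistake on 8.3+: permitting the mapped address instead of the real one.
    wrong_acl = [AclEntry("permit", "tcp", "202.100.1.1", "202.100.1.101", 23)]

    print("8.3+, telnet to mapped address:", process_inbound(to_mapped))
    print("8.3+, telnet to real address:  ", process_inbound(to_real))
    print("8.3+, ACL written on mapped:   ", process_inbound(to_mapped, wrong_acl))
    print("pre-8.3 order, page's ACL:     ", process_inbound(to_mapped, acl_on_real=False))
```

On a real ASA the corresponding check is `packet-tracer input outside tcp 202.100.1.1 12345 202.100.1.101 23` (the source port is arbitrary), whose output lists the UN-NAT phase before the ACCESS-LIST phase and ends with the flow allowed; with the ACL rewritten to permit 202.100.1.101 the ACCESS-LIST phase drops it. For step (4), `show ip arp` on R1 after the default route is removed shows 202.100.1.101 resolved to the ASA's outside MAC address, which is the proxy-ARP behaviour that lets the Telnet succeed without a route.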