ASA的twice-nat将互联网访问的源地址转换为内网接口地址测试

原创

碧云天 2015-09-12 13:12:51 博主文章分类：ASA实验 ©著作权

文章标签 ide 内网服务器 文章分类 网络安全

©著作权归作者所有：来自51CTO博客作者碧云天的原创作品，请联系作者获取转载授权，否则将追究法律责任

一.测试拓扑

二.测试思路

不考虑网络拓扑的合理性，只是考虑网络是否可通
外网访问内部服务器在防火墙上映射的公网地址不通是因为R1的默认路由指向的不是防火墙，出现了非对称路由问题，导致TCP连接来回路径不一致而会话失败
如果把外网访问内部服务器的源地址转换为防火墙内网接口地址，则不会出现非对称路由问题

三.基本配置

路由器Server

interface FastEthernet0/0
     ip address 192.168.1.8 255.255.255.0
     no shut
ip route 0.0.0.0 0.0.0.0 192.168.1.1

路由器R1

interface Ethernet0/0
     ip address 192.168.2.1 255.255.255.0
     no shut!         
interface Ethernet0/1
     ip address 192.168.3.1 255.255.255.0
     no shut
interface Ethernet0/2
     ip address 192.168.1.1 255.255.255.0
     no shut!
ip route 0.0.0.0 0.0.0.0 192.168.3.254

路由器R2

interface Ethernet0/0
 ip address 202.100.2.1 255.255.255.0
     ip nat outside
     no shut
interface Ethernet0/1
     ip address 192.168.3.254 255.255.255.0
     ip nat inside
     no shut
ip route 0.0.0.0 0.0.0.0 202.100.2.2
ip route 192.168.0.0 255.255.0.0 192.168.3.1

ip nat inside source list PAT interface Ethernet0/0 overload
ip access-list extended PAT
 permit ip 192.168.0.0 0.0.255.255 any

防火墙ASA842：

interface GigabitEthernet0
     nameif Outside
     security-level 0
     ip address 202.100.1.1 255.255.255.0 
interface GigabitEthernet1
     nameif Inside
     security-level 100
     ip address 192.168.2.254 255.255.255.0 

route Outside 0.0.0.0 0.0.0.0 202.100.1.2 1
route Inside 192.168.0.0 255.255.0.0 192.168.2.1 1

路由器Internet：

interface Loopback0
     ip address 61.1.1.1 255.255.255.0
interface FastEthernet0/0
     ip address 202.100.1.2 255.255.255.0
     no shut
interface FastEthernet0/1
     ip address 202.100.2.2 255.255.255.0
     no shut

四.防火墙twice-nat相关配置

定义内网服务器对象

object network ServerReal
     host 192.168.1.8

定义内网服务器映射后的公网IP对象：

object network ServerMap
host 202.100.1.8

配置twice-nat：转换前-----源地址：any 目标地址：内网服务器映射后的公网IP转换后-----源地址：防火墙inside口地址目标地址：内网服务器实际

nat (Outside,Inside) source dynamic any interface destination static ServerMap ServerReal

定义防火墙外网口策略：
access-list Outside extended permit ip any object ServerReal
---注意这些是服务器的实际地址，而不是映射后的地址
应用防火墙外网口策略：
access-group Outside in interface Outside
测试：

Internet#telnet 202.100.1.8
Trying 202.100.1.8 ... Open

User Access Verification

Password:
Server>show user
% Ambiguous command: "show user"
Server>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:05:42
* 2 vty 0                idle                 00:00:00 192.168.2.254

Interface    User               Mode         Idle     Peer Address

Server>q

[Connection to 202.100.1.8 closed by foreign host]
Internet#
-----从公网来的防火墙已经作了源地址转换
Server#ping 61.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 61.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/80/144 ms

Server#
Internet#debug ip icmp
ICMP packet debugging is on
Internet#
*Aug 22 13:02:57.787: ICMP: echo reply sent, src 61.1.1.1, dst 202.100.2.1
*Aug 22 13:02:57.967: ICMP: echo reply sent, src 61.1.1.1, dst 202.100.2.1
*Aug 22 13:02:58.067: ICMP: echo reply sent, src 61.1.1.1, dst 202.100.2.1
*Aug 22 13:02:58.123: ICMP: echo reply sent, src 61.1.1.1, dst 202.100.2.1
*Aug 22 13:02:58.127: ICMP: echo reply sent, src 61.1.1.1, dst 202.100.2.1
Internet#

------Server可以正常从R2路由器PAT上公网

五.后记

多个内网地址，多个公网地址，都是一对一映射情况
可以按上面格式配置多个映射，并且都是映射到防火墙内网口地址
object network ServerMap

     host 202.100.1.8

object network ServerReal
     host 192.168.1.8
object network R1Map
     host 202.100.1.18
object network R1Real
     host 192.168.1.1

nat (Outside,Inside) source dynamic any interface destination static ServerMap ServerReal

nat (Outside,Inside) source dynamic any interface destination static R1Map R1Real

access-list Outside extended permit tcp any object ServerReal eq telnet
access-list Outside extended permit tcp any object R1Real eq telnet
access-group Outside in interface Outside
多个内网地址，一个公网地址（比如接口地址），都是端口映射情况
object network ServerReal
     host 192.168.1.8
object network R1Real
     host 192.168.1.1

object service telnet
     service tcp destination eq telnet
object service ServerMapTelnet2321
     service tcp destination eq 2321
object service R1MapTelnet2322
     service tcp destination eq 2322

nat (Outside,Inside) source dynamic any interface destination static interface ServerReal service ServerMapTelnet2321 telnet
nat (Outside,Inside) source dynamic any interface destination static interface R1Real service R1MapTelnet2322 telnet

access-list Outside extended permit tcp any object Serverreal eq telnet
access-list Outside extended permit tcp any object R1Real eq telnet
access-group Outside in interface Outside