Configuring twice NAT
  Twice NAT lets a single rule match both the source and the destination of a flow.
  Although matching the destination address is what twice NAT was designed for, the destination part of the rule is optional in practice. When it is configured, the destination can be identity-translated (mapped object identical to the real object) or statically translated to a different address.
  
1. Configuring dynamic NAT with twice NAT
  In this example the two destination objects are identical (both 1.1.1.1), so the destination side is identity NAT; only the source is translated dynamically, from 2.2.2.0/24 to the pool 1.1.1.100-1.1.1.150.
 
object network realsource
 subnet 2.2.2.0 255.255.255.0
object network mappedsource
 range 1.1.1.100 1.1.1.150
object network realdest
 host 1.1.1.1
object network mappeddst
 host 1.1.1.1
 
Finally, the nat statement ties the objects together. Note the argument order: for the source the real object comes first and the mapped object second, while for the destination the mapped object comes first and the real object second.
nat (inside,outside) source dynamic realsource mappedsource destination static   mappeddst    realdest
ASA# show xlate
2 in use, 2 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from outside:1.1.1.1 to inside:1.1.1.1
    flags sIT idle 0:02:22 timeout 0:00:00
NAT from inside:2.2.2.101 to outside:1.1.1.100 flags i idle 0:02:22 timeout 3:00:00
 
2. Configuring PAT with twice NAT
  
object network realsource
 subnet 2.2.2.0 255.255.255.0
object network mappedsource
 range 1.1.1.100 1.1.1.150
object network realdest
 host 2.2.2.100
object network mappeddst
 host 1.1.1.100
 
nat (inside,outside) source dynamic realsource pat-pool mappedsource destination static mappeddst  realdest
Pay attention to the order of the arguments and to the keywords (pat-pool turns the mapped source range into a PAT pool). I tested this myself: if the mapped object in the destination part is wrong, communication breaks, and with a wrong configuration the ASA does not send proxy ARP replies for the addresses in the object network. Also note that the test below pings 2.2.2.200 from 2.2.2.101 and gets replies from 1.1.1.1, and the xlate table shows outside:1.1.1.1 mapped to inside:2.2.2.200, so the test was run with realdest = host 1.1.1.1 and mappeddst = host 2.2.2.200 rather than the 2.2.2.100/1.1.1.100 values shown in the objects above.
 
Actual test results
Receiver (R1, 1.1.1.1):
R1#
*Mar 1 01:24:44.207: ICMP: echo reply sent, src 1.1.1.1, dst 1.1.1.100
*Mar 1 01:24:44.295: ICMP: echo reply sent, src 1.1.1.1, dst 1.1.1.100
*Mar 1 01:24:44.331: ICMP: echo reply sent, src 1.1.1.1, dst 1.1.1.100
*Mar 1 01:24:44.347: ICMP: echo reply sent, src 1.1.1.1, dst 1.1.1.100
*Mar 1 01:24:44.371: ICMP: echo reply sent, src 1.1.1.1, dst 1.1.1.100
R1#
 
Sender (R2, 2.2.2.101):
R2#ping 2.2.2.200
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.200, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/48/140 ms
R2#
*Mar 1 01:24:33.515: ICMP: echo reply rcvd, src 2.2.2.200, dst 2.2.2.101
*Mar 1 01:24:33.567: ICMP: echo reply rcvd, src 2.2.2.200, dst 2.2.2.101
*Mar 1 01:24:33.587: ICMP: echo reply rcvd, src 2.2.2.200, dst 2.2.2.101
*Mar 1 01:24:33.611: ICMP: echo reply rcvd, src 2.2.2.200, dst 2.2.2.101
*Mar 1 01:24:33.623: ICMP: echo reply rcvd, src 2.2.2.200, dst 2.2.2.101
 
 
Note the source IP address in the echo replies R2 receives: it is 2.2.2.200, the mapped destination address, not the real address 1.1.1.1. The ASA untranslates the reply's source back to the mapped address, so the inside host only ever sees 2.2.2.200.
 
Translations on the ASA (the 'r' flag marks the port-mapped PAT entry, 'T' the twice-NAT destination entry):
ASA# show xlate
2 in use, 3 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from outside:1.1.1.1 to inside:2.2.2.200
    flags sT idle 0:00:02 timeout 0:00:00
ICMP PAT from inside:2.2.2.101/19 to outside:1.1.1.100/19 flags ri idle 0:00:02 timeout 0:00:30
ASA#
 
 
3. Using twice NAT for static NAT (and static NAT with port translation)
object network mappedsource
  subnet 1.1.1.0 255.255.255.0
object network source
 subnet 2.2.2.0 255.255.255.0
object network realdest
 host 1.1.1.1
object network mappeddest
 host 2.2.2.101
nat (inside,outside) source static source mappedsource destination static mappeddest realdest
 
The source translation is now static (show xlate):
2 in use, 3 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:2.2.2.0/24 to outside:1.1.1.0/24
    flags sT idle 0:00:06 timeout 0:00:00
NAT from outside:1.1.1.1 to inside:2.2.2.101
    flags sT idle 0:10:47 timeout 0:00:00
 
Note the one-to-one mapping in a static subnet-to-subnet translation: the host part is preserved, so 2.2.2.201 is translated to 1.1.1.201 (2.2.2.101 to 1.1.1.101, and so on).
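The heading of this section also mentions static NAT with port translation, which the configuration above does not show. The following is an added example, not part of the original page, that extends the section 3 rule with service objects so that inside hosts reach 1.1.1.1 port 80 by connecting to the mapped address 2.2.2.101 on port 8080. The service object names dest-mapped-8080 and dest-real-80 and the ports 8080/80 are assumptions for illustration; the network objects repeat the ones from this section so the block stands on its own.

```cisco
! Added example (not from the original page): twice NAT static translation
! with port translation. Object names and the ports 8080/80 are assumptions.
object network source
 subnet 2.2.2.0 255.255.255.0
object network mappedsource
 subnet 1.1.1.0 255.255.255.0
object network realdest
 host 1.1.1.1
object network mappeddest
 host 2.2.2.101
!
! Service objects: the port the inside hosts dial (mapped destination)
! and the port the real server listens on (real destination).
object service dest-mapped-8080
 service tcp destination eq 8080
object service dest-real-80
 service tcp destination eq 80
!
! Argument order, as in the rest of the rule: real source then mapped source,
! mapped destination then real destination. In the service clause the first
! object is the real-source/mapped-destination service and the second the
! mapped-source/real-destination service, so 2.2.2.x:any -> 2.2.2.101:8080
! becomes 1.1.1.x:any -> 1.1.1.1:80.
nat (inside,outside) source static source mappedsource destination static mappeddest realdest service dest-mapped-8080 dest-real-80
```

To check which rule a flow hits before sending real traffic, packet-tracer is the quickest test, for example packet-tracer input inside tcp 2.2.2.101 12345 2.2.2.101 8080; the NAT phase of its output should name this rule and show the rewritten destination 1.1.1.1/80. A connection to 2.2.2.101 on any other port does not match the service clause and falls through to the next rule, which is usually the intended behaviour but is easy to overlook when the same mapped address is reused elsewhere.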
 
4. Identity NAT with twice NAT is configured the same way as identity NAT with object network NAT (the real and mapped source objects are the same object); the difference is that a destination translation can be added to the same rule.
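Section 4 describes identity twice NAT without showing it, so here is an added example, not from the original page, that keeps the source untranslated and rewrites only the destination, using the same topology as the PAT test above (inside 2.2.2.0/24, outside host 1.1.1.1 reached by inside hosts as 2.2.2.200). The object name inside-lan is an assumption; realdest and mappeddst follow the page's naming.

```cisco
! Added example (not from the original page): identity twice NAT for the
! source combined with a static destination translation. The object name
! inside-lan is an assumption; addresses follow the page's test topology.
object network inside-lan
 subnet 2.2.2.0 255.255.255.0
object network realdest
 host 1.1.1.1
object network mappeddst
 host 2.2.2.200
!
! Real and mapped source are the same object, so the source 2.2.2.x passes
! through unchanged (identity). Only the destination is translated:
! inside hosts send to 2.2.2.200 and the ASA rewrites it to 1.1.1.1.
! Replies from 1.1.1.1 are untranslated back to a source of 2.2.2.200,
! exactly as in the PAT test output above.
nat (inside,outside) source static inside-lan inside-lan destination static mappeddst realdest
```

Because the source is not translated, the outside side must have a route back to 2.2.2.0/24 through the ASA, otherwise 1.1.1.1 replies to an address it cannot reach; this is the usual cause of a rule that shows up in show xlate with the s, I and T flags but carries no traffic. The mapped destination 2.2.2.200 lives inside the inside subnet, so the ASA has to answer ARP for it on the inside interface, which is the proxy ARP behaviour section 2 warned about: get the mapped/real order of the destination objects wrong and that ARP reply never happens.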