GNS3 作PIX中的NAT时的问题
简单的网络拓扑
PC1—>SWITCH-->;PIX 802—>;OUTSIDE SWITCH—>OUTSIDE PC
PIX802的配置如下:
PIX Version 8.0(2) ! hostname pixfirewall enable password 8Ry2YjIyt7RRXU24 encrypted names ! interface Ethernet0 nameif outside security-level 0 ip address 192.168.2.1 255.255.255.0 ! interface Ethernet1 nameif inside security-level 100 ip address 192.168.1.1 255.255.255.0 ! interface Ethernet2 shutdown no nameif no security-level no ip address ! interface Ethernet3 shutdown no nameif no security-level no ip address ! interface Ethernet4 shutdown no nameif no security-level no ip address ! passwd 2KFQnbNIdI.2KYOU encrypted ftp mode passive access-list permiticmp extended permit icmp any any access-list permitnat1 extended permit ip host 192.168.1.2 host 192.168.2.2 pager lines 24 mtu outside 1500 mtu inside 1500 icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp timeout 14400 global (outside) 1 2.2.2.2 netmask 255.255.255.255 nat (inside) 1 access-list permitnat1 access-group permiticmp in interface outside timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout uauth 0:05:00 absolute dynamic-access-policy-record DfltAccessPolicy no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart no crypto isakmp nat-traversal telnet timeout 5 ssh timeout 5 console timeout 0 threat-detection basic-threat threat-detection statistics access-list ! ! prompt hostname context Cryptochecksum:00000000000000000000000000000000 : end
注意到公网的IP网段是192.168.2.0/24,然而NAT转化后的IP是2.2.2.2与公网是不同的网段,可以最后测试时,竟然可以PING 通??
请问各位对此有什么见解??
最后看到的解决方案:
http://www.cisco.com/en/US/products/hw/***devc/ps2030/products_tech_note09186a0080094aad.shtml
Troubleshoot
This section provides information you can use to troubleshoot your configuration.
- If you use ICMP pings to test a configured translation, the pings are likely to fail and make it seem as though the translation is not working. By default, the PIX blocks ICMP messages from lower security interfaces to higher security interfaces. This occurs even if the echo-reply is in response to a ping initiated from the inside. As a result, be sure to use another method, like Telnet, to verify your configuration.
- After you make any changes to translation rules on the PIX it is strongly encouraged that the clear xlate command be issued. This ensures that any old translations do not interfere with newly configured ones and cause them to operate incorrectly.
- After you configure or change static translations between servers on the inside or DMZ and the outside, it might be necessary to clear the ARP cache of the gateway router or other next-hop device.
- 本文的由于前期理解不深,上面所有的论述大部分不正确,根据NAT的四个表,映射最后还是通过路由来传递,只是IP的源与目的的改变;
- 最新补充。终结版
7.0以后开始 nat-control 是默认关闭的,关闭的时候是没有nat转换的,相当于路由器一样,但是ACL的规则还是存在的
默认情况的变化: 在6.3的时候只要是穿越防火墙都 需要创建转换项,比如:nat;static等等,没有转换项是不能穿越防火墙的,但是到了7.0这个规则有了变化,不需要任何转换项也能正常的像路由器 一样穿越防火墙。但是一个新的命令出现了!当你打上nat-control这个命令的时候,这个规则就改变得和6.3时代一样必须要有转换项才能穿越防火 墙了。
下面的实验有助于大家理解nat-control的真正意义
拓扑 R1—-inside-PIX-outside—-R3 12.0.0.0 23.0.0.0
在 nat-control 关闭的情况下 1,只配置IP,不配置其他任何设置 R1可以telnet到R3,没有xlate表项,R3 telnet R1的时候只需要在outside放行就可以了
2,配置了nat (inside) 1 12.1.1.0 255.255.255.0 glob (outside) interface 这个时候会出现xlate表,因为这个时候的流量是匹配配置的,所以会产生xlate PAT Global 23.1.1.2(1026) Local 12.1.1.1(14930)
3,配置了nat (inside) 1 192.168.1.0 255.255.255.0 glob (outside) interface 这个时候R1可以telnet到R3,但是不会出现xlate,由于nat-control是关闭的,就算配置错了,也可以通
当nat-control 打开的情况下 配置了nat (inside) 1 12.1.1.0 255.255.255.0 glob (outside) interface 这样R1可以telnet到R3,有xlate
nat (inside) 1 192.168.1.0 255.255.255.0 glob (outside) interface 这样就不行了,由于nat-control做了控制 我遇到过很多朋友在配置7.0以上的时候,都不会打上nat-control命令,不启用的话ASA的防护能力会降低,还是建议大家养成习惯,配置前第一句话先敲上这句命令
腾讯云开发者
