ASA防火墙配置NAT实验

满堂花醉三千客，一剑霜寒十四州。这篇文章主要讲述ASA防火墙配置NAT实验相关的知识，希望能为你提供帮助。
实验要求：
配置NAT使相应区域可以远程登录外网路由器，并比较不同配置方法的利弊。

实验环境：

实验配置：
【ASA防火墙配置NAT实验】（配置下一实验时，用no +原命令清除原配置）
端口基本配置：R1:

config terminal
int e0/0
ip address 200.1.1.2 255.255.255.0
no shutdown
int loop 0
ip address 216.84.152.99 255.255.255.0
no shutdown
exit

R2:

config terminal
int e0/0
ip address 192.168.0.1 255.255.255.0
no shutdown
int loop 0
ip address 192.168.1.11 255.255.255.0
no shutdown
exit
ip route 0.0.0.0 0.0.0.0 192.168.0.254

R3:

config terminal
int e0/0
ip address 172.16.1.1 255.255.255.0
no shutdown
int loop 0
ip address 172.16.88.11 255.255.255.0
no shutdown
exit
ip route 0.0.0.0 0.0.0.0 172.16.1.254

ASA：

enable
config terminal
int g0
nameif outside
security-level 0
ip address 200.1.1.1 255.255.255.0
no shutdown
int g1
nameif inside
security-level 100
ip address 172.16.1.254 255.255.255.0
no shutdown
int g2
nameif dmz
security-level 50
ip address 192.168.0.254 255.255.255.0
no shutdown
exit
route outside 0.0.0.0 0.0.0.0 200.1.1.2
route dmz 192.168.1.0 255.255.255.0 192.168.0.1
route inside 172.16.88.0 255.255.255.0 172.16.1.1

配置远程登录：

username bdqn privilege 15 password 123.123
line vty 0 4
login local
transport input telnet
exit

ASA配置NAT实验：动态NAT：

object network out-pool
range 200.1.1.10 200.1.1.20
exit
object network in-l0
subnet 172.16.88.0 255.255.255.0
exit
object network in-e0
subnet 172.16.1.0 255.255.255.0
exit
object network dmz-1
subnet 192.168.0.0 255.255.255.0
exit
object network dmz-2
subnet 192.168.1.0 255.255.255.0
exit
object-group network in-lan
network-object object in-l0
network-object object in-e0
exit
object-group network dmz-lan
network-object object dmz-1
network-object object dmz-2
exit
nat (inside,outside) source dynamic in-lan out-pool
nat (dmz,outside) source dynamic dmz-lan out-pool

测试结果：

使用外网接口配置NAT：

nat (inside,outside) source dynamic in-lan interface
nat (dmz,outside) source dynamic dmz-lan interface

测试结果：

使用指定外网IP：

object network out-pat3
host 200.1.1.3
exit
nat (inside,outside) source dynamic in-e0 pat-pool out-pat3
object network out-pool4
host 200.1.1.4
exit
nat (inside,outside) source dynamic in-l0 pat-pool out-pool4

测试结果：

先动态NAT 最后用指定IP做PAT：（因动态NAT地址池地址较多，故实验没有体现出指定IP）

object network out-pool
range 200.1.1.10 200.1.1.20
exit
object network out-pat3
host 200.1.1.3
exit
object-group network out-nat
network-object object out-pat3
network-object object out-pool
exit
nat (inside,outside) source dynamic in-lan out-nat

测试结果:

静态NAT:

object network web
host 200.1.1.21
exit
object network dmz-web
host 192.168.1.11
exit
access-list web permit tcp any host 192.168.1.11
access-group web in interface outside
nat (dmz,outside) source static dmz-web web

测试结果：

端口一对一：

object network teldmz
host 200.1.1.22
exit
object network dmz-web
host 192.168.0.1
exit
object service telnet
service tcp source eq telnet
exit
nat (dmz,outside) source static dmz-web teldmz service telnet telnet