Twice Nat
(2014-10-16 09:06:19)
Some time ago at work I ran into a problem: hosts on the internal network could not reach the public address that an internal server had been mapped to. Twice NAT can be used to solve this.
Twice NAT means performing NAT again according to a policy defined with objects. Traditionally, for example, the SNAT translation is done on Inside and the DNAT translation on Outside. With Twice NAT, one more translation is added according to that policy: the SNAT translation on Inside stays unchanged, and a DNAT translation is added on Inside as well. In this way the mapped address of the internal network is translated back into the internal address on Inside, i.e. traffic enters via Inside and leaves via Inside.
-------------------------------------------------------------------------------------------------
The link below points to an article that describes the Cisco ASA Twice NAT configuration in detail; it is reposted here.
Using ASA Twice NAT to solve the problem of the internal network being unable to reach a mapped public address
http://www.it165.net/network/html/201307/1136.html
By default, regardless of whether an address or service in the Inside or DMZ zone is mapped to the Outside zone, neither the Inside zone nor the DMZ zone can reach the internal server through the mapped address. Starting with ASA version 8.3 there is a new kind of NAT called Twice NAT, which can match both the source address and the destination address in a single NAT statement, and can translate one, two or all three of the source address, destination address and port number.
二. Basic approach:
A. Inside zone mapped to the Outside zone
① The Outside zone reaching the mapped address of the Inside zone: no problem
② The Inside zone reaching the mapped address of the Inside zone: use Twice NAT to translate both the source and the destination address
---translate the source address to the Inside interface address, and the destination address to the real address of the Inside device
---if the source address is not translated, the session cannot be established, because the forward and return paths of the flow differ
③ The DMZ zone reaching the mapped address of the Inside zone: use Twice NAT to translate the destination address
---translate the destination address to the real address of the Inside device
---because both sides use real addresses, Inside and DMZ need routes to each other
---the source address can also be translated at the same time, to the Inside interface address; for ease of auditing this is not recommended
B. DMZ zone mapped to the Outside zone
① The Outside zone reaching the mapped address of the DMZ zone: no problem
② The Inside zone reaching the mapped address of the DMZ zone: use Twice NAT to translate the destination address
---translate the destination address to the real address of the DMZ device
---because both sides use real addresses, Inside and DMZ need routes to each other
---the source address can also be translated at the same time, to the DMZ interface address; for ease of auditing this is not recommended
---in actual tests on an emulator, however, I found that without source address translation the error
-- bad sequence number was reported frequently
---I cannot work out why a sequence number error is reported; even setting set connection random-sequence-number disable via MPF only mitigates it, it still shows up occasionally; I think it is probably the emulator's fault
③ The DMZ zone reaching the mapped address of the DMZ zone: use Twice NAT to translate both the source and the destination address
---translate the source address to the DMZ interface address, and the destination address to the real address of the DMZ device
---if the source address is not translated, the session cannot be established, because the forward and return paths of the flow differ
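The return-path argument above (why the hairpin case needs source translation while the Inside-to-DMZ case in theory does not) can be checked with a small model of the translation and of the server's reply path. This is an added example, not part of the original post: the rule fields, the `Packet`/`TwiceNatRule` classes and the /24 assumption are constructed here; the addresses are the lab's, and the emulator sequence-number issue is outside the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class TwiceNatRule:
    """Model of one ASA twice NAT line (constructed for this example):
    nat (real_if,mapped_if) source static any <src_xlate|any>
        destination static <mapped_dst> <real_dst> service <mapped_port> <real_port>"""
    mapped_dst: str           # e.g. Public-R2 = 202.100.1.10
    real_dst: str             # e.g. Inside-R2 = 10.1.1.2
    mapped_port: int
    real_port: int
    src_xlate: Optional[str]  # ASA interface address, or None for 'source static any any'

def translate(rule: TwiceNatRule, pkt: Packet) -> Optional[Packet]:
    """Forward translation the ASA applies to the client's SYN; None if the rule does not match."""
    if pkt.dst != rule.mapped_dst or pkt.dport != rule.mapped_port:
        return None
    return Packet(rule.src_xlate or pkt.src, rule.real_dst, rule.real_port)

def same_subnet(a: str, b: str, prefix: int = 24) -> bool:
    # Assumption: every lab segment is a /24; a server answers on the LAN when the reply
    # address is in its own subnet, otherwise it routes via its default gateway (the ASA).
    return ipaddress.ip_address(b) in ipaddress.ip_network(f"{a}/{prefix}", strict=False)

def reply_as_seen_by_client(rule: TwiceNatRule, client: str, asa_addrs: set) -> Tuple[str, str]:
    """Return (source address of the SYN-ACK the client receives, path the reply took)."""
    reply_to = translate(rule, Packet(client, rule.mapped_dst, rule.mapped_port)).src
    if reply_to in asa_addrs or not same_subnet(rule.real_dst, reply_to):
        return rule.mapped_dst, "via-asa"   # ASA reverses the xlate; client sees the mapped address
    return rule.real_dst, "direct"          # server answers on the LAN, bypassing the ASA

def session_completes(rule: TwiceNatRule, client: str, asa_addrs: set) -> bool:
    # The client only accepts a SYN-ACK whose source is the address it connected to.
    return reply_as_seen_by_client(rule, client, asa_addrs)[0] == rule.mapped_dst

ASA_ADDRS = {"10.1.1.10", "192.168.1.10", "202.100.1.10"}
# nat (Inside,Inside) source static any interface destination static Public-R2 Inside-R2 service tcp23 tcp23
INSIDE_HAIRPIN = TwiceNatRule("202.100.1.10", "10.1.1.2", 23, 23, src_xlate="10.1.1.10")
# Same hairpin rule written with 'source static any any' (the variant the text says cannot build a session)
INSIDE_HAIRPIN_NO_SNAT = TwiceNatRule("202.100.1.10", "10.1.1.2", 23, 23, src_xlate=None)
# nat (Inside,DMZ) source static any any destination static Public-R3 DMZ-R3 service tcp2323 tcp23
INSIDE_TO_DMZ_NO_SNAT = TwiceNatRule("202.100.1.10", "192.168.1.3", 2323, 23, src_xlate=None)
```

Calling `reply_as_seen_by_client(INSIDE_HAIRPIN_NO_SNAT, "10.1.1.1", ASA_ADDRS)` returns `("10.1.1.2", "direct")`: R2 answers R1 on the shared segment with its real address, so R1 never sees a SYN-ACK from 202.100.1.10.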
三. Test topology:
R1-----SW--(Inside)----ASA---(Outside)----R4
        |               |
        R2            (DMZ)
                        |
                      R3(DMZ)
四. Test requirements:
A. Map TCP port 23 of R2 to port 23 of the ASA's Outside interface
----R1 through R4 must all be able to reach R2's port 23 via port 23 of the ASA's Outside interface
B. Map TCP port 23 of R3 to port 2323 of the ASA's Outside interface
----R1 through R4 must all be able to reach R3's port 23 via port 2323 of the ASA's Outside interface
五. Basic configuration:
A. R1:
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.10
B. R2:
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.10
line vty 0 4
 password cisco
 login
C. ASA:
interface GigabitEthernet0
 nameif Inside
 security-level 100
 ip address 10.1.1.10 255.255.255.0
 no shut
interface GigabitEthernet1
 nameif DMZ
 security-level 50
 ip address 192.168.1.10 255.255.255.0
 no shut
interface GigabitEthernet2
 nameif Outside
 security-level 0
 ip address 202.100.1.10 255.255.255.0
 no shut
D. R3:
interface FastEthernet0/0
 ip address 192.168.1.3 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 192.168.1.10
line vty 0 4
 password cisco
 login
E. R4:
interface FastEthernet0/0
 ip address 202.100.1.4 255.255.255.0
 no shut
六. ASA NAT and policy configuration:
A. Dynamic PAT so that the Inside and DMZ zones can reach the public network:
object network Inside-NET
 subnet 10.1.1.0 255.255.255.0
 nat (Inside,Outside) dynamic interface
object network DMZ-NET
 subnet 192.168.1.0 255.255.255.0
 nat (DMZ,Outside) dynamic interface
B. Static PAT to map R2 and R3 outward:
object network Inside-R2
 host 10.1.1.2
 nat (Inside,Outside) static interface service tcp 23 23
object network DMZ-R3
 host 192.168.1.3
 nat (DMZ,Outside) static interface service tcp 23 2323
C. Firewall policy:
① Enable ICMP inspection:
policy-map global_policy
 class inspection_default
  inspect icmp
② Outside interface permit policy:
access-list OUTSIDE extended permit tcp any object Inside-R2 eq telnet
access-list OUTSIDE extended permit tcp any object DMZ-R3 eq telnet
access-group OUTSIDE in interface Outside
③ DMZ interface permit policy:
access-list DMZ extended permit tcp any object Inside-R2 eq telnet
access-list DMZ extended permit icmp any any
access-list DMZ extended deny ip any object Inside-NET
access-list DMZ extended permit ip any any
access-group DMZ in interface DMZ
---Note: this is only a test. In practice, unless it is really necessary, avoid permitting DMZ-to-Inside access; where it must be permitted, permit it per host.
D. Tests:
① The Inside and DMZ zones can reach the public network:
R1#PING 202.100.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/80/168 ms
R2#ping 202.100.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/67/156 ms
R3#ping 202.100.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/120/204 ms
② The mapped ports can only be reached from the Outside zone:
R4#TELNET 202.100.1.10 23
Trying 202.100.1.10 ... Open
User Access Verification
Password:
R2>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:55:06
*  66 vty 0               idle                 00:00:00 202.100.1.4

  Interface    User               Mode         Idle     Peer Address

R2>
R4#TELNET 202.100.1.10 2323
Trying 202.100.1.10, 2323 ... Open
User Access Verification
Password:
R3>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:51:12
*  66 vty 0               idle                 00:00:00 202.100.1.4

  Interface    User               Mode         Idle     Peer Address

R3>
R1#telnet 202.100.1.10
Trying 202.100.1.10 ...
% Connection timed out; remote host not responding
七. ASA Twice NAT configuration:
A. Make Inside-zone access to the mapped address of the Inside zone translate both the source and the destination address
① Configure the objects:
object network Public-R2
 host 202.100.1.10
object service tcp23
 service tcp destination eq telnet
② Configure the twice NAT:
nat (Inside,Inside) source static any interface destination static Public-R2 Inside-R2 service tcp23 tcp23
③ Permit traffic that enters and leaves on the same interface:
same-security-traffic permit intra-interface
---This command is required because the traffic enters via the Inside interface and leaves via the Inside interface.
④ Test:
R1#telnet 202.100.1.10
Trying 202.100.1.10 ... Open
User Access Verification
Password:
R2>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 01:07:35
*  66 vty 0               idle                 00:00:00 10.1.1.10

  Interface    User               Mode         Idle     Peer Address

R2>
R2#telnet 202.100.1.10
Trying 202.100.1.10 ... Open
User Access Verification
Password:
R2>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                202.100.1.10         00:00:00
*  66 vty 0               idle                 00:00:00 10.1.1.10

  Interface    User               Mode         Idle     Peer Address

B. Make Inside-zone access to the mapped address of the DMZ zone translate only the destination address
① Configure the objects:
object network Public-R3
 host 202.100.1.10
object network DMZ-R3
 host 192.168.1.3
object service tcp2323
 service tcp destination eq 2323
② Configure the twice NAT:
nat (Inside,DMZ) source static any any destination static Public-R3 DMZ-R3 service tcp2323 tcp23
③ Test:
R1#telnet 202.100.1.10 2323
Trying 202.100.1.10, 2323 ...
% Connection timed out; remote host not responding
R3#debug ip tcp packet port 23
TCP Packet debugging is on for port number 23
R3#
*Mar  1 13:18:25.648: tcp0: I LISTEN 10.1.1.1:17155 192.168.1.3:23 seq 1568429504
        OPTS 4 SYN WIN 4128
*Mar  1 13:18:25.652: tcp0: O SYNRCVD 10.1.1.1:17155 192.168.1.3:23 seq 1603796811
        OPTS 4 ACK 1568429505 SYN WIN 4128
*Mar  1 13:18:25.656: tcp0: I SYNRCVD 10.1.1.1:17155 192.168.1.3:23 seq 4193850862
        OPTS 4 SYN WIN 4128
*Mar  1 13:18:25.660: tcp0: O SYNRCVD 10.1.1.1:17155 192.168.1.3:23 seq 1603796811
        ACK 1568429505 WIN 4128
*Mar  1 13:18:25.660: TCP0: bad seg from 10.1.1.1 -- bad sequence number: port 23 seq 4193850862 ack 0 rcvnxt 1568429505 rcvwnd 4128 len 0
④ Solution:
---Change the NAT so that the source address is translated as well
nat (Inside,DMZ) source static any interface destination static Public-R3 DMZ-R3 service tcp2323 tcp23
⑤ Test again:
R1#telnet 202.100.1.10 2323
Trying 202.100.1.10, 2323 ... Open
User Access Verification
Password:
R3>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:02:15
*  66 vty 0               idle                 00:00:00 192.168.1.10

  Interface    User               Mode         Idle     Peer Address

R3>
R2#telnet 202.100.1.10 2323
Trying 202.100.1.10, 2323 ... Open
User Access Verification
Password:
R3>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:03:13
  66 vty 0                idle                 00:00:58 192.168.1.10
*  67 vty 1               idle                 00:00:00 192.168.1.10

  Interface    User               Mode         Idle     Peer Address

R3>
C. Make DMZ-zone access to the mapped address of the Inside zone translate only the destination address
① Configure the objects:
---Already defined above
② Configure the twice NAT:
nat (DMZ,Inside) source static any any destination static Public-R2 Inside-R2 service tcp23 tcp23
③ Test:
R3#telnet 202.100.1.10
Trying 202.100.1.10 ... Open
User Access Verification
Password:
R2>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                202.100.1.10         00:02:49
*  66 vty 0               idle                 00:00:00 192.168.1.3

  Interface    User               Mode         Idle     Peer Address

R2>
D. Make DMZ-zone access to the mapped address of the DMZ zone translate both the source and the destination address
① Configure the objects:
---Already defined above
② Configure the twice NAT:
nat (DMZ,DMZ) source static any interface destination static Public-R3 DMZ-R3 service tcp2323 tcp23
③ Permit traffic that enters and leaves on the same interface:
---Already configured above: same-security-traffic permit intra-interface
④ Test:
R3#telnet 202.100.1.10 2323
Trying 202.100.1.10, 2323 ... Open
User Access Verification
Password:
R3>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                202.100.1.10         00:00:00
  66 vty 0                idle                 00:07:01 192.168.1.10
  67 vty 1                idle                 00:06:02 192.168.1.10
*  68 vty 2               idle                 00:00:00 192.168.1.10

  Interface    User               Mode         Idle     Peer Address
