本文转自:http://blog.sina.com.cn/s/blog_6e66cc750100np54.html
公司搬家,更新两台ASA防火墙,配置完failover后,准备把原PIX上的NAT配置迁移过来,发现连global命令都已经deprecated了!!!
ASA系统新版本为8.3,与以前的8.2及PIX 7.x/6.x有很大的不同:新NAT命令看起来是object-oriented,明显比原来的命令冗长,但其实更清晰、易于理解--正如C与C++的比较。
这得用点时间习惯一下。另外几千条static和access-list命令是不是得编个小程序转换一下? 需要特别注意的是,8.3起access-list匹配的是真实(未转换)地址而不是映射地址:原来在outside接口上按公网映射地址放行流量的ACL必须改写为内网真实地址,否则这些permit条目迁移后将不再命中。另外8.3的NAT分段匹配:手动(twice)NAT按配置顺序优先于object NAT,迁移后应逐条用packet-tracer和show nat detail核对命中情况,不要只看配置能否输入。
另:failover的primary不肯主动承担active--重启后就一直是standby了--沦落为与secondary同等的地位,debug及log中没发现错误及警告。这其实是预期行为,与8.3无关:ASA的active/standby failover默认没有抢占(preemption),primary重启恢复后不会自动夺回active,需要在primary上执行failover active(或在secondary上执行no failover active)手动切换。not urgent,日后解决。
Static NAT/PAT
Pre-8.3 NAT | 8.3 NAT |
---|---|
Regular Static NAT
static (inside,outside) 192.168.100.100 10.1.1.6 netmask 255.255.255.255 |
object network obj-10.1.1.6
host 10.1.1.6
nat (inside,outside) static 192.168.100.100
|
Regular Static PAT
static (inside,outside) tcp 192.168.100.100 80 10.1.1.16 8080 netmask 255.255.255.255 |
object network obj-10.1.1.16
host 10.1.1.16
nat (inside,outside) static 192.168.100.100 service tcp 8080 www
|
Static Policy NAT
access-list NET1 permit ip host 10.1.2.27 10.76.5.0 255.255.255.224
static (inside,outside) 192.168.100.100 access-list NET1 |
object network obj-10.1.2.27
host 10.1.2.27
object network obj-192.168.100.100
host 192.168.100.100
object network obj-10.76.5.0
subnet 10.76.5.0 255.255.255.224
nat (inside,outside) source static obj-10.1.2.27 obj-192.168.100.100
destination static obj-10.76.5.0 obj-10.76.5.0
|
Pre-8.3 NAT | 8.3 NAT |
---|---|
Regular Dynamic PAT
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 10.1.1.0 255.255.255.0
global (outside) 1 192.168.100.100
|
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic 192.168.100.100
object network obj-10.1.1.0
subnet 10.1.1.0 255.255.255.0
nat (dmz,outside) dynamic 192.168.100.100
|
Regular Dynamic PAT
nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 192.168.100.100
global (dmz) 1 192.168.1.1
|
object network obj-10.1.2.0
subnet 10.1.2.0 255.255.255.0
nat (inside,outside) dynamic 192.168.100.100
object network obj-10.1.2.0-01
subnet 10.1.2.0 255.255.255.0
nat (inside,dmz) dynamic 192.168.1.1
|
Regular Dynamic PAT-3
nat (inside) 1 0 0
global (outside) 1 interface
|
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
|
Dynamic Policy NAT (8.3的service object一次只描述一个端口条件,所以原来一条ACL要拆成两条手动NAT;手动NAT按配置顺序匹配,先命中者生效,更具体的规则要放在前面)
object-group network og-net-src
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
object-group network og-net-dst
network-object 192.168.200.0 255.255.255.0
object-group service og-ser-src
service-object tcp gt 2000
service-object tcp eq 1500
access-list NET6 extended permit object-group og-ser-src
object-group og-net-src object-group og-net-dst
nat (inside) 10 access-list NET6
global (outside) 10 192.168.100.100
|
object network obj-192.168.100.100
host 192.168.100.100
object service obj-tcp-range-2001-65535
service tcp destination range 2001 65535
object service obj-tcp-eq-1500
service tcp destination eq 1500
nat (inside,outside) source dynamic og-net-src
obj-192.168.100.100 destination
static og-net-dst og-net-dst
service obj-tcp-range-2001-65535
obj-tcp-range-2001-65535
nat (inside,outside) source dynamic og-net-src
obj-192.168.100.100 destination
static og-net-dst og-net-dst
service obj-tcp-eq-1500 obj-tcp-eq-1500
|
Policy Dynamic NAT (with multiple ACEs) (注意:object必须先于引用它的nat语句定义,表中排在最后的obj-192.168.3.0实际应先输入)
access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0
192.168.1.0 255.255.255.0
access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0
192.168.2.0 255.255.255.0
access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0
192.168.3.0 255.255.255.0
access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0
192.168.4.0 255.255.255.0
nat (inside) 1 access-list ACL_NAT
global (outside) 1 192.168.100.100
|
object network obj-172.29.0.0
subnet 172.29.0.0 255.255.0.0
object network obj-192.168.100.100
host 192.168.100.100
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.4.0
subnet 192.168.4.0 255.255.255.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100
destination static obj-192.168.1.0 obj-192.168.1.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100
destination static obj-192.168.2.0 obj-192.168.2.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100
destination static obj-192.168.3.0 obj-192.168.3.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100
destination static obj-192.168.4.0 obj-192.168.4.0
object network obj-192.168.3.0
subnet 192.168.3.0 255.255.255.0
|
Outside NAT (注意:obj-10.1.2.30-10.1.2.40必须先于引用它的nat语句定义)
global (inside) 1 10.1.2.30-10.1.2.40
nat (dmz) 1 10.1.1.0 255.255.255.0 outside
static (inside,dmz) 10.1.1.5 10.1.2.27 netmask 255.255.255.255
|
object network obj-10.1.2.27
host 10.1.2.27
nat (inside,dmz) static 10.1.1.5
object network obj-10.1.1.0
subnet 10.1.1.0 255.255.255.0
nat (dmz,inside) dynamic obj-10.1.2.30-10.1.2.40
object network obj-10.1.2.30-10.1.2.40
range 10.1.2.30 10.1.2.40
|
NAT & Interface PAT together
nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 interface
global (outside) 1 192.168.100.100-192.168.100.200
|
object network obj-192.168.100.100_192.168.100.200
range 192.168.100.100 192.168.100.200
object network obj-10.1.2.0
subnet 10.1.2.0 255.255.255.0
nat (inside,outside) dynamic
obj-192.168.100.100_192.168.100.200 interface
|