PIX 7.2: NAT, no nat-control and NONAT overview

NAT (Network Address Translation) rewrites internal addresses into external addresses; the mapping can be one-to-one, many-to-one or many-to-many. The PIX's default access rule allows a higher security level to reach a lower security level. For a lower-security-level zone to reach a higher-security-level zone, an access control list must explicitly permit the traffic.


Lab pre-configuration

Inside router configuration

interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 duplex auto
 speed auto
!

ip route 0.0.0.0 0.0.0.0 192.168.10.254

line vty 0 4
 no login
!

Outside router configuration

interface FastEthernet0/0
 ip address 218.18.100.1 255.255.255.0
 duplex auto
 speed auto
!

ip route 0.0.0.0 0.0.0.0 218.18.100.254

line vty 0 4
 no login
!

DMZ router configuration

interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 duplex auto
 speed auto
!

ip route 0.0.0.0 0.0.0.0 10.1.1.254

line vty 0 4
 no login
!

PIX configuration

interface Ethernet0
 nameif outside
 security-level 0
 ip address 218.18.100.254 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.10.254 255.255.255.0
!
interface Ethernet2
 nameif DMZ
 security-level 50
 ip address 10.1.1.254 255.255.255.0
!


no nat-control scenario

First, inside-to-outside access: with a single command on the PIX, no nat-control, a higher-security-level zone can reach a lower-security-level zone directly, without any NAT rule.

pixfirewall(config)# no nat-control

The inside zone can then telnet directly to the outside zone, and so can the DMZ:

R1_Inside#telnet 218.18.1.1
Trying 218.18.1.1 ... Open


User Access Verification

Password:
R3_Outeside>


R2_DMZ#telnet 218.18.1.1
Trying 218.18.1.1 ... Open


User Access Verification

Password:
R3_Outeside>

Scenario with nat-control enabled (dynamic PAT)

pixfirewall(config)# nat-control

nat-control
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0

Telnet still works, now through a PAT translation:

R1_Inside#telnet 218.18.1.1
Trying 218.18.1.1 ... Open


User Access Verification

Password:
R3_Outeside>

 

pixfirewall(config)# sho xlate
1 in use, 2 most used
PAT Global 218.18.1.254(1029) Local 192.168.10.1(33580)
pixfirewall(config)#

 

Identity translation scenario (NAT ID 0)

The address is not translated; the host reaches the outside using its original source IP.

pixfirewall(config)# nat (inside) 0 192.168.10.0 255.255.255.0
#nat 0 192.168.10.0 will be identity translated for outbound

R1_Inside#telnet 218.18.1.1
Trying 218.18.1.1 ... Open


User Access Verification

Password:
R3_Outeside>

 

pixfirewall(config)# sho xlate
1 in use, 2 most used
Global 192.168.10.1 Local 192.168.10.1
pixfirewall(config)#

 

NONAT (NAT exemption) under no nat-control: no xlate

pixfirewall(config)# no nat-control

pixfirewall(config)# access-list nonat permit ip 192.168.10.0 255.255.255.0 any

pixfirewall(config)# nat (inside) 0 access-list nonat

R1_Inside#telnet 218.18.1.1
Trying 218.18.1.1 ... Open


User Access Verification

Password:
R3_Outeside>

pixfirewall(config)# sho xlate
0 in use, 2 most used
pixfirewall(config)#

This is the only case that creates no xlate entry at all, whereas identity translation does create an xlate.

Both approaches can be used to let the outside zone reach the inside. With identity translation, outside-to-inside access is also possible, but the inside host must first initiate a connection to the outside, as shown below.

Identity translation

nat-control
nat (inside) 0 192.168.10.0 255.255.255.0

access-list OUT_ACL extended permit tcp host 218.18.1.1 host 192.168.10.1

access-group OUT_ACL in interface outside

While the PIX has no xlate entry, the outside cannot reach the inside:

pixfirewall(config)# sho xlate
0 in use, 2 most used
pixfirewall(config)#

 

R3_Outeside#telnet 192.168.10.1
Trying 192.168.10.1 ...
% Connection timed out; remote host not responding

Only once the inside has initiated a connection and an xlate exists can the outside reach the inside:

R1_Inside#telnet 218.18.1.1
Trying 218.18.1.1 ... Open


User Access Verification

Password:
R3_Outeside>

 

pixfirewall(config)# sho xlate
1 in use, 2 most used
Global 192.168.10.1 Local 192.168.10.1

 

R3_Outeside#telnet 192.168.10.1
Trying 192.168.10.1 ... Open

R1_Inside>

The drawback of this approach is that the inside must initiate a connection first.

With NONAT (NAT exemption) no prior inside-initiated connection is required.

NONAT (NAT exemption)

access-list nonat extended permit ip 192.168.10.0 255.255.255.0 any

nat-control
nat (inside) 0 access-list nonat

access-list OUT_ACL extended permit tcp host 218.18.1.1 host 192.168.10.1

access-group OUT_ACL in interface outside

 

The outside can reach the inside directly; no xlate is needed:

R3_Outeside#telnet 192.168.10.1
Trying 192.168.10.1 ... Open

R1_Inside>

pixfirewall(config)# sho xlate
0 in use, 2 most used
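To make the differences between the four scenarios easier to compare, here is an added Python model of the PIX 7.x decisions shown above; it is illustrative code written for this page, not Cisco's implementation. It assumes a simplified picture: ACLs are reduced to permitted (source, destination) host pairs, PAT port allocation and connection state are ignored, and an untranslated flow under no nat-control is assumed to leave no xlate entry (the page shows no xlate output for that case). The host and network values are the ones used in the lab above.

```python
"""Model of the PIX 7.x outbound/inbound NAT decisions described on this page.

Constructed example: reproduces no nat-control, dynamic PAT, identity NAT
('nat 0 <subnet>') and NAT exemption ('nat 0 access-list') together with the
xlate table each scenario produces. Ports and connection state are not modelled.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Xlate:
    global_ip: str
    local_ip: str
    pat: bool = False  # True for a PAT entry, False for a 1:1 / identity entry

    def show(self) -> str:
        # Same shape as the 'show xlate' lines on the page, without port numbers
        kind = "PAT Global" if self.pat else "Global"
        return f"{kind} {self.global_ip} Local {self.local_ip}"


def _in_any(ip: str, networks: List[str]) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(n) for n in networks)


@dataclass
class PixNat:
    nat_control: bool = True                                   # nat-control / no nat-control
    pat_global_ip: Optional[str] = None                        # global (outside) 1 interface
    pat_networks: List[str] = field(default_factory=list)      # nat (inside) 1 <net>
    identity_networks: List[str] = field(default_factory=list) # nat (inside) 0 <net>
    exempt_networks: List[str] = field(default_factory=list)   # nat (inside) 0 access-list nonat
    outside_acl: List[Tuple[str, str]] = field(default_factory=list)  # access-group OUT_ACL in interface outside
    xlates: List[Xlate] = field(default_factory=list)

    def show_xlate(self) -> List[str]:
        return [x.show() for x in self.xlates]

    def _find_xlate(self, global_ip: str) -> Optional[Xlate]:
        return next((x for x in self.xlates if x.global_ip == global_ip), None)

    def outbound(self, src: str, dst: str) -> Tuple[bool, str]:
        """Inside -> outside: the higher security level may initiate; only NAT policy can block it."""
        if _in_any(src, self.exempt_networks):
            return True, "nat 0 access-list: exempt, no xlate created"
        if _in_any(src, self.identity_networks):
            if self._find_xlate(src) is None:
                self.xlates.append(Xlate(src, src))          # Global == Local
            return True, "nat 0 <subnet>: identity xlate created"
        if self.pat_global_ip and _in_any(src, self.pat_networks):
            if not any(x.local_ip == src and x.pat for x in self.xlates):
                self.xlates.append(Xlate(self.pat_global_ip, src, pat=True))
            return True, f"dynamic PAT to {self.pat_global_ip}"
        if not self.nat_control:
            return True, "no nat-control: forwarded untranslated (assumed: no xlate)"
        return False, "nat-control: no translation rule matches, dropped"

    def inbound(self, src: str, dst: str) -> Tuple[bool, str]:
        """Outside -> inside: needs an ACL permit on the outside interface AND a usable translation."""
        if (src, dst) not in self.outside_acl:
            return False, "denied by outside ACL"
        if _in_any(dst, self.exempt_networks):
            return True, "nat 0 access-list: bidirectional, no xlate needed"
        if self._find_xlate(dst) is not None:
            return True, "matched existing xlate"
        if not self.nat_control:
            return True, "no nat-control: forwarded untranslated"
        return False, "no xlate for destination, dropped"


if __name__ == "__main__":
    acl = [("218.18.1.1", "192.168.10.1")]
    identity = PixNat(identity_networks=["192.168.10.0/24"], outside_acl=acl)
    print("identity, inbound first :", identity.inbound("218.18.1.1", "192.168.10.1"))
    print("identity, outbound      :", identity.outbound("192.168.10.1", "218.18.1.1"))
    print("identity, inbound again :", identity.inbound("218.18.1.1", "192.168.10.1"))
    print("xlate table             :", identity.show_xlate())
    exempt = PixNat(exempt_networks=["192.168.10.0/24"], outside_acl=acl)
    print("exempt, inbound first   :", exempt.inbound("218.18.1.1", "192.168.10.1"))
    print("xlate table             :", exempt.show_xlate())
```

Running the module prints the identity-NAT case failing inbound until an outbound flow has created the xlate, and the exemption case succeeding immediately with an empty xlate table, which is exactly the contrast the two telnet sessions above demonstrate. The outside ACL is checked before any translation lookup in both cases, so exemption never bypasses the access-group.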

Posted on 2012-05-20 13:49 by 侯志清