
Cisco ASA 8.2 vs 8.4 NAT differences

1. NAT (nat-control: 8.2 has this command; when it is enabled, traffic with no matching NAT rule is not passed)

1. 8.2 (PAT translation)

global (outside) 10 201.100.1.100
nat (inside) 10 10.1.1.0 255.255.255.0

ASA/pri/act(config)# show xlate
1 in use, 1 most used
PAT Global 201.100.1.100(1024) Local 10.1.1.1(11298)

8.4

object network nat
 subnet 10.1.1.0 255.255.255.0
object network nat
 nat (inside,outside) dynamic 201.100.1.100

ASA8-4# show xlate
1 in use, 2 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:10.1.1.1/53851 to outside:201.100.1.100/5810 flags ri idle 0:00:04 timeout 0:00:30

2. 8.2 (dynamic one-to-one translation)

nat (inside) 10 10.1.1.0 255.255.255.0
global (outside) 10 201.100.1.110-201.100.1.120 netmask 255.255.255.0

ASA/pri/act# show xlate detail
2 in use, 2 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static
NAT from inside:10.1.1.1 to outside:201.100.1.110 flags i
NAT from inside:10.1.1.2 to outside:201.100.1.111 flags i

8.4

object network nat
 subnet 10.1.1.0 255.255.255.0
object network outside-nat
 range 201.100.1.110 201.100.1.120
object network nat
 nat (inside,outside) dynamic outside-nat

ASA8-4# show xlate
1 in use, 2 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:10.1.1.1 to outside:201.100.1.115 flags i idle 0:01:13 timeout 3:00:00

3. 8.2 (translation to the interface address)

nat (inside) 10 10.1.1.0 255.255.255.0
global (outside) 10 interface

ASA/pri/act# show xlate detail
1 in use, 2 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static
TCP PAT from inside:10.1.1.1/61971 to outside:201.100.1.10/1024 flags ri

8.4

object network nat
 subnet 10.1.1.0 255.255.255.0
object network nat
 nat (inside,outside) dynamic interface

ASA8-4(config)# show xlate
1 in use, 2 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:10.1.1.1/35322 to outside:201.100.1.10/52970 flags ri idle 0:00:03 timeout 0:00:30

4. 8.2 (different inside addresses translated to different outside addresses)

nat (inside) 9 1.1.1.0 255.255.255.0
nat (inside) 10 10.1.1.0 255.255.255.0
// Ordering rule: the more specific entry is listed first; when the specificity is equal, the entry with the lower IP address comes first. The rules are also applied in this order.

global (outside) 10 interface
global (outside) 9 201.100.1.111

ASA/pri/act# show xlate detail
2 in use, 2 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static
TCP PAT from inside:1.1.1.1/51343 to outside:201.100.1.111/1026 flags ri
TCP PAT from inside:10.1.1.1/13938 to outside:201.100.1.10/1028 flags ri

8.4

ASA8-4# show running-config object
object network inside1
 subnet 10.1.1.0 255.255.255.0
object network inside2
 subnet 1.1.1.0 255.255.255.0
object network ouside-inside2
 host 201.100.1.110

ASA8-4# show running-config nat
!
object network inside1
 nat (inside,outside) dynamic interface
object network inside2
 nat (inside,outside) dynamic ouside-inside2

ASA8-4# show xlate
2 in use, 2 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:1.1.1.1/59611 to outside:201.100.1.110/34338 flags ri idle 0:00:08 timeout 0:00:30
TCP PAT from inside:10.1.1.1/22181 to outside:201.100.1.10/53371 flags ri idle 0:00:19 timeout 0:00:30

5. 8.2 (one-to-one translation first; PAT is used only when all pool addresses are exhausted)

ASA/pri/act# show running-config nat
nat (inside) 10 10.1.1.0 255.255.255.0
ASA/pri/act# show running-config global
global (outside) 10 201.100.1.110-201.100.1.112
global (outside) 10 201.100.1.116

ASA/pri/act# show xlate detail
4 in use, 5 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static
NAT from inside:10.1.1.1 to outside:201.100.1.110 flags i
NAT from inside:10.1.1.3 to outside:201.100.1.112 flags i
TCP PAT from inside:10.1.1.6/19799 to outside:201.100.1.116/1025 flags ri
NAT from inside:10.1.1.2 to outside:201.100.1.111 flags i

8.4

object network outside
 range 201.100.1.110 201.100.1.112
object network inside
 subnet 10.1.1.0 255.255.255.0
object network inside
 nat (inside,outside) dynamic outside interface

ASA8-4# show xlate
4 in use, 4 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:10.1.1.4/49994 to outside:201.100.1.10/52626 flags ri idle 0:00:04 timeout 0:00:30
NAT from inside:10.1.1.1 to outside:201.100.1.111 flags i idle 0:01:31 timeout 3:00:00
NAT from inside:10.1.1.3 to outside:201.100.1.110 flags i idle 0:00:16 timeout 3:00:00
NAT from inside:10.1.1.2 to outside:201.100.1.112 flags i idle 0:00:33 timeout 3:00:00

6. 8.2 (policy NAT: traffic from inside to different ports on the outside host is translated to different outside IP addresses) (policy NAT always takes precedence over regular NAT)

access-list pat1 extended permit tcp host 10.1.1.1 host 201.100.1.1 eq telnet
access-list pat2 extended permit tcp host 10.1.1.1 host 201.100.1.1 eq www
nat (inside) 10 access-list pat1
nat (inside) 20 access-list pat2
global (outside) 10 201.100.1.100
global (outside) 20 201.100.1.200

ASA/pri/act# show xlate detail
2 in use, 5 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static
TCP PAT from inside:10.1.1.1/30449 to outside(pat2):201.100.1.200/1024 flags ri
TCP PAT from inside:10.1.1.1/43167 to outside(pat1):201.100.1.100/1024 flags ri

8.4

(2) The new form in 8.4 is twice NAT. It is a two-step NAT that generally adds destination-based elements, whereas the network object NAT above is based on the source only. In most cases object NAT is enough to solve the problem; twice NAT is used only in special situations.
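As an added illustration of the 8.2 behaviour described in items 1, 4 and 5 above (nat-control dropping unmatched traffic, nat rules ordered by specificity and then by address, a single-address or interface global used for PAT, an address range used for one-to-one NAT, and PAT only once the pool is exhausted), the following Python model was written for this page. It is not Cisco code and simplifies real ASA behaviour: PAT ports are handed out sequentially from 1024, only regular dynamic NAT is modelled, and the outside interface address 201.100.1.10 is taken from the page's `show xlate` output.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed outside interface address, taken from the page's xlate output.
OUTSIDE_IF_IP = "201.100.1.10"


@dataclass
class NatRule:
    """One `nat (inside) <id> <network> <mask>` line."""
    nat_id: int
    network: ipaddress.IPv4Network


@dataclass
class GlobalPool:
    """All `global (outside) <id> ...` lines that share one id."""
    nat_id: int
    addresses: List[str] = field(default_factory=list)   # a range -> one-to-one dynamic NAT
    pat_address: Optional[str] = None                    # single address / interface -> PAT


def order_rules(rules: List[NatRule]) -> List[NatRule]:
    """Ordering stated on the page: longer mask first, then the lower network address."""
    return sorted(rules, key=lambda r: (-r.network.prefixlen, int(r.network.network_address)))


class Asa82Nat:
    """Toy model of 8.2 regular dynamic NAT/PAT selection (not ASA code)."""

    def __init__(self, nat_control: bool = True):
        self.nat_control = nat_control
        self.rules: List[NatRule] = []
        self.pools: Dict[int, GlobalPool] = {}
        self.one_to_one: Dict[str, str] = {}     # real_ip -> mapped_ip for NAT xlates
        self.next_port: Dict[str, int] = {}      # PAT address -> next port to hand out

    def nat(self, nat_id: int, network: str, mask: str) -> None:
        self.rules.append(NatRule(nat_id, ipaddress.IPv4Network(f"{network}/{mask}")))
        self.rules = order_rules(self.rules)

    def global_(self, nat_id: int, spec: str) -> None:   # `global` is a Python keyword
        pool = self.pools.setdefault(nat_id, GlobalPool(nat_id))
        if spec == "interface":
            pool.pat_address = OUTSIDE_IF_IP
        elif "-" in spec:
            first, last = (int(ipaddress.IPv4Address(a)) for a in spec.split("-"))
            pool.addresses.extend(str(ipaddress.IPv4Address(a)) for a in range(first, last + 1))
        else:
            pool.pat_address = spec

    def translate(self, real_ip: str, real_port: int) -> Optional[Tuple[str, str, int]]:
        """Return (kind, mapped_ip, mapped_port), or None when the packet would be dropped."""
        rule = next((r for r in self.rules if ipaddress.IPv4Address(real_ip) in r.network), None)
        if rule is None:
            # nat-control: traffic with no matching nat rule does not pass.
            return None if self.nat_control else ("NONE", real_ip, real_port)
        pool = self.pools.get(rule.nat_id)
        if pool is None:
            return None
        if real_ip in self.one_to_one:                 # an existing NAT xlate is reused
            return ("NAT", self.one_to_one[real_ip], real_port)
        in_use = set(self.one_to_one.values())
        for addr in pool.addresses:                    # one-to-one first ...
            if addr not in in_use:
                self.one_to_one[real_ip] = addr
                return ("NAT", addr, real_port)
        if pool.pat_address is None:                   # pool exhausted and no PAT address
            return None
        port = self.next_port.get(pool.pat_address, 1024)   # ... PAT only once the pool is empty
        self.next_port[pool.pat_address] = port + 1
        return ("PAT", pool.pat_address, port)


def demo_section4():
    """Item 4: two /24 rules; the lower network sorts first, each gets its own PAT address."""
    asa = Asa82Nat()
    asa.nat(9, "1.1.1.0", "255.255.255.0")
    asa.nat(10, "10.1.1.0", "255.255.255.0")
    asa.global_(10, "interface")
    asa.global_(9, "201.100.1.111")
    return asa.translate("1.1.1.1", 51343), asa.translate("10.1.1.1", 13938)


def demo_section5():
    """Item 5: three-address pool, then PAT to 201.100.1.116 for the fourth host."""
    asa = Asa82Nat()
    asa.nat(10, "10.1.1.0", "255.255.255.0")
    asa.global_(10, "201.100.1.110-201.100.1.112")
    asa.global_(10, "201.100.1.116")
    return [asa.translate(f"10.1.1.{h}", 20000 + h) for h in (1, 2, 3, 6)]


if __name__ == "__main__":
    print(demo_section4())
    print(demo_section5())
```

The model makes the two page claims checkable: with one range and one single address under the same id, hosts are given pool addresses one-to-one until the pool is empty and only then share the single address via PAT, and a host outside every nat rule is dropped when nat-control is on.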
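Added example, not from the original page: a parser for the `show xlate` lines in both the 8.2 format (`PAT Global ... Local ...` and `show xlate detail`) and the 8.4 format shown throughout this page, plus a reverse lookup from a mapped outside address and port back to the inside host. That lookup is what an analyst needs when an external log shows only the firewall's public address. The sample strings are constructed from entries copied off this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: lines copied from the 8.2 and 8.4 `show xlate` output on this page.
SAMPLE_82_LEGACY = "PAT Global 201.100.1.100(1024) Local 10.1.1.1(11298)"
SAMPLE_82_DETAIL = """\
2 in use, 5 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static
TCP PAT from inside:10.1.1.1/30449 to outside(pat2):201.100.1.200/1024 flags ri
NAT from inside:10.1.1.2 to outside:201.100.1.111 flags i
"""
SAMPLE_84 = """\
2 in use, 2 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:1.1.1.1/59611 to outside:201.100.1.110/34338 flags ri idle 0:00:08 timeout 0:00:30
NAT from inside:10.1.1.1 to outside:201.100.1.115 flags i idle 0:01:13 timeout 3:00:00
"""


@dataclass
class Xlate:
    kind: str                      # "NAT" (one-to-one) or "PAT" (port translation)
    proto: Optional[str]           # "TCP"/"UDP"/... for PAT entries, None otherwise
    real_ip: str
    real_port: Optional[int]
    mapped_ip: str
    mapped_port: Optional[int]
    flags: str                     # e.g. "ri" = dynamic + portmap
    policy: Optional[str] = None   # 8.2 policy-NAT ACL name, shown as outside(<acl>)


# 8.2 `show xlate detail` and 8.4 `show xlate` share this shape; 8.4 appends idle/timeout.
ENTRY_RE = re.compile(
    r"^(?:(?P<proto>[A-Z]+) )?(?P<kind>NAT|PAT) from (?P<rif>\w+):(?P<rip>[\d.]+)(?:/(?P<rport>\d+))?"
    r" to (?P<mif>\w+)(?:\((?P<policy>[^)]+)\))?:(?P<mip>[\d.]+)(?:/(?P<mport>\d+))?"
    r" flags (?P<flags>\S+)"
)
# Plain 8.2 `show xlate` uses the older "Global ... Local ..." form.
LEGACY_RE = re.compile(
    r"^(?:PAT )?Global (?P<mip>[\d.]+)(?:\((?P<mport>\d+)\))?"
    r" Local (?P<rip>[\d.]+)(?:\((?P<rport>\d+)\))?"
)


def _port(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None


def parse_xlate(text: str) -> List[Xlate]:
    """Parse xlate entries from either format; the count and Flags header lines are skipped."""
    entries: List[Xlate] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Xlate(m["kind"], m["proto"], m["rip"], _port(m["rport"]),
                                 m["mip"], _port(m["mport"]), m["flags"], m["policy"]))
            continue
        m = LEGACY_RE.match(line)
        if m:
            entries.append(Xlate("PAT" if m["mport"] else "NAT", None, m["rip"],
                                 _port(m["rport"]), m["mip"], _port(m["mport"]), ""))
    return entries


def find_real_hosts(entries: List[Xlate], mapped_ip: str,
                    mapped_port: Optional[int] = None) -> List[str]:
    """Map an outside address (and, for PAT entries, port) back to the inside host(s)."""
    hits = []
    for e in entries:
        if e.mapped_ip != mapped_ip:
            continue
        if e.kind == "PAT" and mapped_port is not None and e.mapped_port != mapped_port:
            continue
        hits.append(e.real_ip)
    return hits


if __name__ == "__main__":
    table = parse_xlate(SAMPLE_82_DETAIL) + parse_xlate(SAMPLE_84) + parse_xlate(SAMPLE_82_LEGACY)
    for e in table:
        print(e)
    print(find_real_hosts(table, "201.100.1.110", 34338))
```

For a one-to-one NAT entry the port is not part of the translation, so a lookup by address alone is enough; for PAT the mapped port is what distinguishes the inside hosts sharing one outside address, which is why the xlate table (or its syslog equivalent) has to be retained for the lifetime of the investigation window.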
