Network Object NAT配置介绍1.Dynamic NAT（动态NAT，动态一对一）实例一:传统配置方法：nat (Inside) 1 10.1.1.0 255.255.255.0global (Outside) 1 202.100.1.100-202.100.1.200新配置方法（Network Object NAT）object network Outside-Nat-Poolrange 202.100.1.100 202.100.1.200object network Inside-Networksubnet 10.1.1.0 255.255.255.0object network Inside-Networknat (Inside,Outside) dynamic Outside-Nat-Pool实例二:object network Outside-Nat-Poolrange 202.100.1.100 202.100.1.200object network Outside-PAT-Addresshost 202.100.1.201object-group network Outside-Addressnetwork-object object Outside-Nat-Poolnetwork-object object Outside-PAT-Addressobject network Inside-Network（先100-200动态一对一，然后202.100.1.201动态PAT,最后使用接口地址动态PAT）nat (Inside,Outside) dynamic Outside-Address interface教主认为这种配置方式的好处是，新的NAT命令绑定了源接口和目的接口，所以不会出现传统配置影响DMZ的问题（当时需要nat0 + acl来旁路）2.Dynamic PAT (Hide)（动态PAT，动态多对一）传统配置方式：nat (Inside) 1 10.1.1.0 255.255.255.0global(outside) 1 202.100.1.101新配置方法（Network Object NAT）object network Inside-Networksubnet 10.1.1.0 255.255.255.0object network Outside-PAT-Addresshost 202.100.1.101object network Inside-Networknat (Inside,Outside) dynamic Outside-PAT-Addressornat (Inside,Outside) dynamic 202.100.1.1023.Static NAT or Static NAT with Port Translation（静态一对一转换，静态端口转换）实例一：（静态一对一转换）传统配置方式：static (Inside,outside) 202.100.1.101 10.1.1.1新配置方法（Network Object NAT）object network Static-Outside-Addresshost 202.100.1.101object network Static-Inside-Addresshost 10.1.1.1object network Static-Inside-Addressnat (Inside,Outside) static Static-Outside-Addressornat (Inside,Outside) static 202.100.1.102 <dns>实例二：（静态端口转换）传统配置方式：static (inside,outside) tcp 202.100.1.102 2323 10.1.1.1 23新配置方法（Network Object NAT）object network Static-Outside-Addresshost 202.100.1.101object network Static-Inside-Addresshost 10.1.1.1object network Static-Inside-Addressnat (Inside,Outside) static Static-Outside-Address service tcp telnet 2323 ornat (Inside,Outside) static 202.100.1.101 service tcp telnet 23234.Identity NAT传统配置方式：nat (inside) 0 10.1.1.1 255.255.255.255新配置方法（Network Object NAT）object network Inside-Addresshost 10.1.1.1object network Inside-Addressnat (Inside,Outside) static Inside-Addressornat (Inside,Outside) static 10.1.1.1Twice NAT（类似于Policy NAT）实例一：传统配置:access-list inside-to-1 permit ip 10.1.1.0 255.255.255.0 host 1.1.1.1access-list inside-to-202 permit ip 10.1.1.0 255.255.255.0 host 202.100.1.1nat (inside) 1 access-list inside-to-1nat (inside) 2 access-list inside-to-202global(outside) 1 202.100.1.101global(outside) 1 202.100.1.102新配置方法（Twice NAT）:object network dst-1host 1.1.1.1object network dst-202host 202.100.1.1object network pat-1host 202.100.1.101object network pat-2host 202.100.1.102object network Inside-Networksubnet 10.1.1.0 255.255.255.0nat (Inside,Outside) source dynamic Inside-Network pat-1 destination static dst-1 dst-1nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202 实例二：传统配置:access-list inside-to-1 permit ip 10.1.1.0 255.255.255.0 host 1.1.1.1access-list inside-to-202 permit ip 10.1.1.0 255.255.255.0 host 202.100.1.1nat (inside) 1 access-list inside-to-1nat (inside) 2 access-list inside-to-202global(outside) 1 202.100.1.101global(outside) 1 202.100.1.102static (outside,inside) 10.1.1.101 1.1.1.1static (outside,inside) 10.1.1.102 202.100.1.1新配置方法（Twice NAT）:object network dst-1host 1.1.1.1object network dst-202host 202.100.1.1object network pat-1host 202.100.1.101object network pat-2host 202.100.1.102object network Inside-Networksubnet 10.1.1.0 255.255.255.0object network map-dst-1host 10.1.1.101object network map-dst-202host 10.1.1.102nat (Inside,Outside) source dynamic Inside-Network pat-1 destination static map-dst-1 dst-1nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static map-dst-202 dst-202 实例三：传统配置:access-list inside-to-1 permit tcp 10.1.1.0 255.255.255.0 host 1.1.1.1 eq 23access-list inside-to-202 permit tcp 10.1.1.0 255.255.255.0 host 202.100.1.1 eq 3032nat (inside) 1 access-list inside-to-1nat (inside) 2 access-list inside-to-202global(outside) 1 202.100.1.101global(outside) 1 202.100.1.102新配置方法（Twice NAT）:object network dst-1host 1.1.1.1object network dst-202host 202.100.1.1object network pat-1host 202.100.1.101object network pat-2host 202.100.1.102object network Inside-Networksubnet 10.1.1.0 255.255.255.0object service telnet23service tcp destination eq telnetobject service telnet3032service tcp destination eq 3032nat (Inside,Outside) source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202 service telnet3032 telnet3032Main Differences Between Network Object NAT and Twice NAT（Network Object NAT和Twice NAT的主要区别）How you define the real address.（从如何定义真实地址的角度来比较）– Network object NAT—You define NAT as a parameter for a network object; the network object definition itself provides the real address. This method lets you easily add NAT to network objects. The objects can also be used in other parts of your configuration, for example, for access rules or even in twice NAT rules.<NAT是network object的一个参数，network object定义自己为真实地址。