一：基本网络top搭建配置动态nat，实现网段10.0.0.0进行地址转换后访问172.16.1.1注意：Host1和Host2都要设置网管，其中Host2设置网管是为了后续的测试。

1：r1路由器端口ip的配置R1#configure terminalR1(config)#interface loop0R1(config-if)#ip address 10.1.1.1 255.255.255.0R1(config-if)#no shutdownR1(config-if)#exitR1(config)#int loop1R1(config-if)#ip address 10.2.2.2 255.255.255.0R1(config-if)#no shutdownR1(config-if)#exitR1(config)#interface fastEthernet 0/0R1(config-if)#ip address 10.3.3.1 255.255.255.0R1(config-if)#no shutdownR1(config-if)#exit2：配置asa各个端口ciscoasa> enablePassword:ciscoasa# configure terminalciscoasa(config)# interface ethernet 0/0ciscoasa(config-if)# ip address 10.3.3.2 255.255.255.0ciscoasa(config-if)# no shutdownciscoasa(config-if)# nameif insideciscoasa(config-if)# security-level 100ciscoasa(config-if)# exitciscoasa(config)# interface ethernet 0/1ciscoasa(config-if)# ip address 172.16.1.2 255.255.255.0ciscoasa(config-if)# no shutdownciscoasa(config-if)# nameif outsideciscoasa(config-if)# security-level 0ciscoasa(config-if)# exitciscoasa(config)# interface ethernet 0/2ciscoasa(config-if)# ip address 192.168.100.2 255.255.255.0 ciscoasa(config-if)# no shutdownciscoasa(config-if)# nameif dmzciscoasa(config-if)# security-level 50ciscoasa(config-if)# exitciscoasa(config)#3：配置各个主机的ip地址在R1上的loop0和loop1模拟两台主机PC1和PC2，使用两个虚拟机PC3做dmz区域的主机，PC4做internet中的主机在PC3上部署web服务4：配置r1的路由R1(config)#ip route 0.0.0.0 0.0.0.0 10.3.3.25：配置asa的路由ciscoasa(config)# route inside 0 0 10.3.3.16：允许ping报文ciscoasa(config)# access-list 110 permit icmp any anyciscoasa(config)# access-group 110 in int outsideciscoasa(config)# access-group 110 in int dmz一：在asa上配置动态nat，对10.1.1.0网段的地址进行转换ciscoasa(config)# nat (inside) 1 10.1.1.0 255.255.255.0ciscoasa(config)# global (outside) 1 172.16.1.100-172.16.1.200再用1访问4（能ping通，被nat转换了源ip地址）ciscoasa(config)# show xlate detail发现有地址映射条目将1的ip改为10.1.1.10，再访问ciscoasa(config)# show xlate detail发现多出一项地址映射条目如果要求配置动态NAT实现网段10.1.1.0/24访问DMZ区的主机PC3时也进行地址转换，NA T地址池为192.168.100.100－192.168.100.200 ，则配置方法如下：ASA(config)#access-list in-dmz extended permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0ASA(config)# nat (inside) 2 access-list in-dmzASA(config)# global (dmz) 2 192.168.100.100-192.168.100.200####开始####动态NAT#########以下是新版本ASA（8.4及以后）防火墙的配置############################ciscoasa(config)# object network outside-poolciscoasa(config-network-object)# range 172.16.1.100 172.16.1.200ciscoasa(config-network-object)# exitciscoasa(config)# object network inside1ciscoasa(config-network-object)# subnet 10.0.0.0 255.0.0.0ciscoasa(config-network-object)# nat (inside,outside) dynamic outside-poolciscoasa(config-network-object)#如果要求配置动态NAT实现网段10.1.1.0/24访问DMZ区的主机PC3时也进行地址转换，NA T地址池为192.168.100.100－192.168.100.200 ，则配置方法如下：ciscoasa(config)# object network dmz-poolciscoasa(config-network-object)# range 192.168.100.100 192.168.100.200ciscoasa(config-network-object)# exitciscoasa(config)# object network inside2ciscoasa(config-network-object)# subnet 10.0.0.0 255.0.0.0ciscoasa(config-network-object)# nat (inside,dmz) dynamic dmz-poolciscoasa(config-network-object)# exit######结束#################################################################################二：动态PAT1：先把第一个实验中的相关语句删除掉，并清空nat缓存ciscoasa(config)# no nat (inside) 1 10.1.1.0 255.255.255.0ciscoasa(config)#no global (outside) 1 172.16.1.100-172.16.1.200ciscoasa(config)# clear xlate detail2：配置动态patciscoasa(config)# nat (inside) 1 10.1.1.0 255.255.255.0ciscoasa(config)# global (outside) 1 172.16.1.200用a去访问dciscoasa(config)# show xlate detail修改1的ip后再访问一次ciscoasa(config)# show xlate detail对比得到的结果和上一实验的区别####开始###动态PAT##########以下是新版本ASA（8.4及以后）防火墙的配置############################ciscoasa(config)# object network outside-patciscoasa(config-network-object)# host 172.16.1.100ciscoasa(config-network-object)# exitciscoasa(config)# object network inside1ciscoasa(config-network-object)# subnet 10.0.0.0 255.0.0.0ciscoasa(config-network-object)# nat (inside,outside) dynamic outside-patciscoasa(config-network-object)# exitciscoasa(config)#######结束#################################################################################三：静态nat1：先把上一个实验的相关语句删掉ciscoasa(config)# no global (outside) 1 172.16.1.100ciscoasa(config)# no nat (inside) 1 10.1.1.0 255.255.255.02：配置静态natciscoasa(config)# static (dmz,outside) 172.16.1.201 192.168.100.1ciscoasa(config)# access-list out-to-dmz permit ip any host 172.16.1.201ciscoasa(config)# access-group out-to-dmz in int outside3：用d访问c（访问映射过后的地址172.16.1.201）用Host2访问DMZ区域的web服务，要方位映射的地址172.16.1.201ciscoasa(config)# show xlate detail再用4访问3的原地址192.168.100.1，发现不通####开始###静态NAT##########以下是新版本ASA（8.4及以后）防火墙的配置############################ciscoasa(config)# object network dmz1ciscoasa(config-network-object)# host 192.168.100.1ciscoasa(config-network-object)# nat (dmz,outside) static 172.16.1.100ciscoasa(config-network-object)# exitciscoasa(config)# access-list 100 permit ip any host 192.168.100.1######结束#################################################################################重要注意：老版本要让acl允许外网访问nat出去的外网公有ip地址ciscoasa(config)# access-list out-to-dmz permit ip any host 172.16.1.201新版本要让acl允许外网访问nat前的内网私有ip地址ciscoasa(config)# access-list 100 permit ip any host 192.168.100.1四：静态pat1：为dmz区域的主机安装iis服务，搭建web网站2：删除上个实验的相关语句ciscoasa(config)# no access-group out-to-dmz in int outsideciscoasa(config)# no static (dmz,outside) 172.16.1.201 192.168.100.1ciscoasa(config)# no access-list out-to-dmz permit ip any host 172.16.1.2013：配置静态patciscoasa(config)# static (dmz,outside) tcp 172.16.1.201 http 192.168.100.1 httpciscoasa(config)# static (dmz,outside) tcp 172.16.1.201 smtp 192.168.100.2 smtpciscoasa(config)# access-list out-to-dmz permit ip any host 172.16.1.201ciscoasa(config)# access-group out-to-dmz in int outside4：用4访问3的网站http://172.16.1.201####开始###静态PAT##########以下是新版本ASA（8.4及以后）防火墙的配置############################ciscoasa(config)# object network dmz1ciscoasa(config-network-object)# host 192.168.100.1ciscoasa(config-network-object)# nat (dmz,outside) static 172.16.1.200 service tcp 80 8080ciscoasa(config-network-object)# exitciscoasa(config)#######结束#################################################################################五：nat控制（清空前面的nat）注意前面的配置中在outside接口的in方向上我们应用过其他的acl，因此方形icmp的acl就失效了，一定要检查一下，把原来的110号acl应用到outside的in方向，否则ping的测试会ping不通1：用1和2访问4，都可以访问R1#ping 172.16.1.1 source 10.1.1.1R1#ping 172.16.1.1 source 10.2.2.22：启用nat控制ciscoasa(config)# nat-control测试发现都不通了配置acl规则ciscoasa(config)# nat (inside) 1 10.1.1.0 255.255.255.0ciscoasa(config)# global (outside) 1 172.16.1.100-172.16.1.200用1访问4，可以访问用2访问4，无法访问3：为10.2.2.0网段配置nat豁免ciscoasa(config)# access-list nonat extended permit ip 10.2.2.0 255.255.255.0 172.16.1.0 255.255.255.0ciscoasa(config)# nat (inside) 0 access-list nonat再次用2访问4的共享，发现可以访问如果希望4访问2ciscoasa (config)# access-list out_to_in permit ip 172.16.1.0 255.255.255.0 10.2.2.0 255.255.255.0ciscoasa (config)# access-group out_to_in in int outside####开始###NAT控制##########以下是新版本ASA（8.4及以后）防火墙的配置############################开启nat控制（针对inside到outside）ciscoasa(config)# object network out-0.0.0.0ciscoasa(config-network-object)# host 0.0.0.0ciscoasa(config-network-object)# exitciscoasa(config)# object network inside-0.0.0.0ciscoasa(config-network-object)# subnet 0.0.0.0 0.0.0.0ciscoasa(config-network-object)# nat (inside,outside) dynamic out-0.0.0.0ciscoasa(config-network-object)# exitciscoasa(config)#nat豁免（针对inside到outside）ciscoasa(config)# object network outside-patciscoasa(config-network-object)# host 172.16.1.100ciscoasa(config-network-object)# exitciscoasa(config)# object network inside1ciscoasa(config-network-object)# subnet 10.0.0.0 255.0.0.0ciscoasa(config-network-object)# nat (inside,outside) dynamic outside-patciscoasa(config-network-object)# exit######结束#################################################################################。