Cisco ASA 5520 8.4 (1) -- Static NAT-PAT

Published: 2020-07-24 14:37:07 Source: Internet Views: 3141 Author: li_xiqing Category: Security Technology

Cisco ASA 5520 8.4 NAT translation configuration


1) Define the NAT translation rule

! Define the network object name
object network 192.168.3.233_18096

! Define the internal IP
host 192.168.3.233

! Translation rule: map internal host 192.168.3.233 to external address xxx.17.xxx.36.
nat (dmz,outside) static xxx.17.xxx.36 service tcp 18096 18096

2) Define the access list

Method 1

! Note: the destination address is the NAT object defined above.
access-list outside_access_in_1 extended permit tcp any object 192.168.3.233_18096 eq 18096

Method 2

a. Define a service object

object service tcp_18096_acl

! Any source port, destination port 18096
service tcp source range 1 65535 destination eq 18096

b. Access list entry using the service object

access-list outside_access_in_1 extended permit object tcp_18096_acl any object 192.168.3.233_18096

3) Apply the access list

access-group outside_access_in_1 in interface outside
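
A check for the rule set built in the steps above, as an added example (not from the original article or from Cisco): it reads a running-config excerpt and reports inbound permits to a static PAT object that are wider than the published port. It handles only the "Method 1" ACL form with source any; the sample config, including the mapped address 203.0.113.36, is constructed.

```python
import re
# Constructed sample in "show running-config" layout; 203.0.113.36 is a placeholder mapped IP.
SAMPLE = """\
object network 192.168.3.233_18096
 host 192.168.3.233
 nat (dmz,outside) static 203.0.113.36 service tcp 18096 18096
access-list outside_access_in_1 extended permit tcp any object 192.168.3.233_18096 eq 18096
access-list outside_access_in_1 extended permit tcp any object 192.168.3.233_18096 eq 22
access-list outside_access_in_1 extended permit ip any object 192.168.3.233_18096
access-group outside_access_in_1 in interface outside
"""

NAT_RE = re.compile(r"^\s*nat \((\S+?),(\S+?)\) static (\S+) service (tcp|udp) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit (\S+) any object (\S+)(?: eq (\S+))?")
GRP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def parse_pat_objects(config):
    """Map object name -> (mapped_ifc, proto, real_port) for static PAT objects."""
    pats, current = {}, None
    for line in config.splitlines():
        if line.startswith("object network "):
            current = line.split()[2]
        elif current and (m := NAT_RE.match(line)):
            pats[current] = (m.group(2), m.group(4), m.group(5))
        elif not line.startswith(" "):
            current = None  # left the object's sub-command block
    return pats

def audit(config):
    """Return (acl, object, reason) for permits wider than the published PAT port."""
    pats = parse_pat_objects(config)
    bound = {m.group(1): m.group(2) for ln in config.splitlines() if (m := GRP_RE.match(ln))}
    findings = []
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if not m or m.group(3) not in pats:
            continue
        acl, proto, obj, port = m.groups()
        ifc, nat_proto, real_port = pats[obj]
        if bound.get(acl) != ifc:
            continue  # ACL is not applied inbound on the NAT's mapped interface
        if proto != nat_proto:
            findings.append((acl, obj, f"protocol {proto} is wider than published {nat_proto}"))
        elif port != real_port:
            findings.append((acl, obj, f"port {port or 'any'} does not match real port {real_port}"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```
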


-----------------------------------------------------------

Below is the official configuration example for version 8.4:

Configuration Examples for Permitting or Denying Network Access

This section includes typical configuration examples for permitting or denying network access.

The following example adds a network object for inside server 1, performs static NAT for the server, and enables access from the outside for inside server 1.

hostname(config)# object network inside-server1

hostname(config)# host 10.1.1.1

hostname(config)# nat (inside,outside) static 209.165.201.12

hostname(config)# access-list outside_access extended permit tcp any object inside-server1 eq www

hostname(config)# access-group outside_access in interface outside

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_rules.html
