ASA Version 8.4(2)、NAT與HOST

對(duì)于switch0、switch2，如果是三層交換機(jī)，則需要寫路由，如果為二層交換機(jī)，則需要寫網(wǎng)關(guān)。

靜態(tài)NAT地址轉(zhuǎn)換

 object network waiwang

 host 192.168.1.2

 nat (inside,outside) static 10.99.121.141 理解為：從inside到outside方向，192.168.1.2這個(gè)     源地址轉(zhuǎn)換為10.99.121.141這個(gè)地址

靜態(tài)NAT地址轉(zhuǎn)換特點(diǎn)：

 1.數(shù)據(jù)包從outside進(jìn)入inside,也就是從低優(yōu)先級(jí)到高優(yōu)先級(jí)的訪問(wèn)，在訪問(wèn)控制列表里要放過(guò)

  2. host要真是存在

  3.首先要考慮會(huì)話的發(fā)起者，并確定是單向訪問(wèn)，還是雙向訪問(wèn)。

Static (inside,outside) 10.99.216.202 192.168.0.2

Object network yelian

Host 10.99.216.205

Nat (outside,inside) static 192.168.1.2

1.數(shù)據(jù)包從inside進(jìn)入outside,也就是從高優(yōu)先級(jí)到低優(yōu)先級(jí)的訪問(wèn)，然后從outside到inside返回，理論上在防火墻上有session,數(shù)據(jù)包從outside到inside能正常返回。但測(cè)試的時(shí)候，不能ping通192.168.1.2，FTP訪問(wèn)正常。防火墻有一個(gè)inspect機(jī)制，配置命令: inspcet icmp?；蛘咴?/span>outside端的in方向的訪問(wèn)控制列表放過(guò)icmp。

官方文檔：

In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit only when they communicate with the outside (Internet VLAN). Internet hosts are not counted towards the limit. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit. See the show local-host command to view the host limits.

實(shí)驗(yàn)總結(jié)：

  1.在防火墻outside接口配置default-route,那么其他別的接口的主機(jī)數(shù)將受到限制。

 2.在防火墻inside接口配置default-route,其他接口的主機(jī)數(shù)也受到限制。8.2（1）以下的版本相對(duì)混亂。（認(rèn)為是低版本的BUG)

 3.如果接口不配置默認(rèn)路由，那么其他接口的主機(jī)數(shù)不受限制。