NAT Cisco ASA

From Teknologisk videncenter
Revision as of 13:48, 1 May 2017 by Pema (talk | contribs) (Outside in - one-to-one nat)
Jump to: navigation, search

Outside in - one-to-one nat

Internal IP: 192.168.138.152 External IP: 217.198.220.152

Version 8 ASA 

access-list H5MAJ2017 permit ip any host 192.168.138.152
access-group H5MAJ2017 in interface OUTSIDE
!
object network OBJ192.168.138.152
 host 192.168.138.152
 nat (INSIDE,OUTSIDE) static 217.198.220.152
!

Version 9 ASA

Ved det ser ud af rigtig meget når man skriver alt det her, men det giver mening i forhold til at holde styr på reglerne i firewallen via det grafiske interface, og det giver nemmere log gennemgang efterfølgende ved evt. fejl.

Objekt 

      object <b>network 217.198.220.139--SMTP.HOTDATA.DK </b>
        host <b>212.198.213.139</b>
     object network <b>WEB01.HOTDATA.DK</b>
        host <b>192.168.130.3</b>

NAT REGL 

      nat (OUTSIDE,INSIDE) 2 source static any any destination static <b>217.198.220.139--SMTP.HOTDATA.DK 192.168.130.15--SMTP.HOTDATA.DK</b> no-proxy-arp description <b>SMTP.HOTDATA.DK</b>

ACCESS LIST bemærk om der er oprettet en objekt gruppe der dækker det samme behov som du har før du opretter en ny 

      object-group service <>DM_INLINE_TCP_5 tcp
        port-object eq http
        port-object eq https
      access-list global_access line 4 extended permit tcp any object <b>192.168.130.30--WEB01.HOTDATA.DK</b> object-group <b>DM_INLINE_TCP_5 </b>

links

Retrieved from "http://mars.merhot.dk/w/index.php?title=NAT_Cisco_ASA&oldid=37642"