ASA8.4端口映射篇
方法一:
A. 在object下做nat
object network test
host 100.1.1.3
object network R3
host 192.168.2.1
object network R3
nat (inside,outside) static test service tcp telnet 50000
###############################################################
外网test port 50000映射到内网 R3 port 23(telnet)。
###############################################################
ciscoasa(config)# show xlate
1 in use, 3 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:192.168.2.1 23-23 to outside:100.1.1.3 50000-50000
flags sr idle 0:00:06 timeout 0:00:00
###############################################################
B.
object network server
subnet 192.168.2.1 255.255.255.255
object service telnet
service tcp source eq telnet
object network test
host 100.1.1.3
object service 50000
service tcp source eq 50000
nat (inside,outside) source static server test service telnet 50000
###############################################################
此处的 telnet为object的名称。
###############################################################
ciscoasa(config)# show xlate
1 in use, 3 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:192.168.2.1 23-23 to outside:100.1.1.3 50000-50000
flags sr idle 0:03:11 timeout 0:00:00
ciscoasa(config)#
###############################################################
端口23已经成功映射50000。
###############################################################
方法二:范围映射。多个不连续端口映射,使用如下方法。
object network test
host 100.1.1.3
object network R3
host 192.168.2.1
object service telnet
service tcp source eq telnet
object service smtp
service tcp source eq smtp
object service 3000-5000
service tcp source range 3000 5000
nat (inside,outside) source static R3 test service telnet telnet
nat (inside,outside) source static R3 test service smtp smtp
nat (inside,outside) source static R3 test service 3000-5000 3000-5000
ciscoasa(config)# show xlate
3 in use, 9 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:192.168.2.1 23-23 to outside:100.1.1.3 23-23
flags sr idle 0:16:33 timeout 0:00:00
TCP PAT from inside:192.168.2.1 25-25 to outside:100.1.1.3 25-25
flags sr idle 0:16:02 timeout 0:00:00
TCP PAT from inside:192.168.2.1 3000-5000 to outside:100.1.1.3 3000-5000
flags sr idle 0:01:58 timeout 0:00:00
ciscoasa(config)#
下一篇:使用ping命令检测ip