
Processing order of Twice NAT and Object NAT on ASA 8.3 and later

On ASA 8.3 and later, when both Twice NAT and Object NAT are configured, the rules are processed in the order Section 1 (Twice NAT) -> Section 2 (Object NAT).

By adding the after-auto parameter to a Twice NAT rule, that rule is processed after Object NAT, so the order becomes Section 2 (Object NAT) -> Section 3 (Twice NAT).

 

************ Configuration example *************

[Twice NAT]

object-group network TEST_1
 network-object host 172.16.10.1
object network Host_1
 host 192.168.11.1
object network Host_2
 host 192.168.12.2
object network Host_3
 host 192.168.13.3

nat (outside,inside) source dynamic TEST_1 Host_1 destination static Host_2 Host_3

[Object NAT]

object network Host_Object
 host 10.10.10.4
object network Host_Object
 nat (inside,outside) static 172.16.10.130
object-group service TCP_host tcp
 port-object eq www

access-list ACL extended permit tcp any object Host_Object object-group TCP_host

 

*********** "show nat detail" ************

ciscoasa# show nat detail
Manual NAT Policies (Section 1)
1 (outside) to (inside) source dynamic TEST_1 Host_1   destination static Host_2 Host_3
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 172.16.10.1/32, Translated: 192.168.11.1/32
    Destination - Origin: 192.168.12.2/32, Translated: 192.168.13.3/32

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static Host_Object 172.16.10.130
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.10.10.4/32, Translated: 172.16.10.130/32

 

********* Using the after-auto parameter *********

nat (outside,inside) after-auto source dynamic TEST_1 Host_1 destination static Host_2 Host_3

ciscoasa# show nat detail

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static Host_Object 172.16.10.130
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.10.10.4/32, Translated: 172.16.10.130/32

Manual NAT Policies (Section 3)
1 (outside) to (inside) source dynamic TEST_1 Host_1   destination static Host_2 Host_3
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 172.16.10.1/32, Translated: 192.168.11.1/32
    Destination - Origin: 192.168.12.2/32, Translated: 192.168.13.3/32
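The two rules on this page do not overlap, so the section order does not change which rule a flow hits. The following Python model, added here as an example and not code from the page or from Cisco, makes the ordering visible by adding a constructed Object NAT rule (Outside_Net, 172.16.10.0/24 -> 192.168.20.0/24 on the outside interface) that overlaps the page's Twice NAT rule. It models only the forward (real -> mapped) direction and a first-match lookup over Section 1 -> 2 -> 3; the tie-breaks inside Section 2 (static before dynamic, then fewest real addresses, then lowest real IP) are a simplification of the ASA's documented ordering. The rule names, the demo() function and the Outside_Net rule are assumptions of this example.

```python
"""Simplified model of ASA 8.3+ NAT rule ordering (added example, not from the page).

Section 1: manual (Twice) NAT rules in configuration order
Section 2: object (Auto) NAT rules: static first, fewest real addresses, lowest real IP
Section 3: manual NAT rules configured with after-auto, in configuration order
First matching rule wins. Only the forward (real -> mapped) direction is modelled.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class NatRule:
    name: str
    kind: str                        # "twice" (manual NAT) or "object" (auto NAT)
    real_if: str                     # interface the real addresses live on
    mapped_if: str
    real_src: str                    # CIDR of the real source
    mapped_src: str                  # CIDR of the mapped source
    real_dst: Optional[str] = None   # twice NAT only: destination match
    mapped_dst: Optional[str] = None
    static: bool = True
    after_auto: bool = False
    order: int = 0                   # configuration order within a manual section

    def section(self) -> int:
        if self.kind == "object":
            return 2
        return 3 if self.after_auto else 1

    def sort_key(self):
        if self.section() == 2:
            net = ip_network(self.real_src)
            return (2, 0 if self.static else 1, net.num_addresses, int(net.network_address))
        return (self.section(), self.order)

    def matches(self, ingress_if: str, src: str, dst: str) -> bool:
        if ingress_if != self.real_if:
            return False
        if ip_address(src) not in ip_network(self.real_src):
            return False
        if self.real_dst is not None and ip_address(dst) not in ip_network(self.real_dst):
            return False
        return True


def _translate(addr: str, real: str, mapped: str) -> str:
    """Host-to-host or offset-preserving network translation."""
    real_net, mapped_net = ip_network(real), ip_network(mapped)
    if mapped_net.num_addresses == 1:
        return str(mapped_net.network_address)   # single host (or single-host pool)
    offset = int(ip_address(addr)) - int(real_net.network_address)
    return str(ip_address(int(mapped_net.network_address) + offset))


def evaluation_order(rules):
    """Rules in the order the ASA evaluates them (the order `show nat` lists them)."""
    return sorted(rules, key=NatRule.sort_key)


def lookup(rules, ingress_if: str, src: str, dst: str):
    """First-match lookup: (rule name, translated src, translated dst) or None."""
    for rule in evaluation_order(rules):
        if rule.matches(ingress_if, src, dst):
            new_src = _translate(src, rule.real_src, rule.mapped_src)
            new_dst = _translate(dst, rule.real_dst, rule.mapped_dst) if rule.real_dst else dst
            return rule.name, new_src, new_dst
    return None


# The two rules from the page
TWICE = NatRule("twice TEST_1->Host_1", "twice", "outside", "inside",
                "172.16.10.1/32", "192.168.11.1/32",
                "192.168.12.2/32", "192.168.13.3/32", static=False, order=1)
OBJ = NatRule("object Host_Object", "object", "inside", "outside",
              "10.10.10.4/32", "172.16.10.130/32")
# Constructed Object NAT rule (hypothetical) that overlaps the Twice NAT rule
OBJ_OUTSIDE = NatRule("object Outside_Net (constructed)", "object", "outside", "inside",
                      "172.16.10.0/24", "192.168.20.0/24")


def demo():
    """Same flow (outside, 172.16.10.1 -> 192.168.12.2) without and with after-auto."""
    flow = ("outside", "172.16.10.1", "192.168.12.2")
    without = lookup([TWICE, OBJ, OBJ_OUTSIDE], *flow)                      # Section 1 wins
    with_after_auto = lookup([replace(TWICE, after_auto=True), OBJ, OBJ_OUTSIDE], *flow)
    return without, with_after_auto


if __name__ == "__main__":
    for label, result in zip(("default", "after-auto"), demo()):
        print(f"{label}: {result}")
```

Running demo() shows the point of the page: by default the Twice NAT rule in Section 1 translates the flow (source 192.168.11.1, destination 192.168.13.3); once the same rule carries after-auto it drops to Section 3 and the overlapping Object NAT rule in Section 2 wins instead (source 192.168.20.1, destination untouched). When reviewing a change that adds after-auto, compare `show nat detail` before and after for exactly this kind of overlap.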

 

 

NAT Rule Order

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/nat_overview.html#wp1118157

 
