Cisco ASA NAT: Difference between revisions
Thomas (talk | contribs) |
Thomas (talk | contribs) |
| (13 intermediate revisions by the same user not shown) | |||
| Zeile 3: | Zeile 3: | ||
*ciscoasa(config-network-object)# subnet 172.18.122.0 255.255.255.0 | *ciscoasa(config-network-object)# subnet 172.18.122.0 255.255.255.0 | ||
*ciscoasa(config-network-object)# nat (if-inside,if-outside) dynamic interface | *ciscoasa(config-network-object)# nat (if-inside,if-outside) dynamic interface | ||
| + | ==Copy and Paste== | ||
| + | <pre> | ||
| + | configure terminal | ||
| + | object network obj-lan | ||
| + | subnet 172.18.122.0 255.255.255.0 | ||
| + | nat (if-inside,if-outside) dynamic interface | ||
| + | end | ||
| + | |||
| + | </pre> | ||
=Nat auf einen Rechner im Lan (Regular Static NAT)= | =Nat auf einen Rechner im Lan (Regular Static NAT)= | ||
| − | *ciscoasa(config)# object network obj- | + | =Portforwarding auf internen Bastion Host= |
| + | ;Webserver | ||
| + | *ciscoasa(config)# object network obj-www | ||
*ciscoasa(config-network-object)# host 172.18.122.101 | *ciscoasa(config-network-object)# host 172.18.122.101 | ||
| − | *ciscoasa(config-network-object)# nat (if-inside,if-outside) static interface tcp www www | + | *ciscoasa(config-network-object)# nat (if-inside,if-outside) static interface service tcp www www |
| − | + | ;Smtp | |
| − | + | *ciscoasa(config)# object network obj-smtp | |
| − | *ciscoasa(config)# access-list acl- | + | *ciscoasa(config-network-object)# host 172.18.122.101 |
| − | *ciscoasa(config)# access-group acl- | + | *ciscoasa(config-network-object)# nat (if-inside,if-outside) static interface service tcp smtp smtp |
| + | ;Ssh von 8472 auf 22 | ||
| + | *ciscoasa(config)# object network obj-ssh | ||
| + | *ciscoasa(config-network-object)# host 172.18.122.101 | ||
| + | *ciscoasa(config-network-object)# nat (if-inside,if-outside) static interface service tcp ssh 8472 | ||
| + | =Acls bilden= | ||
| + | *ciscoasa(config)# access-list acl-bastion extended permit tcp any object obj-www eq www | ||
| + | *ciscoasa(config)# access-list acl-bastion extended permit tcp any object obj-smtp eq smtp | ||
| + | *ciscoasa(config)# access-list acl-bastion extended permit tcp any object obj-ssh eq ssh | ||
| + | =Acl anwenden= | ||
| + | *ciscoasa(config)# access-group acl-bastion in interface if-outside | ||
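Review bot: the ACL entries added in the `=Acls bilden=` block must keep referencing the real (untranslated) port, because object NAT on ASA 8.3 and later evaluates interface ACLs against real addresses and ports: `access-list acl-bastion extended permit tcp any object obj-ssh eq ssh` is correct as written and must not be changed to `eq 8472`, even though the mapped port configured by `nat (if-inside,if-outside) static interface service tcp ssh 8472` is 8472; a short remark next to that line would stop a later edit from "correcting" it. Separately, that entry permits SSH to the bastion host from `any`; narrowing the source to the networks that actually need it is worth considering, since the non-standard mapped port provides no access control by itself. Minor: the new `<pre>` copy-and-paste block covers only the dynamic PAT section and not the static NAT, `access-list` and `access-group` statements added in the same revision, and it contains a stray blank line before `</pre>`.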
Current revision as of 17 February 2016, 09:58
Masquerading on the outgoing interface (Regular Dynamic PAT)
- ciscoasa(config)# object network obj-lan
- ciscoasa(config-network-object)# subnet 172.18.122.0 255.255.255.0
- ciscoasa(config-network-object)# nat (if-inside,if-outside) dynamic interface
Copy and Paste
configure terminal
object network obj-lan
subnet 172.18.122.0 255.255.255.0
nat (if-inside,if-outside) dynamic interface
end
NAT to a host in the LAN (Regular Static NAT)
Port forwarding to an internal bastion host
- Web server
- ciscoasa(config)# object network obj-www
- ciscoasa(config-network-object)# host 172.18.122.101
- ciscoasa(config-network-object)# nat (if-inside,if-outside) static interface service tcp www www
- SMTP
- ciscoasa(config)# object network obj-smtp
- ciscoasa(config-network-object)# host 172.18.122.101
- ciscoasa(config-network-object)# nat (if-inside,if-outside) static interface service tcp smtp smtp
- SSH from 8472 to 22
- ciscoasa(config)# object network obj-ssh
- ciscoasa(config-network-object)# host 172.18.122.101
- ciscoasa(config-network-object)# nat (if-inside,if-outside) static interface service tcp ssh 8472
Building the ACLs
- ciscoasa(config)# access-list acl-bastion extended permit tcp any object obj-www eq www
- ciscoasa(config)# access-list acl-bastion extended permit tcp any object obj-smtp eq smtp
- ciscoasa(config)# access-list acl-bastion extended permit tcp any object obj-ssh eq ssh
Applying the ACL
- ciscoasa(config)# access-group acl-bastion in interface if-outside
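As an added example (not from this wiki page or from Cisco), a small Python audit that reads the object NAT and ACL statements shown above and checks, for each static port forward, that the ACL bound inbound on the outside interface permits the real (untranslated) port, which is what ASA 8.3 and later evaluate, and flags a forward to a non-standard mapped port that is open to any source. The configuration text is constructed from the page's own commands, and the regular expressions recognise only the statement forms used here.

```python
import re
# Constructed sample: the page's statements as they appear in the running config (prompts stripped).
SAMPLE_CONFIG = """
object network obj-www
 host 172.18.122.101
 nat (if-inside,if-outside) static interface service tcp www www
object network obj-smtp
 host 172.18.122.101
 nat (if-inside,if-outside) static interface service tcp smtp smtp
object network obj-ssh
 host 172.18.122.101
 nat (if-inside,if-outside) static interface service tcp ssh 8472
access-list acl-bastion extended permit tcp any object obj-www eq www
access-list acl-bastion extended permit tcp any object obj-smtp eq smtp
access-list acl-bastion extended permit tcp any object obj-ssh eq ssh
access-group acl-bastion in interface if-outside
"""

NAT_RE = re.compile(r"nat \(([^,]+),([^)]+)\) static interface service (tcp|udp) (\S+) (\S+)")
ACL_RE = re.compile(r"access-list (\S+) extended permit (tcp|udp) (.+?) object (\S+) eq (\S+)")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)")

def parse(config):
    """Collect object NAT port forwards, ACL entries and inbound ACL bindings."""
    objects, acls, bound, current = {}, [], {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("object network "):
            current = line.split()[-1]
        elif current and (m := NAT_RE.match(line)):
            objects[current] = {"outside": m[2], "proto": m[3], "real": m[4], "mapped": m[5]}
        elif m := ACL_RE.match(line):
            acls.append({"acl": m[1], "proto": m[2], "src": m[3], "obj": m[4], "port": m[5]})
        elif m := GROUP_RE.match(line):
            bound[m[2]] = m[1]  # interface -> ACL applied inbound on it
    return objects, acls, bound

def audit(config):
    """Return (object, finding) pairs for forwards whose ACL is missing or too broad."""
    objects, acls, bound = parse(config)
    findings = []
    for name, nat in objects.items():
        # ASA 8.3+ ACLs match the real (untranslated) port: 'eq ssh', not 'eq 8472'.
        hits = [a for a in acls if a["acl"] == bound.get(nat["outside"]) and a["obj"] == name
                and a["proto"] == nat["proto"] and a["port"] == nat["real"]]
        if not hits:
            findings.append((name, "no inbound ACL permits the real port on " + nat["outside"]))
        elif nat["real"] != nat["mapped"] and any(a["src"] == "any" for a in hits):
            findings.append((name, "non-standard mapped port is reachable from any source"))
    return findings
```

Running `audit(SAMPLE_CONFIG)` on the page's configuration reports only the SSH forward, because its ACL entry is correct but open to any source.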