1. Overview:

By default, whether an Inside host or a DMZ host is mapped to an address or service in the Outside zone, hosts in the Inside and DMZ zones cannot reach the internal server through the mapped address. Since ASA 8.3 there is a new kind of NAT called Twice NAT: a single NAT statement can match both the source address and the destination address, and can translate any one to three of the source address, destination address and port number.

2. Basic approach:

A. Inside mapped to Outside

① Outside reaching the Inside host's mapped address works without further configuration.
② Inside reaching the Inside host's mapped address: use Twice NAT to translate both source and destination.
--- Translate the source to the Inside interface address and the destination to the real address of the Inside host.
--- Without source translation the session cannot be established, because the forward and return paths of the flow differ.
③ DMZ reaching the Inside host's mapped address: use Twice NAT to translate only the destination.
--- Translate the destination to the real address of the Inside host.
--- Both sides then use real addresses, so Inside and DMZ need routes to each other.
--- Source translation to the Inside interface address can be done at the same time, but it is not recommended, for ease of auditing.
B. DMZ mapped to Outside

① Outside reaching the DMZ host's mapped address works without further configuration.
② Inside reaching the DMZ host's mapped address: use Twice NAT to translate only the destination.
--- Translate the destination to the real address of the DMZ host.
--- Both sides then use real addresses, so Inside and DMZ need routes to each other.
--- Source translation to the DMZ interface address can be done at the same time, but it is not recommended, for ease of auditing.
--- In actual testing on the emulator, however, the -- bad sequence number error appeared frequently when the source address was not translated.
--- I cannot work out why a sequence number error is reported; even setting set connection random-sequence-number disable through MPF only alleviates it, and it still occurs occasionally. It is probably due to the emulator.
③ DMZ reaching the DMZ host's mapped address: use Twice NAT to translate both source and destination.
--- Translate the source to the DMZ interface address and the destination to the real address of the DMZ host.
--- Without source translation the session cannot be established, because the forward and return paths of the flow differ.

3. Test topology:

R1-----SW--(Inside)----ASA---(Outside)----R4
       |                |
       |                |
       R2               R3(DMZ)

4. Test requirements:

A. Map TCP port 23 of R2 to port 23 on the ASA's Outside interface
---- R1 through R4 must all be able to reach port 23 of R2 by connecting to port 23 on the ASA's Outside interface.
B. Map TCP port 23 of R3 to port 2323 on the ASA's Outside interface
---- R1 through R4 must all be able to reach port 23 of R3 by connecting to port 2323 on the ASA's Outside interface.

5. Basic configuration:

A. R1:

interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.10

B. R2:

interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.10
line vty 0 4
 password cisco
 login

C. ASA:

interface GigabitEthernet0
 nameif Inside
 security-level 100
 ip address 10.1.1.10 255.255.255.0
 no shut
interface GigabitEthernet1
 nameif DMZ
 security-level 50
 ip address 192.168.1.10 255.255.255.0
 no shut
interface GigabitEthernet2
 nameif Outside
 security-level 0
 ip address 202.100.1.10 255.255.255.0
 no shut

D. R3:

interface FastEthernet0/0
 ip address 192.168.1.3 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 192.168.1.10
line vty 0 4
 password cisco
 login

E. R4:

interface FastEthernet0/0
 ip address 202.100.1.4 255.255.255.0
 no shut

6. ASA NAT and policy configuration:

A. Dynamic PAT so that the Inside and DMZ zones can reach the public network

object network Inside-NET
 subnet 10.1.1.0 255.255.255.0
 nat (Inside,Outside) dynamic interface
object network DMZ-NET
 subnet 192.168.1.0 255.255.255.0
 nat (DMZ,Outside) dynamic interface

B. Static PAT to publish R2 and R3:

object network Inside-R2
 host 10.1.1.2
 nat (Inside,Outside) static interface service tcp 23 23
object network DMZ-R3
 host 192.168.1.3
 nat (DMZ,Outside) static interface service tcp 23 2323

C. Firewall policy:

① Enable ICMP inspection:

policy-map global_policy
 class inspection_default
  inspect icmp

② Permit policy on the Outside interface:

access-list OUTSIDE extended permit tcp any object Inside-R2 eq telnet
access-list OUTSIDE extended permit tcp any object DMZ-R3 eq telnet
access-group OUTSIDE in interface Outside

③ Permit policy on the DMZ interface:

access-list DMZ extended permit tcp any object Inside-R2 eq telnet
access-list DMZ extended permit icmp any any
access-list DMZ extended deny ip any object Inside-NET
access-list DMZ extended permit ip any any
access-group DMZ in interface DMZ

--- Note: this is only a test setup. In practice, do not permit DMZ-to-Inside access unless it is necessary, and when it is, permit it only for specific hosts.

D. Tests:

① The Inside and DMZ zones can reach the public network:

R1#PING 202.100.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/80/168 ms

R2#ping 202.100.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/67/156 ms

R3#ping 202.100.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/120/204 ms

② The mapped ports can only be reached from the Outside zone:

R4#TELNET 202.100.1.10 23
Trying 202.100.1.10 ... Open
User Access Verification
Password:
R2>show users
Line User Host(s) Idle Location
0 con 0 idle 00:55:06
* 66 vty 0 idle 00:00:00 202.100.1.4
Interface User Mode Idle Peer Address
R2>

R4#TELNET 202.100.1.10 2323
Trying 202.100.1.10, 2323 ... Open
User Access Verification
Password:
R3>show users
Line User Host(s) Idle Location
0 con 0 idle 00:51:12
* 66 vty 0 idle 00:00:00 202.100.1.4
Interface User Mode Idle Peer Address
R3>

R1#telnet 202.100.1.10
Trying 202.100.1.10 ...
% Connection timed out; remote host not responding

7. ASA Twice NAT configuration:

A. Inside reaching the Inside host's mapped address: translate both source and destination

① Define the objects:

object network Public-R2
 host 202.100.1.10
object service tcp23
 service tcp destination eq telnet

② Configure the twice NAT:

nat (Inside,Inside) source static any interface destination static Public-R2 Inside-R2 service tcp23 tcp23

③ Allow traffic to enter and leave the same interface:

same-security-traffic permit intra-interface

--- This is needed because the traffic enters through the Inside interface and also leaves through the Inside interface.

④ Test:

R1#telnet 202.100.1.10
Trying 202.100.1.10 ... Open
User Access Verification
Password:
R2>show users
Line User Host(s) Idle Location
0 con 0 idle 01:07:35
* 66 vty 0 idle 00:00:00 10.1.1.10
Interface User Mode Idle Peer Address
R2>

R2#telnet 202.100.1.10
Trying 202.100.1.10 ... Open
User Access Verification
Password:
R2>show users
Line User Host(s) Idle Location
0 con 0 202.100.1.10 00:00:00
* 66 vty 0 idle 00:00:00 10.1.1.10
Interface User Mode Idle Peer Address

B. Inside reaching the DMZ host's mapped address: translate only the destination

① Define the objects:

object network Public-R3
 host 202.100.1.10
object network DMZ-R3
 host 192.168.1.3
object service tcp2323
 service tcp destination eq 2323

② Configure the twice NAT:

nat (Inside,DMZ) source static any any destination static Public-R3 DMZ-R3 service tcp2323 tcp23

③ Test:

R1#telnet 202.100.1.10 2323
Trying 202.100.1.10, 2323 ...
% Connection timed out; remote host not responding

R3#debug ip tcp packet port 23
TCP Packet debugging is on for port number 23
R3#
*Mar 1 13:18:25.648: tcp0: I LISTEN 10.1.1.1:17155 192.168.1.3:23 seq 1568429504
OPTS 4 SYN WIN 4128
*Mar 1 13:18:25.652: tcp0: O SYNRCVD 10.1.1.1:17155 192.168.1.3:23 seq 1603796811
OPTS 4 ACK 1568429505 SYN WIN 4128
*Mar 1 13:18:25.656: tcp0: I SYNRCVD 10.1.1.1:17155 192.168.1.3:23 seq 4193850862
OPTS 4 SYN WIN 4128
*Mar 1 13:18:25.660: tcp0: O SYNRCVD 10.1.1.1:17155 192.168.1.3:23 seq 1603796811
ACK 1568429505 WIN 4128
*Mar 1 13:18:25.660: TCP0: bad seg from 10.1.1.1 -- bad sequence number: port 23 seq 4193850862 ack 0 rcvnxt 1568429505 rcvwnd 4128 len 0

④ Workaround:

--- Change the NAT statement so that the source address is translated as well.

nat (Inside,DMZ) source static any interface destination static Public-R3 DMZ-R3 service tcp2323 tcp23

⑤ Test again:

R1#telnet 202.100.1.10 2323
Trying 202.100.1.10, 2323 ... Open
User Access Verification
Password:
R3>show users
Line User Host(s) Idle Location
0 con 0 idle 00:02:15
* 66 vty 0 idle 00:00:00 192.168.1.10
Interface User Mode Idle Peer Address
R3>

R2#telnet 202.100.1.10 2323
Trying 202.100.1.10, 2323 ... Open
User Access Verification
Password:
R3>show users
Line User Host(s) Idle Location
0 con 0 idle 00:03:13
66 vty 0 idle 00:00:58 192.168.1.10
* 67 vty 1 idle 00:00:00 192.168.1.10
Interface User Mode Idle Peer Address
R3>

C. DMZ reaching the Inside host's mapped address: translate only the destination

① Define the objects:

--- Already defined above.

② Configure the twice NAT:

nat (DMZ,Inside) source static any any destination static Public-R2 Inside-R2 service tcp23 tcp23

③ Test:

R3#telnet 202.100.1.10
Trying 202.100.1.10 ... Open
User Access Verification
Password:
R2>show users
Line User Host(s) Idle Location
0 con 0 202.100.1.10 00:02:49
* 66 vty 0 idle 00:00:00 192.168.1.3
Interface User Mode Idle Peer Address
R2>

D. DMZ reaching the DMZ host's mapped address: translate both source and destination

① Define the objects:

--- Already defined above.

② Configure the twice NAT:

nat (DMZ,DMZ) source static any interface destination static Public-R3 DMZ-R3 service tcp2323 tcp23

③ Allow traffic to enter and leave the same interface:

--- Already configured above: same-security-traffic permit intra-interface

④ Test:

R3#telnet 202.100.1.10 2323
Trying 202.100.1.10, 2323 ... Open
User Access Verification
Password:
R3>show users
Line User Host(s) Idle Location
0 con 0 202.100.1.10 00:00:00
66 vty 0 idle 00:07:01 192.168.1.10
67 vty 1 idle 00:06:02 192.168.1.10
* 68 vty 2 idle 00:00:00 192.168.1.10
Interface User Mode Idle Peer Address
R3>
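Sections 2 and 7 above make one argument in several places: the hairpin cases (Inside to Inside, DMZ to DMZ) need source translation to the ASA interface address because otherwise the server's reply takes a different path than the request and the session cannot be established, while the cross-zone cases (Inside to DMZ, DMZ to Inside) only need destination translation. The Python script below is an added example, not code from the article or from Cisco. It parses the article's twice-NAT statements into their real and mapped parts, translates a sample flow the way the statement says, and then checks whether the server's reply would pass back through the ASA. The parser, the reply-routing check and the sample flows are assumptions made for this illustration; the model captures only the same-subnet return-path problem and does not reproduce the emulator's bad sequence number error from section 7.B.

```python
"""Added example (not from the article): parse ASA 8.3+ twice-NAT statements,
translate one flow, and check whether the server's reply comes back via the ASA.
Object names and addresses are the article's; the parser and routing check are
assumptions for this illustration, not ASA code."""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

# Network objects defined in the article (object name -> network).
OBJECTS = {
    "Inside-R2": ip_network("10.1.1.2/32"),
    "DMZ-R3": ip_network("192.168.1.3/32"),
    "Public-R2": ip_network("202.100.1.10/32"),
    "Public-R3": ip_network("202.100.1.10/32"),
}
# Service objects (object name -> destination TCP port).
SERVICES = {"tcp23": 23, "tcp2323": 2323}
# ASA interface addresses; the keyword "interface" in a nat statement means the mapped interface's own address.
INTERFACES = {
    "Inside": ip_address("10.1.1.10"),
    "DMZ": ip_address("192.168.1.10"),
    "Outside": ip_address("202.100.1.10"),
}
# Directly connected subnets, used to decide whether a server's reply can bypass the ASA.
SUBNETS = {"Inside": ip_network("10.1.1.0/24"), "DMZ": ip_network("192.168.1.0/24")}

# nat (real_ifc,mapped_ifc) source static <real> <mapped> destination static <mapped> <real> [service <mapped> <real>]
NAT_RE = re.compile(
    r"nat \((?P<real_ifc>[\w-]+),(?P<mapped_ifc>[\w-]+)\)"
    r" source static (?P<src_real>\S+) (?P<src_mapped>\S+)"
    r" destination static (?P<dst_mapped>\S+) (?P<dst_real>\S+)"
    r"(?: service (?P<svc_mapped>\S+) (?P<svc_real>\S+))?"
)


@dataclass
class TwiceNat:
    real_ifc: str
    mapped_ifc: str
    src_real: str
    src_mapped: str
    dst_mapped: str
    dst_real: str
    svc_mapped: Optional[str]
    svc_real: Optional[str]


def parse_nat(line: str) -> TwiceNat:
    """Parse one statement. Source is written real->mapped, destination and service mapped->real."""
    m = NAT_RE.fullmatch(line.strip())
    if m is None:
        raise ValueError(f"not a twice-NAT statement: {line!r}")
    return TwiceNat(**m.groupdict())


def _matches(obj: str, addr: IPv4Address) -> bool:
    return obj == "any" or addr in OBJECTS[obj]


def apply_rule(rule: TwiceNat, ingress: str, src: IPv4Address, dst: IPv4Address, dport: int):
    """Return (egress_ifc, new_src, new_dst, new_dport) for a packet arriving on `ingress`, or None."""
    if ingress != rule.real_ifc:
        return None
    if not (_matches(rule.src_real, src) and _matches(rule.dst_mapped, dst)):
        return None
    if rule.svc_mapped is not None and dport != SERVICES[rule.svc_mapped]:
        return None
    if rule.src_mapped == "any":
        new_src = src  # "source static any any": source left untouched
    elif rule.src_mapped == "interface":
        new_src = INTERFACES[rule.mapped_ifc]  # PAT to the mapped interface's own address
    else:
        new_src = OBJECTS[rule.src_mapped].network_address  # one-to-one static object (unused in the article)
    new_dst = OBJECTS[rule.dst_real].network_address  # mapped public address -> real server address
    new_dport = SERVICES[rule.svc_real] if rule.svc_real is not None else dport
    return rule.mapped_ifc, new_src, new_dst, new_dport


def reply_returns_via_asa(new_src: IPv4Address, new_dst: IPv4Address) -> bool:
    """The server at new_dst answers to new_src. If that address is on the server's own subnet
    and is not the ASA itself, the reply crosses the switch directly, the ASA never sees it and
    cannot undo the translation, so the client receives a reply from the real server address
    instead of the mapped one and the session fails."""
    for net in SUBNETS.values():
        if new_dst in net:
            return new_src not in net or new_src in INTERFACES.values()
    return True  # server not directly connected: reply follows its default route to the ASA


def check_flow(nat_line: str, ingress: str, src: str, dst: str, dport: int) -> dict:
    """Parse a statement, translate one flow and report whether the hairpin will work."""
    result = apply_rule(parse_nat(nat_line), ingress, ip_address(src), ip_address(dst), dport)
    if result is None:
        return {"matched": False}
    egress, new_src, new_dst, new_dport = result
    return {"matched": True, "egress": egress,
            "translated": f"{new_src} -> {new_dst}:{new_dport}",
            "session_ok": reply_returns_via_asa(new_src, new_dst)}


if __name__ == "__main__":
    # Constructed sample: R1 (Inside) telnets to R2's mapped address, with and without source translation.
    hairpin = "nat (Inside,Inside) source static any interface destination static Public-R2 Inside-R2 service tcp23 tcp23"
    no_src_nat = "nat (Inside,Inside) source static any any destination static Public-R2 Inside-R2 service tcp23 tcp23"
    for stmt in (hairpin, no_src_nat):
        print(stmt)
        print("   ", check_flow(stmt, "Inside", "10.1.1.1", "202.100.1.10", 23))
```

Running the script prints the translation for R1 reaching R2's mapped address with and without source PAT; only the first reports session_ok, which is the failure mode section 2 describes for the Inside-to-Inside case. The parser also encodes the ordering trap in the statement syntax: the source clause is written real then mapped, but the destination and service clauses are written mapped then real, which is why Public-R2 precedes Inside-R2 and tcp2323 precedes tcp23 in the article's statements.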