ASA防火墙新版本8.4-各种NAT场景

ASA防火墙新版本8.4-工程实用手册
注意，现在思科ASA防火墙已经升级到8.4，从8.3开始很多配置都有颠覆性的不同，特别是NAT配置很不一样，使用了object /object-group的新方式
这里为了大家工程实施起来方便，特别总结了如下NAT应用，希望能够帮助大家。
ASA 8.3 NAT 转化新语法：
Topology ：

L100 200.0.9.10 R1 ---.2----192.168.1.0----.1---ASA----.1----10.10.10.0---.2---R2 L100 100.1.64.1

The order of operations works as configured by each section. In order:
1. Manual Nat
2. Auto Nat
3. After Auto

Dynamic NAT/PAT场景一：

所有内网流量访问外网时都转换为接口的公网地址，此环境适用于仅有一个公网地址的小型办公室。

Object network inside-outside-all

Subnet 0.0.0.0 0.0.0.0

Nat (inside,outside) dynamic interface

原有的语法
nat (inside) 1 0 0 global (outside) 1 interface

验证：

ciscoasa(config)# show nat detail

Auto NAT Policies (Section 2)

1 (inside) to (outside) source dynamic inside-outside-all interface

translate_hits = 1, untranslate_hits = 0

Source - Origin: 0.0.0.0/0, Translated: 10.10.10.1/24

ciscoasa(config)# show xlate

1 inuse, 4 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

TCP PAT from inside:192.168.1.2/18523 to outside:10.10.10.1/18124 flags ri idle 0:00:20 timeout 0:00:30

ciscoasa(config)# show conn

1 inuse, 1 most used

TCP outside 100.1.64.1:23 inside 192.168.1.2:18523, idle 0:00:00, bytes 117, flags UIO

场景二

所有内网流量访问外网时都转换为特定的公网地址，此环境适用于的小型办公室或分支办公室。

Object network inside-outside-all

Subnet 0.0.0.0 0.0.0.0

Nat (inside,outside) dynamic 10.10.10.3

原有的语法
nat (inside) 1 0 0
global (outside) 1 10.10.10.3

验证

ciscoasa(config)# show nat detail

Auto NAT Policies (Section 2)

1 (inside) to (outside) source dynamic inside-outside-all 10.10.10.3

translate_hits = 3, untranslate_hits = 0

Source - Origin: 0.0.0.0/0, Translated: 10.10.10.3/32

ciscoasa(config)# show xlate

2 inuse, 4 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

TCP PAT from inside:192.168.1.2/33470 to outside:10.10.10.3/46897 flags ri idle 0:00:10 timeout 0:00:30

ICMP PAT from inside:192.168.1.2/33 to outside:10.10.10.3/50079 flags ri idle 0:00:15 timeout 0:00:30

ciscoasa(config)# show conn

1 inuse, 1 most used

TCP outside 100.1.64.1:23 inside 192.168.1.2:33470, idle 0:00:12, bytes 99, flags UIO

场景三
对于有大量公网地址用户，常应用在运营商或者公司内网

Object network inside-outside-trans

Range 10.10.10.100 10.10.10.200

Object network inside-outside-all

Subnet 0.0.0.0 0.0.0.0

Nat (inside,outside) static inside-outside-trans

原

有的语法

nat (inside) 1 0 0
global (outside) 1 10.10.10.100 10.10.10.200

验证

ciscoasa(config)# show nat detail

Auto NAT Policies (Section 2)

1 (inside) to (outside) source static inside-outside-all inside-outside-trans

translate_hits = 1, untranslate_hits = 0

Source - Origin: 0.0.0.0/0, Translated: 10.10.10.100-10.10.10.200


ciscoasa(config)# show xlate

1 inuse, 4 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

NAT from inside:0.0.0.0/0 to outside:10.10.10.100/30, 10.10.10.104/29,

10.10.10.112/28, 10.10.10.128/26, 10.10.10.192/29,

10.10.10.200

flags s idle 0:00:54 timeout 0:00:00

ciscoasa(config)# show conn

1 inuse, 1 most used

TCP outside 100.1.64.1:23 inside 192.168.1.2:51245, idle 0:00:07, bytes 100, flags UIO
场景四
对于有大量公网地址用户，常应用在运营商或者公司内网，为防止地址用完可以配置一个PAT和interface (推荐)

Object network inside-outside-trans

Range 10.10.10.100 10.10.10.200

Object network inside-outside-PAT

Host 10.10.10.201

Object-group network nat-pat-grp

Network-object object inside-outside-trans

Network-object object inside-outside-PAT

Object network inside-outside-all

Subnet 0.0.0.0 0.0.0.0

Nat (inside,outside) dynamic nat-pat-grp interface

原有的语法

nat (inside) 1 0 0
global (outside) 1 10.10.10.100 10.10.10.200

global (outside) 1 interface

验证方法和结果请查看场景三

Static NAT/PAT场景五
内网有邮件和Web服务器为远程办公用户提供访问，此环境适用于HQ和分支办公室

object network server-static

host 10.10.10.3 （外网IP）

object network inside-server

host 200.0.9.10 （内网IP）

nat (inside,outside) static server-static

以此类推

object network server-static2

host 27.148.144.149

object network inside-server2

host 192.168.81.10

nat (inside,outside) static server-static2



原有语法
static (inside,outside) 10.10.10.3 200.0.9.10 netmask 255.255.255.255

验证：

Ciscoasa(config)# show xlate

1 inuse, 17 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

NAT from inside:200.0.9.10 to outside:10.10.10.3

flags s idle 0:13:41 timeout 0:00:00

ciscoasa(config)# show conn

1 inuse, 8 most used

TCP outside 10.10.10.2:57990 inside 200.0.9.10:23, idle 0:00:10, bytes 234, flags UIOB

ciscoasa(config)# show nat de

ciscoasa(config)# show nat detail

Auto NAT Policies (Section 2)

1 (inside) to (outside) source static inside-server server-static

translate_hits = 0, untranslate_hits = 11

Source - Origin: 200.0.9.10/32, Translated: 10.10.10.3/32


场景六
此环境用户的需求比较复杂，客户在低安全区域有很多提供业务服务的小型机，他需要隐藏被访问的服

务器地址，同时要求对外网server的访问进行Static方式一对一的映射。

object network outside-inside-waiguanju-trans69

host 100.1.64.40

object network waihuiju-des-add3

host 197.0.244.3

object network outside-inside-waiguanju-shouzhi-shenbaoxitong

host 100.1.95.1

object network waihuiju-des-add4

host 197.0.244.4

object network outside-inside-waiguanju-trans63

host 100.1.95.2

object network waihuiju-des-add5

host 197.0.244.5

object network outside-inside-waihuiju-zhijietouzi-waihuiyewu-xinxixitong-hz

host 100.1.64.30

object network waihuiju-des-add6

host 197.0.244.6

object network outside-inside-waihuiju-aoyunyingji-fabuwangzhan

host 100.1.248.40

object network waihuiju-des-add7

host 197.0.244.7

object network outside-inside-waihuiju-geren-gouhui

host 100.1.248.20

object network waihuiju-des-add8

host 197.0.244.8

object network outside-inside-waihuiju-jieshouhui-ceshixitong

host 100.1.248.26

object network waihuiju-des-add9

host 197.0.244.9

object network outside-inside-waihuiju-zhijietouzi-waihuiyewu-xinxixitong1

host 100.1.64.1

object network waihuiju-des-add10

host 197.0.244.10

object network outside-inside-waihuiju-zhijietouzi-waihuiyewu-xinxixitong2

host 100.1.64.21

object network waihuiju-des-add11

host 197.0.244.11

object network outside-inside-waiguanju-trans12

host 100.1.1.1

object network waihuiju-des-add12

host 197.0.244.12

object network outside-inside-waiguanju-jieshouhui-tongjixitong

host 100.1.248.17

object network waihuiju-des-add13

host 197.0.244.13

object network outside-inside-ITSxitongceshi

host 100.1.95.4

object network waihuiju-des-add14

host 197.0.244.14

object network outside-inside-waiguanju-trans91

host 100.1.95.5

object network waihuiju-des-add15

host 197.0.244.15

object network waihuiju-tran-add

host 29.2.7.254

object-group network waihuiju-des-add

network-object object waihuiju-des-add3

network-object object waihuiju-des-add4

network-object object waihuiju-des-add5

network-object object waihuiju-des-add6

network-object object waihuiju-des-add7

network-object object waihuiju-des-add8

network-object object waihuiju-des-add9

network-object object waihuiju-des-add10

network-object object waihuiju-des-add11

network-object object waihuiju-des-add12

network-object object waihuiju-des-add13

network-object object waihuiju-des-add14

network-object object waihuiju-des-add15

object-group network outside-inside-Map

network-object object outside-inside-waiguanju-trans69

network-object object outside-inside-waiguanju-shouzhi-shenbaoxitong

network-object object outside-inside-waiguanju-trans63

network-object object outside-inside-waihuiju-zhijietouzi-waihuiyewu-xinxixitong-hz

network-object object outside-inside-waihuiju-aoyun

yingji-fabuwangzhan

network-object object outside-inside-waihuiju-geren-gouhui

network-object object outside-inside-waihuiju-jieshouhui-ceshixitong

network-object object outside-inside-waihuiju-zhijietouzi-waihuiyewu-xinxixitong1

network-object object outside-inside-waihuiju-zhijietouzi-waihuiyewu-xinxixitong2

network-object object outside-inside-waiguanju-trans12

network-object object outside-inside-waiguanju-jieshouhui-tongjixitong

network-object object outside-inside-ITSxitongceshi

network-object object outside-inside-waiguanju-trans91

nat (inside,outside) source dynamic any waihuiju-tran-add destination static waihuiju-des-add outside-inside-Map
验证 ：

ciscoasa# show xlate

7 in use, 17 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

NAT from outside:100.1.64.40, 100.1.95.1, 100.1.95.2,

100.1.64.30, 100.1.248.40, 100.1.248.20,

100.1.248.26, 100.1.64.1, 100.1.64.21,

100.1.1.1, 100.1.248.17, 100.1.95.4,

100.1.95.5 to inside:197.0.244.3, 197.0.244.4,

197.0.244.5, 197.0.244.6, 197.0.244.7,

197.0.244.8, 197.0.244.9, 197.0.244.10,

197.0.244.11, 197.0.244.12, 197.0.244.13,

197.0.244.14, 197.0.244.15

flags sT idle 0:10:32 timeout 0:00:00

TCP PAT from inside:192.168.1.2/29060 to outside:29.2.7.254/14832 flags ri idle 0:10:47 timeout 0:00:30

TCP PAT from inside:192.168.1.2/20099 to outside:29.2.7.254/50442 flags ri idle 0:11:02 timeout 0:00:30

TCP PAT from inside:192.168.1.2/32652 to outside:29.2.7.254/19035 flags ri idle 0:11:19 timeout 0:00:30

TCP PAT from inside:192.168.1.2/64367 to outside:29.2.7.254/16920 flags ri idle 0:11:27 timeout 0:00:30

TCP PAT from inside:192.168.1.2/46218 to outside:29.2.7.254/62293 flags ri idle 0:11:34 timeout 0:00:30

TCP PAT from inside:192.168.1.2/33598 to outside:29.2.7.254/58119 flags ri idle 0:11:50 timeout 0:00:30

ciscoasa# show conn

6 in use, 8 most used

TCP outside 197.0.244.6(100.1.64.30):23 inside 192.168.1.2:20099, idle 0:01:02, bytes 139, flags UFRIO

TCP outside 197.0.244.6(100.1.64.30):23 inside 192.168.1.2:32652, idle 0:01:17, bytes 145, flags UFRIO

TCP outside 197.0.244.8(100.1.248.20):23 inside 192.168.1.2:46218, idle 0:01:35, bytes 121, flags UFRIO

TCP outside 197.0.244.10(100.1.64.1):23 inside 192.168.1.2:33598, idle 0:01:51, bytes 121, flags UFRIO

TCP outside 197.0.244.3(100.1.64.40):23 inside 192.168.1.2:29060, idle 0:00:48, bytes 121, flags UFRIO

TCP outside 197.0.244.7(100.1.248.40):23 inside 192.168.1.2:64367, idle 0:01:28, bytes 132, flags UFRIO

ciscoasa# show nat detail

ciscoasa# show nat detail

Manual NAT Policies (Section 1)

1 (inside) to (outside) source dynamic any waihuiju-tran-add destination static waihuiju-des-add outside-inside-Map

translate_hits = 8, untranslate_hits = 8

Source - Origin: 0.0.0.0/0, Translated: 29.2.7.254/32

De

stination - Origin: 197.0.244.3/32, 197.0.244.4/32, 197.0.244.5/32, 197.0.244.6/32

197.0.244.7/32, 197.0.244.8/32, 197.0.244.9/32, 197.0.244.10/32

197.0.244.11/32, 197.0.244.12/32, 197.0.244.13/32, 197.0.244.14/32

197.0.244.15/32, Translated: 100.1.64.40/32, 100.1.95.1/32, 100.1.95.2/32, 100.1.64.30/32

100.1.248.40/32, 100.1.248.20/32, 100.1.248.26/32, 100.1.64.1/32

100.1.64.21/32, 100.1.1.1/32, 100.1.248.17/32, 100.1.95.4/32

100.1.95.5/32

场景七
对通过防火墙的业务流量，不更改源地址，也就是将源地址NAT自己，我们称为identity NAT。

object network inside-nonat

host 192.168.1.2

nat (inside,outside) static 192.168.1.2

验证：

ciscoasa(config)# show xlate

1 in use, 17 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

NAT from inside:192.168.1.2 to outside:192.168.1.2

flags sI idle 0:02:09 timeout 0:00:00

ciscoasa(config)# show conn

1 in use, 8 most used

TCP outside 100.1.64.1:23 inside 192.168.1.2:65450, idle 0:00:12, bytes 115, flags UIO

ciscoasa(config)# show nat detail

Auto NAT Policies (Section 2)

1 (inside) to (outside) source static inside-nonat 192.168.1.2

translate_hits = 3, untranslate_hits = 0

Source - Origin: 192.168.1.2/32, Translated: 192.168.1.2/32

Router# who

Line User Host(s) Idle Location

* 0 con 0 idle 00:00:00

6 vty 0 idle 00:00:07 192.168.1.2

注意：
Nat-control 不在使用

如果要开启需要使用下面的语法：
object network obj_any subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic obj-0.0.0.0
object network obj-0.0.0.0
host 0.0.0.0
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
nat (inside,mgmt) dynamic obj-0.0.0.0
object network obj_any-02
subnet 0.0.0.0 0.0.0.0
nat (inside,dmz) dynamic obj-0.0.0.0
object network obj_any-03
subnet 0.0.0.0 0.0.0.0
nat (mgmt,outside) dynamic obj-0.0.0.0
object network obj_any-04
subnet 0.0.0.0 0.0.0.0
nat (dmz,outside) dynamic obj-0.0.0.0
object network obj_any-05
subnet 0.0.0.0 0.0.0.0
nat (dmz,mgmt) dynamic obj-0.0.0.0

ASA 8.3 后需要使用真实IP 作为ACL 条目.
ASA 8.3 NAT need real ip address on access-list .Please refer to new migrate on ASA 8.3 NAT commands. For example:

Old Configuration
static (inside,outside) 172.23.57.1 10.50.50.50 netmask 255.255.255.255

access-list 1 permit ip any host 172.23.57.1
access-group 1 in interface outside

Migrated Configuration

access-list 1 permit ip any host 10.50.50.50
access-group 1 in interface outside
注意事项:
更新ASA 8.3 NAT 新注意事项 如果做多公网IP 对 一个内网IP的时候SNAT 请大家打开inspect icmp. 切记

常用排错命令：
show run nat
show run object-network
show run obj

ect-group
show nat detail
show xlate
show conn
show nat pool
debug nat 255


1111