This document describes how to configure and verify basic Network Address Translation (NAT) on Firepower Threat Defense (FTD).

There are no specific requirements for this document.

The information in this document is based on these software and hardware versions:

Lab completion time: 1 hour

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

FTD supports the same NAT configuration options as the classic Adaptive Security Appliance (ASA):

Because FTD is configured from the FMC, you must be familiar with the FMC GUI and its NAT configuration options before you configure NAT.
Configure NAT as per these requirements:

| Setting | Value |
|---|---|
| NAT policy name | Name of the FTD device |
| NAT rule | Manual NAT rule |
| NAT type | Static |
| Insert | Section 1 |
| Source interface | inside* |
| Destination interface | dmz* |
| Original source | 192.168.75.14 |
| Translated source | 192.168.76.100 |

* Use security zones for the NAT rule.
[Diagram: Static NAT]
Solution:

On a classic ASA you use the interface nameif in NAT rules. On FTD you must use security zones or interface groups instead.

Step 1. Assign the interfaces to security zones or interface groups.

In this task, assign the FTD interfaces that are used for NAT to security zones. Alternatively, you can assign them to interface groups, as shown in the image.

Step 2. The result is as shown in the image.

Step 3. You can create and edit interface groups and security zones from the Objects > Object Management page, as shown in the image.

Security zones vs. interface groups

The main difference between security zones and interface groups is that an interface can belong to only one security zone, but it can belong to multiple interface groups. In practice, therefore, interface groups offer more flexibility.

You can see that the inside interface belongs to two different interface groups but to only one security zone, as shown in the image.

Step 4. Configure static NAT on FTD.

Navigate to Devices > NAT and create a NAT policy. Select New Policy > Threat Defense NAT, as shown in the image.

Step 5. Specify the policy name and assign it to the target device, as shown in the image.

Step 6. Add a NAT rule to the policy: click Add Rule.

Specify these values as per the task requirements, as shown in the image.
Host A = 192.168.75.14
Host B = 192.168.76.100

    firepower# show run object
    object network Host-A
     host 192.168.75.14
    object network Host-B
     host 192.168.76.100
Warning: If you configure static NAT and specify an interface as the translated source, all traffic destined to the interface IP address is redirected. Users cannot access any services that are enabled on the mapped interface. Examples of such services include routing protocols such as OSPF and EIGRP.

Step 7. The result is as shown in the image.

Step 8. Make sure there is an access control policy that allows Host B to reach Host A and vice versa. Remember that static NAT is bidirectional by default. As on a classic ASA, note that the access control rule uses the real IPs. This is expected, because in this lab LINA runs 9.6.1.x code, as shown in the image.

Verification:

On the LINA CLI:
    firepower# show run nat
    nat (inside,dmz) source static Host-A Host-B
The NAT rule was inserted in Section 1 as expected:

    firepower# show nat
    Manual NAT Policies (Section 1)
    1 (inside) to (dmz) source static Host-A Host-B
        translate_hits = 0, untranslate_hits = 0
Note: Two xlates are created in the background.

    firepower# show xlate
    2 in use, 4 most used
    Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
           s - static, T - twice, N - net-to-net
    NAT from inside:192.168.75.14 to dmz:192.168.76.100
        flags sT idle 0:41:49 timeout 0:00:00
    NAT from dmz:0.0.0.0/0 to inside:0.0.0.0/0
        flags sIT idle 0:41:49 timeout 0:00:00
The ASP NAT tables:

    firepower# show asp table classify domain nat
    Input Table
    in  id=0x7ff6036a9f50, priority=6, domain=nat, deny=false
            hits=0, user_data=0x7ff60314dbf0, cs_id=0x0, flags=0x0, protocol=0
            src ip/id=192.168.75.14, mask=255.255.255.255, port=0, tag=any
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
            input_ifc=inside, output_ifc=dmz
    in  id=0x7ff603696860, priority=6, domain=nat, deny=false
            hits=0, user_data=0x7ff602be3f80, cs_id=0x0, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
            dst ip/id=192.168.76.100, mask=255.255.255.255, port=0, tag=any, dscp=0x0
            input_ifc=dmz, output_ifc=inside

    Output Table:

    L2 - Output Table:

    L2 - Input Table:

    Last clearing of hits counters: Never

    firepower# show asp table classify domain nat-reverse
    Input Table

    Output Table:
    out id=0x7ff603685350, priority=6, domain=nat-reverse, deny=false
            hits=0, user_data=0x7ff60314dbf0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
            dst ip/id=192.168.75.14, mask=255.255.255.255, port=0, tag=any, dscp=0x0
            input_ifc=dmz, output_ifc=inside
    out id=0x7ff603638470, priority=6, domain=nat-reverse, deny=false
            hits=0, user_data=0x7ff602be3f80, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
            src ip/id=192.168.75.14, mask=255.255.255.255, port=0, tag=any
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
            input_ifc=inside, output_ifc=dmz

    L2 - Output Table:

    L2 - Input Table:

    Last clearing of hits counters: Never
Enable captures with trace details on FTD and ping from Host B to Host A, as shown in the image.

    firepower# capture DMZ interface dmz trace detail match ip host 192.168.76.14 host 192.168.76.100
    firepower# capture INSIDE interface inside trace detail match ip host 192.168.76.14 host 192.168.75.14
The hit counts in the ASP tables:

    firepower# show asp table classify domain nat
    Input Table
    in  id=0x7ff6036a9f50, priority=6, domain=nat, deny=false
            hits=0, user_data=0x7ff60314dbf0, cs_id=0x0, flags=0x0, protocol=0
            src ip/id=192.168.75.14, mask=255.255.255.255, port=0, tag=any
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
            input_ifc=inside, output_ifc=dmz
    in  id=0x7ff603696860, priority=6, domain=nat, deny=false
            hits=4, user_data=0x7ff602be3f80, cs_id=0x0, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
            dst ip/id=192.168.76.100, mask=255.255.255.255, port=0, tag=any, dscp=0x0
            input_ifc=dmz, output_ifc=inside

    firepower# show asp table classify domain nat-reverse
    Input Table

    Output Table:
    out id=0x7ff603685350, priority=6, domain=nat-reverse, deny=false
            hits=4, user_data=0x7ff60314dbf0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
            dst ip/id=192.168.75.14, mask=255.255.255.255, port=0, tag=any, dscp=0x0
            input_ifc=dmz, output_ifc=inside
    out id=0x7ff603638470, priority=6, domain=nat-reverse, deny=false
            hits=0, user_data=0x7ff602be3f80, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
            src ip/id=192.168.75.14, mask=255.255.255.255, port=0, tag=any
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
            input_ifc=inside, output_ifc=dmz
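Reading the hit counters by eye works for two entries, but a real policy has dozens. The snippet below is an added example (not code from the original document): it parses `show asp table classify` output, diffs the `hits=` counters between a snapshot taken before a test ping and one taken after it, and reports which entries the traffic actually matched. The sample entries are copied from the tables above; the "after" snapshot is constructed by raising the two counters the page shows at 4. The `hits=` delta is the practitioner's check that a NAT rule is really being evaluated for a flow, independent of what `show nat` claims.

```python
import re

# Constructed sample: the four ASP entries shown on this page, all at hits=0
# (the snapshot taken before the ping).
BEFORE = """\
in  id=0x7ff6036a9f50, priority=6, domain=nat, deny=false
        hits=0, user_data=0x7ff60314dbf0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=192.168.75.14, mask=255.255.255.255, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=dmz
in  id=0x7ff603696860, priority=6, domain=nat, deny=false
        hits=0, user_data=0x7ff602be3f80, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=192.168.76.100, mask=255.255.255.255, port=0, tag=any, dscp=0x0
        input_ifc=dmz, output_ifc=inside
out id=0x7ff603685350, priority=6, domain=nat-reverse, deny=false
        hits=0, user_data=0x7ff60314dbf0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=192.168.75.14, mask=255.255.255.255, port=0, tag=any, dscp=0x0
        input_ifc=dmz, output_ifc=inside
out id=0x7ff603638470, priority=6, domain=nat-reverse, deny=false
        hits=0, user_data=0x7ff602be3f80, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=192.168.75.14, mask=255.255.255.255, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=dmz
"""


def bump_hits(text, entry_id, hits):
    """Rewrite one entry's hits= counter; used here only to build the constructed "after" sample."""
    return re.sub(rf"(id={entry_id},[^\n]*\n\s*hits=)\d+", rf"\g<1>{hits}", text)


# The "after" snapshot: the two entries the page shows at hits=4 once the ping ran.
AFTER = bump_hits(bump_hits(BEFORE, "0x7ff603696860", 4), "0x7ff603685350", 4)

ENTRY_START = re.compile(r"^\s*(in|out)\s+id=(0x[0-9a-f]+)", re.M)


def parse_asp_classify(text):
    """Return {entry id: fields} for every in/out entry of a 'show asp table classify' dump."""
    entries = {}
    starts = [m.start() for m in ENTRY_START.finditer(text)]
    for begin, end in zip(starts, starts[1:] + [len(text)]):
        chunk = text[begin:end]
        head = ENTRY_START.match(chunk)
        src = re.search(r"src ip/id=([^,\s]+), mask=([^,\s]+)", chunk)
        dst = re.search(r"dst ip/id=([^,\s]+), mask=([^,\s]+)", chunk)
        entries[head.group(2)] = {
            "dir": head.group(1),
            "domain": re.search(r"domain=([\w-]+)", chunk).group(1),
            "hits": int(re.search(r"hits=(\d+)", chunk).group(1)),
            "user_data": re.search(r"user_data=(0x[0-9a-f]+)", chunk).group(1),
            "src": src.groups() if src else None,
            "dst": dst.groups() if dst else None,
            "in_ifc": re.search(r"input_ifc=(\w+)", chunk).group(1),
            "out_ifc": re.search(r"output_ifc=(\w+)", chunk).group(1),
        }
    return entries


def hit_delta(before_text, after_text):
    """Per-entry hit increase between two snapshots: {id: (domain, in_ifc, out_ifc, delta)}."""
    before = parse_asp_classify(before_text)
    delta = {}
    for eid, e in parse_asp_classify(after_text).items():
        prev = before.get(eid)
        delta[eid] = (e["domain"], e["in_ifc"], e["out_ifc"],
                      e["hits"] - prev["hits"] if prev else None)
    return delta


def exercised_entries(before_text, after_text):
    """IDs of the entries whose counters moved, i.e. the ones the test traffic actually matched."""
    return sorted(eid for eid, (*_, d) in hit_delta(before_text, after_text).items() if d)


def pair_by_user_data(text):
    """Group the domain=nat entry and the domain=nat-reverse entry that share a user_data pointer."""
    pairs = {}
    for eid, e in parse_asp_classify(text).items():
        pairs.setdefault(e["user_data"], {})[e["domain"]] = eid
    return pairs


if __name__ == "__main__":
    for eid, (domain, i, o, d) in hit_delta(BEFORE, AFTER).items():
        print(f"{eid} {domain:12} {i}->{o} +{d}")
    print(pair_by_user_data(AFTER))
```

For the ping from the DMZ host, only the dmz-to-inside forward entry (`domain=nat`) and the dmz-to-inside `nat-reverse` entry move, which is exactly what the trace below shows in its NAT and rpf-check phases; the inside-to-dmz entries stay at zero because no traffic originated from Host A. Grouping by `user_data` puts each forward entry next to its reverse-domain counterpart so both can be read together.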
The packet capture shows:

    firepower# show capture DMZ
    8 packets captured
       1: 17:38:26.324812 192.168.76.14 > 192.168.76.100: icmp: echo request
       2: 17:38:26.326505 192.168.76.100 > 192.168.76.14: icmp: echo reply
       3: 17:38:27.317991 192.168.76.14 > 192.168.76.100: icmp: echo request
       4: 17:38:27.319456 192.168.76.100 > 192.168.76.14: icmp: echo reply
       5: 17:38:28.316344 192.168.76.14 > 192.168.76.100: icmp: echo request
       6: 17:38:28.317824 192.168.76.100 > 192.168.76.14: icmp: echo reply
       7: 17:38:29.330518 192.168.76.14 > 192.168.76.100: icmp: echo request
       8: 17:38:29.331983 192.168.76.100 > 192.168.76.14: icmp: echo reply
    8 packets shown
Trace of a packet (the important points are highlighted).

Note the ID of the NAT rule and its correlation with the ASP tables.

    firepower# show capture DMZ packet-number 3 trace detail
    8 packets captured
       3: 17:38:27.317991 000c.2998.3fec d8b1.90b7.32e0 0x0800 Length: 74
          192.168.76.14 > 192.168.76.100: icmp: echo request (ttl 128, id 9975)
    Phase: 1
    Type: CAPTURE
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
     in  id=0x7ff602c72be0, priority=13, domain=capture, deny=false
            hits=55, user_data=0x7ff602b74a50, cs_id=0x0, l3_type=0x0
            src mac=0000.0000.0000, mask=0000.0000.0000
            dst mac=0000.0000.0000, mask=0000.0000.0000
            input_ifc=dmz, output_ifc=any

    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
     in  id=0x7ff603612200, priority=1, domain=permit, deny=false
            hits=1, user_data=0x0, cs_id=0x0, l3_type=0x8
            src mac=0000.0000.0000, mask=0000.0000.0000
            dst mac=0000.0000.0000, mask=0100.0000.0000
            input_ifc=dmz, output_ifc=any

    Phase: 3
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Config:
    nat (inside,dmz) source static Host-A Host-B
    Additional Information:
    NAT divert to egress interface inside
    Untranslate 192.168.76.100/0 to 192.168.75.14/0

    Phase: 4
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group CSM_FW_ACL_ global
    access-list CSM_FW_ACL_ advanced permit ip host 192.168.76.14 host 192.168.75.14 rule-id 268434440
    access-list CSM_FW_ACL_ remark rule-id 268434440: ACCESS POLICY: FTD5506-1 - Mandatory/2
    access-list CSM_FW_ACL_ remark rule-id 268434440: L4 RULE: Host-B to Host-A
    Additional Information:
     This packet will be sent to snort for additional processing where a verdict will be reached
    Forward Flow based lookup yields rule:
     in  id=0x7ff602b72610, priority=12, domain=permit, deny=false
            hits=1, user_data=0x7ff5fa9d0180, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
            src ip/id=192.168.76.14, mask=255.255.255.255, port=0, tag=any, ifc=any
            dst ip/id=192.168.75.14, mask=255.255.255.255, port=0, tag=any, ifc=any, vlan=0, dscp=0x0
            input_ifc=any, output_ifc=any

    Phase: 5
    Type: CONN-SETTINGS
    Subtype:
    Result: ALLOW
    Config:
    class-map class-default
     match any
    policy-map global_policy
     class class-default
      set connection advanced-options UM_STATIC_TCP_MAP
    service-policy global_policy global
    Additional Information:
    Forward Flow based lookup yields rule:
     in  id=0x7ff60367cf80, priority=7, domain=conn-set, deny=false
            hits=1, user_data=0x7ff603677080, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
            input_ifc=dmz, output_ifc=any

    Phase: 6
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (inside,dmz) source static Host-A Host-B
    Additional Information:
    Static translate 192.168.76.14/1 to 192.168.76.14/1
    Forward Flow based lookup yields rule:
     in  id=0x7ff603696860, priority=6, domain=nat, deny=false
            hits=1, user_data=0x7ff602be3f80, cs_id=0x0, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
            dst ip/id=192.168.76.100, mask=255.255.255.255, port=0, tag=any, dscp=0x0
            input_ifc=dmz, output_ifc=inside

    Phase: 7
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
     in  id=0x7ff602220020, priority=0, domain=nat-per-session, deny=true
            hits=2, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
            input_ifc=any, output_ifc=any

    Phase: 8
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
     in  id=0x7ff6035c0af0, priority=0, domain=inspect-ip-options, deny=true
            hits=1, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
            input_ifc=dmz, output_ifc=any

    Phase: 9
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    class-map inspection_default
     match default-inspection-traffic
    policy-map global_policy
     class inspection_default
      inspect icmp
    service-policy global_policy global
    Additional Information:
    Forward Flow based lookup yields rule:
     in  id=0x7ff602b5f020, priority=70, domain=inspect-icmp, deny=false
            hits=2, user_data=0x7ff602be7460, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
            src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
            dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
            input_ifc=dmz, output_ifc=any

    Phase: 10
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
     in  id=0x7ff602b3a6d0, priority=70, domain=inspect-icmp-error, deny=false
            hits=2, user_data=0x7ff603672ec0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
            src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
            dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
            input_ifc=dmz, output_ifc=any

    Phase: 11
    Type: NAT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    nat (inside,dmz) source static Host-A Host-B
    Additional Information:
    Forward Flow based lookup yields rule:
     out id=0x7ff603685350, priority=6, domain=nat-reverse, deny=false
            hits=2, user_data=0x7ff60314dbf0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
            dst ip/id=192.168.75.14, mask=255.255.255.255, port=0, tag=any, dscp=0x0
            input_ifc=dmz, output_ifc=inside

    Phase: 12
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Reverse Flow based lookup yields rule:
     in  id=0x7ff602220020, priority=0, domain=nat-per-session, deny=true
            hits=4, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
            input_ifc=any, output_ifc=any

    Phase: 13
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Reverse Flow based lookup yields rule:
     in  id=0x7ff602c56d10, priority=0, domain=inspect-ip-options, deny=true
            hits=2, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
            input_ifc=inside, output_ifc=any

    Phase: 14
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 5084, packet dispatched to next module
    Module information for forward flow ...
    snp_fp_inspect_ip_options
    snp_fp_snort
    snp_fp_inspect_icmp
    snp_fp_translate
    snp_fp_adjacency
    snp_fp_fragment
    snp_ifc_stat

    Module information for reverse flow ...
    snp_fp_inspect_ip_options
    snp_fp_translate
    snp_fp_inspect_icmp
    snp_fp_snort
    snp_fp_adjacency
    snp_fp_fragment
    snp_ifc_stat

    Phase: 15
    Type: EXTERNAL-INSPECT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Application: 'SNORT Inspect'

    Phase: 16
    Type: SNORT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Snort Verdict: (pass-packet) allow this packet

    Phase: 17
    Type: ROUTE-LOOKUP
    Subtype: Resolve Egress Interface
    Result: ALLOW
    Config:
    Additional Information:
    found next-hop 192.168.75.14 using egress ifc inside

    Phase: 18
    Type: ADJACENCY-LOOKUP
    Subtype: next-hop and adjacency
    Result: ALLOW
    Config:
    Additional Information:
    adjacency Active
    next-hop mac address 000c.2930.2b78 hits 140694538708414

    Phase: 19
    Type: CAPTURE
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
     out id=0x7ff6036a94e0, priority=13, domain=capture, deny=false
            hits=14, user_data=0x7ff6024aff90, cs_id=0x0, l3_type=0x0
            src mac=0000.0000.0000, mask=0000.0000.0000
            dst mac=0000.0000.0000, mask=0000.0000.0000
            input_ifc=inside, output_ifc=any

    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: allow

    1 packet shown
Configure NAT as per these requirements:

| Setting | Value |
|---|---|
| NAT rule | Manual NAT rule |
| NAT type | Dynamic |
| Insert | Section 1 |
| Source interface | inside* |
| Destination interface | outside* |
| Original source | 192.168.75.0/24 |
| Translated source | Outside interface (PAT) |

* Use security zones for the NAT rule.
[Diagram: Static NAT, PAT]
Solution:

Step 1. Add a second NAT rule and configure it as per the task requirements, as shown in the image.

Step 2. Configure the PAT as shown in the image.

Step 3. The result is as shown in the image.

Step 4. For the rest of this lab, configure the access control policy to allow all traffic through.

Verification:

The NAT configuration:

    firepower# show nat
    Manual NAT Policies (Section 1)
    1 (inside) to (dmz) source static Host-A Host-B
        translate_hits = 26, untranslate_hits = 26
    2 (inside) to (outside) source dynamic Net_192.168.75.0_24bits interface
        translate_hits = 0, untranslate_hits = 0
On the LINA CLI, note the new entry:

    firepower# show xlate
    3 in use, 19 most used
    Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
           s - static, T - twice, N - net-to-net
    NAT from inside:192.168.75.14 to dmz:192.168.76.100
        flags sT idle 1:15:14 timeout 0:00:00
    NAT from dmz:0.0.0.0/0 to inside:0.0.0.0/0
        flags sIT idle 1:15:14 timeout 0:00:00
    NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
        flags sIT idle 0:04:02 timeout 0:00:00
Enable captures on the inside and outside interfaces. On the inside capture, enable trace:

    firepower# capture CAPI trace interface inside match ip host 192.168.75.14 host 192.168.77.1
    firepower# capture CAPO interface outside match ip any host 192.168.77.1
From Host A (192.168.75.14) ping IP 192.168.77.1, as shown in the image.

In the LINA captures you can see the PAT translation:

    firepower# show cap CAPI
    8 packets captured
       1: 18:54:43.658001 192.168.75.14 > 192.168.77.1: icmp: echo request
       2: 18:54:43.659099 192.168.77.1 > 192.168.75.14: icmp: echo reply
       3: 18:54:44.668544 192.168.75.14 > 192.168.77.1: icmp: echo request
       4: 18:54:44.669505 192.168.77.1 > 192.168.75.14: icmp: echo reply
       5: 18:54:45.682368 192.168.75.14 > 192.168.77.1: icmp: echo request
       6: 18:54:45.683421 192.168.77.1 > 192.168.75.14: icmp: echo reply
       7: 18:54:46.696436 192.168.75.14 > 192.168.77.1: icmp: echo request
       8: 18:54:46.697412 192.168.77.1 > 192.168.75.14: icmp: echo reply

    firepower# show cap CAPO
    8 packets captured
       1: 18:54:43.658672 192.168.77.6 > 192.168.77.1: icmp: echo request
       2: 18:54:43.658962 192.168.77.1 > 192.168.77.6: icmp: echo reply
       3: 18:54:44.669109 192.168.77.6 > 192.168.77.1: icmp: echo request
       4: 18:54:44.669337 192.168.77.1 > 192.168.77.6: icmp: echo reply
       5: 18:54:45.682932 192.168.77.6 > 192.168.77.1: icmp: echo request
       6: 18:54:45.683207 192.168.77.1 > 192.168.77.6: icmp: echo reply
       7: 18:54:46.697031 192.168.77.6 > 192.168.77.1: icmp: echo request
       8: 18:54:46.697275 192.168.77.1 > 192.168.77.6: icmp: echo reply
Trace of a packet, with the important points highlighted:

    firepower# show cap CAPI packet-number 1 trace
    8 packets captured
       1: 18:54:43.658001 192.168.75.14 > 192.168.77.1: icmp: echo request
    Phase: 1
    Type: CAPTURE
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    MAC Access list

    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list

    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: Resolve Egress Interface
    Result: ALLOW
    Config:
    Additional Information:
    found next-hop 192.168.77.1 using egress ifc outside

    Phase: 4
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group CSM_FW_ACL_ global
    access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268434434
    access-list CSM_FW_ACL_ remark rule-id 268434434: ACCESS POLICY: FTD5506-1 - Default/1
    access-list CSM_FW_ACL_ remark rule-id 268434434: L4 RULE: DEFAULT ACTION RULE
    Additional Information:
     This packet will be sent to snort for additional processing where a verdict will be reached

    Phase: 5
    Type: CONN-SETTINGS
    Subtype:
    Result: ALLOW
    Config:
    class-map class-default
     match any
    policy-map global_policy
     class class-default
      set connection advanced-options UM_STATIC_TCP_MAP
    service-policy global_policy global
    Additional Information:

    Phase: 6
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (inside,outside) source dynamic Net_192.168.75.0_24bits interface
    Additional Information:
    Dynamic translate 192.168.75.14/1 to 192.168.77.6/1

    Phase: 7
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 8
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 9
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    class-map inspection_default
     match default-inspection-traffic
    policy-map global_policy
     class inspection_default
      inspect icmp
    service-policy global_policy global
    Additional Information:

    Phase: 10
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 11
    Type: NAT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    nat (inside,outside) source dynamic Net_192.168.75.0_24bits interface
    Additional Information:

    Phase: 12
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 13
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 14
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 6981, packet dispatched to next module

    Phase: 15
    Type: EXTERNAL-INSPECT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Application: 'SNORT Inspect'

    Phase: 16
    Type: SNORT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Snort Verdict: (pass-packet) allow this packet

    Phase: 17
    Type: ROUTE-LOOKUP
    Subtype: Resolve Egress Interface
    Result: ALLOW
    Config:
    Additional Information:
    found next-hop 192.168.77.1 using egress ifc outside

    Phase: 18
    Type: ADJACENCY-LOOKUP
    Subtype: next-hop and adjacency
    Result: ALLOW
    Config:
    Additional Information:
    adjacency Active
    next-hop mac address c84c.758d.4980 hits 140694538709114

    Phase: 19
    Type: CAPTURE
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    MAC Access list

    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow

    1 packet shown
A dynamic xlate was created (note the ri flags):

    firepower# show xlate
    4 in use, 19 most used
    Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
           s - static, T - twice, N - net-to-net
    NAT from inside:192.168.75.14 to dmz:192.168.76.100
        flags sT idle 1:16:47 timeout 0:00:00
    NAT from dmz:0.0.0.0/0 to inside:0.0.0.0/0
        flags sIT idle 1:16:47 timeout 0:00:00
    NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
        flags sIT idle 0:05:35 timeout 0:00:00
    ICMP PAT from inside:192.168.75.14/1 to outside:192.168.77.6/1 flags ri idle 0:00:30 timeout 0:00:30
In the LINA logs you see:

    firepower# show log
    May 31 2016 18:54:43: %ASA-7-609001: Built local-host inside:192.168.75.14
    May 31 2016 18:54:43: %ASA-6-305011: Built dynamic ICMP translation from inside:192.168.75.14/1 to outside:192.168.77.6/1
    May 31 2016 18:54:43: %ASA-7-609001: Built local-host outside:192.168.77.1
    May 31 2016 18:54:43: %ASA-6-302020: Built inbound ICMP connection for faddr 192.168.75.14/1 gaddr 192.168.77.1/0 laddr 192.168.77.1/0
    May 31 2016 18:54:43: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.75.14/1 gaddr 192.168.77.1/0 laddr 192.168.77.1/0
    May 31 2016 18:54:43: %ASA-7-609002: Teardown local-host outside:192.168.77.1 duration 0:00:00
    May 31 2016 18:55:17: %ASA-6-305012: Teardown dynamic ICMP translation from inside:192.168.75.14/1 to outside:192.168.77.6/1 duration 0:00:34
The NAT sections:

    firepower# show nat
    Manual NAT Policies (Section 1)
    1 (inside) to (dmz) source static Host-A Host-B
        translate_hits = 26, untranslate_hits = 26
    2 (inside) to (outside) source dynamic Net_192.168.75.0_24bits interface
        translate_hits = 94, untranslate_hits = 138
The ASP tables show:

    firepower# show asp table classify domain nat
    Input Table
    in  id=0x7ff6036a9f50, priority=6, domain=nat, deny=false
            hits=0, user_data=0x7ff60314dbf0, cs_id=0x0, flags=0x0, protocol=0
            src ip/id=192.168.75.14, mask=255.255.255.255, port=0, tag=any
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
            input_ifc=inside, output_ifc=dmz
    in  id=0x7ff603696860, priority=6, domain=nat, deny=false
            hits=4, user_data=0x7ff602be3f80, cs_id=0x0, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
            dst ip/id=192.168.76.100, mask=255.255.255.255, port=0, tag=any, dscp=0x0
            input_ifc=dmz, output_ifc=inside
    in  id=0x7ff602c75f00, priority=6, domain=nat, deny=false
            hits=94, user_data=0x7ff6036609a0, cs_id=0x0, flags=0x0, protocol=0
            src ip/id=192.168.75.0, mask=255.255.255.0, port=0, tag=any
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
            input_ifc=inside, output_ifc=outside
    in  id=0x7ff603681fb0, priority=6, domain=nat, deny=false
            hits=276, user_data=0x7ff60249f370, cs_id=0x0, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
            dst ip/id=192.168.77.6, mask=255.255.255.255, port=0, tag=any, dscp=0x0
            input_ifc=outside, output_ifc=inside

    firepower# show asp table classify domain nat-reverse
    Input Table

    Output Table:
    out id=0x7ff603685350, priority=6, domain=nat-reverse, deny=false
            hits=4, user_data=0x7ff60314dbf0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
            dst ip/id=192.168.75.14, mask=255.255.255.255, port=0, tag=any, dscp=0x0
            input_ifc=dmz, output_ifc=inside
    out id=0x7ff603638470, priority=6, domain=nat-reverse, deny=false
            hits=0, user_data=0x7ff602be3f80, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
            src ip/id=192.168.75.14, mask=255.255.255.255, port=0, tag=any
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
            input_ifc=inside, output_ifc=dmz
    out id=0x7ff60361bda0, priority=6, domain=nat-reverse, deny=false
            hits=138, user_data=0x7ff6036609a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
            dst ip/id=192.168.75.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
            input_ifc=outside, output_ifc=inside
    out id=0x7ff60361c180, priority=6, domain=nat-reverse, deny=false
            hits=94, user_data=0x7ff60249f370, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
            src ip/id=192.168.75.0, mask=255.255.255.0, port=0, tag=any
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
            input_ifc=inside, output_ifc=outside
Configure NAT as per these requirements:

| Setting | Value |
|---|---|
| NAT rule | Manual NAT rule |
| NAT type | Static |
| Insert | Section 1, above all existing rules |
| Source interface | inside* |
| Destination interface | outside* |
| Original source | 192.168.75.0/24 |
| Translated source | 192.168.75.0/24 |
| Original destination | 10.1.1.0/24 |
| Translated destination | 10.1.1.0/24 |

* Use security zones for the NAT rule.
[Diagram: Static NAT, PAT, NAT exemption]
Solution:

Step 1. Add a third NAT rule and configure it as per the task requirements, as shown in the image.

Step 2. Use a route lookup to determine the egress interface.

Note: For identity NAT rules, like the one you just added, you can change how the egress interface is determined and use a regular route lookup instead, as shown in the image.

Verification:

    firepower# show run nat
    nat (inside,outside) source static Net_192.168.75.0_24bits Net_192.168.75.0_24bits destination static net_10.1.1.0_24bits net_10.1.1.0_24bits
    nat (inside,dmz) source static Host-A Host-B
    nat (inside,outside) source dynamic Net_192.168.75.0_24bits interface

    firepower# show nat
    Manual NAT Policies (Section 1)
    1 (inside) to (outside) source static Net_192.168.75.0_24bits Net_192.168.75.0_24bits destination static net_10.1.1.0_24bits net_10.1.1.0_24bits
        translate_hits = 0, untranslate_hits = 0
    2 (inside) to (dmz) source static Host-A Host-B
        translate_hits = 26, untranslate_hits = 26
    3 (inside) to (outside) source dynamic Net_192.168.75.0_24bits interface
        translate_hits = 96, untranslate_hits = 138
Run Packet Tracer for non-VPN traffic that originates from the inside network. The PAT rule is used as expected:

    firepower# packet-tracer input inside tcp 192.168.75.14 1111 192.168.77.1 80
    Phase: 1
    Type: CAPTURE
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    MAC Access list

    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list

    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: Resolve Egress Interface
    Result: ALLOW
    Config:
    Additional Information:
    found next-hop 192.168.77.1 using egress ifc outside

    Phase: 4
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group CSM_FW_ACL_ global
    access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268434434
    access-list CSM_FW_ACL_ remark rule-id 268434434: ACCESS POLICY: FTD5506-1 - Default/1
    access-list CSM_FW_ACL_ remark rule-id 268434434: L4 RULE: DEFAULT ACTION RULE
    Additional Information:
     This packet will be sent to snort for additional processing where a verdict will be reached

    Phase: 5
    Type: CONN-SETTINGS
    Subtype:
    Result: ALLOW
    Config:
    class-map class-default
     match any
    policy-map global_policy
     class class-default
      set connection advanced-options UM_STATIC_TCP_MAP
    service-policy global_policy global
    Additional Information:

    Phase: 6
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (inside,outside) source dynamic Net_192.168.75.0_24bits interface
    Additional Information:
    Dynamic translate 192.168.75.14/1111 to 192.168.77.6/1111

    Phase: 7
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 8
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 9
    Type: NAT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    nat (inside,outside) source dynamic Net_192.168.75.0_24bits interface
    Additional Information:

    Phase: 10
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 11
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 12
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 7227, packet dispatched to next module

    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
對必須通過VPN隧道的流量運行Packet Tracer(由於第一次嘗試使VPN隧道啟動,請運行兩次)。
附註:您必須選擇NAT免除規則。
第一次Packet Tracer嘗試:
firepower# packet-tracer input inside tcp 192.168.75.14 1111 10.1.1.1 80 Phase: 1 Type: CAPTURE Subtype: Result: ALLOW Config: Additional Information: MAC Access list Phase: 2 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule Additional Information: MAC Access list Phase: 3 Type: UN-NAT Subtype: static Result: ALLOW Config: nat (inside,outside) source static Net_192.168.75.0_24bits Net_192.168.75.0_24bits destination static net_10.1.1.0_24bits net_10.1.1.0_24bits Additional Information: NAT divert to egress interface outside Untranslate 10.1.1.1/80 to 10.1.1.1/80 Phase: 4 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group CSM_FW_ACL_ global access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268434434 access-list CSM_FW_ACL_ remark rule-id 268434434: ACCESS POLICY: FTD5506-1 - Default/1 access-list CSM_FW_ACL_ remark rule-id 268434434: L4 RULE: DEFAULT ACTION RULE Additional Information: This packet will be sent to snort for additional processing where a verdict will be reached Phase: 5 Type: CONN-SETTINGS Subtype: Result: ALLOW Config: class-map class-default match any policy-map global_policy class class-default set connection advanced-options UM_STATIC_TCP_MAP service-policy global_policy global Additional Information: Phase: 6 Type: NAT Subtype: Result: ALLOW Config: nat (inside,outside) source static Net_192.168.75.0_24bits Net_192.168.75.0_24bits destination static net_10.1.1.0_24bits net_10.1.1.0_24bits Additional Information: Static translate 192.168.75.14/1111 to 192.168.75.14/1111 Phase: 7 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Phase: 8 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 9 Type: VPN Subtype: encrypt Result: DROP Config: Additional Information: Result: input-interface: inside input-status: up input-line-status: up output-interface: outside output-status: up output-line-status: up Action: drop Drop-reason: (acl-drop) Flow is denied by 
configured rule
第二次Packet Tracer嘗試:
firepower# packet-tracer input inside tcp 192.168.75.14 1111 10.1.1.1 80 Phase: 1 Type: CAPTURE Subtype: Result: ALLOW Config: Additional Information: MAC Access list Phase: 2 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule Additional Information: MAC Access list Phase: 3 Type: UN-NAT Subtype: static Result: ALLOW Config: nat (inside,outside) source static Net_192.168.75.0_24bits Net_192.168.75.0_24bits destination static net_10.1.1.0_24bits net_10.1.1.0_24bits Additional Information: NAT divert to egress interface outside Untranslate 10.1.1.1/80 to 10.1.1.1/80 Phase: 4 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group CSM_FW_ACL_ global access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268434434 access-list CSM_FW_ACL_ remark rule-id 268434434: ACCESS POLICY: FTD5506-1 - Default/1 access-list CSM_FW_ACL_ remark rule-id 268434434: L4 RULE: DEFAULT ACTION RULE Additional Information: This packet will be sent to snort for additional processing where a verdict will be reached Phase: 5 Type: CONN-SETTINGS Subtype: Result: ALLOW Config: class-map class-default match any policy-map global_policy class class-default set connection advanced-options UM_STATIC_TCP_MAP service-policy global_policy global Additional Information: Phase: 6 Type: NAT Subtype: Result: ALLOW Config: nat (inside,outside) source static Net_192.168.75.0_24bits Net_192.168.75.0_24bits destination static net_10.1.1.0_24bits net_10.1.1.0_24bits Additional Information: Static translate 192.168.75.14/1111 to 192.168.75.14/1111 Phase: 7 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Phase: 8 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 9 Type: VPN Subtype: encrypt Result: ALLOW Config: Additional Information: Phase: 10 Type: NAT Subtype: rpf-check Result: ALLOW Config: nat (inside,outside) source static Net_192.168.75.0_24bits Net_192.168.75.0_24bits destination static net_10.1.1.0_24bits 
net_10.1.1.0_24bits Additional Information: Phase: 11 Type: VPN Subtype: ipsec-tunnel-flow Result: ALLOW Config: Additional Information: Phase: 12 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Phase: 13 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 14 Type: FLOW-CREATION Subtype: Result: ALLOW Config: Additional Information: New flow created with id 7226, packet dispatched to next module Result: input-interface: inside input-status: up input-line-status: up output-interface: outside output-status: up output-line-status: up Action: allow
NAT命中計數驗證:
firepower# show nat Manual NAT Policies (Section 1) 1 (inside) to (outside) source static Net_192.168.75.0_24bits Net_192.168.75.0_24bits destination static net_10.1.1.0_24bits net_10.1.1.0_24bits translate_hits = 9, untranslate_hits = 9 2 (inside) to (dmz) source static Host-A Host-B translate_hits = 26, untranslate_hits = 26 3 (inside) to (outside) source dynamic Net_192.168.75.0_24bits interface translate_hits = 98, untranslate_hits = 138
根據以下要求配置NAT:
NAT規則 |
自動NAT規則 |
NAT型別 |
靜態 |
插入 |
第2部分 |
源介面 |
inside* |
目標介面 |
dmz* |
原始源 |
192.168.75.99 |
轉換後的源 |
192.168.76.99 |
轉換與此規則匹配的DNS應答 |
已啟用 |
*為NAT規則使用安全區域
解決方案:
步驟1.根據任務要求配置規則,如下圖所示。
步驟2.結果如下圖所示。
驗證:
```
firepower# show run nat
nat (inside,outside) source static Net_192.168.75.0_24bits Net_192.168.75.0_24bits destination static net_10.1.1.0_24bits net_10.1.1.0_24bits
nat (inside,dmz) source static Host-A Host-B
nat (inside,outside) source dynamic Net_192.168.75.0_24bits interface
!
object network obj-192.168.75.99
 nat (inside,dmz) static obj-192.168.76.99 dns
```

```
firepower# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static Net_192.168.75.0_24bits Net_192.168.75.0_24bits destination static net_10.1.1.0_24bits net_10.1.1.0_24bits
    translate_hits = 9, untranslate_hits = 9
2 (inside) to (dmz) source static Host-A Host-B
    translate_hits = 26, untranslate_hits = 26
3 (inside) to (outside) source dynamic Net_192.168.75.0_24bits interface
    translate_hits = 98, untranslate_hits = 138

Auto NAT Policies (Section 2)
1 (inside) to (dmz) source static obj-192.168.75.99 obj-192.168.76.99 dns
    translate_hits = 0, untranslate_hits = 0
```
Verification with Packet Tracer:

```
firepower# packet-tracer input inside tcp 192.168.75.99 1111 192.168.76.100 80

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.76.100 using egress ifc dmz

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268434434
access-list CSM_FW_ACL_ remark rule-id 268434434: ACCESS POLICY: FTD5506-1 - Default/1
access-list CSM_FW_ACL_ remark rule-id 268434434: L4 RULE: DEFAULT ACTION RULE
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj-192.168.75.99
 nat (inside,dmz) static obj-192.168.76.99 dns
Additional Information:
Static translate 192.168.75.99/1111 to 192.168.76.99/1111

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 7245, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow
```
Configure NAT according to these requirements:

Requirement | Value
---|---
NAT Rule | Manual NAT Rule
NAT Type | Dynamic
Insert | In Section 3
Source Interface | inside*
Destination Interface | dmz*
Original Source | 192.168.75.0/24
Translated Source | 192.168.76.20-22
Use the whole range (1-65535) | Enabled

*Use security zones for the NAT rule

Solution:

Step 1. Configure the rule according to the task requirements, as shown in the image.

Step 2. Enable Flat Port Range with Include Reserve Ports; this allows the whole port range (1-65535) to be used, as shown in the image.

Step 3. The result is as shown in the image.

Verification:
```
firepower# show run nat
nat (inside,outside) source static Net_192.168.75.0_24bits Net_192.168.75.0_24bits destination static net_10.1.1.0_24bits net_10.1.1.0_24bits
nat (inside,dmz) source static Host-A Host-B
nat (inside,outside) source dynamic Net_192.168.75.0_24bits interface
!
object network obj-192.168.75.99
 nat (inside,dmz) static obj-192.168.76.99 dns
!
nat (inside,dmz) after-auto source dynamic Net_192.168.75.0_24bits pat-pool range-192.168.76.20-22 flat include-reserve
```

The rule is in Section 3:

```
firepower# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static Net_192.168.75.0_24bits Net_192.168.75.0_24bits destination static net_10.1.1.0_24bits net_10.1.1.0_24bits
    translate_hits = 9, untranslate_hits = 9
2 (inside) to (dmz) source static Host-A Host-B
    translate_hits = 26, untranslate_hits = 26
3 (inside) to (outside) source dynamic Net_192.168.75.0_24bits interface
    translate_hits = 98, untranslate_hits = 138

Auto NAT Policies (Section 2)
1 (inside) to (dmz) source static obj-192.168.75.99 obj-192.168.76.99 dns
    translate_hits = 1, untranslate_hits = 0

Manual NAT Policies (Section 3)
1 (inside) to (dmz) source dynamic Net_192.168.75.0_24bits pat-pool range-192.168.76.20-22 flat include-reserve
    translate_hits = 0, untranslate_hits = 0
```
Packet Tracer verification:

```
firepower# packet-tracer input inside icmp 192.168.75.15 8 0 192.168.76.5

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.76.5 using egress ifc dmz

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268434434
access-list CSM_FW_ACL_ remark rule-id 268434434: ACCESS POLICY: FTD5506-1 - Default/1
access-list CSM_FW_ACL_ remark rule-id 268434434: L4 RULE: DEFAULT ACTION RULE
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,dmz) after-auto source dynamic Net_192.168.75.0_24bits pat-pool range-192.168.76.20-22 flat include-reserve
Additional Information:
Dynamic translate 192.168.75.15/0 to 192.168.76.20/11654

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 10
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,dmz) after-auto source dynamic Net_192.168.75.0_24bits pat-pool range-192.168.76.20-22 flat include-reserve
Additional Information:

Phase: 12
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 7289, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow
```
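As an added example (not Cisco's code and not part of the original document), the following Python parses the show nat output above into its sections and hit counters, then does a simplified first-match lookup in Section 1, 2, 3 order to reproduce the Phase 6 NAT results of the three packet-tracer runs on this page. The SHOW_NAT text and the OBJECTS name-to-prefix map are constructed from this page's lab; real FTD rule selection (Section 2 ordering by specificity, "any" interfaces, destination matching for dynamic rules) is more involved than this lookup.

```python
import ipaddress
import re

# Constructed sample: the 'show nat' output from this page's lab, one rule per line.
SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static Net_192.168.75.0_24bits Net_192.168.75.0_24bits destination static net_10.1.1.0_24bits net_10.1.1.0_24bits
    translate_hits = 9, untranslate_hits = 9
2 (inside) to (dmz) source static Host-A Host-B
    translate_hits = 26, untranslate_hits = 26
3 (inside) to (outside) source dynamic Net_192.168.75.0_24bits interface
    translate_hits = 98, untranslate_hits = 138
Auto NAT Policies (Section 2)
1 (inside) to (dmz) source static obj-192.168.75.99 obj-192.168.76.99 dns
    translate_hits = 1, untranslate_hits = 0
Manual NAT Policies (Section 3)
1 (inside) to (dmz) source dynamic Net_192.168.75.0_24bits pat-pool range-192.168.76.20-22 flat include-reserve
    translate_hits = 0, untranslate_hits = 0
"""
# Network objects as defined in this page's lab (assumed mapping of object name to prefix).
OBJECTS = {"Net_192.168.75.0_24bits": "192.168.75.0/24", "net_10.1.1.0_24bits": "10.1.1.0/24",
           "Host-A": "192.168.75.14/32", "obj-192.168.75.99": "192.168.75.99/32"}

RULE_RE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) source (static|dynamic) (\S+) (\S+)"
                     r"(?: destination static (\S+) (\S+))?")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")

def parse_show_nat(text):
    """Return the rules in display order, each tagged with its section and hit counters."""
    rules, section = [], None
    for line in text.splitlines():
        if sec := re.search(r"\(Section (\d)\)", line):
            section = int(sec.group(1))
        elif m := RULE_RE.match(line.strip()):
            rules.append({"section": section, "num": int(m.group(1)), "src_if": m.group(2),
                          "dst_if": m.group(3), "type": m.group(4), "orig_src": m.group(5),
                          "xlat_src": m.group(6), "orig_dst": m.group(7), "hits": (0, 0)})
        elif (h := HITS_RE.search(line)) and rules:
            rules[-1]["hits"] = (int(h.group(1)), int(h.group(2)))
    return rules

def first_match(rules, src_ip, dst_ip, src_if, dst_if):
    """Simplified lookup: walk Section 1, then 2, then 3 in displayed order; first hit wins."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:  # 'show nat' already lists rules in section order
        if (r["src_if"], r["dst_if"]) != (src_if, dst_if):
            continue
        if src in ipaddress.ip_network(OBJECTS[r["orig_src"]]) and (
                not r["orig_dst"] or dst in ipaddress.ip_network(OBJECTS[r["orig_dst"]])):
            return r
    return None
```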
Use this section to confirm that your configuration works properly.

The verification process has been described in the individual task sections.

This section provides information you can use to troubleshoot your configuration.

Open the Advanced Troubleshooting page on FMC, run packet-tracer, and then run the show nat pool command.

Note: Observe the entries that use the whole port range, as shown in the image.
Revision | Publish Date | Comments
---|---|---
3.0 | 19-Dec-2024 | Updated Cisco internal information box code to red and formatting.
2.0 | 02-Aug-2023 | Added Alt Text. Updated SEO, Machine Translation, Style Requirements and Formatting.
1.0 | 29-Jan-2018 | Initial Release