205实验指导NAT.docx (Lab Guide 205: NAT)
- Document number: 9000292
- Uploaded: 2023-02-02
- Format: DOCX
- Pages: 27
- Size: 54.27KB
Lab Guide 205: NAT
Lab Guide (NAT)
I. Lab tasks
● Tasks:
1. Hosts on Inside can initiate connections to Outside; the traffic is translated (PAT) to the Outside interface address.
2. Hosts on Inside can initiate connections to the DMZ; IP addresses are not translated.
3. Servers in the DMZ may forward e-mail and DNS requests to Outside and may not reach Outside for anything else; that traffic is translated to the Outside interface address.
4. The DMZ contains a telnet server (10.35.35.3), a WWW server (10.35.35.4), a POP3/SMTP server (10.35.35.5) and a DNS server (10.35.35.6) that users on Outside must be able to reach; the public address for all of these servers is 15.15.15.100.
Note: in this topology only R3 (10.35.35.3) actually exists in the DMZ; 10.35.35.4 to 10.35.35.6 are placeholder addresses used by the static translations in step 6, and 10.35.35.5 is also the address given to the PIX DMZ interface in step 2. In a real deployment the mail server and the firewall interface must have distinct addresses.
II. Lab procedure
1. Pre-configuration:
-------------------------
R1:
en
conf t
hostname Outside
interface e0/0
no shutdown
duplex full
ip address 15.15.15.1 255.255.255.0
interface loopback 0
ip address 1.1.1.1 255.255.255.0
line vty 0 4
password cisco
login
end
-------------------------
R2:
en
conf t
hostname Inside
interface e0/0
no shutdown
duplex full
ip address 10.25.25.2 255.255.255.0
interface loopback 0
ip address 10.2.2.2 255.255.255.0
router rip
network 10.0.0.0
line vty 0 4
password cisco
login
end
-------------------------
R3:
en
conf t
hostname DMZ
interface e0/0
no shutdown
duplex full
ip address 10.35.35.3 255.255.255.0
interface loopback 0
ip address 10.3.3.3 255.255.255.0
router rip
network 10.0.0.0
line vty 0 4
password cisco
login
end
S1:
(run the following commands from the privileged "#" prompt)
en
vlan database
vlan 2
vlan 3
exit
conf t
hostname Switch
interface FastEthernet0/0
shutdown
interface FastEthernet0/5
no shutdown
switchport trunk native vlan 1000
switchport trunk encapsulation dot1q
switchport mode trunk
duplex full
speed 10
interface FastEthernet0/2
switchport mode access
switchport access vlan 2
interface FastEthernet0/3
switchport mode access
switchport access vlan 3
end
(Fa0/5 is the 802.1Q trunk toward the PIX; the native VLAN is moved to 1000 so that VLAN 1, 2 and 3 frames all arrive tagged and match the PIX subinterfaces configured in step 2. Fa0/2 carries R2 in VLAN 2 (Inside) and Fa0/3 carries R3 in VLAN 3 (DMZ).)
2. Basic configuration (on the PIX):
pixfirewall(config)# hostname FireWall
FireWall(config)# interface Ethernet0
FireWall(config-if)# no shutdown
FireWall(config)# interface Ethernet0.1
FireWall(config-subif)# vlan 1
FireWall(config-subif)# nameif Outside
FireWall(config-subif)# ip address 15.15.15.5 255.255.255.0
FireWall(config)# interface Ethernet0.2
FireWall(config-subif)# vlan 2
FireWall(config-subif)# nameif Inside
FireWall(config-subif)# ip address 10.25.25.5 255.255.255.0
FireWall(config)# interface Ethernet0.3
FireWall(config-subif)# vlan 3
FireWall(config-subif)# nameif DMZ
FireWall(config-subif)# ip address 10.35.35.5 255.255.255.0
FireWall(config)# route outside 0 0 15.15.15.1
FireWall(config)# router rip
FireWall(config-router)# network 10.0.0.0
FireWall(config-router)# redistribute static
FireWall(config)# interface Ethernet0.1
FireWall(config-subif)# security-level 0
FireWall(config)# interface Ethernet0.2
FireWall(config-subif)# security-level 100
FireWall(config)# interface Ethernet0.3
FireWall(config-subif)# security-level 50
(route outside 0 0 15.15.15.1 is the default route, 0.0.0.0/0 via R1; redistribute static advertises it into RIP so that R2 and R3, which only run RIP, learn a path toward 1.1.1.1. The security levels set the default policy: an interface may initiate connections to any interface with a lower level, so at this point Inside (100) can reach DMZ (50) and Outside (0), DMZ can reach Outside, and nothing can initiate inbound from Outside.)
Test:
Telnet from R2 and R3 to 1.1.1.1 and observe how the firewall behaves before any NAT is configured. On PIX 7.x nat-control is disabled by default, so the PIX forwards the packets untranslated; R1 can reply only because its configuration in section III carries a static route for 10.0.0.0/8 via 15.15.15.5.
3. Configure PAT for Inside and the DMZ toward the outside network:
FireWall(config)# nat-control
FireWall(config)# nat (inside) 1 10.0.0.0 255.0.0.0
FireWall(config)# nat (dmz) 1 10.0.0.0 255.0.0.0
FireWall(config)# global (outside) 1 interface
(With nat-control enabled, a packet leaving a higher-security interface for a lower-security one is dropped unless it matches a nat/global pair or an exemption; nat id 1 on Inside and DMZ paired with global (outside) 1 interface translates both to the Outside interface address 15.15.15.5. Because there is no global for the DMZ interface, Inside-to-DMZ traffic is now dropped as well, which is what step 5 fixes.)
Test:
Telnet from R2 and R3 to 1.1.1.1. Which source address does R1 see?
R2# telnet 1.1.1.1
Trying 1.1.1.1 ... Open
User Access Verification
Password:
R1> show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:04:58
* 130 vty 0                idle                 00:00:00 15.15.15.5
  131 vty 1                idle                 00:00:01 15.15.15.5
Both sessions arrive from 15.15.15.5, the PIX Outside interface address, so R1 cannot distinguish R2 from R3.
On the PIX, inspect the translation and connection tables:
PIX1(config)# show xlate
2 in use, 2 most used
PAT Global 15.15.15.5(1025) Local 10.35.35.3(42895)
PAT Global 15.15.15.5(1024) Local 10.25.25.2(51483)
PIX1(config)# show conn
6 in use, 6 most used
TCP out 1.1.1.1:23 in 10.35.35.3:42895 idle 0:00:18 bytes 102 flags UIO
TCP out 1.1.1.1:23 in 10.25.25.2:51483 idle 0:00:06 bytes 482 flags UIO
4. Restrict the DMZ servers to forwarding only e-mail and DNS to the Internet (on the PIX):
FireWall(config)# access-list DMZ_IN extended permit tcp any any eq smtp
FireWall(config)# access-list DMZ_IN extended permit tcp any any eq pop3
FireWall(config)# access-list DMZ_IN extended permit tcp any any eq domain
FireWall(config)# access-list DMZ_IN extended permit udp any any eq domain
FireWall(config)# access-group DMZ_IN in interface DMZ
Test: can R3 still telnet to 1.1.1.1 (R1)? It should fail. Once an access-group is applied inbound on the DMZ interface, the access list, with its implicit deny at the end, replaces the security-level default that let level 50 initiate to level 0, so anything the DMZ originates other than SMTP, POP3 and DNS is dropped.
5. Configure NAT 0 for Inside access to the DMZ (on the PIX):
FireWall(config)# access-list NONAT extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
FireWall(config)# nat (Inside) 0 access-list NONAT
Test:
Telnet from R2 to R3 (10.3.3.3). Which source address does R3 see?
R2# telnet 10.3.3.3
Trying 10.3.3.3 ... Open
User Access Verification
Password:
R3> show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:02:36
* 130 vty 0                idle                 00:00:00 10.25.25.2
R3 sees the real address 10.25.25.2: the NONAT exemption is checked before the dynamic nat rule from step 3, so 10/8-to-10/8 traffic from Inside passes untranslated.
PIX1(config)# show xlate
0 in use, 2 most used
PIX1(config)# show conn
5 in use, 6 most used
TCP out 10.3.3.3:23 in 10.25.25.2:37873 idle 0:00:09 bytes 90 flags UIO
// Note:
"nat 0 + ACL" (NAT exemption) creates no xlate entries; this differs from a plain "nat 0" (identity NAT), which does create them.
6. Configure Outside access to the servers in the DMZ with static NAT (on the PIX):
FireWall(config)# access-list OUTSIDE_IN extended permit tcp any host 15.15.15.100 eq telnet
FireWall(config)# access-list OUTSIDE_IN extended permit tcp any host 15.15.15.100 eq www
FireWall(config)# access-list OUTSIDE_IN extended permit tcp any host 15.15.15.100 eq pop3
FireWall(config)# access-list OUTSIDE_IN extended permit tcp any host 15.15.15.100 eq smtp
FireWall(config)# access-list OUTSIDE_IN extended permit udp any host 15.15.15.100 eq domain
FireWall(config)# access-list OUTSIDE_IN extended permit tcp any host 15.15.15.100 eq domain
FireWall(config)# access-group OUTSIDE_IN in interface Outside
FireWall(config)# static (DMZ,Outside) tcp 15.15.15.100 telnet 10.35.35.3 telnet netmask 255.255.255.255
FireWall(config)# static (DMZ,Outside) tcp 15.15.15.100 www 10.35.35.4 www netmask 255.255.255.255
FireWall(config)# static (DMZ,Outside) tcp 15.15.15.100 pop3 10.35.35.5 pop3 netmask 255.255.255.255
FireWall(config)# static (DMZ,Outside) tcp 15.15.15.100 smtp 10.35.35.5 smtp netmask 255.255.255.255
FireWall(config)# static (DMZ,Outside) udp 15.15.15.100 domain 10.35.35.6 domain netmask 255.255.255.255
FireWall(config)# static (DMZ,Outside) tcp 15.15.15.100 domain 10.35.35.6 domain netmask 255.255.255.255
(Two things are needed for inbound access: the static creates the translation, and the access list applied inbound on Outside permits the connection. On this PIX release the Outside access list is matched on the public address, hence "host 15.15.15.100". Because each static is a port-level translation, only the six listed ports of 15.15.15.100 are exposed and each is pinned to one DMZ host; the real DMZ addresses remain unreachable from Outside.)
Test:
Telnet from R1 to R3 (15.15.15.100 is its public address). Which source address does R3 see?
R1# 15.15.15.100
(IOS treats a bare IP address as an implicit telnet.)
Trying 15.15.15.100 ... Open
User Access Verification
Password:
R3> show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:01:00
* 130 vty 0                idle                 00:00:00 15.15.15.1
PIX1(config)# show xlate
5 in use, 5 most used
PAT Global 15.15.15.100(23) Local 10.35.35.3(23)
PAT Global 15.15.15.100(80) Local 10.35.35.4(80)
PAT Global 15.15.15.100(110) Local 10.35.35.5(110)
PAT Global 15.15.15.100(25) Local 10.35.35.5(25)
PAT Global 15.15.15.100(53) Local 10.35.35.6(53)
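The following Python model is an added example and is not part of the lab guide or of any Cisco tool. It encodes the policy built up in steps 2 to 6 (security levels, the DMZ_IN and OUTSIDE_IN access lists, the NONAT exemption, the nat/global PAT and the static port forwards) and, for a first packet, answers whether the PIX accepts it, which interface it leaves on and with which addresses. The addresses and interface names are those of the lab; the evaluation order (static un-translation, routing, ingress ACL or security-level check, then source NAT under nat-control) is a simplified reading of PIX 7.x behaviour and is an assumption of this example. The `access_groups` and `nonat` parameters let you replay the state after step 3 (no ACLs, no exemption) against the final state.

```python
"""Policy model of the PIX built in steps 2 to 6 (added example, not the lab's code).

The evaluation order below is an assumption: static un-translation, routing,
ingress ACL (or security-level default), then source NAT under nat-control.
Only TCP/UDP first packets are modelled; the PIX handles return traffic
statefully, which is not represented here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

SECURITY_LEVEL = {"Outside": 0, "Inside": 100, "DMZ": 50}
ANY = ip_network("0.0.0.0/0")
PUBLIC_SERVER = ip_network("15.15.15.100/32")

# PIX routing table: connected subnets, loopbacks learned via RIP, default route.
ROUTES = [
    (ip_network("10.25.25.0/24"), "Inside"), (ip_network("10.2.2.0/24"), "Inside"),
    (ip_network("10.35.35.0/24"), "DMZ"), (ip_network("10.3.3.0/24"), "DMZ"),
    (ip_network("15.15.15.0/24"), "Outside"), (ANY, "Outside"),
]
# access-list entries (proto, src, dst, dport), bound with access-group ... in.
ACCESS_GROUPS = {
    "DMZ": [("tcp", ANY, ANY, 25), ("tcp", ANY, ANY, 110),            # DMZ_IN
            ("tcp", ANY, ANY, 53), ("udp", ANY, ANY, 53)],
    "Outside": [(p, ANY, PUBLIC_SERVER, port) for p, port in           # OUTSIDE_IN
                (("tcp", 23), ("tcp", 80), ("tcp", 110), ("tcp", 25), ("udp", 53), ("tcp", 53))],
}
# static (DMZ,Outside) <proto> 15.15.15.100 <port> <real ip> <port> netmask 255.255.255.255
STATICS = {("tcp", 23): "10.35.35.3", ("tcp", 80): "10.35.35.4", ("tcp", 110): "10.35.35.5",
           ("tcp", 25): "10.35.35.5", ("udp", 53): "10.35.35.6", ("tcp", 53): "10.35.35.6"}
# nat (Inside) 0 access-list NONAT: 10/8 -> 10/8 from Inside is exempt from translation
NONAT = {"Inside": [(ip_network("10.0.0.0/8"), ip_network("10.0.0.0/8"))]}
# nat (inside) 1 10/8, nat (dmz) 1 10/8, global (outside) 1 interface
NAT_ID1 = {"Inside": ip_network("10.0.0.0/8"), "DMZ": ip_network("10.0.0.0/8")}
GLOBALS = {"Outside": "15.15.15.5"}


@dataclass
class Decision:
    allowed: bool
    reason: str
    egress: Optional[str] = None
    src: Optional[str] = None  # source address as the packet leaves the PIX
    dst: Optional[str] = None  # destination address as the packet leaves the PIX


def route(dst):
    """Longest-prefix match over ROUTES; the default route guarantees a hit."""
    return max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)[1]


def acl_permits(entries, proto, src, dst, dport):
    return any(p == proto and src in s and dst in d and dport == port
               for p, s, d, port in entries)


def evaluate(ingress, src, dst, proto, dport,
             access_groups=ACCESS_GROUPS, nonat=NONAT):
    """Fate of a first packet arriving on interface `ingress` (nameif names)."""
    src, arrived_dst = ip_address(src), ip_address(dst)
    # 1. Un-translate the destination through a static.  The Outside ACL is
    #    still matched against the address the packet arrived with.
    via_static = (ingress == "Outside" and arrived_dst in PUBLIC_SERVER
                  and (proto, dport) in STATICS)
    dst = ip_address(STATICS[(proto, dport)]) if via_static else arrived_dst
    egress = route(dst)
    # 2. An access-group replaces the security-level default on its interface
    #    and ends with an implicit deny.
    if ingress in access_groups:
        if not acl_permits(access_groups[ingress], proto, src, arrived_dst, dport):
            return Decision(False, f"denied by access-group on {ingress}")
    elif SECURITY_LEVEL[ingress] <= SECURITY_LEVEL[egress]:
        return Decision(False, f"{ingress} may not initiate to {egress} without an ACL")
    if egress == ingress:
        return Decision(False, "traffic back out the same interface is not modelled")
    # 3. Source NAT with nat-control on: exemption, then the static (inbound
    #    direction), then dynamic nat/global; no match means the PIX drops the
    #    packet ("no translation group found").
    if via_static:
        return Decision(True, "inbound through static", egress, str(src), str(dst))
    if any(src in s and dst in d for s, d in nonat.get(ingress, [])):
        return Decision(True, "nat 0 exemption, no xlate", egress, str(src), str(dst))
    if ingress in NAT_ID1 and src in NAT_ID1[ingress] and egress in GLOBALS:
        return Decision(True, "PAT to Outside interface address", egress, GLOBALS[egress], str(dst))
    return Decision(False, f"nat-control: no translation group {ingress} -> {egress}")


if __name__ == "__main__":
    # The lab's own tests plus two negative cases: SSH to the public address,
    # and telnet to the real DMZ address of R3 from Outside.
    for pkt in [("Inside", "10.25.25.2", "1.1.1.1", "tcp", 23),
                ("DMZ", "10.35.35.3", "1.1.1.1", "tcp", 23),
                ("DMZ", "10.35.35.5", "1.1.1.1", "tcp", 25),
                ("Inside", "10.25.25.2", "10.3.3.3", "tcp", 23),
                ("Outside", "15.15.15.1", "15.15.15.100", "tcp", 23),
                ("Outside", "15.15.15.1", "15.15.15.100", "tcp", 22),
                ("Outside", "15.15.15.1", "10.35.35.3", "tcp", 23)]:
        print(pkt, "->", evaluate(*pkt))
```

Running the script reproduces the lab's observations: R2's telnet to 1.1.1.1 leaves as 15.15.15.5, R3's telnet to 1.1.1.1 is denied by DMZ_IN while its SMTP is PATed, R2 reaches 10.3.3.3 untranslated, and R1 reaches 15.15.15.100:23 with the destination rewritten to 10.35.35.3. Calling `evaluate(..., access_groups={})` shows the step 3 state in which R3 could still telnet out, and `evaluate(..., nonat={})` shows why Inside-to-DMZ traffic is dropped under nat-control before step 5.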
III. Full configurations
----------------------------- R1 ------------------------
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0/0
 ip address 15.15.15.1 255.255.255.0
 full-duplex
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip http server
no ip http secure-server
!
ip route 10.0.0.0 255.0.0.0 15.15.15.5
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
end
----------------------------- R2 ------------------------
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
interface Loopback0
 ip address 10.2.2.2 255.255.255.0
!
interface Ethernet0/0
 ip address 10.25.25.2 255.255.255.0
 full-duplex
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router rip
 network 10.0.0.0
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
end
----------------------------- R3 ------------------------
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
!
interface Loopback0
 ip address 10.3.3.3 255.255.255.0
!
interface Ethernet0/0
 ip address 10.35.35.3 255.255.255.0
 full-duplex
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router rip
 network 10.0.0.0
!
ip http server
no i