Source NAT
#
nat address-group addgroup1 0
mode pat
route enable
section 0 198.51.100.10 198.51.100.11
#
nat address-group addgroup2 1
mode pat
route enable
section 0 203.0.113.10 203.0.113.11
NAT policy:
rule name policy_nat1
source-zone trust
destination-zone ISP1
source-address 192.168.1.0 mask 255.255.255.0
action source-nat address-group addgroup1
#
rule name policy_nat2
source-zone trust
destination-zone ISP2
source-address 192.168.1.0 mask 255.255.255.0
action source-nat address-group addgroup2
Security policy:
rule name NAPT1
source-zone trust
destination-zone ISP1
destination-zone ISP2
source-address 192.168.1.0 mask 255.255.255.0
action permit
Note: do not place the security zones of both egress links under a zone of the same name; if you do, the nat-policy will always match its first rule, as shown below:
nat-policy
rule name policy_nat1
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
action source-nat address-group addgroup1
rule name policy_nat2
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
action source-nat address-group addgroup2
If the egress interfaces are in the same security zone, the nat-policy rules must be distinguished by egress interface rather than by zone:
nat-policy
rule name policy_nat1
source-zone trust
egress-interface GigabitEthernet1/0/1
source-address 192.168.1.0 mask 255.255.255.0
action source-nat address-group addgroup1
#
rule name policy_nat2
source-zone trust
egress-interface GigabitEthernet1/0/2
source-address 192.168.1.0 mask 255.255.255.0
action source-nat address-group addgroup2
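The first-match behaviour described above, as an added example that is not part of the original page or of Huawei's own software: a small model of top-down nat-policy evaluation. It assumes a packet is summarised as a dict of source zone, destination zone, egress interface and source IP (constructed), and shows that with both ISP interfaces in one zone 'untrust' the second rule is unreachable, while keying the rules on egress-interface selects the right address group.

```python
"""Added example (not from the page): first-match NAT policy evaluation.

Assumption (constructed): the firewall evaluates nat-policy rules top-down
and takes the first rule whose configured conditions all match.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class NatRule:
    """One nat-policy rule; a condition left as None matches anything."""
    name: str
    source_zone: str
    source_net: ipaddress.IPv4Network
    address_group: str
    destination_zone: Optional[str] = None
    egress_interface: Optional[str] = None

    def matches(self, pkt: dict) -> bool:
        if pkt["source_zone"] != self.source_zone:
            return False
        if ipaddress.ip_address(pkt["src"]) not in self.source_net:
            return False
        if self.destination_zone is not None and pkt["destination_zone"] != self.destination_zone:
            return False
        if self.egress_interface is not None and pkt["egress_interface"] != self.egress_interface:
            return False
        return True


def first_match(rules: list, pkt: dict) -> Optional[tuple]:
    """Return (rule name, address group) of the first matching rule, else None."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.name, rule.address_group
    return None


LAN = ipaddress.ip_network("192.168.1.0/24")

# Both ISP interfaces in one zone 'untrust': the rules differ only in the pool.
ZONE_ONLY_RULES = [
    NatRule("policy_nat1", "trust", LAN, "addgroup1", destination_zone="untrust"),
    NatRule("policy_nat2", "trust", LAN, "addgroup2", destination_zone="untrust"),
]

# Rules keyed on the egress interface instead, as the page recommends.
EGRESS_RULES = [
    NatRule("policy_nat1", "trust", LAN, "addgroup1", egress_interface="GigabitEthernet1/0/1"),
    NatRule("policy_nat2", "trust", LAN, "addgroup2", egress_interface="GigabitEthernet1/0/2"),
]

# Constructed packets: the same LAN host routed out each ISP link in turn.
VIA_ISP1 = {"source_zone": "trust", "destination_zone": "untrust",
            "egress_interface": "GigabitEthernet1/0/1", "src": "192.168.1.2"}
VIA_ISP2 = dict(VIA_ISP1, egress_interface="GigabitEthernet1/0/2")


def compare() -> dict:
    """Pool chosen for ISP2-bound traffic under each rule set."""
    return {
        "zone_only": first_match(ZONE_ONLY_RULES, VIA_ISP2),
        "egress": first_match(EGRESS_RULES, VIA_ISP2),
    }


if __name__ == "__main__":
    for label, result in compare().items():
        print(f"{label}: ISP2-bound traffic -> {result}")
```

Running it shows the zone-only rule set sending ISP2-bound traffic through addgroup1 (the ISP1 pool), which the upstream ISP would typically drop or fail to route back; the egress-interface rule set picks addgroup2.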
The resulting session table entries are as follows:
icmp VPN: public --> public 192.168.1.2:15493[203.0.113.11:2066] --> 203.0.113.2:2048
icmp VPN: public --> public 192.168.1.2:15237[203.0.113.11:2065] --> 203.0.113.2:2048
---------------------------------------------------------------------------------------------------------
icmp VPN: public --> public 192.168.1.2:18565[198.51.100.11:2062] --> 202.1.1.1:2048
icmp VPN: public --> public 192.168.1.2:17797[198.51.100.11:2059] --> 202.1.1.1:2048
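A way to verify from the session table that each flow was translated into the pool its egress link should use, as an added example (not part of the original page): it parses lines in the format shown above, looks up which address group the translated source belongs to, and compares it with the pool expected for the destination. The EXPECTED_POOL map is a constructed stand-in for the firewall's routing decision, and the last session line is constructed to show a mismatch being reported.

```python
"""Added example (not from the page): audit NAT session lines against the
configured address groups.

Assumptions (constructed): the session line format is the one shown on the
page; EXPECTED_POOL models which pool a destination's egress link should use.
"""
import ipaddress
import re

SESSION_RE = re.compile(
    r"^(?P<proto>\S+)\s+VPN:\s*(?P<src_vpn>\S+)\s*-->\s*(?P<dst_vpn>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\[(?P<xlat>[\d.]+):(?P<xport>\d+)\]"
    r"\s*-->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Address groups as configured on the page (section start and end addresses).
POOLS = {
    "addgroup1": (ipaddress.ip_address("198.51.100.10"), ipaddress.ip_address("198.51.100.11")),
    "addgroup2": (ipaddress.ip_address("203.0.113.10"), ipaddress.ip_address("203.0.113.11")),
}

# Constructed routing assumption: destination prefix -> pool of its egress link.
EXPECTED_POOL = {
    ipaddress.ip_network("203.0.113.0/24"): "addgroup2",
    ipaddress.ip_network("0.0.0.0/0"): "addgroup1",
}

# Session lines from the page, plus one constructed bad line at the end.
SESSION_LINES = [
    "icmp VPN: public --> public 192.168.1.2:15493[203.0.113.11:2066] --> 203.0.113.2:2048",
    "icmp VPN: public --> public 192.168.1.2:15237[203.0.113.11:2065] --> 203.0.113.2:2048",
    "icmp VPN: public --> public 192.168.1.2:18565[198.51.100.11:2062] --> 202.1.1.1:2048",
    "icmp VPN: public --> public 192.168.1.2:17797[198.51.100.11:2059] --> 202.1.1.1:2048",
    # constructed: ISP2-bound flow translated into ISP1's pool (the zone-only symptom)
    "icmp VPN: public --> public 192.168.1.3:20001[198.51.100.10:2070] --> 203.0.113.2:2048",
]


def parse_session(line: str) -> dict:
    """Split one session line into its named fields; raise on unknown format."""
    m = SESSION_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised session line: {line!r}")
    return m.groupdict()


def pool_of(addr: str):
    """Name of the address group containing addr, or None if it is in no pool."""
    ip = ipaddress.ip_address(addr)
    for name, (lo, hi) in POOLS.items():
        if lo <= ip <= hi:
            return name
    return None


def expected_pool(dst: str) -> str:
    """Pool the destination's egress link should use (longest prefix wins)."""
    ip = ipaddress.ip_address(dst)
    for net in sorted(EXPECTED_POOL, key=lambda n: n.prefixlen, reverse=True):
        if ip in net:
            return EXPECTED_POOL[net]
    raise ValueError(f"no route entry for {dst}")  # unreachable: 0.0.0.0/0 is present


def audit(lines) -> list:
    """Return (line, actual pool, expected pool) for every mismatched session."""
    problems = []
    for line in lines:
        s = parse_session(line)
        actual = pool_of(s["xlat"])
        wanted = expected_pool(s["dst"])
        if actual != wanted:
            problems.append((line, actual, wanted))
    return problems


if __name__ == "__main__":
    for line, actual, wanted in audit(SESSION_LINES):
        print(f"MISMATCH pool={actual} expected={wanted}: {line}")
```

The four lines from the page pass; only the constructed fifth line is flagged, with the translated address in addgroup1 while the destination should have left via the addgroup2 link. A translated address that falls in no pool at all (pool_of returns None) would also be reported, which catches untranslated private sources leaking out.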
Destination NAT
Configuring NAT Server
Method 1: configure NAT Server with the zone parameter (the two egress interfaces are in different security zones)
nat server 0 zone ISP1 protocol tcp global 198.51.100.10 9980 inside 192.168.10.1 www no-reverse unr-route
nat server 1 zone ISP2 protocol tcp global 203.0.113.10 9980 inside 192.168.10.1 www no-reverse unr-route
Corresponding security policy:
#
rule name Inter_dmz
source-zone ISP1
source-zone ISP2
destination-zone dmz
destination-address 192.168.10.1 mask 255.255.255.255
service http
action permit
Method 2: the two egress interfaces are in the same security zone, so the zone parameter is not needed, but no-reverse is required
nat server 0 protocol tcp global 198.51.100.10 9980 inside 192.168.10.1 www no-reverse
nat server 1 protocol tcp global 203.0.113.10 9980 inside 192.168.10.1 www no-reverse
Security policy:
#
rule name Inter_dmz
source-zone ISP1
source-zone ISP2
destination-zone dmz
destination-address 192.168.10.1 mask 255.255.255.255
service http
action permit
Configure source-in source-out (return traffic leaves through the interface on which it arrived):
interface GigabitEthernet1/0/1
gateway 198.51.100.2
redirect-reverse next-hop 198.51.100.2
interface GigabitEthernet1/0/2
gateway 203.0.113.2
redirect-reverse next-hop 203.0.113.2