Dynamic NAT
object network my-range-obj
range 10.2.2.1 10.2.2.10
object network my-inside-net
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) dynamic my-range-obj
-------------------------------------------------------------
Dynamic NAT with dynamic PAT backup!!
object network nat-range1
range 10.10.10.10 10.10.10.20
object network pat-ip1
host 10.10.10.21
object-group network nat-pat-grp
network-object object nat-range1
network-object object pat-ip1
object network my_net_obj5
subnet 10.76.11.0 255.255.255.0
nat (inside,outside) dynamic nat-pat-grp interface
--------------------------------------------------------------
Dynamic PAT!!
object network my-inside-net
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) dynamic 10.2.2.2
Dynamic PAT, Interface!!
object network my-inside-net
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) dynamic interface
--------------------------------------------------------------
The following example configures static NAT for the real host 10.1.1.1 on the inside to 10.2.2.2 on the
outside with DNS rewrite enabled.
object network my-host-obj1
host 10.1.1.1
nat (inside,outside) static 10.2.2.2 dns
--------------------------------------------------------------
The following example configures static NAT for the real host 10.1.1.1 on the inside to 10.2.2.2 on the
outside using a mapped object.
object network my-mapped-obj
host 10.2.2.2
object network my-host-obj1
host 10.1.1.1
nat (inside,outside) static my-mapped-obj
---------------------------------------------------------------
The following example configures static NAT-with-port-translation for 10.1.1.1 at TCP port 21 to the
outside interface at port 2121.
object network my-ftp-server
host 10.1.1.1
nat (inside,outside) static interface service tcp 21 2121
---------------------------------------------------------------
Identity NAT:
object network my-host-obj1
host 10.1.1.1
nat (inside,outside) static 10.1.1.1
object network my-host-obj1-identity
host 10.1.1.1
object network my-host-obj1
host 10.1.1.1
nat (inside,outside) static my-host-obj1-identity
---------------------------------------------------------------
L2TP Over IPSec:
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ipsec ikev1 transform-set my-transform-set-ikev1 esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set my-transform-set-ikev1 mode transport
ip local pool sales_addresses 209.165.202.129-209.165.202.158
tunnel-group DefaultRAGroup general-attributes
default-group-policy sales_policy
address-pool sales_addresses
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication pap
authentication chap
authentication ms-chap-v1
authentication ms-chap-v2
group-policy sales_policy internal
group-policy sales_policy attributes
wins-server value 209.165.201.3 209.165.201.4
dns-server value 209.165.201.1 209.165.201.2
vpn-tunnel-protocol l2tp-ipsec
crypto dynamic-map dyno 10 set ikev1 transform-set my-transform-set-ikev1
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
---------------------------------------------------------------
Remote VPN:
interface ethernet0
ip address 10.10.4.200 255.255.0.0
nameif outside
no shutdown
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 enable outside
ip local pool testpool 192.168.0.10-192.168.0.15
username testuser password 12345678
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
address-pool testpool
tunnel-group testgroup ipsec-attributes
ikev1 pre-shared-key 44kkaol59636jnfx
crypto dynamic-map dyn1 1 set ikev1 transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
write memory
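---------------------------------------------------------------
Added example, not part of the original post: a small Python check that flags the deprecated IKEv1/IPsec choices used in the two VPN snippets above (DES/3DES, MD5, DH group 2, MS-CHAPv1) and any dynamic map that names a transform set the config never defines. The rule list, the function name audit and the SAMPLE config are assumptions of this example; SAMPLE is constructed from lines of the post.

```python
import re

# Assumption of this example: DES/3DES, MD5, DH groups 1/2/5 and MS-CHAPv1
# are treated as deprecated. Adjust the list to your own crypto policy.
RULES = [
    (r"^encryption\s+(des|3des)$", "IKE policy encryption {}: use AES"),
    (r"^hash\s+(md5)$", "IKE policy hash {}: use SHA"),
    (r"^group\s+(1|2|5)$", "DH group {}: use group 14 or higher"),
    (r"^authentication\s+(ms-chap-v1)$", "PPP authentication {} is broken"),
    (r"^crypto ipsec ikev1 transform-set \S+ .*\b(esp-des|esp-3des)\b",
     "ESP cipher {}: use esp-aes"),
    (r"^crypto ipsec ikev1 transform-set \S+ .*\b(esp-md5-hmac)\b",
     "ESP integrity {}: use SHA"),
]
DEFINE = re.compile(r"^crypto ipsec ikev1 transform-set (\S+) esp-")
USE = re.compile(r"^crypto dynamic-map \S+ \d+ set ikev1 transform-set (\S+)")


def audit(config):
    """Return sorted (line_number, message) findings for an ASA config string."""
    findings, defined, used = [], set(), []
    for num, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        for pattern, message in RULES:
            match = re.search(pattern, line)
            if match:
                findings.append((num, message.format(match.group(1))))
        if DEFINE.match(line):
            defined.add(DEFINE.match(line).group(1))
        if USE.match(line):
            used.append((num, USE.match(line).group(1)))
    # A dynamic map should only name a transform set that the config defines.
    findings += [(n, f"transform-set {name} is not defined")
                 for n, name in used if name not in defined]
    return sorted(findings)


# Constructed sample: lines taken from the post, plus one dangling reference.
SAMPLE = """\
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set ikev1 transform-set OtherSet
"""

if __name__ == "__main__":
    for number, text in audit(SAMPLE):
        print(f"line {number}: {text}")
```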
Reprinted from: https://blog.51cto.com/72297/1062822