Check the NAT state with the following commands:
show xlate
ASA842(config-if)# show xlate
1 in use, 1 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:172.16.1.3 to outside:10.10.10.4 flags s idle 0:14:10 timeout 0:00:00
The s flag marks a static translation: it is bidirectional and never times out (timeout 0:00:00), so 10.10.10.4 is reachable from outside for as long as the rule exists.
show nat detail
ASA842(config-if)# show nat detail
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static inside_static outside_static
translate_hits = 15, untranslate_hits = 33
Source - Origin: 172.16.1.3/32, Translated: 10.10.10.4/32
translate_hits counts packets translated in the inside-to-outside direction; untranslate_hits counts packets translated back in the reverse (outside-to-inside) direction, return traffic included.
From R2, telnet to 10.10.10.3:
R2#telnet 10.10.10.3
Trying 10.10.10.3 ... Open
User Access Verification
Username: ccie
Password:
R1>en
Password:
R1#show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:13:58
*  98 vty 0    ccie       idle                 00:00:00 10.10.10.4

  Interface    User               Mode         Idle     Peer Address
R1 sees the session coming from 10.10.10.4, the statically mapped address, not from the real address 172.16.1.3.
3. When R2's loo0 address range accesses the outside network, translate it to one address from the pool 10.10.10.50-10.10.10.60
ASA:
object network pat-pool //name of the address pool object
 range 10.10.10.50 10.10.10.60 //mapped address range of the pool
object network inside_subnet //inside subnet object (the show nat detail output below lists it under this name)
 subnet 2.2.2.0 255.255.255.0 //the inside subnet to be translated
 nat (inside,outside) dynamic pat-pool pat-pool round-robin //PAT to the addresses in the pool object: the first pat-pool is the keyword, the second is the object name; round-robin rotates new translations across the pool addresses instead of exhausting one address first
From R2, telnet to R1's address 10.10.10.3, sourcing the session from loo0:
R2#telnet 10.10.10.3 /source-interface loo0
Trying 10.10.10.3 ... Open
User Access Verification
Username: ccie
Password:
R1>en
Password:
R1#show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:34:38
*  98 vty 0    ccie       idle                 00:00:00 10.10.10.60

  Interface    User               Mode         Idle     Peer Address
R1 now sees the session from 10.10.10.60, one of the pool addresses.
Check on the ASA:
ASA842(config)# show xlate
1 in use, 6 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:2.2.2.2/11038 to outside:10.10.10.60/11038 flags ri idle 0:04:40 timeout 0:00:30
ASA842(config)# show nat detail
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic inside_subnet pat-pool pat-pool round-robin
translate_hits = 26, untranslate_hits = 1
Source - Origin: 2.2.2.0/24, Translated (PAT): 10.10.10.50-10.10.10.60
Enable logging on the ASA; a record like this appears:
%ASA-6-302013: Built outbound TCP connection 236 for outside:10.10.10.3/23 (10.10.10.3/23) to inside:2.2.2.2/11041 (10.10.10.52/11041) //this record shows that round-robin is taking effect during PAT: the earlier session from 2.2.2.2 was translated to 10.10.10.60, this one to 10.10.10.52
Because round-robin spreads one inside host's connections across several pool addresses, a mapped address alone no longer identifies the host. Keep the 302013 messages, which carry both the real address (2.2.2.2/11041) and the mapped one (10.10.10.52/11041); they are what lets an abuse report against a pool address be traced back to the inside host.
4. When R2's 172.16.1.3 address accesses the outside network, translate it to the ASA's outside interface address:
ASA:
object network inside_client //object for the single inside host
 host 172.16.1.3
 nat (inside,outside) dynamic interface //PAT to the address of the mapped (outside) interface
From R2, telnet to R1's 10.10.10.3:
R2#telnet 10.10.10.3
Trying 10.10.10.3 ... Open
User Access Verification
Username: ccie
Password:
R1>en
Password:
R1#show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:38
*  98 vty 0    ccie       idle                 00:00:00 10.10.10.2
R1 sees the session from 10.10.10.2, the ASA outside interface address.
ASA842(config-network-object)# show xlate
1 in use, 6 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:172.16.1.3/11043 to outside:10.10.10.2/53962 flags ri idle 0:08:26 timeout 0:00:30
Here the source port is rewritten as well (11043 to 53962), whereas the pool translation above kept port 11038; when attributing a connection to the inside host, match on the mapped address and port pair, not on the address alone.
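The attribution problem raised by the static, pool and interface translations above (a translated address seen on R1 or in an abuse report has to be mapped back to the real inside host) can be worked through in code. The script below is an added example for this write-up, not code from the lab or from Cisco: it parses show xlate lines and %ASA-6-302013 syslog messages in the ASA 8.4 format shown in the outputs above, attributes a mapped address and port to the inside host, checks that the pool rule's translations really landed in 10.10.10.50-10.10.10.60, and counts how the round-robin pool is being used. The sample lines are constructed from the outputs in the write-up; the second syslog line is invented to show the pool rotating, and the Xlate field names and helper names are the example's own.

```python
"""Attribute Cisco ASA NAT/PAT translations back to the real inside host.

Added example for this write-up, not code from the lab or from Cisco. It
parses the two kinds of evidence shown above, "show xlate" lines and
%ASA-6-302013 syslog messages, and assumes only the ASA 8.4 output format
seen in those outputs. All sample lines are constructed from the write-up;
the second syslog line is invented to show round-robin rotating the pool.
"""
import ipaddress
import re
from collections import Counter
from typing import List, NamedTuple, Optional


class Xlate(NamedTuple):
    proto: Optional[str]      # TCP/UDP/ICMP for PAT entries, None for a plain NAT entry
    real_ip: str
    real_port: Optional[int]
    mapped_ip: str
    mapped_port: Optional[int]
    flags: str                # ASA xlate flags (s=static, i=dynamic, r=portmap) or "conn"


# "NAT from inside:172.16.1.3 to outside:10.10.10.4 flags s idle ..."
# "TCP PAT from inside:2.2.2.2/11038 to outside:10.10.10.60/11038 flags ri idle ..."
XLATE_RE = re.compile(
    r"^(?:(?P<proto>TCP|UDP|ICMP)\s+)?(?P<kind>NAT|PAT)\s+from\s+"
    r"(?P<rif>\w+):(?P<rip>[\d.]+)(?:/(?P<rport>\d+))?\s+to\s+"
    r"(?P<mif>\w+):(?P<mip>[\d.]+)(?:/(?P<mport>\d+))?\s+flags\s+(?P<flags>\S+)"
)

# "%ASA-6-302013: Built outbound TCP connection 236 for outside:10.10.10.3/23
#  (10.10.10.3/23) to inside:2.2.2.2/11041 (10.10.10.52/11041)"
# Each endpoint is written "interface:real/port (mapped/port)".
CONN_RE = re.compile(
    r"%ASA-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) for "
    r"(?P<if1>\w+):(?P<ip1>[\d.]+)/(?P<p1>\d+) \((?P<mip1>[\d.]+)/(?P<mp1>\d+)\) to "
    r"(?P<if2>\w+):(?P<ip2>[\d.]+)/(?P<p2>\d+) \((?P<mip2>[\d.]+)/(?P<mp2>\d+)\)"
)


def parse_xlate(line: str) -> Optional[Xlate]:
    """Parse one translation line from 'show xlate'; None for header lines."""
    m = XLATE_RE.match(line.strip())
    if not m:
        return None
    return Xlate(m["proto"], m["rip"], int(m["rport"]) if m["rport"] else None,
                 m["mip"], int(m["mport"]) if m["mport"] else None, m["flags"])


def parse_conn(line: str, inside_if: str = "inside") -> Optional[Xlate]:
    """Reduce a 302013 message to the real->mapped pair of the inside endpoint.

    The message lists both endpoints; the one on inside_if is the host to
    attribute, whichever of the two positions it occupies.
    """
    m = CONN_RE.search(line)
    if not m:
        return None
    for n in ("1", "2"):
        if m[f"if{n}"] == inside_if:
            return Xlate("TCP", m[f"ip{n}"], int(m[f"p{n}"]),
                         m[f"mip{n}"], int(m[f"mp{n}"]), "conn")
    return None


def attribute(mapped_ip: str, mapped_port: Optional[int],
              records: List[Xlate]) -> Optional[str]:
    """Which inside host was behind mapped_ip(:mapped_port)?  For PAT the
    port is essential, because several inside hosts share one mapped address."""
    for r in records:
        if r.mapped_ip == mapped_ip and (mapped_port is None or r.mapped_port == mapped_port):
            return r.real_ip
    return None


def outside_pool(records: List[Xlate], first: str, last: str) -> List[Xlate]:
    """Translations whose mapped address is NOT inside [first, last].  A host
    expected to hit the pool rule but translated elsewhere matched another rule."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [r for r in records if not lo <= int(ipaddress.IPv4Address(r.mapped_ip)) <= hi]


def pool_usage(records: List[Xlate]) -> Counter:
    """Translations per mapped address; with round-robin a single inside host
    spreads across the pool instead of sticking to one address."""
    return Counter(r.mapped_ip for r in records)


# Constructed sample input, taken from the outputs in the write-up.
SAMPLE_XLATE = [
    "1 in use, 6 most used",
    "Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice",
    "NAT from inside:172.16.1.3 to outside:10.10.10.4 flags s idle 0:14:10 timeout 0:00:00",
    "TCP PAT from inside:2.2.2.2/11038 to outside:10.10.10.60/11038 flags ri idle 0:04:40 timeout 0:00:30",
    "TCP PAT from inside:172.16.1.3/11043 to outside:10.10.10.2/53962 flags ri idle 0:08:26 timeout 0:00:30",
]
SAMPLE_SYSLOG = [
    "%ASA-6-302013: Built outbound TCP connection 236 for outside:10.10.10.3/23 (10.10.10.3/23) to inside:2.2.2.2/11041 (10.10.10.52/11041)",
    # Invented follow-up connection from the same host, to show the pool rotating.
    "%ASA-6-302013: Built outbound TCP connection 237 for outside:10.10.10.3/23 (10.10.10.3/23) to inside:2.2.2.2/11042 (10.10.10.53/11042)",
]

if __name__ == "__main__":
    xlates = [x for x in map(parse_xlate, SAMPLE_XLATE) if x]
    conns = [c for c in map(parse_conn, SAMPLE_SYSLOG) if c]
    print("10.10.10.52/11041 was", attribute("10.10.10.52", 11041, conns))
    print("pool usage:", dict(pool_usage(xlates[1:2] + conns)))
    print("outside pool:", [r.mapped_ip for r in outside_pool(xlates, "10.10.10.50", "10.10.10.60")])
```

attribute() deliberately needs the port for PAT entries, since a pool address is shared by many inside hosts; outside_pool() is the sanity check for a host that quietly matched a different rule (on the sample data it reports the static 10.10.10.4 and the interface-PAT 10.10.10.2 entries, which are not pool addresses).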