Cisco NAT

Last updated: 2016-09-13

Cisco ASA NAT types

There are four in total: (Static, Dynamic) x (NAT, PAT)

  • Static NAT
  • Static PAT
  • Dynamic PAT
  • Dynamic NAT

Static vs Dynamic

Static translation

The post-translation (mapped) attributes are explicitly defined by the administrator.

Referred to as a one-to-one translation: one real address maps to one mapped address (Static NAT), or one real address:port maps to one mapped address:port (Static PAT). The mapping is fixed and bidirectional, so it also allows connections to be initiated from the outside.

e.g. Static NAT

Pri-IP1 -> Pub-IP1
Pri-IP2 -> Pub-IP2
...

 * Pri-IP2 cannot be translated to Pub-IP1

Dynamic translation

The post-translation attributes are selected by the ASA at the time the packet is received: a free address from a pool (Dynamic NAT), or the single mapped address plus a free port (Dynamic PAT).

Referred to as a many-to-many (Dynamic NAT, from a pool) or many-to-one (Dynamic PAT) translation. Dynamic translations are unidirectional: only connections initiated from the real side create an xlate.

e.g. Dynamic PAT (Internet access)

PC1 \
PC2 -> Internet 
PC3 /

Cisco ASA NAT config syntax

There are two config syntaxes:

  • Auto NAT syntax (also called Network Object NAT)
  • Manual NAT syntax (also called Twice NAT)

 * Mixing the two on the same firewall is not recommended; pick one and stick to it.

Auto NAT vs Manual NAT

Auto NAT Syntax

* Based only upon the Source of the traffic (the real address defined in the object)

* The NAT settings live inside the network "object" itself

object network WEB-SERVER
  host 192.168.0.11
  nat (inside,outside) static x.x.x.x

Manual NAT syntax

It can make a NAT decision based upon the Source alone, or upon both the Source and the Destination (and optionally the service/ports).

=> Manual NAT can do everything that Auto NAT can, and a little extra: for example, translating the same inside host differently depending on where it is going, or exempting traffic towards a VPN peer from translation altogether.
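The "little extra" in practice, as an added example that is not part of the original page: two Manual NAT rules whose decision depends on the destination, something Auto NAT cannot express. Object names, the interface names inside/outside and all addresses (RFC 5737 documentation ranges) are assumptions; lines starting with "!" are comments for the reader.

```cisco
object network INSIDE-NET
  subnet 192.168.0.0 255.255.255.0
object network VPN-POOL
  subnet 10.10.10.0 255.255.255.0
object network PARTNER-NET
  subnet 198.51.100.0 255.255.255.0
object network PARTNER-FACING-IP
  host 203.0.113.50
!
! Source + Destination: inside hosts talking to remote-access VPN clients keep
! their real addresses on both sides (identity NAT, a.k.a. NAT exemption).
! no-proxy-arp and route-lookup stop the ASA from answering ARP for, or
! mis-routing towards, addresses it is not really translating.
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup
!
! Source + Destination: the same inside hosts are hidden behind one dedicated
! public address, but only when the destination is the partner network.
! The destination is written twice (real = mapped) because it is not changed.
nat (inside,outside) source dynamic INSIDE-NET PARTNER-FACING-IP destination static PARTNER-NET PARTNER-NET
```

Both rules sit in Section 1 and are evaluated top-down, so the more specific VPN exemption is listed first. Any other traffic from INSIDE-NET matches neither rule and falls through to whatever general rule follows (typically a dynamic PAT to the outside interface).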

 


Tips

 

Useful commands

  • show nat (the rule table in evaluation order, with translate/untranslate hit counters per rule)
  • show run nat (the Manual NAT statements only)
  • show run object (object definitions, including the Auto NAT lines inside them)
  • show run object in-line (the same objects collapsed to one line each)
  • show xlate (the active translations)

 


Manual NAT Syntax – Source

Since the two syntaxes are not mixed, only the Manual NAT form is written out here.

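All four NAT types expressed in source-only Manual NAT syntax, as an added example that is not part of the original page. Object names, interface names and addresses (RFC 5737 documentation ranges) are assumptions; "!" lines are comments for the reader.

```cisco
object network WEB-SERVER
  host 192.168.0.11
object network WEB-SERVER-PUBLIC
  host 203.0.113.11
object network APP-SERVER
  host 192.168.0.12
object network APP-SERVER-PUBLIC
  host 203.0.113.12
object network INSIDE-NET
  subnet 192.168.0.0 255.255.255.0
object network DEV-NET
  subnet 192.168.1.0 255.255.255.0
object network NAT-POOL
  range 203.0.113.20 203.0.113.29
object service TCP-8080
  service tcp source eq 8080
object service TCP-80
  service tcp source eq 80
!
! Static NAT: one-to-one, 192.168.0.11 <-> 203.0.113.11, all ports, both directions.
nat (inside,outside) source static WEB-SERVER WEB-SERVER-PUBLIC
!
! Static PAT: only 192.168.0.12:8080 is published, reachable as 203.0.113.12:80.
! In Manual NAT the service objects describe the SOURCE port, because it is the
! source address that is being translated.
nat (inside,outside) source static APP-SERVER APP-SERVER-PUBLIC service TCP-8080 TCP-80
!
! Dynamic NAT: dev hosts borrow one pool address each while connected; the
! trailing "interface" keyword falls back to PAT on the outside interface
! address once the ten pool addresses are in use.
nat (inside,outside) source dynamic DEV-NET NAT-POOL interface
!
! Dynamic PAT: the whole inside subnet shares the outside interface address,
! connections distinguished by source port.
nat (inside,outside) source dynamic INSIDE-NET interface
```

The specific static rules are listed before the broad dynamic ones on purpose: Manual NAT rules are matched in configuration order and the first match wins, so a dynamic rule for INSIDE-NET placed above the WEB-SERVER rule would swallow the server's outbound connections.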
NAT Precedence

 

 * Every Manual NAT statement takes precedence over every Auto NAT statement, unless it is written with after-auto. "show nat" prints the three sections in evaluation order: Manual NAT Policies (Section 1), Auto NAT Policies (Section 2), Manual NAT Policies (Section 3, the after-auto rules). The first matching rule wins; there is no fall-through to a later rule once a match is found.
 * Within Section 1 and Section 3, the priority is determined by the order in which the Manual NAT statements appear in the configuration.
 * Within Section 2, Auto NAT rules are not ordered by configuration order: static rules come before dynamic ones, then rules with fewer real addresses before those with more, then lower real IP address before higher, then alphabetically by object name.

Using the line number

# we can force a particular Manual NAT statement to occupy Line 2 of Section 1 (the rules from Line 2 downwards shift by one):

nat (inside,outside) 2 source ...

after-auto

Places the Manual NAT statement in Section 3, so it is evaluated only after all Auto NAT statements; use it for broad catch-all rules such as the dynamic PAT for Internet access.

i.e.

nat (inside,outside) after-auto source dynamic ...
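Why the precedence matters, as an added example that is not part of the original page: the same catch-all dynamic PAT placed first in Section 1 (wrong) and then in Section 3 with after-auto (right), next to an Auto NAT static for a server. Object names, interface names and addresses (RFC 5737 documentation ranges) are assumptions; "!" lines are comments for the reader.

```cisco
object network INSIDE-NET
  subnet 192.168.0.0 255.255.255.0
object network WEB-SERVER
  host 192.168.0.11
  nat (inside,outside) static 203.0.113.11
!
! WRONG: without after-auto this catch-all lands in Section 1 and is evaluated
! before the Auto NAT static above. Inbound connections to 203.0.113.11 still
! work (the dynamic rule is unidirectional), but outbound connections from
! 192.168.0.11 are PATed to the outside interface address instead of leaving
! as 203.0.113.11, which breaks anything the far end filters by source IP.
nat (inside,outside) source dynamic INSIDE-NET interface
!
! RIGHT: remove it and re-add it with after-auto so it lands in Section 3,
! behind every Auto NAT rule. The web server now matches its static rule first,
! and every other inside host still falls through to the PAT.
no nat (inside,outside) source dynamic INSIDE-NET interface
nat (inside,outside) after-auto source dynamic INSIDE-NET interface
```

To confirm which rule a given flow hits, run "packet-tracer input inside tcp 192.168.0.11 40000 198.51.100.10 80" (addresses assumed): the NAT phase of its output names the matching rule, and "show nat" shows the translate_hits counter of that rule increasing.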

 


 

 

 
