��CiscoPIX��ǽ��ת��_�й�IT��ά��www.cnitom.com

1.ASA��ȫ�ȼ�
Ĭ��£�Cisco PIX��ǽ��ȫ�ȼ�Ӧ�õ�ÿһ��ӿڡ�Խ��ȫ��Σ��ȫ��Խ�ߡ��ȫ�ȼ��ķ�Χ��0~100,Ĭ��£��ȫ�ȼ�0��Ӧ��e0,��Ĭ��ⲿ(outside),��ȫ�ȼ�100��Ӧ��e1.��

Ĭ��inside.
ʹ��name if ��ø��ӵ��κνӿڣ��ȫ�ȼ��1~99֮��
e.g:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

1.1��Ӧ��ȫ�㷨(ASA)��Ӹ߰�ȫ�ȼ��Ͱ�ȫ�ȼ��Σ��Ҫ�ڰ�ȫ��ʹ��ض��Щ��ӣ��ֻҪ��һ��nat

/global��Щ�ӿھ��ˡ�

1.2ͬʱ��Ҫ�Ͱ�ȫ�ȼ��һ��߰�ȫ�ȼ��ε��뾭��ȫ��(��acl��conduit).

1.3��ӿڵİ�ȫ�ȼ��Ϊһ��Щ�ӿ�

��ǵ�ASA��cisco pix��ǽ��״̬��ӿ��ƵĹؼ��

2.��Э��
2.1��һ��OSI��7��ģ�ͣ�˵ʵ��Ҫ��IT,��ô��OSI��7��ģ��һ��Ҫ�㶮��Ҳ��windows ��DNSһ��һ��Ҫ��档��1~7�Ǵ��ģ��Ϊ��һ�㣬Ӧ�ò�Ϊ��߲㡣
Ӧ�ò㡡��
��ʾ�㡡��
�Ự�㡡��
��㡡Segment
��㡡Packet
��·�� Frame
��㡡Bit

2.2�˽�һ��TCP/IP
ͨ�׵Ľ�TCP/IP��Э��TCP,UDP,��Ȼ��TCP/IP��һ��Э��壬�Ƕ�OSI��۵�һ��ʵ�֣��Ӧ�õ��е�һ��

��ҵЭ��塣
TCP-��һ��ӵĴ��Э�飬��ڵ��ͨ�ŵĿɿ��Ժ�Ч��,ͨ��virtual circuits��Դ�˺�Ŀ�Ķ˵��˫��ͨ��Щ��ڿ��ܴ��Դ��ٶȱ��
UDP-��һ��ӵĴ��Э�飬��Ŀ�Ķ˷��

��û��PIX�Ľڵ��TCPͨ��(��)
��һ��PIX�Ľڵ��TCPͨ��

2.3ע��Ĭ�ϵİ�ȫ��UDP��һ��߰�ȫ�ȼ��͵�һ��Ͱ�ȫ�ȼ��Ρ�
cisco pix ��ǽ��еķ��UDP��:
2.3.1Դ��俪ʼUDP��ӣ�Cisco pix��ǽ��ӣ��·�ɵ�Ŀ�Ķˡ�PixӦ��Ĭ�Ϲ��κ��Ҫ��ת��״̬��д��һ��Ự��󣬲��ͨ��ⲿ�ӿ�
2.3.2�κη��Ҫ��滭��ƥ�䣬��Ӧ�ûỰ��ʱ��Ĭ�ϵĻỰ��ʱ��2��.��Ӧ��ƥ��Ự��,��߳�ʱ,��ͻᱻ��,��һ��ƥ��,�ͻ��Ӧ�źŴ��͵��Դ��
2.3.3�κδ�һ��Ͱ�ȫ�ȼ��ε�һ��߰�ȫ�ȼ��ε��վ��UDP�Ự��뾭��ȫ��,��ж��.

3.��ַת��
��RFC1918��ַ�ռ�:
10.0.0.0~10.255.255.255
172.16.0.0~172.16.255.255
192.168.0.0~192.168.255.255
��ַת��cisco pix��ǽΪ�ڲ��ڵ��ṩ��ʹ��ר��IP��ַ��internet��һ�ַ��.��ת��ĵ�ַ��Ϊ�ڲ��ַ,ת��ĵ�ַ��Ϊȫ�ֵ�ַ.
��һ�仰Ҫ��ס:��һ��ӿڵ��κε�ַת��κε�ַ�ӿڵ��һ��ַ�ǿ��ܵ�,��仰��˼��ڲ��ַ��ת��outside�ĵ�ַ,Ҳ��ת��DMZ�ĵ�ַ,ֻҪ��ȷ��ʹ��nat��global��.
��:global (outside) 1 interface
global (dmz) 1 xxx.xxx.xxx.xxx
nat (inside) 1 192.168.6.0 255.255.255.0 0 0

��̬��ַת��漰��NAT��PAT,��̬��ַҲ��ͨ��˵�ĸ�DMZ�ӿڵĵ�ַ��һ��̬��,ͨ��web site��mail server��Թؼ��ҵ��.�Ա�Internet�ϵ��û��ͨ��ǵ�ȫ�ֵ�ַ��Щ��.

NAT��
pix(config)#nat inside 1 192.168.6.0 255.255.255.0
pix(config)#global (outside) 1 10.0.0.1~10.0.0.255 netmask 255.0.0.0
ע��е�1��nat��global��ͬ,��ָ��ض��ĵ�ַ��ת��.
��1��ܻ�0,��Ի��,��Ϊnat 0��pix��ض��ĺ��,nat 0��ʾ��pix��ڼ�ⲻ�ܱ�ת��ĵ�ַ,��ͨ��aclת��ҲӦ�õ��.

PAT��:
PAT��ص�ַת��

��һ��һ��ȫ�ֵ�ַ,ִ��NAT��PAT��,��ͬ��PAT�Ƕ��һ��һ��ȫ�ֵ�ַ��NATһ��һ��Χ�ĵ�ַ.
pix(config)#nat (inside) 1 0.0.0.0 0.0.0.0 ��ʾת��е��Ե�ַ
pix(config)#global (inside) 10.0.0.1 255.0.0.0

��̬��ַ:
ͨ��static��conduit��һ��ʹ��,��߿��ʹ��acl��conduit
static��ֻ��õ�ַת��,Ϊ��һ��ӵͰ�ȫ�ȼ��ӿڶԱ��ؽڵ�ķ��,��ǰ�潲��,��Ҫ��ACL��߽��һ��ͨ��.
pix(config)#static (inside,outside) 10.0.0.1 192.168.0.9
pix(config)#conduit permit tcp host 192.168.0.9 eq www any
(��host��ʾ��ָһ��ض��host 192.168.0.9��ʾ 192.168.0.9 255.255.255.255ΪʲôҪ��255.255.255.255,��Ϊsubnet mask,��wildcard,Ҳ��ͨ��,any��ʾ�κ�Դ��ַ��Ŀ�ĵ�ַ,0.0.0.0 255.255.255.255.eq is mean the match only packets on a given port number.)
��ǿ��԰�conduitת��ACL
pix(config)#access-list 101 permit tcp any host 192.168.0.9 eq www
pix(config)#access-group 101 in interface outside

ʹ��static��ʵ�ֶ˿��ض��
pix(config)#static (inside,outside) tcp 192.168.0.9 ftp 10.10.10.9 2100 netmask 255.255.255.255. 0.0
��ftp��21��ʾ,��ķ��ǰ��Э��Ӧ,��tcp ��udp,ftp��Ȼ��Ӧtcp.
��˼��ͨ��ڵͰ�ȫ�ȼ��192.168.0.9��21�˿�,��Զ�ת��10.10.10.9 2100��˿��.

��6.2�汾��֧��˫��ַת��,�Ҳ�֪��ʲô��˼?
��˵��Զ��ⲿԴIP��ַ��NAT,�Ա㽫�ⲿ�ӿڵķ��鷢�͵�һ��ڲ��ӿ��Ҫ��:
show xlate�鿴ת��
show conn�鿴��״��
�кܶ��ѡ��,��ҿ��cli��show xlate ?�鿴һ��,��㴦��Ϸǳ��.

5.��DNS֧��
��Ĭ��,PIX��ÿ��DNS��,��ֻ��һ��Щ��Ӧ.��ж�ԭʼ��ѯ��Ӧ�ᱻ��.
��ʱ��pixʹ��show conn��кܶ�ȥDNS��Ӧ��,��Ǻ��.

����CiscoPIX����ǽ��ת��������

��CiscoPIX��ǽ��ת��