一.测试拓扑

   R1---Outside----ASA842----Inside-----R2

                                    |

                                  DMZ

                                    |

                                  R3

二.测试思路

  利用ASA的twice nat实现访问DMZ的公网地址时转向DMZ的真实地址。

三.基本配置

A.R1:

interface FastEthernet0/0
 ip address 202.100.1.1 255.255.255.0
 no shut

B.R2:

interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0

 no shut

ip route 0.0.0.0 0.0.0.0 10.1.1.10

C.R3:

interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0

 no shut

ip route 0.0.0.0 0.0.0.0 192.168.1.10

line vty 0 4

 password cisco

 login

D.ASA842:

interface GigabitEthernet0
 nameif Outside
 security-level 0
 ip address 202.100.1.10 255.255.255.0 
 no shut
interface GigabitEthernet1
 nameif DMZ
 security-level 50
 ip address 192.168.1.10 255.255.255.0 
 no shut
interface GigabitEthernet2
 nameif Inside
 security-level 100
 ip address 10.1.1.10 255.255.255.0 
 no shut

四.ASA静态NAT,twice-NAT和策略配置

A.定义对象：

object network R3-dmz
 host 192.168.1.1
object network R3-outside
 host 202.100.1.8
object network Inside-net
 subnet 10.1.1.0 255.255.255.0

B.配置DMZ到Outside的静态NAT:

object network R3-dmz
    nat (DMZ,Outside) static R3-outside

C.配置inside到DMZ的的twice-nat：

nat (Inside,DMZ) source static Inside-net Inside-net destination static R3-outside R3-dmz

D.配置并应用outside接口策略:

-----Inside访问DMZ默认放行

access-list Outside extended permit ip any object R3-dmz 
access-group Outside in interface Outside

五.验证：

A.从Ouside访问DMZ的公网地址：

R1#telnet 202.100.1.8
Trying 202.100.1.8 ... Open


User Access Verification

Password: 
R3>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:14:22   
*  2 vty 0                idle                 00:00:00 202.100.1.1

  Interface    User               Mode         Idle     Peer Address

R3>

B.从Inside访问DMZ的公网地址：

R2#telnet 202.100.1.8
Trying 202.100.1.8 ... Open


User Access Verification

Password: 
R3>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:16:37   
*  2 vty 0                idle                 00:00:00 10.1.1.1

  Interface    User               Mode         Idle     Peer Address

R3>

C.从Inside访问DMZ真实地址：

R2#telnet 192.168.1.1
Trying 192.168.1.1 ... Open


User Access Verification

Password: 
R3>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:17:03   
*  2 vty 0                idle                 00:00:00 10.1.1.1

  Interface    User               Mode         Idle     Peer Address

R3>

本文转自 碧云天 51CTO博客，原文链接：http://blog.51cto.com/333234/1604895，如需转载请自行联系原作者