
DNS Doctoring / NAT Hairpinning

The main goal of this lab is to let a host with a private address behind the firewall ping its own public address.

This is needed in some special situations: when the packet reaches the firewall, the firewall sees that the destination is this host's public address, makes a U-turn, and sends the packet back to the same host. Because the traffic enters and leaves the same (inside) interface, the ASA also has to be told to permit intra-interface traffic, which is the same-security-traffic line at the end of the configuration.

Private address: 192.168.1.100

Public address: 10.10.10.2


Linux(192.168.1.100) ---inside(192.168.1.1)-outside(10.10.10.1)-R10(10.10.10.10)

router R10 - 10.10.10.10 (DNS server)

ip dns server

ip host test1 10.10.10.2

ip host test2 10.10.10.2

ip host test3 10.10.10.2

ASA

object network LAN

subnet 192.168.1.0 255.255.255.0

object network PUBLIC  <--- public address 10.10.10.2

host 10.10.10.2

object network LOCAL

host 192.168.1.100

GigabitEthernet0/0 outside 10.10.10.1 255.255.255.0 manual

GigabitEthernet0/1 inside 192.168.1.1 255.255.255.0 manual

ciscoasa# sh run nat

nat (inside,inside) source dynamic LAN interface destination static PUBLIC LOCAL

nat (inside,outside) source static 192.168.1.100 10.10.10.2

nat (inside,outside) source static 192.168.1.101 10.10.10.3

ciscoasa# sh run same-security-traffic

same-security-traffic permit intra-interface
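To see why the (inside,inside) rule translates the source to the interface address as well as the destination, here is an added Python model of the three manual NAT rules above (example code written for this page, not ASA code). It assumes a switched LAN where a reply addressed to another inside host never reaches the ASA, and it only models packets arriving on the inside interface.

```python
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed model of the lab's ASA twice-NAT rules (not the firewall's own logic).
INSIDE_IF_IP = "192.168.1.1"        # "interface" keyword = PAT to the inside address
LAN = ip_network("192.168.1.0/24")  # object network LAN
PUBLIC, LOCAL = "10.10.10.2", "192.168.1.100"  # object network PUBLIC / LOCAL

# Rules in the order "sh run nat" lists them; the first match wins.
# (ingress, egress, src matcher, src mapper, dst matcher, dst mapper)
RULES = [
    ("inside", "inside", lambda s: ip_address(s) in LAN, lambda s: INSIDE_IF_IP,
     lambda d: d == PUBLIC, lambda d: LOCAL),
    ("inside", "outside", lambda s: s == "192.168.1.100", lambda s: "10.10.10.2",
     lambda d: True, lambda d: d),
    ("inside", "outside", lambda s: s == "192.168.1.101", lambda s: "10.10.10.3",
     lambda d: True, lambda d: d),
]

Translation = Tuple[str, str, str]  # (egress interface, translated src, translated dst)

def translate(ingress: str, src: str, dst: str) -> Optional[Translation]:
    """Apply the first matching manual NAT rule to a packet arriving on `ingress`."""
    for rin, rout, smatch, smap, dmatch, dmap in RULES:
        if rin == ingress and smatch(src) and dmatch(dst):
            return rout, smap(src), dmap(dst)
    return None  # no manual rule matched (auto NAT / identity is not modelled here)

def hairpin_ping(src: str, dst: str, translate_source: bool = True) -> dict:
    """Simulate an inside host pinging the public address and report the reply it sees.
    translate_source=False models the hairpin rule without 'source dynamic LAN interface'."""
    fwd = translate("inside", src, dst)
    if fwd is None or fwd[0] != "inside":
        return {"hairpinned": False, "reply_from": None, "matches_request": False}
    _, tsrc, tdst = fwd
    if not translate_source:
        tsrc = src  # destination still rewritten to LOCAL, source left untouched
    # The server (tdst) answers to tsrc. Only a reply addressed to the ASA interface
    # passes back through the firewall and gets its original addresses restored;
    # a reply to another LAN host is delivered directly by the switch, untranslated.
    reply_src, reply_dst = tdst, tsrc
    if reply_dst == INSIDE_IF_IP:
        reply_src, reply_dst = dst, src
    return {"hairpinned": True, "reply_from": reply_src, "reply_to": reply_dst,
            "matches_request": reply_src == dst and reply_dst == src}
```

The ping only succeeds when the echo reply comes back from 10.10.10.2; without the source PAT the reply carries 192.168.1.100 as its source and the originating host discards it.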
