对于switch0、switch1,如果是三层交换机,则需要写路由,如果为二层交换机,则需要写网关。
静态NAT地址转换
object network waiwang
host 192.168.1.2
nat (inside,outside) static 10.99.121.141 理解为:从inside到outside方向,192.168.1.2这个 源地址转换为10.99.121.141这个地址
静态NAT地址转换特点:
1.数据包从outside进入inside,也就是从低优先级到高优先级的访问,在访问控制列表里要放过
2. host要真是存在
3.首先要考虑会话的发起者,并确定是单向访问,还是双向访问。
Static
(inside,outside) 10.99.216.202 192.168.0.2
Object
network yelian
Host
10.99.216.205
Nat
(outside,inside) static 192.168.1.2
1.数据包从inside进入outside,也就是从高优先级到低优先级的访问,然后从outside到inside返回,理论上在防火墙上有session,数据包从outside到inside能正常返回。但测试的时候,不能ping通192.168.1.2,FTP访问正常。防火墙有一个inspect机制,配置命令:
inspcet icmp。或者在outside端的in方向的访问控制列表放过icmp。
官方文档:
In routed mode,
hosts on the inside (Business and Home VLANs) count towards the limit only when
they communicate with the outside (Internet VLAN). Internet hosts are not
counted towards the limit. Hosts that initiate traffic between Business and
Home are also not counted towards the limit. The interface associated with the
default route is considered to be the Internet interface. If there is no
default route, hosts on all interfaces are counted toward the limit. In
transparent mode, the interface with the lowest number of hosts is counted
towards the host limit. See the show local-host command to view the host
limits.
实验总结:
1.在防火墙outside接口配置default-route,那么其他别的接口的主机数将受到限制。
2.在防火墙inside接口配置default-route,其他接口的主机数也受到限制。8.2(1)以下的版本相对混乱。(认为是低版本的BUG)
3.如果接口不配置默认路由,那么其他接口的主机数不受限制。