这个LAB的主要目标就是防火墙下的私有地址能PING通自己的公网地址,
这个在一些特殊的场合会用掉,当数据包到了防火墙之后,防火墙看到是这台机器的公网地址,然后U转了一个弯,再回到这台机器。
私有地址:192.168.1.100
公网地址:10.10.10.2
Linux(192.168.1.100) ---inside(192.168.1.1)-outside(10.10.10.1)-R10(10.10.10.10)
router R10 - 10.10.10.10 (DNS server)
ip dns server
ip host test1 10.10.10.2
ip host test2 10.10.10.2
ip host test3 10.10.10.2
ASA
object network LAN
subnet 192.168.1.0 255.255.255.0
object network PUBLIC <---公网地址 10.10.10.2
host 10.10.10.2
object network LOCAL
host 192.168.1.100
GigabitEthernet0/0 outside 10.10.10.1 255.255.255.0 manual
GigabitEthernet0/1 inside 192.168.1.1 255.255.255.0 manual
ciscoasa# sh run nat
nat (inside,inside) source dynamic LAN interface destination static PUBLIC LOCAL
nat (inside,outside) source static 192.168.1.100 10.10.10.2
nat (inside,outside) source static 192.168.1.101 10.10.10.3
ciscoasa# sh run same-security-traffic
same-security-traffic permit intra-interface
