ASA Version 8.4(2)、NAT與HOST

對于switch0、switch2，如果是三層交換機，則需要寫路由，如果為二層交換機，則需要寫網關。

靜態NAT地址轉換

 object network waiwang

 host 192.168.1.2

 nat (inside,outside) static 10.99.121.141 理解為：從inside到outside方向，192.168.1.2這個     源地址轉換為10.99.121.141這個地址

靜態NAT地址轉換特點：

 1.數據包從outside進入inside,也就是從低優先級到高優先級的訪問，在訪問控制列表里要放過

  2. host要真是存在

  3.首先要考慮會話的發起者，并確定是單向訪問，還是雙向訪問。

Static (inside,outside) 10.99.216.202 192.168.0.2

Object network yelian

Host 10.99.216.205

Nat (outside,inside) static 192.168.1.2

1.數據包從inside進入outside,也就是從高優先級到低優先級的訪問，然后從outside到inside返回，理論上在防火墻上有session,數據包從outside到inside能正常返回。但測試的時候，不能ping通192.168.1.2，FTP訪問正常。防火墻有一個inspect機制，配置命令: inspcet icmp?；蛘咴?/span>outside端的in方向的訪問控制列表放過icmp。

官方文檔：

In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit only when they communicate with the outside (Internet VLAN). Internet hosts are not counted towards the limit. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit. See the show local-host command to view the host limits.

實驗總結：

  1.在防火墻outside接口配置default-route,那么其他別的接口的主機數將受到限制。

 2.在防火墻inside接口配置default-route,其他接口的主機數也受到限制。8.2（1）以下的版本相對混亂。（認為是低版本的BUG)

 3.如果接口不配置默認路由，那么其他接口的主機數不受限制。