host 202.100.1.1 object network pat-1 host 202.100.1.101 object network pat-2 host 202.100.1.102
object network Inside-Network subnet 10.1.1.0 255.255.255.0 object service telnet23
service tcp destination eq telnet object service telnet3032 service tcp destination eq 3032
nat (Inside,Outside) source dynamic Inside-Network pat-1 destination static dst-1 dst-1 service telnet23 telnet23 nat (Inside,Outside) source dynamic Inside-Network pat-2 destination static dst-202 dst-202 service telnet3032 telnet3032
Main Differences Between Network Object NAT and Twice NAT(Network Object NAT和Twice NAT的主要区别)
How you define the real address.(从如何定义真实地址的角度来比较)
– Network object NAT—You define NAT as a parameter for a network object; the network object definition itself provides the real address. This method lets you easily add NAT to network objects. The objects can also be used in other parts of your configuration, for example, for access rules or even in twice NAT rules.
– Twice NAT—You identify a network object or network object group for both the real and
mapped addresses. In this case, NAT is not a parameter of the network object; the network object or group is a parameter of the NAT configuration. The ability to use a network object group for the real address means that twice NAT is more scalable.
<为真实和映射后地址定义network object或者network object group。在twice nat中,NAT不是network object的一个参数,network object或者group是NAT配置的一个参数。能够为真实地址使用network object group,也体现了twice nat的可扩展性。 >
How source and destination NAT is implemented.(源和目的nat被运用)
– Network object NAT— Each rule can apply to either the source or destination of a packet. So two rules might be used, one for the source IP address, and one for the destination IP address. These two rules cannot be tied together to enforce a specific translation for a source/destination combination.
<每一个策略只能运用到数据包的源或者目的,如果要转换一个包的源和目的,需要使用两个策略,这两个策略不能绑定到一起来做实现特殊的源和目的的转换。>
– Twice NAT—A single rule translates both the source and destination. A matching packet only matches the one rule, and further rules are not checked. Even if you do not configure the optional destination address for twice NAT, a matching packet still only matches one twice NAT rule. The source and destination are tied together, so you can enforce different translations depending on the source/destination combination. For example, sourceA/destinationA can have a different translation than sourceA/destinationB.
<一个单一策略,既能转换源也能转换目的。一个包只能匹配上一个策略,并且不再做进一步检查了。就算你没有配置twice nat的目的地址选项,一个数据包也只能匹配一个twice nat策略,目的和源被绑定到一起,因此你能够基于不同的源和目的做转换,例如:源A/目的A与源A/目的B转换不同>
We recommend using network object NAT unless you need the extra features that twice NAT provides. Network object NAT is easier to configure, and might be more reliable for applications such as Voice over IP (VoIP).
<我们推荐使用network object NAT,除非你明确需要twice nat所提供的特性。Network object nat非常容易配置,并且对语音等运用更加可靠>
NAT Rule Order
排序实例:
192.168.1.1/32 (static) 10.1.1.0/24 (static) 192.168.1.0/24 (static)
