2007-3-18 13:49
luweinet
Cisco IOS routing and NAT order
A friend asked me whether a firewall does NAT first or routing first...
Cisco IOS handles it like this:
[b]Inside-to-Outside[/b]
• If IPSec then check input access list
• decryption - for CET
• check input rate limits
• input accounting
• policy routing
• [color=Red]routing[/color]
• redirect to web cache
• [b]NAT inside to outside (local to global translation)[/b]
• crypto (check map and mark for encryption)
• check output access list
• inspect (Context-based Access Control (CBAC))
• TCP intercept
• encryption

[b]Outside-to-Inside[/b]
• If IPSec then check input access list
• decryption - for CET or IPSec
• check input access list
• check input rate limits
• input accounting
• [b]NAT outside to inside (global to local translation)[/b]
• policy routing
• [color=Red]routing[/color]
• redirect to web cache
• crypto (check map and mark for encryption)
• check output access list
• inspect CBAC
• TCP intercept
• encryption
[[i] This post was last edited by luweinet on 2007-3-18 13:54 [/i]]
2007-4-3 21:58
zn8903
It would be best if you could explain it together with the full text, thanks.
[[i] This post was last edited by zn8903 on 2007-4-3 21:59 [/i]]
2007-4-3 23:39
luweinet
This is excerpted from the Cisco website; it describes the flow Cisco IOS uses to process a packet. It is something you must understand when doing policy routing; basically it can all be translated directly.
When a packet goes out from the inside, it is policy routing first, then routing, and only then NAT.
When a packet comes in from the outside, it is NAT first, then policy routing, then routing.
When doing multi-line routing you must get these two orders straight. At the time I noticed it differs from how iptables handles it, so I posted it. This is about my level with networking, forgive me :L
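As an added example that is not part of the original thread or of Cisco's documentation, the following Python model reduces the two pipelines in the table above to the steps this thread is about (input ACL, policy routing, routing, NAT, output ACL) and records which address each step actually sees. Every address, route, NAT entry and interface name in it is constructed sample data; the policy route stands in for the "multiple exits" case luweinet mentions.

```python
"""Toy model of the two Cisco IOS pipelines quoted in the thread.

Added example, not from the original post or from Cisco.  All addresses,
routes, NAT entries and interface names are constructed sample data.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Packet:
    src: str
    dst: str
    trace: list = field(default_factory=list)   # what each step saw


# Constructed static NAT entries: inside local <-> inside global.
LOCAL_TO_GLOBAL = {"192.168.1.10": "203.0.113.10"}
GLOBAL_TO_LOCAL = {g: l for l, g in LOCAL_TO_GLOBAL.items()}

# Constructed routing table: prefix -> egress interface.
ROUTES = {
    "192.168.1.0/24": "Fa0/0",  # inside LAN
    "0.0.0.0/0": "Se0/0",       # default route, first ISP line
}

# Constructed policy-routing rule (the "multiple exits" case in the thread):
# traffic sourced from this inside subnet leaves via the second ISP line.
POLICY_ROUTES = {"192.168.1.0/24": "Se0/1"}


def route_lookup(dst: str):
    """Longest-prefix match of the destination against ROUTES."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def policy_lookup(src: str):
    """Policy routing keys on the source address; None means no match."""
    addr = ipaddress.ip_address(src)
    for prefix, iface in POLICY_ROUTES.items():
        if addr in ipaddress.ip_network(prefix):
            return iface
    return None


def inside_to_outside(pkt: Packet):
    """Left column of the table: policy routing, routing, then NAT."""
    pkt.trace.append(("input acl sees src", pkt.src))
    egress = policy_lookup(pkt.src)              # matches the inside local address
    pkt.trace.append(("policy routing picks", egress))
    if egress is None:
        egress = route_lookup(pkt.dst)
    pkt.trace.append(("routing picks", egress))
    pkt.src = LOCAL_TO_GLOBAL.get(pkt.src, pkt.src)     # NAT local -> global
    pkt.trace.append(("output acl sees src", pkt.src))  # already translated
    return egress


def outside_to_inside(pkt: Packet):
    """Right column of the table: input ACL, NAT, then policy routing/routing."""
    pkt.trace.append(("input acl sees dst", pkt.dst))   # still the global address
    pkt.dst = GLOBAL_TO_LOCAL.get(pkt.dst, pkt.dst)     # NAT global -> local
    egress = policy_lookup(pkt.src) or route_lookup(pkt.dst)  # routed on local dst
    pkt.trace.append(("routing picks", egress))
    return egress


def misordered_outside_to_inside(pkt: Packet):
    """If IOS routed before translating, the global destination would only
    match the default route and the packet would head back toward the outside."""
    return route_lookup(pkt.dst)


if __name__ == "__main__":
    reply = Packet(src="198.51.100.5", dst="203.0.113.10")
    print(outside_to_inside(reply), reply.trace)
    print(misordered_outside_to_inside(Packet("198.51.100.5", "203.0.113.10")))
    out = Packet(src="192.168.1.10", dst="198.51.100.5")
    print(inside_to_outside(out), out.trace)
```

Two things fall out of the trace that matter when writing ACLs and route maps on a multi-exit router: on the outside interface the input ACL matches the inside global (public) address because NAT has not run yet, while on the outbound path the output ACL sees the already-translated source; and a route map that steers one inside subnet to a particular ISP line must match the inside local addresses, since policy routing runs before NAT.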
2007-4-4 19:39
zn8903
Multi-line routing?
2007-4-4 21:26
luweinet
:L
My wording was off; I mean the multiple-exit problem....
[[i] This post was last edited by luweinet on 2007-4-4 21:31 [/i]]