模拟65XX系列交换机上PIX模块-透明模式物理拓扑：拓扑说明：FW1上E0.20：outside。VLAN 20 E0.30：inside。VLAN 30。放通ICMP流量。SW-FW1的链路为Trunk。 SW上有VLAN 10,VLAN 20,VLAN 30。F0/1在VLAN 10上。F0/2在VLAN 20上。SVI10：192.168.1.1/24。SVI30：2.2.2.2/24内网为Inside,IP：192.168.1.2/24，SW为网关：SVI10 ：192.168.1.1。公网为Internet，IP：2.2.2.1/24。逻辑拓扑：基本配置：内网：Inside#show running-configinterface Ethernet0/1 ip address 192.168.1.2 255.255.255.0ip route 0.0.0.0 0.0.0.0 192.168.1.1外网：Internet# show running-configinterface Ethernet0/2 ip address 2.2.2.1 255.255.255.0ip route 0.0.0.0 0.0.0.0 2.2.2.2SW：SW#show running-configinterface FastEthernet0/0 switchport mode trunk!interface FastEthernet0/1 switchport access vlan 10!interface FastEthernet0/2 switchport access vlan 20interface Vlan10 ip address 192.168.1.1 255.255.255.0 ip nat inside ip virtual-reassembly!interface Vlan30 ip address 2.2.2.2 255.255.255.0 ip nat outside ip virtual-reassemblyPIX：PIX(config)# show running-config firewall transparenthostname PIXinterface Ethernet0.20 vlan 20 nameif outside security-level 0!interface Ethernet0.30 vlan 30 nameif inside security-level 100ip address 1.1.1.1 255.0.0.0access-list icmp extended permit icmp any anyaccess-group icmp in interface outside交换机上NAT策略：access-list 101 permit ip 192.168.0.0 0.0.255.255 anyip nat inside source list 101 interface Vlan30 overload/内网访问公网做动态PAT。ip nat inside source static 192.168.1.2 2.2.2.2/公网访问内网做静态NAT。开测：内网上公网：SW上NAT转换成功：PIX记录了ICMP的过程：公网收到了：公网访问内网:防火墙记录了ICMP过程：SW上静态NAT转换成功：内网收到了：所以流量都经过了防火墙。数据引入防火墙成功！发现的问题：公网访问内网私网IP也可以通。/清楚交换机NAT表项公网PING内网：/内网收到了，此时交换机上没有什么记录。交换机只是做是转发。SW显示回应包的数据做了NAT。并且，公网上还介绍了这个回应包。为什么路由器上发出的请求包的目标IP和收到的回应包的源IP不一致，也会显示成功？