Cisco ASA 5515 NAT configuration not working, help, help!!!!!

gwzhong
Level 1
This post was last edited by gwzhong on 2019-6-12 18:56
I have been working on one address mapping for several days now. Could an expert please help me look at where this configuration is wrong and why it just will not connect no matter what? Access to the machine from inside the LAN works normally.
The goal is to map port 3389 of the internal host 192.168.0.100 to the outside; the relevant operations are marked in bold and red.
The configuration file is as follows:
ciscoasa(config)# show run
: Saved
:
: Serial Number: FCH2050J6CU
: Hardware: ASA5515, 8192 MB RAM, CPU Clarkdale 3059 MHz, 1 CPU (4 cores)
:
ASA Version 9.4(4)18
!
hostname ciscoasa
enable password KDZzQhdcZk.w6ysV encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session permit tcp any4 any4
xlate per-session permit udp any4 any4
passwd KDZzQhdcZk.w6ysV encrypted
names
ip local pool pool-sslvpn 192.16.254.1-192.16.254.50 mask 255.255.255.0
!
interface GigabitEthernet0/0
description Internet
nameif outside
security-level 0
ip address 116.228.89.243 255.255.255.240
!
interface GigabitEthernet0/1
description WIFI(SG200-Gi12)
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
description LAN(SG200-Gi21)
nameif lan-server
security-level 100
ip address 172.16.0.1 255.255.255.0
!
interface GigabitEthernet0/3
description Client
nameif client-zone
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/4
description Client2
nameif client2-zone
security-level 10
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/5
no nameif
security-level 0
no ip address
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa944-18-smp-k8.bin
boot system disk0:/asa922-4-smp-k8.bin
ftp mode passive
clock timezone CST 8
dns domain-lookup outside
dns server-group DefaultDNS
name-server 202.96.209.133
object network my-inside-net
subnet 192.168.0.0 255.255.255.0
object network lan-server
subnet 172.16.0.0 255.255.255.0
object network mac
host 192.168.0.118
object network playground
host 192.168.0.50
object network Guotai
host 27.115.57.133
object network DlianL2
host 203.86.95.178
object network EG_Test
host 180.166.217.142
object network intel
host 198.175.98.50
object network zhangjiang
host 180.168.102.226
object network client-groups
subnet 192.168.1.0 255.255.255.0
object network video-1
host 192.168.0.90
object network client2-groups
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.0.162
host 192.168.0.162
object network Inside-net
subnet 192.168.0.0 255.255.255.0
object network sslvpn-pool-01
subnet 192.16.254.0 255.255.255.0
object network obj-192.168.0.130
host 192.168.0.130
object service 20000
object network 123
host 192.168.0.123
object network outside
host 116.228.89.243
object network inside192
host 1.1.1.1
object network real
object service tcp-3389
service tcp source eq 3389
object network tcp3389
host 192.168.0.123
object network server
subnet 192.168.0.123 255.255.255.255
object service mstsc
service tcp source eq 3389
object network dc
host 192.168.0.100
object-group service eg_test tcp
port-object eq 30022
object-group service tcp_8080 tcp
port-object eq 14000
port-object eq 8080
port-object eq 8090
port-object eq 8000
object-group service temp tcp
port-object eq 8090
port-object eq 8100
object-group network playground_servers
network-object host 203.86.95.181
network-object host 203.187.171.248
network-object object DlianL2
network-object object zhangjiang
object-group network video
network-object object video-1
object-group service service_udp_1701 udp
port-object eq 1701
object-group service service_tcp_1723 tcp
port-object eq pptp
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp
service-object tcp destination eq telnet
access-list wifi extended permit ip object playground object-group playground_servers
access-list wifi extended deny ip object playground any
access-list wifi extended permit tcp any any eq www
access-list wifi extended permit tcp any any eq https
access-list wifi extended permit tcp any any eq domain
access-list wifi extended permit udp any any eq domain
access-list wifi extended permit tcp any any object-group tcp_8080
access-list wifi extended permit tcp object mac any object-group eg_test
access-list wifi extended permit icmp any object-group playground_servers echo-reply log
access-list wifi extended permit ip object-group video any log
access-list wifi extended permit ip object obj-192.168.0.130 any log
access-list wifi extended deny ip any object intel
access-list wifi extended permit tcp object obj-192.168.0.130 any eq 24020 log
access-list wifi extended permit tcp any any eq 3389
access-list client extended permit ip object client-groups object my-inside-net
access-list client extended deny ip object my-inside-net object client-groups
access-list client extended deny ip object client-groups object lan-server
access-list client extended permit tcp any any eq www
access-list client extended permit tcp any any eq https
access-list client extended permit tcp any any eq domain
access-list client extended permit udp any any eq domain
access-list client extended permit icmp any any echo-reply log
access-list client2 extended deny ip object client2-groups object lan-server
access-list client2 extended deny ip object client2-groups object mac
access-list client2 extended deny ip object client2-groups object playground
access-list client2 extended deny ip object client2-groups object my-inside-net
access-list client2 extended deny ip object client2-groups object intel
access-list client2 extended deny ip object client2-groups object video-1
access-list client2 extended deny ip object client2-groups object Guotai
access-list client2 extended permit tcp any any eq www
access-list client2 extended permit tcp any any eq https
access-list client2 extended permit tcp any any eq domain
access-list client2 extended permit udp any any eq domain
access-list client2 extended permit icmp any object-group playground_servers echo-reply log
access-list client2 extended permit ip any any
access-list out extended permit tcp any host 192.168.0.123
access-list out extended permit ip any any
access-list sslvpn-to-internal remark sslvpn-to-internal
access-list sslvpn-to-internal extended permit ip object Inside-net any
access-list 172 extended permit ip 172.16.0.0 255.255.0.0 any
access-list 192 extended permit ip 192.168.0.0 255.255.0.0 any
access-list LAN extended permit ip 172.16.0.0 255.255.255.0 any
access-list out-web extended permit tcp any any eq 3389
access-list out-web extended permit tcp any host 192.168.0.100 eq 3389
access-list in-web extended permit ip any any
access-list in-web extended permit tcp any any
access-list in-web extended permit udp any any
pager lines 24
logging enable
logging timestamp
logging standby
logging buffer-size 1024000
logging console errors
logging monitor alerts
logging buffered alerts
logging trap alerts
logging history alerts
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu lan-server 1500
mtu client-zone 1500
mtu client2-zone 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-7221.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static Inside-net Inside-net description sslvpn-pool-01 sslvpn-pool-01
nat (inside,outside) source static any any
!
object network my-inside-net
nat (any,outside) dynamic interface
object network lan-server
nat (any,outside) dynamic interface
object network client-groups
nat (any,client-zone) dynamic interface
object network client2-groups
nat (client2-zone,outside) dynamic interface
object network dc
nat (inside,outside) static interface service tcp 3389 3389
access-group out-web in interface outside
access-group in-web in interface inside
access-group client in interface client-zone
access-group client2 in interface client2-zone
route outside 0.0.0.0 0.0.0.0 116.228.89.241 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication secure-http-client
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 lan-server
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 900
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 lan-server
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 5
dhcpd dns 202.96.209.133
dhcpd lease 28800
!
dhcpd address 192.168.0.120-192.168.0.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.5.04029-webdeploy-k9.pkg 1
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy policy-sslvpn internal
group-policy policy-sslvpn attributes
dns-server value 114.114.114.114
vpn-tunnel-protocol ssl-client ssl-clientless
group-lock value sslvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value sslvpn-to-internal
address-pools value pool-sslvpn
dynamic-access-policy-record DfltAccessPolicy
username Tacfin_user03 password JRbAME0QVTYRyB4u encrypted
username Tacfin_user03 attributes
vpn-group-policy policy-sslvpn
service-type remote-access
username Tacfin_user02 password JRbAME0QVTYRyB4u encrypted
username Tacfin_user02 attributes
vpn-group-policy policy-sslvpn
service-type remote-access
username Tacfin_user01 password JRbAME0QVTYRyB4u encrypted
username Tacfin_user01 attributes
vpn-group-policy policy-sslvpn
service-type remote-access
username admin privilege 15
username zgw password bp2uvz0vuzm9ONxv encrypted
tunnel-group sslvpn type remote-access
tunnel-group sslvpn general-attributes
default-group-policy policy-sslvpn
tunnel-group sslvpn webvpn-attributes
group-alias policy-sslvpn enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect icmp
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 17
subscribe-to-alert-group configuration periodic monthly 17
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3a325bcfcfe87207dcb654134209f349
: end
3 replies

gwzhong
Level 1
:'(:'(:'(:'(:'(:'(:'(:'(:'(

ahsungf
Level 1
What about the outside acl group?

fortune
VIP Alumni
nat (inside,outside) source dynamic any interface
Brother, try removing this dynamic line and replacing it with object,
that is, dynamic object interface, where the object specifies the internal network segment.
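Added example, not code from the thread or from Cisco: a small Python checker that reads an excerpt of the configuration gwzhong posted and walks the NAT table in the order the ASA evaluates it (Section 1 manual "nat ... source" lines in configuration order, then Section 2 object NAT), reporting which rule a new inbound connection to 116.228.89.243 on TCP/3389 hits first. It serves both the original question and fortune's point about the dynamic rule. Assumptions, also marked in the code: only "source" manual NAT and simple object NAT are parsed; a dynamic rule never matches a new inbound connection; Section 3 (after-auto) rules and the finer Section 2 ordering are not modelled; net-to-net static rules are treated as identity; the excerpt restores the one-space indentation under "object network" that the forum stripped; the config excerpt is constructed from the post, not the full running config.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Outside interface address, taken from the posted config.
OUTSIDE_IP = ipaddress.ip_address("116.228.89.243")

# Constructed excerpt of the posted configuration; the one-space indentation
# the ASA prints under "object network" is restored here (the forum lost it).
SAMPLE_CONFIG = """\
object network Inside-net
 subnet 192.168.0.0 255.255.255.0
object network sslvpn-pool-01
 subnet 192.16.254.0 255.255.255.0
object network dc
 host 192.168.0.100
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static Inside-net Inside-net description sslvpn-pool-01 sslvpn-pool-01
nat (inside,outside) source static any any
object network dc
 nat (inside,outside) static interface service tcp 3389 3389
"""


@dataclass
class NatRule:
    section: int            # 1 = manual NAT (before auto), 2 = object NAT
    kind: str               # "static" or "dynamic"
    real: str               # object name or "any"
    mapped: str             # object name, "any" or "interface"
    port: Optional[int]     # mapped TCP port when object NAT carries 'service'
    text: str


def parse(cfg):
    """Return (objects, rules); rules are in ASA evaluation order.
    Assumption/simplification: Section 2 rules are kept in config order and
    Section 3 'after-auto' rules are not handled at all."""
    objects, manual, auto, cur = {}, [], [], None
    for line in cfg.splitlines():
        m = re.match(r"object network (\S+)$", line)
        if m:
            cur = m.group(1)
            continue
        if not line.startswith(" "):
            cur = None                      # left the object block
        s = line.strip()
        if cur and s.startswith("host "):
            objects[cur] = ipaddress.ip_network(s.split()[1] + "/32")
        elif cur and s.startswith("subnet "):
            _, net, mask = s.split()
            objects[cur] = ipaddress.ip_network(f"{net}/{mask}")
        elif cur and s.startswith("nat "):   # object NAT: static <mapped> [service tcp <real> <mapped>]
            m = re.match(r"nat \(\S+,\S+\) (static|dynamic) (\S+)"
                         r"(?: service tcp (\d+) (\d+))?", s)
            port = int(m.group(4)) if m.group(4) else None
            auto.append(NatRule(2, m.group(1), cur, m.group(2), port, s))
        elif s.startswith("nat "):           # manual NAT; a trailing 'description ...' is ignored
            m = re.match(r"nat \(\S+,\S+\) source (static|dynamic) (\S+) (\S+)", s)
            manual.append(NatRule(1, m.group(1), m.group(2), m.group(3), None, s))
    return objects, manual + auto


def mapped_contains(rule, objects, ip):
    """True if ip falls inside the rule's mapped (outside-facing) address set."""
    if rule.mapped == "any":
        return True
    if rule.mapped == "interface":
        return ip == OUTSIDE_IP
    return ip in objects[rule.mapped]


def first_inbound_match(rules, objects, dst_ip, dst_port):
    """First rule a new outside->inside connection to dst_ip:dst_port hits.
    Dynamic rules are skipped (assumption: they only build xlates outbound)."""
    for r in rules:
        if r.kind != "static" or r.port not in (None, dst_port):
            continue
        if mapped_contains(r, objects, dst_ip):
            return r
    return None


def real_destination(rule, objects, dst_ip):
    """Address the packet is delivered to after the matching rule untranslates it.
    Only host (/32) real objects are resolved; net-to-net is left as identity (simplification)."""
    if rule.real == "any" or rule.real == rule.mapped:
        return dst_ip                        # identity NAT: unchanged
    net = objects[rule.real]
    return net.network_address if net.prefixlen == 32 else dst_ip


def check(cfg=SAMPLE_CONFIG, dst_port=3389):
    """(winning rule text, delivered destination) for TCP dst_port to the outside IP."""
    objects, rules = parse(cfg)
    hit = first_inbound_match(rules, objects, OUTSIDE_IP, dst_port)
    if hit is None:
        return None, str(OUTSIDE_IP)
    return hit.text, str(real_destination(hit, objects, OUTSIDE_IP))


def check_without(cfg, drop_substr, dst_port=3389):
    """Re-run check() with every line containing drop_substr removed."""
    kept = "\n".join(l for l in cfg.splitlines() if drop_substr not in l) + "\n"
    return check(kept, dst_port)


if __name__ == "__main__":
    print("as posted             :", check())
    print("without static any any:", check_without(SAMPLE_CONFIG, "source static any any"))
```

Run as posted, the first rule the inbound packet matches is the Section 1 identity line "nat (inside,outside) source static any any", so the destination stays the interface address and the object NAT for dc, which sits in Section 2, is never reached; with that line removed the dc rule wins and the packet is delivered to 192.168.0.100. Two further things a practitioner would check: that access-group out-web is applied to outside (it is), and that, because ACLs on ASA 8.3 and later match the real, untranslated address, the ACE "permit tcp any host 192.168.0.100 eq 3389" is the one to keep; the broader "permit tcp any any eq 3389" adds nothing, and exposing RDP directly to the Internet is worth reconsidering given the AnyConnect access that is already configured.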