ASA5516 - NAT (port mapping) with a single public address, help needed

TianLin23823
Level 1
ASA5516, software version: Version 9.8(2)
The ASA firewall is the internet edge device and has only one public address, which is used for PAT.
When I add a port mapping for an internal server, I get the following:
PVSZ-FW(config-network-object)# nat (inside,outside) static isp service tcp 80 80
ERROR: Address 202.100.100.6 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded
Thank you.
The configuration is as follows:
PVSZ-FW(config)# show run
: Saved
:
: Serial Number: JAD24020KY1
: Hardware: ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
:
ASA Version 9.8(2)
!
hostname PVSZ-FW
domain-name cbt.com
enable password $sha512$5000$Fk1JnccNsuAkCBo0jWYwOQ==$1jf0+tgn1akW9Gsv3LbJGg== pbkdf2
names
ip local pool ezvpn 10.10.100.100-10.10.100.200 mask 255.255.255.0
!
interface GigabitEthernet1/1
description link-to-ISP
nameif outside
security-level 0
ip address 202.100.100.6 255.255.255.252
!
interface GigabitEthernet1/2
description link-to-Sangfor
nameif inside
security-level 100
ip address 10.10.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name cbt.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network PAT
subnet 0.0.0.0 0.0.0.0
object network vpnnet
subnet 10.10.100.0 255.255.255.0
object network vpn
subnet 10.10.30.0 255.255.255.0
object network vpn40
subnet 10.10.40.0 255.255.255.0
object network vpn-1
subnet 10.10.1.0 255.255.255.0
object network server
host 10.10.30.10
object service www-80
service tcp source eq www
object network isp
host 202.100.100.6
object-group network SZ
network-object 10.10.30.0 255.255.255.0
network-object 10.10.40.0 255.255.255.0
object-group network BJ
network-object 10.10.50.0 255.255.255.0
network-object 10.10.60.0 255.255.255.0
access-list out extended permit icmp any any
access-list out extended permit ip 10.10.100.0 255.255.255.0 any
access-list out extended permit tcp any interface outside eq www
access-list out extended permit tcp any host 10.10.30.10 eq www
access-list out extended permit tcp any host 202.100.100.6 eq www
access-list split extended permit ip 10.10.30.0 255.255.255.0 any
access-list split extended permit ip 10.10.40.0 255.255.255.0 any
access-list SZ-BJ extended permit ip object-group SZ object-group BJ
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static server interface service www-80 www-80
nat (inside,outside) source static SZ SZ destination static BJ BJ no-proxy-arp route-lookup
nat (inside,outside) source static SZ SZ destination static vpnnet vpnnet
!
object network PAT
nat (inside,outside) dynamic interface
access-group out in interface outside
route outside 0.0.0.0 0.0.0.0 202.100.100.5 1
route inside 10.10.10.0 255.255.255.0 10.10.1.2 1
route inside 10.10.20.0 255.255.255.0 10.10.1.2 1
route inside 10.10.30.0 255.255.255.0 10.10.1.2 1
route inside 10.10.40.0 255.255.255.0 10.10.1.2 1
route inside 192.168.111.0 255.255.255.0 10.10.1.2 1
5 replies

TianLin23823
Level 1
show xlate
PVSZ-FW(config-network-object)# show xlate | include 10.10.30.10
TCP PAT from inside:10.10.30.10 80-80 to outside:202.100.100.6 80-80
UDP PAT from inside:10.10.30.10/58240 to outside:202.100.100.6/58240 flags ri idle 1:34:57 timeout 0:00:30
UDP PAT from inside:10.10.30.10/55411 to outside:202.100.100.6/55411 flags ri idle 0:00:17 timeout 0:00:30
TCP PAT from inside:10.10.30.10/49246 to outside:202.100.100.6/49246 flags ri idle 2:11:26 timeout 0:00:30
UDP PAT from inside:10.10.30.10/18801 to outside:202.100.100.6/18801 flags ri idle 1:49:49 timeout 0:00:30
TCP PAT from inside:10.10.30.101/55783 to outside:202.100.100.6/55783 flags ri idle 2:42:26 timeout 0:00:30

ilay
VIP
This post was last edited by gengchunlin on 2021-1-6 12:37
The internet edge address has a /30 mask, so there is only one usable address; when configuring NAT there is no need to define a separate object for the interface address.
Just use interface directly.
For example:
object network TEST
host 10.1.1.90
nat (inside,outside) static interface service tcp 3389 3389
!
-----
Looking at the configuration as a whole, there is already a mapping for port 80, so the new one can only use another port number that is not yet in use:
nat (inside,outside) source static server interface service www-80 www-80
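The following is an added configuration example, not part of the thread or of any poster's config. It puts the failing command from the original post beside the two accepted forms (object NAT and twice NAT, both with the interface keyword as the mapped address), adds a second mapped port on the same public address, shows the post-8.3 ACL form that matches the real inside address, and lists the commands used to verify the result. Addresses and object names reuse the original post; the SSH mapping, the object name server-ssh and the packet-tracer source address 198.51.100.10 are illustrative assumptions. Note that ilay's 3389 line is only a syntax example: exposing RDP directly on a public address is not a good idea, and the mapped port should be whichever service is actually required.

```cisco
! Added example (not the thread's own configuration).
! Addressing as in the original post: outside = 202.100.100.6/30,
! inside web server = 10.10.30.10.
!
! What failed: the mapped address was a network object holding the
! outside interface's own address. The ASA rejects this:
!   object network isp
!    host 202.100.100.6
!   nat (inside,outside) static isp service tcp 80 80
!   -> ERROR: Address 202.100.100.6 overlaps with outside interface address.
!
! Accepted form 1: object NAT with the 'interface' keyword as the mapped address.
object network server
 host 10.10.30.10
 nat (inside,outside) static interface service tcp 80 80
!
! Accepted form 2: twice (manual) NAT, which is what the running config
! in the post already has for port 80. The service object's source port
! is the real server port. Only one of the two forms may own port 80.
object service www-80
 service tcp source eq www
nat (inside,outside) source static server interface service www-80 www-80
!
! A second service on the same public address needs a port that is not
! already mapped. A separate object for the same host is the usual way
! to map an additional port (SSH chosen here for illustration).
object network server-ssh
 host 10.10.30.10
 nat (inside,outside) static interface service tcp 22 22
!
! Post-8.3 ACLs on the outside interface match the real (untranslated)
! address, so permit the inside host rather than 202.100.100.6.
access-list out extended permit tcp any object server eq www
access-list out extended permit tcp any host 10.10.30.10 eq 22
access-group out in interface outside
!
! Verification (198.51.100.10 is an assumed external test source):
!   packet-tracer input outside tcp 198.51.100.10 40000 202.100.100.6 80
!   show nat detail
!   show xlate | include 10.10.30.10
```

packet-tracer only validates the NAT and ACL logic inside the ASA; it cannot reveal an upstream block such as the ISP filtering port 80 that the original poster ran into, so the final check is a connection attempt from a host on the internet side.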

TianLin23823
Level 1
gengchunlin wrote on 2021-1-6 12:33:
The internet edge address has a /30 mask, so there is only one usable address; when configuring NAT there is no need to define a separate object for the interface address.
Just use ...

Thanks, port 3389 is working now.
It took me a long time to discover that the ISP blocks port 80.

ilay
VIP
TianLin23823 wrote on 2021-1-6 12:54:
Thanks, port 3389 is working now.
It took me a long time to discover that the ISP blocks port 80.

Yes, 3389 was only a configuration example. When configuring, set the port that is actually used.

YilinChen
Spotlight
ERROR: Address 202.100.100.6 overlaps with outside interface address.
Read the error message carefully and you will find the problem :P