Cisco Service Support Community (思科服务支持社区)
NAT configuration on ASA5500X 9.6.3

Posted 2017-11-25 01:25:18
This post was last edited by siumem on 2017-12-13 10:58.

Today I ran into an ASA5512X running 9.6.3 and tried to do a simple static NAT: the internal server 192.168.2.20 is mapped to one external address, exposing a web service on port 8181. With the public IP configured directly on the server, it can be reached from outside; but after doing the NAT mapping on the ASA, access just does not come through. The strange part is that show log clearly shows the traffic being denied by the ACL, yet the ACL plainly permits that access. Upgrading to 9.7.1 did not help either. The config is below; could one of you take a look?
sh run
: Saved
ASA Version 9.7(1)4
!
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session deny tcp any4 any4
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 180.180.180.82 255.255.255.240
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.16.2.253 255.255.255.0
!
!
!
boot system disk0:/asa971-4-smp-k8.bin
ftp mode passive
object network obj_vlan172
subnet 172.16.2.0 255.255.255.0
object network Jizhi_MIP
host 192.168.1.20
object network inside_vlan2
subnet 192.168.2.0 255.255.255.0
object network obj_180.180.180.90
host 180.180.180.90
access-list o2i extended permit icmp any any echo-reply
access-list o2i extended permit icmp any any source-quench
access-list o2i extended permit icmp any any unreachable
access-list o2i extended permit icmp any any time-exceeded
access-list o2i extended permit tcp any host 192.168.2.20 eq 8181
access-list o2i extended permit tcp any host 192.168.2.20 eq 3389
access-list o2i extended permit ip any host 192.168.2.20
access-list o2i extended permit icmp any any echo
access-list o2i extended permit ip any host 180.167.77.90
pager lines 24
logging enable
logging buffered warnings
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (inside,outside) source static Jizhi_MIP obj_180.167.77.90
!
object network obj_vlan172
nat (inside,outside) dynamic interface
object network inside_vlan2
nat (inside,outside) dynamic interface
access-group o2i in interface outside
route outside 0.0.0.0 0.0.0.0 180.167.77.81 1
route inside 192.168.1.0 255.255.255.0 172.16.2.254 1
route inside 192.168.2.0 255.255.255.0 172.16.2.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
no snmp-server location
no snmp-server contact
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username cisco password kHXUGj3hWxtw0q2l encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
  inspect dns preset_dns_map
  inspect icmp
  inspect http
policy-map type inspect dns migrated_dns_map_2
parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e81491547a9a98132a5372c0511bf982
: end
-------------------------------------------------------------------------------------------------------------------------------------------
Thanks everyone for the reminders: there was a mistake in the object in the config text, 192.168.2.20 had been written as 192.168.1.20.
The ultimate cause was an H3C ER router in front of the ASA acting as a pure router; it presumably has some ARP update limit, so after the host holding the public IP was replaced it stayed unreachable for a long time. Even rebooting did not help; in the end I simply removed that router.
Posted 2017-11-25 01:25:19 (best answer)
ACL o2i really does not have it: there is no ACL entry allowing any public IP to reach 192.168.1.20.
Original poster | Posted 2017-11-25 01:27:20
show log clearly shows the access coming from outside being blocked by the firewall:
%ASA-4-106023: Deny tcp src outside:116.226.153.200/53080 dst inside:192.168.1.20/8181 by access-group "o2i" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:116.226.153.200/53081 dst inside:192.168.1.20/8181 by access-group "o2i" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:116.226.153.200/53080 dst inside:192.168.1.20/8181 by access-group "o2i" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:116.226.153.200/53081 dst inside:192.168.1.20/8181 by access-group "o2i" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:116.226.153.200/53080 dst inside:192.168.1.20/8181 by access-group "o2i" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:116.226.153.200/53081 dst inside:192.168.1.20/8181 by access-group "o2i" [0x0, 0x0]
%ASA-2-106001: Inbound TCP connection denied from 140.206.78.29/80 to 192.168.2.20/58672 flags PSH ACK  on interface inside
%ASA-4-106023: Deny tcp src outside:116.226.153.200/53080 dst inside:192.168.1.20/8181 by access-group "o2i" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:116.226.153.200/53081 dst inside:192.168.1.20/8181 by access-group "o2i" [0x0, 0x0]

But the access-list applied on outside has clearly already permitted this application.
Posted 2017-11-27 10:08:34
This post was last edited by arvinjing on 2017-12-1 09:35.

Both your NAT and your ACL have some problems. I suggest configuring your NAT as follows:
object network Jizhi_MIP
 host 192.168.2.20
 nat (inside,outside) static obj_180.180.180.90 service tcp 80 8181
access-list o2i extended permit tcp any host 192.168.2.20 eq 80
Posted 2017-11-27 22:15:18
The ACL says 2.20, not 1.20.
Posted 2017-11-28 09:12:25
Is the port on your internal address 80? If so, your ACL needs to allow port 80.
Posted 2017-11-29 09:56:52
nat (inside,outside) source static Jizhi_MIP obj_180.167.77.90
object network Jizhi_MIP
host 192.168.1.20         <<<<<<<<<<   should be changed to 192.168.2.20
You say you want to map the internal server 192.168.2.20, but what you wrote in the object is "192.168.1.20".
access-list o2i extended permit tcp any host 192.168.2.20 eq 8181
What the ACL permits is 192.168.2.20.
Posted 2017-11-29 15:35:17
The log shows Deny tcp src outside:116.226.153.200/53080 dst inside:192.168.1.20/8181. This warning appears because your ACL does not permit access to the address 192.168.1.20: your ACL only allows the 2.20 entry and has no entry for 192.168.1.20. If you want this address to be reachable, add an entry: access-list o2i extended permit tcp any host 192.168.2.20 eq 8181
The other log entry is denied from 140.206.78.29/80 to 192.168.2.20/58672. This warning is shown because only ports 8181 and 3389 were opened for 2.20; port 58672 was not opened, hence the warning.
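As an added illustration of the mismatch discussed in the first post's config, its 106023 log lines and the two replies above (this is my own code, not anything from the thread or from Cisco): a small Python audit that resolves the real host behind each static NAT, collects the destination hosts the o2i ACL permits, and extracts the denied destinations from %ASA-4-106023 messages, then reports NAT'd hosts the ACL never permits. The config and log excerpts are constructed from the thread's values, and the function names are my own.

```python
import re
# Constructed excerpt of the first post's running config; the object typo is kept on purpose.
CONFIG = """\
object network Jizhi_MIP
 host 192.168.1.20
object network obj_180.180.180.90
 host 180.180.180.90
access-list o2i extended permit tcp any host 192.168.2.20 eq 8181
access-list o2i extended permit ip any host 192.168.2.20
nat (inside,outside) source static Jizhi_MIP obj_180.180.180.90
"""

# Constructed syslog line in the same format as the thread's show log output.
LOGS = '%ASA-4-106023: Deny tcp src outside:116.226.153.200/53080 dst inside:192.168.1.20/8181 by access-group "o2i" [0x0, 0x0]\n'

def parse_objects(cfg):
    """Map each 'object network' name to the address on its 'host' line."""
    objs, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*host (\S+)", line)
        if m and current:
            objs[current] = m.group(1)
    return objs

def acl_permitted_hosts(cfg, acl):
    """Destination hosts the named ACL permits (real, pre-NAT addresses on ASA 8.3+)."""
    return set(re.findall(rf"access-list {acl} extended permit \S+ any host (\S+)", cfg))

def static_nat_real_hosts(cfg, objs):
    """Real hosts behind 'nat (...) source static <real> <mapped>', with object names resolved."""
    return {objs.get(n, n) for n in re.findall(r"nat \(\S+\) source static (\S+) \S+", cfg)}

def denied_destinations(logs, acl):
    """Destination hosts dropped by the named access-group in %ASA-4-106023 messages."""
    return set(re.findall(rf'%ASA-4-106023: Deny \S+ src \S+ dst \S+:(\S+)/\d+ by access-group "{acl}"', logs))

def audit(cfg, logs, acl="o2i"):
    """Return (NAT'd real hosts the ACL never permits, those among them already seen denied in the logs)."""
    missing = static_nat_real_hosts(cfg, parse_objects(cfg)) - acl_permitted_hosts(cfg, acl)
    return missing, denied_destinations(logs, acl) & missing

if __name__ == "__main__":
    missing, denied = audit(CONFIG, LOGS)
    for host in sorted(missing):
        print(f"static NAT real host {host} not permitted by ACL o2i; denied in log: {host in denied}")
```

Run against the thread's values it flags 192.168.1.20 as NAT'd but never permitted, which is exactly the object typo that the corrected host line in the reply above fixes.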
Posted 2017-11-30 17:53:08
Troubleshoot it step by step and find a reference case; short answer.
Posted 2017-12-1 09:05:59
It looks like your NAT does not have 2.20; for the ACL, try permitting both 80 and 8181.