Internal hosts reaching a mapped internal server by accessing the ASA's outside IP

yuhao (Level 1)
An ASA 5506 acts as the gateway, software version 9.5. I now want to configure a static mapping on the firewall so that internal hosts can reach the mapped internal server indirectly by accessing the firewall's outside interface address. Can this be done, and how would I implement it? Thanks!
1 accepted solution

Accepted solution

yutaoli158861 (Spotlight)
Accessing the mapped outside address X.X.X.X:8090 from inside:

object service 8090
service tcp destination eq 8090
nat (inside,inside) source static 192.168.200.0 70.70.70.0 destination static X.X.X.X 192.168.200.202 service 8090 8090
!
Accessing the mapped inside server at X.X.X.X:8090 from outside:

object network 192.168.200.202_8090
host 192.168.200.202
nat (inside,outside) static interface service tcp 8090 8090
access-list outside_int extended permit tcp any host 192.168.200.202 eq 8090
access-group outside_int in interface outside
Test verification:
packet-tracer input inside tcp 192.168.200.203 50 x.x.x.x 8090
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,inside) source static 192.168.200.0 70.70.70.0 destination static x.x.x.x 192.168.200.202 service 8090 8090
Additional Information:
NAT divert to egress interface inside
Untranslate x.x.x.x/8090 to 192.168.200.202/8090
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 100 in interface inside
access-list 100 extended permit ip any any
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,inside) source static 192.168.200.0 70.70.70.0 destination static x.x.x.x 192.168.200.202 service 8090 8090
Additional Information:
Static translate 192.168.200.203/50 to 70.70.70.203/50
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,inside) source static 192.168.200.0 70.70.70.0 destination static x.x.x.x 192.168.200.202 service 8090 8090
Additional Information:
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 9275189, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
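The packet-tracer output above shows two translations on the (inside,inside) rule: phase 1 un-NATs the destination x.x.x.x:8090 to 192.168.200.202, and phase 3 translates the source 192.168.200.203 to 70.70.70.203. The following Python model, added here and not part of the thread or of any Cisco code, walks a client packet through that twice-NAT rule and back, and contrasts it with a destination-only translation to show why the source step matters: without it the server answers the client directly on the shared LAN, the ASA never sees the reply, and the client receives a SYN-ACK from 192.168.200.202 rather than from the address it connected to. X.X.X.X is stood in for by the constructed address 203.0.113.10; the model also assumes the ASA permits traffic to enter and leave the same interface ("same-security-traffic permit intra-interface"), which a single-interface hairpin requires.

```python
"""Added model of the accepted answer's hairpin twice-NAT rule:

    nat (inside,inside) source static 192.168.200.0 70.70.70.0
        destination static X.X.X.X 192.168.200.202 service 8090 8090

Not ASA code: a pure-Python walk-through of what the rule does to a flow.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed stand-in for the thread's X.X.X.X (TEST-NET-3 address, not routable).
OUTSIDE_IP = "203.0.113.10"
SERVER_REAL = "192.168.200.202"   # real server address from the thread
SERVICE_PORT = 8090
REAL_NET = ipaddress.ip_network("192.168.200.0/24")  # object "192.168.200.0" (real source)
MAPPED_NET = ipaddress.ip_network("70.70.70.0/24")   # object "70.70.70.0" (mapped source)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def reply_to(pkt: Packet) -> Packet:
    """The server's answer to pkt: addresses and ports swapped."""
    return Packet(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)


def lan_path(pkt: Packet) -> str:
    """'direct' if the destination is on the server's own LAN (no gateway involved);
    'via-asa' if it is off-subnet, e.g. 70.70.70.x, and so follows the default route."""
    return "direct" if ipaddress.ip_address(pkt.dst_ip) in REAL_NET else "via-asa"


class HairpinNat:
    """Twice NAT on one interface, as in packet-tracer phases 1 (UN-NAT) and 3 (NAT)."""

    def __init__(self) -> None:
        # xlate table: translated (src, sport, dst, dport) -> original client packet
        self.xlate: Dict[Tuple[str, int, str, int], Packet] = {}

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Client -> server. Returns the translated packet, or None if the rule does not match."""
        if (pkt.dst_ip, pkt.dst_port) != (OUTSIDE_IP, SERVICE_PORT):
            return None
        src = ipaddress.ip_address(pkt.src_ip)
        if src not in REAL_NET:
            return None
        # net-to-net static source NAT keeps the host bits: .203 -> 70.70.70.203
        host_bits = int(src) - int(REAL_NET.network_address)
        mapped_src = str(ipaddress.ip_address(int(MAPPED_NET.network_address) + host_bits))
        out = Packet(mapped_src, pkt.src_port, SERVER_REAL, SERVICE_PORT)
        self.xlate[(out.src_ip, out.src_port, out.dst_ip, out.dst_port)] = pkt
        return out

    def reverse(self, reply: Packet) -> Optional[Packet]:
        """Server -> client. Undo both translations using the xlate built on the way out."""
        key = (reply.dst_ip, reply.dst_port, reply.src_ip, reply.src_port)
        orig = self.xlate.get(key)
        if orig is None:
            return None
        return Packet(OUTSIDE_IP, SERVICE_PORT, orig.src_ip, orig.src_port)


def with_twice_nat(client: Packet) -> Tuple[Packet, str, Packet]:
    """Full round trip through the accepted answer's rule:
    (packet as the server sees it, path the reply takes, reply as the client sees it)."""
    nat = HairpinNat()
    to_server = nat.forward(client)
    server_reply = reply_to(to_server)
    return to_server, lan_path(server_reply), nat.reverse(server_reply)


def with_destination_nat_only(client: Packet) -> Tuple[str, bool]:
    """Same flow if only the destination were translated: which path the reply takes,
    and whether its source is the address the client actually connected to."""
    to_server = Packet(client.src_ip, client.src_port, SERVER_REAL, SERVICE_PORT)
    server_reply = reply_to(to_server)
    client_accepts = server_reply.src_ip == OUTSIDE_IP
    return lan_path(server_reply), client_accepts


if __name__ == "__main__":
    # Same 5-tuple as the packet-tracer command in the answer (x.x.x.x -> constructed address).
    client = Packet("192.168.200.203", 50, OUTSIDE_IP, SERVICE_PORT)
    print("twice NAT:", with_twice_nat(client))
    print("destination NAT only:", with_destination_nat_only(client))
```

Run as is, the twice-NAT path reports the server seeing 70.70.70.203:50 -> 192.168.200.202:8090, the reply going via the ASA, and the client seeing 203.0.113.10:8090 -> 192.168.200.203:50; the destination-only variant reports the reply going direct and the client not accepting it, which is the symptom that makes people think the mapping "doesn't work from inside".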


7 replies

Terence.Jh (Spotlight)
1: If the internal host is assigned a public address of its own, do a straightforward static NAT.
2: If the internal host is assigned only one port on the public address, do a static PAT for that port.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/firewall/asa-95-firewall-config/nat-basics.html

yuhao (Level 1)
terence posted on 2018-12-13 10:56
1: If the internal host is assigned a public address of its own, do a straightforward static NAT.
2: If the internal host is assigned only one port on the public address, do a ...

Thanks for the answer. My problem is that the host and the server are on the same internal network, and the host wants to reach this server indirectly by accessing the outside IP. How is that done?

Terence.Jh (Spotlight)
yuhao@wxncs.net posted on 2018-12-13 11:22
Thanks for the answer. My problem is that the host and the server are on the same internal network, and the host wants to reach this server indirectly by accessing the outside ...

This is a NAT hairpinning (NAT loopback) problem. I won't answer it directly; instead I'll borrow 车车's detailed explanation:
https://www.zhihu.com/question/266194635/answer/304295261

yuhao (Level 1)
terence posted on 2018-12-13 11:57
This is a NAT hairpinning (NAT loopback) problem. I won't answer it directly; instead I'll borrow 车车's detailed explanation:
https://www.zhihu.com/question/26619463 ...

OK, thanks!!

one-time (Level 13)
If your question has been solved, remember to mark the best answer; it is also a way of recognizing the people who took the time to help. The best answer button is at the lower right of the reply~
Thanks to all the experts for your answers!

yuhao (Level 1)
yutaoli158861 posted on 2018-12-14 15:34
Accessing the mapped outside address X.X.X.X:8090 from inside:

object service 8090

Many thanks, my friend! Thank you for your answer!!