Cisco Community (思科社区)
ASA firewall NAT question

Posted on 2019-8-7 10:11:14
: Saved
:
: Serial Number: FCH204974K5
: Hardware:   ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores)
:
ASA Version 9.6(3)1
!
hostname ASA5515-SH-new
enable password MKaPtr7WLIRDeknT encrypted
names
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 10.99.201.1 255.255.255.248
policy-route route-map rmap-to-Liantong
!
interface GigabitEthernet0/1
nameif inside1
security-level 100
ip address 10.99.202.1 255.255.255.0
!
interface GigabitEthernet0/2
description "LINK to Telecom Net"
nameif outside
security-level 0
ip address 116.228.199.80 255.255.255.252
!
interface GigabitEthernet0/3
description "LINK to Unicom Net"
nameif outside1
security-level 0
ip address 140.207.8.35 255.255.255.248
!
interface GigabitEthernet0/4
shutdown
nameif outside2
security-level 0
ip address 180.170.199.43 255.255.255.240
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 10.99.200.100 255.255.255.0
!
regex Define "a regular expression"
regex url_filter10 "\.pps\.tv"
regex url_filter11 "\.funshion\.com"
regex url_filter12 "v.baidu\.com"
regex url_filter13 "\.video.qq\.com"
regex url_filter14 "\.amemv\.com"
regex url_filter1 "\.youku\.com"
regex url_filter2 "\.tudou\.com"
regex url_filter3 "\.56\.com"
regex url_filter4 "\.iqiyi\.com"
regex url_filter5 "tv.sohu\.com"
regex url_filter6 "\.letv\.com"
regex url_filter7 "v.qq\.com"
regex url_filter8 "\.kankan\.com"
regex url_filter9 "\.ku6\.com"
boot system disk0:/asa963-1-smp-k8.bin
ftp mode passive
clock timezone beijing 8
object network objPubAddr-0-27
host 140.207.0.27
object network objExpe-202-18
host 10.99.202.18
object network objPubAddr-0-29
host 140.207.0.29
object network objRaspb-202-221
host 10.99.202.221
object network objDianxin2
subnet 192.168.20.0 255.255.252.0
object network objDianxin
subnet 0.0.0.0 0.0.0.0
object network objLiantong
subnet 0.0.0.0 0.0.0.0
object network obj-5.61-6543
host 192.168.5.61
object network obj-5.61-11543
host 192.168.5.61
object network obj-5.159
host 192.168.5.159
object service des-20500-20599
service tcp destination range 20500 20599
object service src-20500-20599
service tcp source range 20500 20599
object network obj-5.155
host 192.168.5.155
object service des-10001-10100
service tcp destination range 10001 10100
object service src-10001-10100
service tcp source range 10001 10100
object network objPubAddr-0-30
host 140.207.0.30
object network objNas2-5-252
host 192.168.5.252
object-group network objGrpSHnew
network-object 10.88.0.0 255.255.0.0
network-object 10.99.0.0 255.255.0.0
network-object 192.168.5.0 255.255.255.0
network-object 192.168.222.0 255.255.255.0
object-group network objGrpSHold
network-object 10.0.1.0 255.255.255.0
network-object 10.243.254.0 255.255.255.0
object-group network objGrpBeijing
network-object 192.168.16.0 255.255.255.0
object-group network objGrpSuzhou
network-object 192.168.28.0 255.255.252.0
object-group network objGrpKuanhuiIDC
network-object 192.168.50.0 255.255.255.0
object-group network objGrp20Fdata
network-object 10.88.119.0 255.255.255.0
network-object 10.88.121.0 255.255.255.0
object-group network objGrpWiFiGuest
network-object 10.88.165.0 255.255.255.0
object-group network objGrpWiFi
network-object 10.88.160.0 255.255.252.0
object-group network url_filter_group
network-object 10.88.0.0 255.255.0.0
network-object 10.99.0.0 255.255.0.0
object-group network url_perm_group
network-object host 10.88.111.28
object-group network objGrpShenZ
network-object 192.168.24.0 255.255.252.0
access-list acl-SHnew-to-SHold extended permit ip object-group objGrpSHnew object-group objGrpSHold
access-list acl-SHnew-to-Beijing extended permit ip object-group objGrpSHnew object-group objGrpBeijing
access-list acl-SHnew-to-Suzhou extended permit ip object-group objGrpSHnew object-group objGrpSuzhou
access-list acl-SHnew-to-KuanhuiIDC extended permit ip object-group objGrpSHnew object-group objGrpKuanhuiIDC
access-list acl-SHold-to-SHnew extended permit ip object-group objGrpSHold object-group objGrpSHnew
access-list acl-20F-data-to-any extended permit ip object-group objGrp20Fdata any
access-list acl-Beijing-to-SHnew extended permit ip object-group objGrpBeijing object-group objGrpSHnew
access-list acl-Suzhou-to-SHnew extended permit ip object-group objGrpSuzhou object-group objGrpSHnew
access-list acl-KuanhuiIDC-to-SHnew extended permit ip object-group objGrpKuanhuiIDC object-group objGrpSHnew
access-list url_filter_list extended deny tcp object-group url_perm_group any eq www
access-list url_filter_list extended permit tcp object-group url_filter_group any eq www
access-list acl-WiFiGuest-to-any extended permit ip object-group objGrpWiFiGuest any
access-list acl-WiFi-to-any extended permit ip object-group objGrpWiFi any
access-list acl-SHnew-to-ShenZ extended permit ip object-group objGrpSHnew object-group objGrpShenZ
access-list acl-expe-to-outside1 extended permit ip object objExpe-202-18 any
access-list acl-raspb-to-outside1 extended permit ip object objRaspb-202-221 any
access-list acl-fr-outside1 extended permit icmp any any
access-list acl-fr-outside1 extended permit ip any object objRaspb-202-221
access-list acl-fr-outside1 extended permit ip any object objExpe-202-18
access-list acl-fr-outside1 extended permit ip any object objNas2-5-252
access-list acl-fr-outside extended permit icmp any any
access-list acl-fr-outside extended permit tcp any host 192.168.5.61 eq 11543
access-list acl-fr-outside extended permit tcp any host 192.168.5.61 eq 6543
access-list acl-fr-outside extended permit tcp any object obj-5.159 range 20500 20599
access-list acl-fr-outside extended permit tcp any host 192.168.5.155 eq 10001
access-list acl-fr-outside2 extended permit icmp any any
access-list acl-fr-outside2 extended permit tcp any host 192.168.5.61 eq 11543
access-list acl-fr-outside2 extended permit tcp any host 192.168.5.61 eq 6543
access-list acl-deny-out extended deny tcp host 192.168.5.225 any
access-list acl-deny-out extended permit tcp any any
access-list acl-nas2-to-outside1 extended permit ip object objNas2-5-252 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu inside1 1500
mtu outside 1500
mtu outside1 1500
mtu outside2 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-792-152.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static objGrpSHnew objGrpSHnew destination static objGrpSHold objGrpSHold
nat (inside,outside) source static objGrpSHnew objGrpSHnew destination static objGrpBeijing objGrpBeijing
nat (inside,outside) source static objGrpSHnew objGrpSHnew destination static objGrpSuzhou objGrpSuzhou
nat (inside,outside) source static objGrpSHnew objGrpSHnew destination static objGrpKuanhuiIDC objGrpKuanhuiIDC
nat (inside,outside) source static objGrpSHnew objGrpSHnew destination static objGrpShenZ objGrpShenZ
nat (outside,inside) source static any any destination static interface obj-5.159 service des-20500-20599 des-20500-20599
!
object network objExpe-202-18
nat (inside1,outside1) static objPubAddr-0-27
object network objRaspb-202-221
nat (inside1,outside1) static objPubAddr-0-29
object network objDianxin2
nat (inside,outside2) dynamic interface
object network objDianxin
nat (inside,outside) dynamic interface
object network objLiantong
nat (inside,outside1) dynamic interface
object network obj-5.61-6543
nat (inside,outside) static interface service tcp 6543 6543
object network obj-5.61-11543
nat (inside,outside) static interface service tcp 11543 11543
object network obj-5.155
nat (inside,outside) static interface service tcp 10001 10001
object network objNas2-5-252
nat (inside1,outside1) static objPubAddr-0-30
access-group acl-fr-outside in interface outside
access-group acl-fr-outside1 in interface outside1
access-group acl-fr-outside2 in interface outside2
!
route-map rmap-to-Liantong permit 10
match ip address acl-20F-data-to-any acl-WiFiGuest-to-any acl-expe-to-outside1 acl-raspb-to-outside1 acl-nas2-to-outside1
set ip next-hop 140.207.0.25
!
route-map rmap-to-c3650 permit 10
match ip address acl-SHold-to-SHnew acl-Beijing-to-SHnew acl-Suzhou-to-SHnew acl-KuanhuiIDC-to-SHnew
set ip next-hop 10.99.202.4
!
route-map rmap-to-Dianxin2 permit 20
match ip address acl-SHnew-to-Suzhou
set ip next-hop 180.167.96.201
set interface outside2
!
route outside 0.0.0.0 0.0.0.0 116.228.191.69 1
route outside1 0.0.0.0 0.0.0.0 140.207.0.30 10
route inside 10.88.0.0 255.255.0.0 10.99.211.4 1
route inside1 10.88.0.0 255.255.0.0 10.99.202.4 10
route inside 10.99.0.0 255.255.0.0 10.99.211.4 1
route inside1 10.99.0.0 255.255.0.0 10.99.202.4 10
route outside1 45.77.148.106 255.255.255.255 140.207.0.25 5
route inside 192.168.5.0 255.255.255.0 10.99.211.4 1
route inside1 192.168.5.0 255.255.255.0 10.99.202.4 10
route inside 192.168.222.0 255.255.255.0 10.99.211.4 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.99.210.0 255.255.255.0 management
http 10.88.222.0 255.255.255.0 inside
http 10.99.222.0 255.255.255.0 management
snmp-server host inside 10.88.111.28 community *****
snmp-server host inside 192.168.5.81 community *****
snmp-server host inside 192.168.5.80 community *****
snmp-server host inside 10.88.111.27 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps syslog
sysopt connection tcpmss minimum 1290
crypto ipsec ikev1 transform-set transet-ks esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map outside_dyn_map 50 set ikev1 transform-set transet-ks
crypto dynamic-map outside_dyn_map 50 set reverse-route
crypto map map-vpn 5 match address acl-SHnew-to-Beijing
crypto map map-vpn 5 set peer 106.2.219.122
crypto map map-vpn 5 set ikev1 transform-set transet-ks
crypto map map-vpn 10 match address acl-SHnew-to-ShenZ
crypto map map-vpn 10 set peer 218.17.189.11
crypto map map-vpn 10 set ikev1 transform-set transet-ks
crypto map map-vpn 20 match address acl-SHnew-to-Suzhou
crypto map map-vpn 20 set peer 153.35.215.214
crypto map map-vpn 20 set ikev1 transform-set transet-ks
crypto map map-vpn 40 match address acl-SHnew-to-KuanhuiIDC
crypto map map-vpn 40 set peer 43.254.153.210
crypto map map-vpn 40 set ikev1 transform-set transet-ks
crypto map map-vpn 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map map-vpn interface outside
crypto map map-vpn2 1 match address acl-SHnew-to-ShenZ
crypto map map-vpn2 1 set peer 218.17.189.11
crypto map map-vpn2 1 set ikev1 transform-set transet-ks
crypto map map-vpn2 2 match address acl-SHnew-to-Beijing
crypto map map-vpn2 2 set peer 106.2.219.122
crypto map map-vpn2 2 set ikev1 transform-set transet-ks
crypto map map-vpn2 3 match address acl-SHnew-to-Suzhou
crypto map map-vpn2 3 set peer 58.210.18.18
crypto map map-vpn2 3 set ikev1 transform-set transet-ks
crypto map map-vpn2 4 match address acl-SHnew-to-KuanhuiIDC
crypto map map-vpn2 4 set peer 43.254.153.210
crypto map map-vpn2 4 set ikev1 transform-set transet-ks
crypto map map-vpn2 interface outside2
crypto map map-vpn1 100 match address acl-SHnew-to-ShenZ
crypto map map-vpn1 100 set peer 218.17.189.11
crypto map map-vpn1 100 set ikev1 transform-set transet-ks
crypto map map-vpn1 200 match address acl-SHnew-to-Beijing
crypto map map-vpn1 200 set peer 106.2.219.122
crypto map map-vpn1 200 set ikev1 transform-set transet-ks
crypto map map-vpn1 300 match address acl-SHnew-to-Suzhou
crypto map map-vpn1 300 set peer 58.210.18.18
crypto map map-vpn1 300 set ikev1 transform-set transet-ks
crypto map map-vpn1 400 match address acl-SHnew-to-KuanhuiIDC
crypto map map-vpn1 400 set peer 122.144.166.146
crypto map map-vpn1 400 set ikev1 transform-set transet-ks
crypto map map-vpn1 interface outside1
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 enable outside1
crypto ikev1 enable outside2
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
no ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside2
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 5
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authentication-key 1 md5 *****
ntp authenticate
ntp trusted-key 1
ntp server 202.130.2.101
ntp server 210.73.145.44
ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
dynamic-access-policy-record DfltAccessPolicy
username admincisco password zbQPdVfMYFh.vJBv encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 228.19.189.11 type ipsec-l2l
tunnel-group 228.19.189.11 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 106.2.229.222 type ipsec-l2l
tunnel-group 106.2.229.222 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 43.258.159.220 type ipsec-l2l
tunnel-group 43.258.159.220 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 153.33.216.224 type ipsec-l2l
tunnel-group 153.33.216.224 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map url_class
match access-list url_filter_list
class-map type regex match-any url_class_regex
match regex url_filter1
match regex url_filter2
match regex url_filter3
match regex url_filter4
match regex url_filter5
match regex url_filter6
match regex url_filter7
match regex url_filter8
match regex url_filter9
match regex url_filter10
match regex url_filter11
match regex url_filter12
match regex url_filter13
match regex url_filter14
class-map inspection_default
match default-inspection-traffic
class-map type inspect http match-all url_class_inspect
match request header host regex class url_class_regex
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
policy-map type inspect http url_policy_inspect
parameters
class url_class_inspect
  drop-connection log
policy-map url_policy
class url_class
  inspect http url_policy_inspect
!
service-policy global_policy global
service-policy url_policy interface inside
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:65d8e37553533e834a969dd996a8d647
: end

Could someone help me check whether these two IPs, 140.207.0.27 and 140.207.0.29, can be reached by FTP from the internet? An FTP service has been set up on the internal network, but it cannot be accessed. Someone set it up earlier and said it was accessible. Can 140.207.0.27 and 140.207.0.29 be reached even though these two IPs are not configured on a physical interface? Interface GigabitEthernet0/3 does have a China Unicom IP configured, but it has a lower priority; it only switches over to Unicom automatically after the China Telecom link goes down. This interface has route-map rmap-to-Liantong permit 10 applied, so some traffic goes out through it, but can inbound traffic come in? And even if it does come in, can it find 140.207.0.27 and 140.207.0.29? Could someone explain this, and also how I can get FTP (or some other kind of) access in through these two IPs to reach the services on the two servers 10.99.202.221 and 10.99.202.18?

Posted on 2019-8-15 15:00:19
Here is a reference for you:

hostname(config)# object network FTP_SERVER
hostname(config-network-object)# host 10.1.2.27
hostname(config-network-object)# nat (inside,outside) static 209.165.201.3 service tcp ftp

Then configure an ACL to allow the access; the address you permit is the internal address, and the ACL is applied on the outside interface.

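As an added example (not part of this thread and not Cisco's code), the following Python audit reads the object, object-NAT, ACL and access-group lines of a running-config like the one posted above and reports, for each static NAT, which real host is exposed on which mapped address and whether the ACL bound to that outside interface actually permits it, which is the pair of checks the question and the reply both turn on. It assumes the ASA 8.3+ behaviour that interface ACLs match the real (untranslated) address, and works on a constructed excerpt of the posted config in which the permit line for objRaspb-202-221 is deliberately left out.

```python
import re

# Constructed excerpt of the posted running-config (object, object-NAT, ACL and access-group
# lines); the ACL permit for objRaspb-202-221 is left out on purpose to show a NAT without one.
CONFIG = """
object network objPubAddr-0-27
 host 140.207.0.27
object network objExpe-202-18
 host 10.99.202.18
object network objPubAddr-0-29
 host 140.207.0.29
object network objRaspb-202-221
 host 10.99.202.221
object network obj-5.61-6543
 host 192.168.5.61
access-list acl-fr-outside1 extended permit ip any object objExpe-202-18
access-list acl-fr-outside extended permit tcp any host 192.168.5.61 eq 6543
object network objExpe-202-18
 nat (inside1,outside1) static objPubAddr-0-27
object network objRaspb-202-221
 nat (inside1,outside1) static objPubAddr-0-29
object network obj-5.61-6543
 nat (inside,outside) static interface service tcp 6543 6543
access-group acl-fr-outside in interface outside
access-group acl-fr-outside1 in interface outside1
"""

def inbound_exposures(config):
    """(real_ip, mapped_ip, outside_if, real_port, acl_permits) per static object NAT."""
    hosts, nats, acl, bound, cur = {}, [], [], {}, None
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if m := re.match(r"object network (\S+)$", line):
            cur = m[1]                                   # following host/nat lines belong to it
        elif m := re.match(r"host (\S+)$", line):
            hosts[cur] = m[1]
        elif m := re.match(r"nat \(\S+,(\S+)\) static (\S+)(?: service tcp (\d+) \d+)?", line):
            nats.append((cur, m[1], m[2], m[3]))         # real port is the first of the pair
        elif m := re.match(r"access-list (\S+) extended permit \S+ any "
                           r"(?:host (\S+)|object (\S+)|(any))(?: eq (\d+))?", line):
            acl.append((m[1], m[2] or m[3] or m[4], m[5]))  # dest: IP, object name or any
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            bound[m[2]] = m[1]
    result = []
    for obj, ifc, mapped, port in nats:
        real = hosts[obj]
        # ASA 8.3+ evaluates the interface ACL against the real (untranslated) address.
        permitted = any(name == bound.get(ifc) and hosts.get(dest, dest) in (real, "any")
                        and aport in (None, port) for name, dest, aport in acl)
        result.append((real, hosts.get(mapped, mapped), ifc, port, permitted))
    return result
```

The script checks only the NAT and ACL pieces: a mapped address that is not in the outside interface's own subnet is reachable only if the upstream provider routes it to that interface, and passive-mode FTP data connections additionally need `inspect ftp` to open the data channel through the translation.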