ASA5516 - NAT (port forwarding) with a single public address, help requested

Posted 2021-1-6 11:11:21
ASA5516, version: Version 9.8(2)

The ASA firewall is the internet edge; it has only one public address, which is used for PAT.

When I add a port mapping for an internal server, it reports the following:

PVSZ-FW(config-network-object)# nat (inside,outside) static isp service tcp 80 80
ERROR: Address 202.100.100.6 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded

Thanks.

The configuration is as follows:
PVSZ-FW(config)# show run
: Saved

:
: Serial Number: JAD24020KY1
: Hardware:   ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
:
ASA Version 9.8(2)
!
hostname PVSZ-FW
domain-name cbt.com
enable password $sha512$5000$Fk1JnccNsuAkCBo0jWYwOQ==$1jf0+tgn1akW9Gsv3LbJGg== pbkdf2
names
ip local pool ezvpn 10.10.100.100-10.10.100.200 mask 255.255.255.0

!
interface GigabitEthernet1/1
description link-to-ISP
nameif outside
security-level 0
ip address 202.100.100.6 255.255.255.252
!
interface GigabitEthernet1/2
description link-to-Sangfor
nameif inside
security-level 100
ip address 10.10.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name cbt.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network PAT
subnet 0.0.0.0 0.0.0.0
object network vpnnet
subnet 10.10.100.0 255.255.255.0
object network vpn
subnet 10.10.30.0 255.255.255.0
object network vpn40
subnet 10.10.40.0 255.255.255.0
object network vpn-1
subnet 10.10.1.0 255.255.255.0
object network server
host 10.10.30.10
object service www-80
service tcp source eq www
object network isp
host 202.100.100.6
object-group network SZ
network-object 10.10.30.0 255.255.255.0
network-object 10.10.40.0 255.255.255.0
object-group network BJ
network-object 10.10.50.0 255.255.255.0
network-object 10.10.60.0 255.255.255.0
access-list out extended permit icmp any any
access-list out extended permit ip 10.10.100.0 255.255.255.0 any
access-list out extended permit tcp any interface outside eq www
access-list out extended permit tcp any host 10.10.30.10 eq www
access-list out extended permit tcp any host 202.100.100.6 eq www
access-list split extended permit ip 10.10.30.0 255.255.255.0 any
access-list split extended permit ip 10.10.40.0 255.255.255.0 any
access-list SZ-BJ extended permit ip object-group SZ object-group BJ
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static server interface service www-80 www-80
nat (inside,outside) source static SZ SZ destination static BJ BJ no-proxy-arp route-lookup
nat (inside,outside) source static SZ SZ destination static vpnnet vpnnet
!
object network PAT
nat (inside,outside) dynamic interface
access-group out in interface outside
route outside 0.0.0.0 0.0.0.0 202.100.100.5 1
route inside 10.10.10.0 255.255.255.0 10.10.1.2 1
route inside 10.10.20.0 255.255.255.0 10.10.1.2 1
route inside 10.10.30.0 255.255.255.0 10.10.1.2 1
route inside 10.10.40.0 255.255.255.0 10.10.1.2 1
route inside 192.168.111.0 255.255.255.0 10.10.1.2 1

Original poster | Posted 2021-1-6 11:36:35
show xlate

PVSZ-FW(config-network-object)# show xlate | include 10.10.30.10
TCP PAT from inside:10.10.30.10 80-80 to outside:202.100.100.6 80-80
UDP PAT from inside:10.10.30.10/58240 to outside:202.100.100.6/58240 flags ri idle 1:34:57 timeout 0:00:30
UDP PAT from inside:10.10.30.10/55411 to outside:202.100.100.6/55411 flags ri idle 0:00:17 timeout 0:00:30
TCP PAT from inside:10.10.30.10/49246 to outside:202.100.100.6/49246 flags ri idle 2:11:26 timeout 0:00:30
UDP PAT from inside:10.10.30.10/18801 to outside:202.100.100.6/18801 flags ri idle 1:49:49 timeout 0:00:30
TCP PAT from inside:10.10.30.101/55783 to outside:202.100.100.6/55783 flags ri idle 2:42:26 timeout 0:00:30
Posted 2021-1-6 12:33:34
This post was last edited by gengchunlin on 2021-1-6 12:37

The internet egress address has a /30 mask, so there is only one usable address. When configuring NAT there is no need to define a separate object for the interface address;
just use interface directly.

For example:
object network TEST
host 10.1.1.90
nat (inside,outside) static interface service tcp 3389 3389
!
-----
Looking at the overall configuration, there is already a mapping for port 80, so the newly added one can only use another port number that is not yet in use:
nat (inside,outside) source static server interface service www-80 www-80
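As an added example (not code from the thread, and not an ASA or Cisco tool), the Python script below reproduces the two checks the reply above points at, so a static PAT rule can be vetted against `show run` output before it is typed into the firewall: a mapped object that carries the egress interface's own address (the ASA rejects this with the "overlaps with outside interface address" error from the first post; only the `interface` keyword can PAT onto that address), and a mapped protocol/port on that address already claimed by another static PAT (here the existing twice-NAT rule for port 80). The names `StaticPat`, `parse_config`, `parse_object_nat`, `check_rule` and `check_new_rule`, and the small port-name table, are this example's own assumptions. The sample config is a constructed, trimmed copy of the running config from the first post with ASA's one-space sub-command indentation restored, which the parser relies on.

```python
import re
from collections import namedtuple

# Port names ASA prints instead of numbers in service definitions (subset; assumption).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "ftp": 21, "smtp": 25}
# Section-2 (object) static PAT and section-1 (twice) static PAT syntaxes.
OBJ_NAT_RE = re.compile(r"^nat \((\w+),(\w+)\) static (\S+) service (tcp|udp) (\S+) (\S+)$")
TWICE_NAT_RE = re.compile(r"^nat \((\w+),(\w+)\) source static (\S+) (\S+) service (\S+) (\S+)$")

# real/mapped are object names; mapped may also be the literal "interface".
StaticPat = namedtuple("StaticPat", "real mapped src_if dst_if proto real_port mapped_port")

def port_number(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def parse_object_nat(line, real_obj):
    """Parse 'nat (in,out) static <obj|interface> service tcp <real> <mapped>'
    as typed inside 'object network <real_obj>'."""
    m = OBJ_NAT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static PAT rule: {line!r}")
    s, d, mapped, proto, rport, mport = m.groups()
    return StaticPat(real_obj, mapped, s, d, proto, port_number(rport), port_number(mport))

def parse_config(text):
    """Interface IPs, host objects, service objects and static PATs from 'show run'
    output; relies on ASA's one-space indentation of sub-commands."""
    cfg = {"if_ip": {}, "host": {}, "svc": {}, "pats": []}
    kind = ctx = nameif = None                    # current top-level block
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):              # new top-level statement
            nameif = kind = ctx = None
            if m := re.match(r"^(interface|object network|object service) (\S+)$", line):
                kind, ctx = m.groups()
            elif m := TWICE_NAT_RE.match(line):
                s, d, real, mapped, rsvc, msvc = m.groups()
                rdef, mdef = cfg["svc"].get(rsvc), cfg["svc"].get(msvc)
                if rdef and mdef:                 # service objects are defined above
                    cfg["pats"].append(StaticPat(real, mapped, s, d, rdef[0], rdef[1], mdef[1]))
            continue
        body = line.strip()
        if kind == "interface":
            if m := re.match(r"^nameif (\S+)$", body):
                nameif = m.group(1)
            elif (m := re.match(r"^ip address (\S+) \S+$", body)) and nameif:
                cfg["if_ip"][nameif] = m.group(1)
        elif kind == "object network":
            if m := re.match(r"^host (\S+)$", body):
                cfg["host"][ctx] = m.group(1)
            elif OBJ_NAT_RE.match(body):
                cfg["pats"].append(parse_object_nat(body, ctx))
        elif kind == "object service" and (m := re.match(r"^service (tcp|udp) source eq (\S+)$", body)):
            cfg["svc"][ctx] = (m.group(1), port_number(m.group(2)))
    return cfg

def check_rule(cfg, rule):
    """Problems a new static PAT would hit against the parsed running config."""
    egress_ip = cfg["if_ip"].get(rule.dst_if)
    mapped_ip = egress_ip if rule.mapped == "interface" else cfg["host"].get(rule.mapped)
    if mapped_ip is None:
        return [f"cannot resolve mapped address for {rule.mapped}"]
    problems = []
    # 1. The mapped object carries an interface's own address: ASA rejects the rule.
    if rule.mapped != "interface":
        for nameif, ip in cfg["if_ip"].items():
            if ip == mapped_ip:
                problems.append(f"Address {ip} overlaps with {nameif} interface address; "
                                f"use 'static interface' instead of object {rule.mapped}")
    # 2. The same protocol/port on that address is already claimed by another static PAT.
    for other in cfg["pats"]:
        other_ip = egress_ip if other.mapped == "interface" else cfg["host"].get(other.mapped)
        if (other.dst_if == rule.dst_if and other_ip == mapped_ip
                and other.proto == rule.proto and other.mapped_port == rule.mapped_port):
            problems.append(f"{rule.proto}/{rule.mapped_port} on {mapped_ip} is already "
                            f"mapped to {other.real} port {other.real_port}")
    return problems

def check_new_rule(config_text, nat_line, real_obj):
    return check_rule(parse_config(config_text), parse_object_nat(nat_line, real_obj))

# Constructed sample: a trimmed copy of the running config posted in the thread,
# with ASA's one-space indentation of sub-commands restored.
SAMPLE_RUN = """\
interface GigabitEthernet1/1
 nameif outside
 ip address 202.100.100.6 255.255.255.252
!
object network server
 host 10.10.30.10
object service www-80
 service tcp source eq www
object network isp
 host 202.100.100.6
nat (inside,outside) source static server interface service www-80 www-80
"""
```

Calling `check_new_rule(SAMPLE_RUN, "nat (inside,outside) static isp service tcp 80 80", "server")` returns both the overlap error the ASA printed and the tcp/80 collision with the existing twice-NAT rule; `static interface service tcp 80 80` returns only the collision, and `static interface service tcp 3389 3389` returns an empty list. The check is purely against the firewall's own config: a port that is free on the ASA can still be blocked upstream, as the original poster found with port 80.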
Original poster | Posted 2021-1-6 12:54:40
gengchunlin posted on 2021-1-6 12:33
The internet egress address has a /30 mask, so there is only one usable address. When configuring NAT there is no need to define a separate object for the interface address;
just use ...

Thanks, port 3389 is working now.

After a long time fiddling with it, I found that the ISP has blocked port 80.

Posted 2021-1-6 13:33:28
TianLin23823 posted on 2021-1-6 12:54
Thanks, port 3389 is working now.

After a long time fiddling with it, I found that the ISP has blocked port 80.

Right, 3389 was just a configuration example. Use the port you actually need when configuring.
Posted 2021-1-6 18:23:58
ERROR: Address 202.100.100.6 overlaps with outside interface address.
Read the error message more carefully and you will spot the problem.