NAT

ASA 5510 8.4 NAT and port forwarding

  • June 10, 2013

So, I am trying to forward an internal service on an internal server to the same port on the ASA's outside interface.

I have been searching for a solution for days and have come up with nothing.

Here are the relevant parts of my configuration:

: Saved
:
ASA Version 8.4(2)
!
object service TCP-WebServer-8080
service tcp source eq 8080
object network WebServer_Object_10.1.10.7
host 10.1.10.7
object network obj-10.1.10.0
 subnet 10.1.10.0 255.255.255.0
!
access-list outsidein extended permit ip object-group OUTSIDE object-group INSIDE
access-list insideout extended permit ip object-group INSIDE object-group OUTSIDE
access-list webserveraccess extended permit tcp any object WebServer_Object_10.1.10.7 eq 8080
!
nat (inside,outside) source dynamic obj-10.1.10.0 interface
!
access-group webserveraccess in interface outside
access-group insideout in interface inside
!
object network WebServer_Object_10.1.10.7
nat (inside,outside) static interface service tcp 8080 8080

Here is the packet-tracer output:

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   1.2.3.4   255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

So it looks like it is being dropped by the ACL, but that looks correct to me. Can I get some guidance on what I am doing wrong?

The problem was that my dynamic PAT was overriding my static PAT (port forwarding) configuration:

nat (inside,outside) source dynamic obj-10.1.10.0 interface

Remove it:

no nat (inside,outside) source dynamic obj-10.1.10.0 interface

Then add it back as:

nat (inside,outside) after-auto source dynamic obj-10.1.10.0 interface

And then it worked.
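The ordering issue the answer describes, shown as an added example (this is not the poster's configuration or part of the original answer; interface names, the 10.1.10.0/24 subnet and the 10.1.10.7 host are taken from the question, while the 203.0.113.0/24 test source address and the packet-tracer invocation are assumptions). On ASA 8.4 the NAT table is evaluated in three sections: manual (twice) NAT rules come first, auto (object) NAT second, and manual rules marked `after-auto` third. A plain `nat (inside,outside) source dynamic ... interface` rule lands in section 1 and, because it is bidirectional, is matched for an inbound packet to the outside interface address before the section 2 static port-forward is ever consulted; the trace above shows the symptom, with the destination left as the ASA's own address (`NP Identity Ifc`) and the ACL, which correctly references the server's real address, never matching. Moving the dynamic rule to `after-auto` puts the static PAT first.

```text
! --- broken ordering (section 1 dynamic PAT shadows the section 2 static PAT) ---
object network obj-10.1.10.0
 subnet 10.1.10.0 255.255.255.0
object network WebServer_Object_10.1.10.7
 host 10.1.10.7
 nat (inside,outside) static interface service tcp 8080 8080
!
nat (inside,outside) source dynamic obj-10.1.10.0 interface
!
access-list webserveraccess extended permit tcp any object WebServer_Object_10.1.10.7 eq 8080
access-group webserveraccess in interface outside

! --- fixed ordering: static PAT in section 2, dynamic PAT moved to section 3 ---
no nat (inside,outside) source dynamic obj-10.1.10.0 interface
nat (inside,outside) after-auto source dynamic obj-10.1.10.0 interface

! --- verification (assumed test source 203.0.113.5; replace <outside-ip> with the interface address) ---
show nat
!  Manual NAT Policies (Section 1)        -> should now be empty
!  Auto NAT Policies (Section 2)          -> the static tcp 8080 rule for 10.1.10.7
!  Manual NAT Policies (Section 3)        -> the after-auto dynamic rule
packet-tracer input outside tcp 203.0.113.5 12345 <outside-ip> 8080
!  expect a Phase of Type UN-NAT, Subtype static, matching the object rule,
!  then an ACCESS-LIST phase that hits webserveraccess with Result: ALLOW
```

An equivalent fix is to express the dynamic PAT as auto NAT as well (`object network obj-10.1.10.0` followed by `nat (inside,outside) dynamic interface`), since within section 2 static rules are ordered ahead of dynamic ones. Either way, re-run `packet-tracer` from the outside after the change; the question's trace with the ACL drop and `NP Identity Ifc` output interface is the signature to look for whenever a port forward on the interface address silently stops working. Note also that `permit tcp any ... eq 8080` exposes the service to every source on the internet; restrict the source where the deployment allows it.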

Quoted from: https://serverfault.com/questions/514148