Nat
ASA 5510 8.4 Nat 和埠轉發
因此,我試圖將內部伺服器上的內部服務轉發到 ASA 外部介面上同一埠上的外部介面。
我幾天來一直在尋找解決方案,但一無所獲。
以下是我的配置的相關部分:
: Saved : ASA Version 8.4(2) ! object service TCP-WebServer-8080 service tcp source eq 8080 object network WebServer_Object_10.1.10.7 host 10.1.10.7 object network obj-10.1.100.0 subnet 10.1.10.0 255.255.255.0 ! access-list outsidein extended permit ip object-group OUTSIDE object-group INSIDE access-list insideout extended permit ip object-group INSIDE object-group OUTSIDE access-list webserveraccess extended permit tcp any object WebServer_Object_10.1.10.7 eq 8080 ! nat (inside,outside) source dynamic obj-10.1.10.0 interface ! access-group webserveraccess in interface outside access-group insideout in interface inside ! object network WebServer_Object_10.1.10.7 nat (inside,outside) static interface service tcp 8080 8080
這是數據包跟踪器的輸出:
Phase: 1 Type: ROUTE-LOOKUP Subtype: input Result: ALLOW Config: Additional Information: in 1.2.3.4 255.255.255.255 identity Phase: 2 Type: ACCESS-LIST Subtype: Result: DROP Config: Implicit Rule Additional Information: Result: input-interface: outside input-status: up input-line-status: up output-interface: NP Identity Ifc output-status: up output-line-status: up Action: drop Drop-reason: (acl-drop) Flow is denied by configured rule
所以它看起來像是被 ACL 刪除了,但在我看來是正確的。我可以對我做錯了什麼有一些指導嗎?
問題是我的(動態 PAT)覆蓋了我的靜態 PAT(埠轉發)配置
nat(inside,outside) 源碼動態obj-10.1.10.0介面
刪除
無 nat (inside,outside) 源動態 obj-10.1.10.0 介面
然後將其添加為
nat(inside,outside) 自動後源動態 obj-10.1.10.0 介面
然後它起作用了。