Static NAT with multiple WANs - internet connectivity problem
I have a problem with my ASA. I have set up multiple WANs and static NAT on the ASA. I can connect to my server on specific ports from those WAN addresses, but I have an internet connectivity problem: I cannot browse out to the internet from that server. What am I missing?
: Saved
:
: Serial Number: XXXXXXXXX
: Hardware:   ASA5508, 8192 MB RAM, CPU Atom C2000 series 2000 MHz, 1 CPU (8 cores)
: Written by enable_15 at 22:59:07.919 GMT Wed Nov 30 2016
!
ASA Version 9.6(1)
!
hostname HC-ClientASA
enable password xxxxxxxxxxxxxxxxxx encrypted
names
ip local pool Test_DHCP_VPN 10.20.30.0-10.20.30.100 mask 255.255.255.0
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.74 255.255.255.248
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 description WAN for ServerTV
 nameif ServerTV
 security-level 80
 ip address 192.168.96.1 255.255.255.0
!
interface GigabitEthernet1/5
 description GuestWiFi interface for Access poitns
 nameif GuestWiFi
 security-level 100
 ip address 172.16.64.1 255.255.248.0
!
interface GigabitEthernet1/6
 description Parking interface To Server
 nameif ParkingInterface
 security-level 100
 ip address 172.16.17.1 255.255.255.0
!
interface GigabitEthernet1/7
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 description Old WAN Interface
 nameif WAN_OLD
 security-level 0
 ip address xxx.xxx.xxx.137 255.255.255.252
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone GMT 0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network OLD_GW
 host xxx.xxx.xxx.138
 description Old GW Interface
object network GuestWiFi_NAT_OLD
 subnet 172.16.64.0 255.255.248.0
 description GuestWiFi OLD WAN
object network NEW_GW
 host xxx.xxx.xxx.73
 description Telia New Gateway
object network TestGw
 subnet 192.168.1.0 255.255.255.0
 description Test NAT
object network VPN_POOL_10.20.30.0
 subnet 10.20.30.0 255.255.255.128
 description VPN Pool
object network GuestWiFiNAT
 subnet 172.16.64.0 255.255.248.0
 description NAT for guestWiFi
object network inside_NAT_OLD
 subnet 192.168.1.0 255.255.255.0
 description Inside OLD WAN
object network ParkingSystem
 subnet 172.16.17.0 255.255.255.0
 description Parking system NAT
object network ParkingSystem_NAT_OLD
 subnet 172.16.17.0 255.255.255.0
 description Parking S OLD WAN
object network ParkingSystemServers
 subnet xxx.xxx.xxx.0 255.255.255.0
 description Public WAN from Parking System
object network ParkingSystemSubnet
 subnet 172.16.17.0 255.255.255.0
 description Parking System Subnet
object network GuestWiFi
 subnet 172.16.64.0 255.255.248.0
 description GuestWiFi object
object network ParkingServer1
 host 172.16.17.3
 description ParkingServer1
object network ParkingServer2
 host 172.16.17.4
 description Parking server 2
object service TCP_Parking_771
 service tcp source eq 771
 description Port for Parking server1
object service TCP_Parking_771_U
 service udp source eq 771
 description Port for parking server UDP
object service TCP_Parking2_9100
 service tcp source eq 9100
 description Parking for server 2 TCP
object service TCP_Parking2_9100_U
 service udp source eq 9100
 description TCP_Parking2_9100_UDP
object network TestLabNAT
 subnet 192.168.1.0 255.255.255.0
 description TestLab NAT
object network GuestWiFiLAB
 subnet 172.16.64.0 255.255.248.0
object network ParkingInterfaceLAB
 subnet 172.16.17.0 255.255.255.0
 description Test Lab interface
object network ServerInternet
 subnet 192.168.96.0 255.255.255.0
 description Server Internet In
object network ServerTVLab
 subnet 192.168.96.0 255.255.255.0
 description Test Lab
object network ServerTV_OLD
 subnet 192.168.96.0 255.255.255.0
object network ServerServer
 host 192.168.96.2
 description ConnectionToServer
object network NETWORK_OBJ_10.20.30.0_25
 subnet 10.20.30.0 255.255.255.128
object network Parking
 subnet 172.16.17.0 255.255.255.0
object network ParkingNAT
 subnet 172.16.17.0 255.255.255.0
object network ParkingSystems
 host xxx.xxx.xxx.120
object network ParkingInterfaceOLD_WAN
 subnet 172.16.17.0 255.255.255.0
object network Server1
 subnet 192.168.96.0 255.255.255.0
object network Server2
 host 192.168.96.2
object service iPerfServer
 service tcp source eq 5001
object network ServerNet
 subnet 192.168.96.0 255.255.255.0
object network WAN2
 host xxx.xxx.xxx.75
object network ServerTV2
 host 192.168.96.2
object network HostNatToOutside
 subnet 192.168.96.0 255.255.255.0
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
object-group icmp-type DM_INLINE_ICMP_2
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
object-group service ParkingObj tcp-udp
 port-object eq 771
 port-object eq 9100
object-group service ParkingPortsNAT tcp-udp
 description OpenPortsForParking
 port-object eq 771
 port-object eq 9100
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group icmp-type DM_INLINE_ICMP_4
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
object-group service DM_INLINE_SERVICE_1
 service-object tcp-udp destination eq 4500
 service-object tcp-udp destination eq 500
 service-object tcp-udp destination eq 5001
 service-object tcp-udp destination eq 8090
 service-object tcp destination eq https
 service-object tcp destination eq ssh
 service-object udp destination eq snmp
object-group network DM_INLINE_NETWORK_6
 network-object object ParkingServer1
 network-object object ParkingServer2
object-group service NOC_Auth tcp-udp
 port-object eq 8090
object-group service VPN_IPSec tcp-udp
 port-object eq 4500
 port-object eq 500
object-group service iPerf tcp-udp
 port-object eq 5001
access-list inside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list inside_access_in extended permit object-group TCPUDP any any eq domain
access-list inside_access_in extended permit ip any any
access-list Test_Guest remark GuestWiFi network
access-list Test_Guest standard permit 172.16.64.0 255.255.248.0
access-list Test_Guest remark ParkingNetwork
access-list Test_Guest standard permit 172.16.17.0 255.255.255.0
access-list Test_Guest standard permit 192.168.96.0 255.255.255.0
access-list Test_Guest standard permit 192.168.1.0 255.255.255.0
access-list GuestWiFi_access_in extended permit icmp any any object-group DM_INLINE_ICMP_2
access-list GuestWiFi_access_in extended permit object-group TCPUDP any any eq domain
access-list GuestWiFi_access_in extended permit ip any any
access-list ParkingInterface_access_in extended permit object-group TCPUDP any any object-group ParkingObj
access-list ParkingInterface_access_in extended permit object-group TCPUDP any any eq domain
access-list ParkingInterface_access_in extended permit ip any any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object ServerServer
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any echo
access-list ServerTVAccessList extended permit tcp any host 192.168.96.2 eq https
access-list ServerTVAccessList extended permit tcp any host 192.168.96.2 eq ssh
access-list ServerTVAccessList extended permit tcp any host 192.168.96.2 eq 8090
access-list ServerTVAccessList extended permit udp any host 192.168.96.2 eq 8090
access-list ServerTVAccessList extended permit udp any host 192.168.96.2 eq snmp
access-list ServerTVAccessList extended permit udp any host 192.168.96.2 eq 5001
access-list ServerTVAccessList extended permit tcp any host 192.168.96.2 eq 5001
access-list ServerTVAccessList extended permit tcp any host 192.168.96.2 eq 500
access-list ServerTVAccessList extended permit tcp any host 192.168.96.2 eq 4500
access-list ServerTVAccessList extended permit udp any host 192.168.96.2 eq 4500
access-list ServerTVAccessList extended permit udp any host 192.168.96.2 eq isakmp
access-list ServerTVAccessList extended permit icmp any any echo-reply
access-list ServerTV_access_in extended permit icmp any any object-group DM_INLINE_ICMP_4
access-list ServerTV_access_in extended permit object-group TCPUDP any any eq domain
access-list ServerTV_access_in extended permit ip any any
access-list WAN_OLD_access_in extended permit object-group TCPUDP xxx.xxx.xxx.0 255.255.255.0 object-group DM_INLINE_NETWORK_6 object-group ParkingPortsNAT
access-list WAN_OLD_access_in extended permit ip object ParkingSystems object ParkingSystemSubnet
access-list WAN_OLD_access_in extended permit ip any object ParkingSystemSubnet
access-list WAN_OLD_access_in extended permit ip any any inactive
access-list WAN_OLD_access_in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu ServerTV 1500
mtu GuestWiFi 1500
mtu ParkingInterface 1500
mtu WAN_OLD 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any GuestWiFi
icmp permit any ParkingInterface
asdm image disk0:/asdm-762-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static VPN_POOL_10.20.30.0 VPN_POOL_10.20.30.0 no-proxy-arp route-lookup
nat (ParkingInterface,WAN_OLD) source static ParkingServer1 interface service any TCP_Parking_771
nat (ParkingInterface,WAN_OLD) source static ParkingServer1 interface service any TCP_Parking_771_U
nat (ParkingInterface,WAN_OLD) source static ParkingServer2 interface service any TCP_Parking2_9100
nat (ParkingInterface,WAN_OLD) source static ParkingServer2 interface service any TCP_Parking2_9100_U
!
object network GuestWiFi_NAT_OLD
 nat (GuestWiFi,WAN_OLD) dynamic interface dns
object network inside_NAT_OLD
 nat (inside,WAN_OLD) dynamic interface dns
object network ServerServer
 nat (ServerTV,outside) static interface
object network ParkingInterfaceOLD_WAN
 nat (ParkingInterface,WAN_OLD) dynamic interface dns
object network ServerTV2
 nat (ServerTV,outside) static WAN2
access-group ServerTVAccessList in interface outside
access-group inside_access_in in interface inside
access-group ServerTV_access_in in interface ServerTV
access-group GuestWiFi_access_in in interface GuestWiFi
access-group ParkingInterface_access_in in interface ParkingInterface
access-group WAN_OLD_access_in in interface WAN_OLD
route WAN_OLD 0.0.0.0 0.0.0.0 xxx.xxx.xxx.138 1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.73 2
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.16.64.0 255.255.248.0 GuestWiFi
http 10.20.30.0 255.255.255.0 GuestWiFi
http 172.16.17.0 255.255.255.0 ParkingInterface
http 192.168.96.0 255.255.255.0 ServerTV
http xxx.xxx.xxx.72 255.255.255.248 outside
http xxx.xxx.xxx.136 255.255.255.252 WAN_OLD
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map WAN_OLD_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map WAN_OLD_map interface WAN_OLD
crypto map TestLab_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=HC-ClientASA
 keypair HC_Client_Odense
 proxy-ldc-issuer
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
 certificate 50de3358
    30820551 30820339 a0030201 02020450 de335830 0d06092a 864886f7 0d010105
    05003038 31173015 06035504 03130e48 432d416e 64657273 656e4153 41311d30
    1b06092a 864886f7 0d010902 160e4843 2d416e64 65727365 6e415341 301e170d
    31363131 32323039 34353430 5a170d32 36313132 30303934 3534305a 30383117
    30150603 55040313 0e48432d 416e6465 7273656e 41534131 1d301b06 092a8648
    86f70d01 0902160e 48432d41 6e646572 73656e41 53413082 0222300d 06092a86
    4886f70d 01010105 00038202 0f003082 020a0282 0201009b bf07918b 21978e37
    0a517ac1 5d1eb7a3 1dca77f7 054b0615 7a85096b 87b3d32f b86e61b5 78fa6364
    08d932b7 2e73d1a9 1acdef89 a5cf7dd2 a9dfa34c b5086cd2 6f954b83 680c5fcc
    dee06f08 7030ff8d 729458e4 59780d58 ae72b300 4a0b2e7a ac608cb7 cd5ce92a
    39184d2e 3a7fd589 8ddbea50 bb4100a7 58dbc795 011181ae 34a92ba3 21a3d844
    4ba72a10 2ce287e9 586dedbd 25b82e69 fd400b6f ce7de623 54a079f3 d0d096cb
    fa2e69b7 1269aa84 ac5ed471 e2604897 aea282ca 27bb86b3 d3a78ac1 d8fcfc84
    0e62f59f 71878e7d 0d6d052f e4fd7d90 374dc860 a3cd83e2 772e58de 77e29583
    03ecd3d4 9df22a1a 5903cc62 8f781e4d 2ecb281b efe0b1e4 211e5953 bb5cec6e
    0a260312 f85fd498 8adbd9e7 23e2e32c 9b034df9 839d9bbe aa769171 bb464bfe
    be066806 d5d56cdc 22427990 08c8eb4a 93d676da 13bb9662 ad3bcb05 d29d8b9a
    c800abd0 d4f482d5 c7cb8aa9 50d67062 61a33965 0c0aa305 e21b844c 95b12ed4
    293e4b31 fc9300a5 367ae17f defd89b3 74b1e9e5 d44a93a3 19fa9df0 4e4e6bee
    c64beddd d2541da6 d3a2699f 37f90b3a 8c190c9c 889c3856 ace813cb 6e4a0026
    e10e2233 52dae76e 47b31549 0dc98652 14b2714a 3f60170a b3d3fb03 84adada8
    eacff402 fc1b1158 9df65d60 3b8346ad b49da8ab dc9401cc b1402b46 ebd88db2
    fa2d35a5 afa9b0e6 1985baa2 81f9dc97 024ec940 2fdf6102 03010001 a3633061
    300f0603 551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201
    86301f06 03551d23 04183016 8014577e f2a6cd27 748802e9 0bc66c09 52098e7d
    0fb3301d 0603551d 0e041604 14577ef2 a6cd2774 8802e90b c66c0952 098e7d0f
    b3300d06 092a8648 86f70d01 01050500 03820201 0091f593 e31c5af8 4e8da415
    039fcf93 bf770c4b f501da50 93dc9e57 f0f00b2e c7c2d53f 34547fcb 692976b3
    337d293a 27d6f1be af40d76c cd78ef34 81a5cafc e9d60f7b 85de3870 5924468a
    5dbba34f 63c1fe2c b14ab9b6 02634f45 7d40b61f 3d3a1378 8f4fafb4 9499bf7c
    3784e9a9 fe4a7fac 3fb115b8 6e2b14e4 62bceea0 a8c5c5ba e2599857 f19c84ff
    33f5f2a8 95c531ba d97d9e35 75f51081 e1451a22 60353ac7 2e2711d1 9e64fb52
    45514b02 d362f07a bf874f23 f848da92 70ec10c8 f03741be 3bb28233 d78e95f8
    26606b88 ff9f3f2a 8fe948eb 7005c9ed 9610cae9 90e4e6c1 69e98ec0 0e2debe7
    d09a07cb ea159809 1dc1b666 a1401ea3 bb7e9203 f905c696 aee9d2f6 93978e82
    4b6ec24e ab695964 64fd929c d0cfc46b dea848e5 d3cf56cb 08a2991f 7ddee7ef
    5ed8869f 0be2a5ed dba14771 0d23ae29 6ebf7640 381106ff 99c1d56a 7d5ec7ad
    cd432009 2ef4248e aa9b42b8 a71ead22 14b38dcb e343c945 064796d3 1e337d75
    baccf54c 209b67f8 0e4e8fa8 cf7ce3f1 99cddf3b 18eced0d 770448aa 1b37d65a
    09574ee9 d5985c00 bdb804c3 9c0e069e 9eaa50e3 b4694174 e17251b4 fc0bc169
    845b7639 ebc47f37 894b5a5f d5662fa9 40b9898c 86a44b6b 805cb0ba 8607499d
    2c330359 c0b30ef1 046b01b2 bad5d514 efea8647 55db6819 4eaf2da2 59e219b8
    e8ff9053 f4e630b8 34f631c7 c49062a5 a0239c9a ef
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable WAN_OLD client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh stricthostkeycheck
ssh xxx.xxx.xxx.72 255.255.255.248 outside
ssh 192.168.1.0 255.255.255.0 GuestWiFi
ssh 172.16.64.0 255.255.248.0 GuestWiFi
ssh 10.20.30.0 255.255.255.0 GuestWiFi
ssh xxx.xxx.xxx.136 255.255.255.252 WAN_OLD
ssh timeout 10
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access GuestWiFi
dhcp-client client-id interface outside
dhcpd dns 8.8.8.8 8.8.4.4
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd dns 8.8.8.8 208.67.222.222 interface inside
dhcpd enable inside
!
dhcpd address 192.168.96.3-192.168.96.254 ServerTV
dhcpd dns 8.8.8.8 8.8.4.4 interface ServerTV
!
dhcpd address 172.16.64.2-172.16.64.250 GuestWiFi
dhcpd dns 8.8.8.8 208.67.222.222 interface GuestWiFi
dhcpd enable GuestWiFi
!
dhcpd address 172.16.17.33-172.16.17.250 ParkingInterface
dhcpd dns 8.8.8.8 8.8.8.8 interface ParkingInterface
dhcpd enable ParkingInterface
!
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 ServerTV
ssl trust-point ASDM_TrustPoint0 GuestWiFi
ssl trust-point ASDM_TrustPoint0 ParkingInterface
ssl trust-point ASDM_TrustPoint0 WAN_OLD
webvpn
 enable outside
 enable WAN_OLD
 anyconnect image disk0:/anyconnect-win-4.3.01095-k9.pkg 1
 anyconnect profiles Test_GuestWiFi_client_profile disk0:/Test_GuestWiFi_client_profile.xml
 anyconnect profiles VPN_Test_client_profile disk0:/VPN_Test_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy GroupPolicy_VPN_Test internal
group-policy GroupPolicy_VPN_Test attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Test_Guest
 default-domain none
 webvpn
  anyconnect profiles value VPN_Test_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username admin password xxxxxxxxxxxxxxx encrypted privilege 15
tunnel-group VPN_Test type remote-access
tunnel-group VPN_Test general-attributes
 address-pool Test_DHCP_VPN
 default-group-policy GroupPolicy_VPN_Test
tunnel-group VPN_Test webvpn-attributes
 group-alias VPN_Test enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:14a2b233fa9e205b5a530e7925ef77ac
: end
Since there are two WAN subnets, the primary mainly used for guest wifi with its default route at metric 1, and the secondary WAN used for the TVServer with its default route at metric 2, the secondary never reaches route 2 (because it is secondary) and goes out using the IP of the first subnet; instead, I have set up dynamic NAT for the primary. The traffic will be inspected, and the TVService provider will be able to reach the server through the other IP on the second WAN subnet. The syntax is simple: nat (TVServer,OLD_WAN) dynamic interface
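The check behind the answer above can be automated. The following Python script is an added example, not code from the thread or from Cisco: it parses an ASA running-config, finds the interface that carries the lowest-metric default route, and lists every inside interface that has no NAT rule toward that interface. The embedded config is a constructed excerpt modelled on the one posted above (nameifs, NAT rules and route metrics mirror the thread; the masked public addresses are replaced with 203.0.113.0/24 documentation-range placeholders). On that sample it flags ServerTV, whose only NAT rule points at outside while the active default route leaves via WAN_OLD, which is the gap the dynamic NAT rule in the answer is meant to close.

```python
import re

# Constructed excerpt modelled on the thread's posted config (not the real
# running-config): masked public addresses replaced with 203.0.113.0/24
# placeholders; nameifs, NAT rules and route metrics mirror the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.74 255.255.255.248
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet1/4
 nameif ServerTV
 security-level 80
 ip address 192.168.96.1 255.255.255.0
interface GigabitEthernet1/5
 nameif GuestWiFi
 security-level 100
 ip address 172.16.64.1 255.255.248.0
interface GigabitEthernet1/8
 nameif WAN_OLD
 security-level 0
 ip address 203.0.113.137 255.255.255.252
nat (inside,outside) source static any any destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
object network GuestWiFi_NAT_OLD
 nat (GuestWiFi,WAN_OLD) dynamic interface dns
object network inside_NAT_OLD
 nat (inside,WAN_OLD) dynamic interface dns
object network ServerTV2
 nat (ServerTV,outside) static WAN2
route WAN_OLD 0.0.0.0 0.0.0.0 203.0.113.138 1
route outside 0.0.0.0 0.0.0.0 203.0.113.73 2
"""

# Object NAT ("nat (a,b) static|dynamic ...") and twice NAT
# ("nat (a,b) source static|dynamic ...") both begin this way.
NAT_RE = re.compile(r"^nat \((\w+),(\w+)\)\s+(?:source\s+)?(static|dynamic)\b")
DEFAULT_ROUTE_RE = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+) (\d+)$")


def parse_nameifs(cfg):
    """Return {nameif: security-level} collected from the interface stanzas."""
    names, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = None
        elif line.startswith("nameif "):
            current = line.split()[1]
            names[current] = None
        elif line.startswith("security-level ") and current is not None:
            names[current] = int(line.split()[1])
    return names


def parse_nat_rules(cfg):
    """Return [(src_iface, dst_iface, 'static'|'dynamic'), ...] in config order."""
    rules = []
    for raw in cfg.splitlines():
        m = NAT_RE.match(raw.strip())
        if m:
            rules.append((m.group(1), m.group(2), m.group(3)))
    return rules


def parse_default_routes(cfg):
    """Return [(iface, gateway, metric), ...] sorted by metric, lowest first."""
    routes = []
    for raw in cfg.splitlines():
        m = DEFAULT_ROUTE_RE.match(raw.strip())
        if m:
            routes.append((m.group(1), m.group(2), int(m.group(3))))
    return sorted(routes, key=lambda r: r[2])


def missing_outbound_nat(cfg):
    """Inside interfaces (those not carrying a default route) with no NAT rule
    at all toward the interface of the lowest-metric default route, i.e. no
    translation on the path the routing table prefers."""
    routes = parse_default_routes(cfg)
    if not routes:
        return []
    active_egress = routes[0][0]
    wan_ifaces = {iface for iface, _, _ in routes}
    covered = {src for src, dst, _ in parse_nat_rules(cfg) if dst == active_egress}
    return sorted(n for n in parse_nameifs(cfg) if n not in wan_ifaces and n not in covered)


if __name__ == "__main__":
    egress = parse_default_routes(SAMPLE_CONFIG)[0]
    print(f"active default route: via {egress[0]} ({egress[1]}, metric {egress[2]})")
    for iface in missing_outbound_nat(SAMPLE_CONFIG):
        print(f"{iface}: no NAT rule toward {egress[0]}")
```

The check is deliberately coarse: any NAT rule toward the active egress interface counts as coverage, so a static rule naming a single host satisfies it even though the other hosts on that interface stay untranslated. Feed it the output of show running-config if you want to run it against a real box; only the interface, nat and route lines are read.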