Cisco ASA public server NAT problem
My task is to complete some ASA configuration over the next few weeks. To test some configuration options, I set up a web server on the local network, and I want to be able to reach it from the WAN using one of the static IPs our ISP gave us.
Info:
ASA: 8.2
ASDM: 6.2
Static block from ISP: xx.152.125.240/29
Default gateway (static route to): xx.152.125.241
Ethernet 0/0 (outside) - WAN - xx.152.125.243 255.255.255.248
Ethernet 0/3 (inside) - LAN - 10.255.170.1 255.255.255.0
Attempts:
My first attempt was to set up the NAT and ACL rules manually, but no luck. So I deleted those and simply used the "Public Server" feature, set up as follows:
Private Interface: inside
Private IP Address: 10.255.170.4
Service: tcp/8080, tcp/http, tcp/https
Public Interface: outside
Public IP Address: xx.152.125.244
This created exactly the same rules as my first manual setup that didn't work, so I wasn't confident. To my surprise, I couldn't reach the server through a browser. All other network functions work fine, and internally I can reach the 10.255.170.4 server from a browser on a LAN workstation.
Troubleshooting:
I usually work through ASDM, as I've only just started studying the CLI reference. However, I went into the CLI to run a packet trace:
```
packet-tracer input outside tcp 1.2.3.4 8080 xx.152.125.244 8080

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) xx.152.125.244 10.255.170.4 netmask 255.255.255.255
  nat-control
  match ip inside host 10.255.170.4 outside any
    static translation to xx.152.125.244
    translate_hits = 0, untranslate_hits = 1
Additional Information:
NAT divert to egress interface inside
Untranslate xx.152.125.244/0 to 10.255.170.4/0 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group from_wan in interface outside
access-list from_wan extended permit tcp any host xx.152.125.244 object-group DM_INLINE_TCP_0
object-group service DM_INLINE_TCP_0 tcp
 port-object eq www
 port-object eq https
 port-object eq 8080
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) xx.152.125.244 10.255.170.4 netmask 255.255.255.255
  nat-control
  match ip inside host 10.255.170.4 outside any
    static translation to xx.152.125.244
    translate_hits = 0, untranslate_hits = 1
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) xx.152.125.244 10.255.170.4 netmask 255.255.255.255
  nat-control
  match ip inside host 10.255.170.4 outside any
    static translation to xx.152.125.244
    translate_hits = 0, untranslate_hits = 1
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 350070, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
```
Question:
So since the packet isn't being dropped, why can't I reach the server through a browser at the public IP (xx.152.125.244:8080)? I feel like I'm missing something very simple, but I can't put my finger on it.
Any help is greatly appreciated!
Thanks.
EDIT: Here is the running config:
```
: Saved
:
ASA Version 8.2(1)
!
names
name 10.255.170.0 XXXX_net
name xx.152.125.243 XXXX_wan description WAN
dns-guard
!
interface Ethernet0/0
 description ISP/WAN
 nameif outside
 security-level 0
 ip address XXXX_wan 255.255.255.248
!
interface Ethernet0/3
 description LAN
 nameif inside
 security-level 100
 ip address 10.255.170.1 255.255.255.0
!
interface Management0/0
 description Management Interface
 shutdown
 nameif MGMT
 security-level 0
 ip address 172.16.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns domain-lookup outside
dns domain-lookup MGMT
dns server-group DefaultDNS
 domain-name XXXX.office
same-security-traffic permit inter-interface
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object udp
 protocol-object tcp
object-group network bomgar-subnet
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_SERVICE_1
 service-object ip
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
object-group service DM_INLINE_SERVICE_2
 service-object ip
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
object-group service DM_INLINE_TCP_0 tcp
 port-object eq 8080
 port-object eq www
 port-object eq https
access-list from_lan extended permit ip any any
access-list from_lan extended permit gre any any
access-list from_lan extended permit icmp any any
access-list wan_xmit extended permit ip any any
access-list from_wan extended permit tcp any host xx.152.125.244 object-group DM_INLINE_TCP_0
access-list from_wan extended permit icmp any any
access-list from_wan extended permit udp any any eq isakmp
access-list from_wan extended permit tcp any any object-group DM_INLINE_TCP_1
access-list from_wan extended permit object-group DM_INLINE_SERVICE_1 any interface outside inactive
access-list from_wan extended permit object-group DM_INLINE_SERVICE_2 any xx.152.125.240 255.255.255.248 inactive
access-list inside_nat0_outbound extended permit ip XXXX_net 255.255.255.0 XXXX_other_net 255.255.255.0
access-list inside_nat0_outbound extended permit ip XXXX_net 255.255.255.0 10.255.170.240 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 10.255.170.240 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 10.255.170.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip any 10.255.170.208 255.255.255.248
access-list XXXX-RA_splitTunnelAcl standard permit XXXX_net 255.255.255.0
access-list outside_nat0_outbound extended permit ip host XXXX_wan XXXX_net 255.255.255.0
access-list VPN_RA_splitTunnelAcl standard permit XXXX_net 255.255.255.0
access-list Bomgar extended permit object-group DM_INLINE_PROTOCOL_1 any host 10.255.170.169
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu MGMT 1500
ip local pool RA-IP-Pool 10.255.170.240-10.255.170.250 mask 255.255.255.0
ip local pool NEW-POOL 10.255.170.220-10.255.170.230 mask 255.255.255.0
ip local pool WIN-POOL 10.255.170.210-10.255.170.215 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (outside) 0 access-list outside_nat0_outboundF
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 XXXX_net 255.255.255.0
static (inside,outside) xx.152.125.244 10.255.170.4 netmask 255.255.255.255
access-group from_wan in interface outside
access-group wan_xmit out interface outside
access-group from_lan in interface inside
route outside 0.0.0.0 0.0.0.0 xx.152.125.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http XXXX_other_net 255.255.255.0 inside
http XXXX_net 255.255.255.0 inside
http 172.16.1.0 255.255.255.0 MGMT
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_SHA
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 200
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh XXXX_net 255.255.255.0 inside
ssh XXXX_other_net 255.255.255.0 inside
ssh 172.16.1.0 255.255.255.0 MGMT
ssh timeout 30
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol svc
[usernames-omitted]
tunnel-group DefaultRAGroup general-attributes
 address-pool RA-IP-Pool
 address-pool NEW-POOL
 address-pool WIN-POOL
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2a15a897244d95160b7f34f2b8a1c8f6
: end
```
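As an added example (not from the question or its answer), here is a small Python check that cross-references the 8.2-style `static` entries with the ACL bound inbound on the mapped interface, which is exactly the pairing that packet-tracer phases 2 (UN-NAT) and 3 (ACCESS-LIST) confirmed above. The sample config is a constructed excerpt of the one quoted in the question, plus an assumed, unmatched xx.152.125.245 entry so the check has something to flag; when this check and packet-tracer both pass, as they did here, the remaining suspects are outside the ASA, such as whether the ISP actually routes the /29 toward the outside interface.

```python
import re

# Constructed excerpt of the running config quoted in the question ("xx" masks kept).
# The xx.152.125.245 static is an assumed extra entry with no matching ACE.
SAMPLE_CONFIG = """\
access-list from_wan extended permit tcp any host xx.152.125.244 object-group DM_INLINE_TCP_0
access-list from_wan extended permit icmp any any
access-list from_wan extended permit object-group DM_INLINE_SERVICE_1 any interface outside inactive
static (inside,outside) xx.152.125.244 10.255.170.4 netmask 255.255.255.255
static (inside,outside) xx.152.125.245 10.255.170.5 netmask 255.255.255.255
access-group from_wan in interface outside
access-group from_lan in interface inside
"""
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit (.+)$")

def _take(tokens):
    """Consume one ASA address spec: any | host A | object-group G | interface I | A MASK."""
    return tokens.pop(0) if tokens[0] == "any" else tokens.pop(0) + " " + tokens.pop(0)

def inbound_acls(cfg):
    """Map interface -> ACL bound with 'access-group <acl> in interface <if>'."""
    return {m.group(2): m.group(1) for m in map(GROUP_RE.match, cfg.splitlines()) if m}

def acl_permits_dest(cfg, acl, public_ip, proto="tcp"):
    """True if an active ACE in <acl> permits <proto> (or ip, or a service object-group) to 'host <public_ip>' or 'any'."""
    for line in cfg.splitlines():
        m = ACL_RE.match(line)
        if not m or m.group(1) != acl or line.endswith(" inactive"):
            continue
        tokens = m.group(2).split()
        protocol = _take(tokens) if tokens[0] == "object-group" else tokens.pop(0)
        if protocol not in (proto, "ip") and not protocol.startswith("object-group"):
            continue
        _take(tokens)                                      # source spec, not checked here
        if _take(tokens) in ("any", f"host {public_ip}"):  # destination spec
            return True
    return False

def check_public_servers(cfg):
    """(public, private, acl, permitted) per 8.2-style static: the UN-NAT + ACCESS-LIST pairing."""
    acls = inbound_acls(cfg)
    out = []
    for m in filter(None, map(STATIC_RE.match, cfg.splitlines())):
        mapped_if, public_ip, private_ip = m.group(2, 3, 4)
        acl = acls.get(mapped_if)
        out.append((public_ip, private_ip, acl, bool(acl) and acl_permits_dest(cfg, acl, public_ip)))
    return out
```

Run `check_public_servers(open("running-config.txt").read())` against a real `show running-config` dump to list every static that the outside ACL does not reach.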
After playing around with it for about a week, I got the ISP involved and found out it was a routing problem on the ISP's side.
Once they were notified, everything was updated; the ASA configuration was simple and straightforward.