Port-Forwarding

ASA 5505 8.4: opening a port from outside to a web server

  • February 13, 2012

I have set up a web server on a separate VLAN, configured an object for the web server to allow TCP port 80 traffic, and also set up an access list and access group. But I cannot reach the server from outside.

I have been searching Google and looking at the answers here, but none of them has let me reach the server.

I have checked that the web server is up and running, and it can be reached from inside the network using its IP.

Here is the relevant part of the configuration:

!
interface Vlan1
nameif outside
security-level 0
ip address dhcp 
!
interface Vlan2
nameif inside
security-level 100
ip address 10.5.1.1 255.255.255.0 
!
interface Vlan3
no forward interface Vlan2
nameif dmz
security-level 50
ip address 10.4.1.1 255.255.255.0 
!             

dns server-group DefaultDNS
domain-name mastermind.local

object network dev-server-internal 
host 10.4.1.2
object network inside-net 
subnet 0.0.0.0 0.0.0.0
object network dev-server-external 
host 10.4.1.2
access-list outside_access_in extended permit tcp any host 10.4.1.2 eq www 

!
object network dev-server-internal
nat (inside,dmz) dynamic interface
object network inside-net
nat (inside,outside) dynamic interface
object network dev-server-external
nat (dmz,outside) static interface service tcp www www 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.15.166.1 1

dhcpd dns 8.8.8.8 8.8.4.4
dhcpd auto_config outside
!
dhcpd address 10.5.1.2-10.5.1.32 inside
dhcpd enable inside
!
dhcpd address 10.4.1.2-10.4.1.2 dmz
dhcpd enable dmz
!

So the idea is that VLAN "inside" is for normal users and VLAN "dmz" is for the web server. Only one server is connected to VLAN "dmz", which is why I only allow a single address for DHCP.

I added the object "dev-server-internal" to allow inside users to reach the web server directly using its IP (10.4.1.2).

So what do I need to do to reach the web server from outside?


Here is what show nat gives me after trying to reach the web server from outside:

Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static dev-server-external interface service tcp www www 
   translate_hits = 0, untranslate_hits = 0
2 (inside) to (dmz) source dynamic dev-server-internal interface
   translate_hits = 0, untranslate_hits = 0
3 (any) to (outside) source dynamic inside-net interface
   translate_hits = 1160, untranslate_hits = 149

**Edit:** output of packet-tracer input outside tcp 1.2.3.4 2501 10.4.1.2 80

Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.4.1.0        255.255.255.0   dmz

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access in interface outside
access-list outside_access extended permit tcp any host 10.4.1.2 eq www 
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: HOST-LIMIT
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network dev-server-external
nat (dmz,outside) static interface service tcp www www 
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Edit 2: relevant part of show interface vlan1

Interface Vlan1 "outside", is up, line protocol is up
 Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
   MAC address 0007.7dab.c007, MTU 1500
   IP address 94.254.4.141, subnet mask 255.255.254.0

Output of show route

Gateway of last resort is 10.15.166.1 to network 0.0.0.0

C    10.5.1.0 255.255.255.0 is directly connected, inside
C    10.4.1.0 255.255.255.0 is directly connected, dmz
C    94.254.4.0 255.255.254.0 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 10.15.166.1, outside

Output of packet-tracer input outside tcp 1.2.3.4 2501 94.254.4.141 80

Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network dev-server-external
nat (dmz,outside) static interface service tcp www www 
Additional Information:
NAT divert to egress interface dmz
Untranslate 94.254.4.141/80 to 10.4.1.2/80

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:       
access-group outside_access in interface outside
access-list outside_access extended permit tcp any host 10.4.1.2 eq www 
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: HOST-LIMIT
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network dev-server-external
nat (dmz,outside) static interface service tcp www www 
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 356329, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow

Putting this in an answer to make it easier to format. This command might be causing problems:

object network dev-server-internal
nat (inside,dmz) dynamic interface

I would go ahead and remove that entry and identity NAT your inside network to the DMZ, like so:

object network internal-hosts2
subnet 10.5.1.0 255.255.255.0
nat (inside,dmz) static 10.5.1.0

Also, instead of using a static route, do this under vlan 1 to renew DHCP and have the default route set automatically from DHCP:

interface vlan 1
no ip address dhcp
ip address dhcp setroute

Now try capturing packets on your outside interface. Add the ACL in configuration mode and the capture command in normal exec mode:

access-list test extended permit tcp any interface outside eq www
capture test access-list test interface outside

Then, after you try to reach your website from the Internet, run show capture and see whether any packets are reaching your firewall at all.
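As an added example (not part of the original question or answer), here is how the answer's changes look once applied to the objects from the question, together with the verification steps, as one consolidated ASA 8.4 configuration fragment. Two observations from the posted output support taking this direction: the first packet-tracer, aimed at 10.4.1.2 from outside, is dropped at the NAT rpf-check because a packet arriving on outside addressed to the server's private address never matches the static NAT (that drop is expected, not the bug), while the second packet-tracer aimed at the outside address 94.254.4.141 is un-NATed to 10.4.1.2/80, permitted by the ACL and gets a flow created, so the NAT and ACL on the ASA itself already handle an inbound HTTP connection correctly. Also, the static default route points at 10.15.166.1, which is not inside the outside interface's own subnet 94.254.4.0/23 shown by show route, which is one more reason to let DHCP install the default route. The object name internal-hosts2 comes from the answer; every other name and address is taken from the question, and the access-list name follows the question's running config (outside_access_in) rather than the packet-tracer output.

```cisco
! Added example: the answer's changes applied to the question's objects.
! Not the original poster's running config.
!
! Outside interface: take both the address and the default route from the
! ISP's DHCP server, and drop the manual default route that pointed at a
! next hop outside the connected 94.254.4.0/23 subnet.
interface Vlan1
 nameif outside
 security-level 0
 ip address dhcp setroute
!
no route outside 0.0.0.0 0.0.0.0 10.15.166.1 1
!
! Port-forward TCP/80 on the outside interface address to the DMZ web server.
! On 8.3+ object NAT this one line provides both the translation and the
! un-translation for inbound connections.
object network dev-server-external
 host 10.4.1.2
 nat (dmz,outside) static interface service tcp www www
!
! Identity NAT for the inside network towards the DMZ so inside hosts reach
! the server by its real address 10.4.1.2. This replaces the
! 'nat (inside,dmz) dynamic interface' entry on object dev-server-internal,
! which applied a dynamic PAT to the server object itself.
no object network dev-server-internal
object network internal-hosts2
 subnet 10.5.1.0 255.255.255.0
 nat (inside,dmz) static 10.5.1.0
!
! PAT everything else from inside to the outside interface address.
object network inside-net
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
!
! On 8.3+ the inbound ACL matches the real (untranslated) server address,
! not the outside address, which is what the question already does.
access-list outside_access_in extended permit tcp any host 10.4.1.2 eq www
access-group outside_access_in in interface outside
!
! ACL used only to select traffic for the capture below (configuration mode).
access-list test extended permit tcp any interface outside eq www
!
! --- verification (privileged EXEC, not configuration mode) ---
!
! 1. Confirm the default route now comes from DHCP on the outside interface.
! show route
!
! 2. Simulate an inbound HTTP connection to the outside address; Phase UN-NAT
!    should show 'Untranslate <outside-ip>/80 to 10.4.1.2/80' and the final
!    Action should be 'allow'.
! packet-tracer input outside tcp 1.2.3.4 2501 94.254.4.141 80
!
! 3. Confirm packets from the Internet actually reach the ASA. Connect from
!    an external client, then look at the capture and at the NAT counters.
!    If the capture stays empty, the problem is upstream of the firewall.
! capture test access-list test interface outside
! show capture test
! show nat
```

The translate_hits and untranslate_hits counters for the (dmz) to (outside) rule in show nat are the quickest tell: they were 0 in the question, and they should start climbing once real inbound SYNs reach the outside interface. If the capture shows SYNs arriving and the counters still do not move, the NAT line is the place to look; if the capture is empty, the ASA never sees the traffic and the ISP path or the upstream router is where to continue.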

Source: https://serverfault.com/questions/359523