ASA 5505 8.4: opening a port from outside to a web server
I have set up a web server on a separate VLAN, configured an object for the webserver to allow tcp port 80 traffic, and also set up the access-list and access-group. But I cannot reach the server from outside.

I have been searching Google and looking at the answers here, but none of them let me reach the server.

I have checked that the web server is up and running, and it can be reached from inside the network using its ip.

Here is the relevant part of the config:
```
!
interface Vlan1
 nameif outside
 security-level 0
 ip address dhcp
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 10.5.1.1 255.255.255.0
!
interface Vlan3
 no forward interface Vlan2
 nameif dmz
 security-level 50
 ip address 10.4.1.1 255.255.255.0
!
dns server-group DefaultDNS
 domain-name mastermind.local
object network dev-server-internal
 host 10.4.1.2
object network inside-net
 subnet 0.0.0.0 0.0.0.0
object network dev-server-external
 host 10.4.1.2
access-list outside_access_in extended permit tcp any host 10.4.1.2 eq www
!
object network dev-server-internal
 nat (inside,dmz) dynamic interface
object network inside-net
 nat (inside,outside) dynamic interface
object network dev-server-external
 nat (dmz,outside) static interface service tcp www www
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.15.166.1 1
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd auto_config outside
!
dhcpd address 10.5.1.2-10.5.1.32 inside
dhcpd enable inside
!
dhcpd address 10.4.1.2-10.4.1.2 dmz
dhcpd enable dmz
!
```
So the idea is that VLAN "inside" is for ordinary users and VLAN "dmz" is for the web server. Only one server is connected to VLAN "dmz", which is why I only hand out one address via dhcp.

I added the object "dev-server-internal" so that inside users can reach the web server directly using its ip (10.4.1.2).

So what do I need to do to reach the web server from outside?
Here is what `show nat` gave me after trying to reach the web server from outside:

```
Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static dev-server-external interface   service tcp www www
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (dmz) source dynamic dev-server-internal interface
    translate_hits = 0, untranslate_hits = 0
3 (any) to (outside) source dynamic inside-net interface
    translate_hits = 1160, untranslate_hits = 149
```
**Edit:** output of `packet-tracer input outside tcp 1.2.3.4 2501 10.4.1.2 80`:

```
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.4.1.0        255.255.255.0   dmz

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access in interface outside
access-list outside_access extended permit tcp any host 10.4.1.2 eq www
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network dev-server-external
 nat (dmz,outside) static interface service tcp www www
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
```
**Edit 2:** the relevant part of `show interface vlan1`:

```
Interface Vlan1 "outside", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
        MAC address 0007.7dab.c007, MTU 1500
        IP address 94.254.4.141, subnet mask 255.255.254.0
```
Output of `show route`:

```
Gateway of last resort is 10.15.166.1 to network 0.0.0.0

C    10.5.1.0 255.255.255.0 is directly connected, inside
C    10.4.1.0 255.255.255.0 is directly connected, dmz
C    94.254.4.0 255.255.254.0 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 10.15.166.1, outside
```
Output of `packet-tracer input outside tcp 1.2.3.4 2501 94.254.4.141 80`:

```
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network dev-server-external
 nat (dmz,outside) static interface service tcp www www
Additional Information:
NAT divert to egress interface dmz
Untranslate 94.254.4.141/80 to 10.4.1.2/80

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access in interface outside
access-list outside_access extended permit tcp any host 10.4.1.2 eq www
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network dev-server-external
 nat (dmz,outside) static interface service tcp www www
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 356329, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow
```
Putting this in an answer so it is easier to format. This command may be causing the problem:

```
object network dev-server-internal
 nat (inside,dmz) dynamic interface
```

I would go ahead and remove that entry and identity NAT your inside network to the DMZ, like this:

```
object network internal-hosts2
 subnet 10.5.1.0 255.255.255.0
 nat (inside,dmz) static 10.5.1.0
```
Also, instead of using a static route, do this under vlan 1 to renew the dhcp lease and set the default route from dhcp automatically:

```
interface vlan 1
 no ip address dhcp
 ip address dhcp setroute
```
Now try capturing packets on your outside interface. Add the acl in configuration mode and the capture command in normal exec mode:

```
access-list test extended permit tcp any interface outside eq www
capture test access-list test interface outside
```
Then, after you try to reach your website from the Internet, run `show capture` and see whether any packets are arriving at your firewall at all.
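Added example, not from the question or the answer above: a small Python parser for `packet-tracer` output that reports which phase dropped the packet and why, and whether an UN-NAT phase was present. That is exactly the difference between the two traces in the question: the run against the private address 10.4.1.2 stops at NAT/rpf-check, while the run against the outside address 94.254.4.141 untranslates first and is allowed. The sample trace is constructed to mirror the first run, trimmed to the phases that matter.

```python
import re

# Constructed sample modelled on the first packet-tracer run in the question
# (outside -> 10.4.1.2:80), trimmed to the phases that matter for the diagnosis.
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule

Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network dev-server-external
 nat (dmz,outside) static interface service tcp www www

Result:
input-interface: outside
output-interface: dmz
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(trace):
    """Split packet-tracer output into dicts with phase, type, subtype and result."""
    phases = []
    for block in re.split(r"\n\s*\n", trace.strip()):
        fields = dict(re.findall(r"^(Phase|Type|Subtype|Result): ?(.*)$", block, re.M))
        if "Phase" in fields:  # the trailing "Result:" summary has no Phase line
            phases.append({k.lower(): v for k, v in fields.items()})
    return phases

def diagnose(trace):
    """Return (verdict, detail): the first phase that dropped the packet and why."""
    phases = parse_phases(trace)
    reason = re.search(r"^Drop-reason: (.*)$", trace, re.M)
    for p in phases:
        if p["result"] == "DROP":
            return ("DROP", f"phase {p['phase']} {p['type']}/{p['subtype']}: "
                    + (reason.group(1) if reason else "no Drop-reason line"))
    # An allowed flow entering 'outside' with no UN-NAT phase means the test
    # destination was never translated, i.e. the trace did not exercise the static NAT.
    if not any(p["type"] == "UN-NAT" for p in phases):
        return ("ALLOW", "no UN-NAT phase: destination was not a translated address")
    return ("ALLOW", "flow created via UN-NAT")
```

Feed it the raw text of a `packet-tracer` run (for example pasted from the console into a file) and a DROP at NAT/rpf-check on a flow from outside to a private address tells you the test used the real IP rather than the translated outside address.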