Cisco ASA NAT to site-to-site VPN

I am trying to NAT an external address to an internal address that is not local but is on the remote end of a site-to-site VPN connection. Is this possible? The log shows that routing failed to locate the next hop for TCP from outside:xxxx/xxx to inside:yyyy/yyyy.

I can connect to the yyyy address fine, so the VPN is up.

nat (outside,outside) source static any any destination static web-server-outside web-server-inside service http tomcat-http
access-list outside_cryptomap extended permit object-group DM_INLINE_SERVICE_1 any object vpn-network 
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object-group DM_INLINE_NETWORK_2

object-group network DM_INLINE_NETWORK_2
 network-object object web-server-inside
 network-object object web-server-outside
object-group service DM_INLINE_SERVICE_2
 service-object tcp destination eq www 
 service-object tcp destination eq https 
 service-object object tomcat-http 

Result of the command: "packet-tracer input outside tcp 8.8.8.8 1234 xxxx 80 detailed"

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,outside) source static any any destination static web-server-outside web-server-inside service http tomcat-http
Additional Information:
NAT divert to egress interface outside
Untranslate x.x.x.x/80 to 10.y.y.y/8080

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xadc473e8, priority=111, domain=permit, deny=true
    hits=3395573, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    input_ifc=outside, output_ifc=outside

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

This is the trace after permitting intra-interface traffic:

Result of the command: "packet-tracer input outside tcp 8.8.8.8 1234 x.x.x.x 80 detailed"

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,outside) source static any any destination static web-server-outside web-server-inside service http tomcat-http
Additional Information:
NAT divert to egress interface outside
Untranslate x.x.x.x/80 to y.y.y.y/8080

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object web-server-inside 
object-group service DM_INLINE_SERVICE_2
 service-object object http 
 service-object object http-tomcat 
 service-object object https 
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xae825a98, priority=13, domain=permit, deny=false
    hits=16, user_data=0xaa5f12c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0
    dst ip/id=y.y.y.y, mask=255.255.255.255, port=8080, dscp=0x0
    input_ifc=outside, output_ifc=any

Phase: 3
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xadc4acf0, priority=0, domain=inspect-ip-options, deny=true
    hits=22335785, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    input_ifc=outside, output_ifc=any

Phase: 4
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xadc42e48, priority=21, domain=lu, deny=true
    hits=8829, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
    input_ifc=outside, output_ifc=any

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad421098, priority=13, domain=ipsec-tunnel-flow, deny=true
    hits=22393564, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    input_ifc=outside, output_ifc=any

Phase: 6
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (outside,outside) source static any any destination static web-server-outside web-server-inside service http tomcat-http
Additional Information:
Static translate 8.8.8.8/1234 to 8.8.8.8/1234
 Forward Flow based lookup yields rule:
 in  id=0xafd6da48, priority=6, domain=nat, deny=false
    hits=26, user_data=0xae843690, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0
    dst ip/id=y.y.y.y, mask=255.255.255.255, port=8080, dscp=0x0
    input_ifc=outside, output_ifc=outside

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (outside,outside) source static any any destination static web-server-outside web-server-inside service http tomcat-http
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xae2c6960, priority=6, domain=nat-reverse, deny=false
    hits=26, user_data=0xae835d18, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0
    dst ip/id=y.y.y.y, mask=255.255.255.255, port=8080, dscp=0x0
    input_ifc=outside, output_ifc=outside

Phase: 8
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xadc4acf0, priority=0, domain=inspect-ip-options, deny=true
    hits=22335787, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    input_ifc=outside, output_ifc=any

Phase: 9
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 23045025, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

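Added example, not part of the original post: a small Python parser for ASA packet-tracer output like the two traces above. It reports the first phase whose Result is DROP together with the final Drop-reason, and flags any phase whose rule lookup has the same input and output interface, which is what the (outside,outside) NAT rule produces and what the implicit-rule drop in the first trace shows. The two embedded traces are constructed, abbreviated copies of the posted ones with the same placeholder addresses; the names parse_trace, first_drop and hairpin_phases are mine.

```python
"""Parse Cisco ASA packet-tracer output and report where a flow is dropped."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed, abbreviated copy of the first posted trace (dropped by the implicit rule).
TRACE_DROP = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,outside) source static any any destination static web-server-outside web-server-inside service http tomcat-http
Additional Information:
Untranslate x.x.x.x/80 to y.y.y.y/8080

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 in  id=0xadc473e8, priority=111, domain=permit, deny=true
    input_ifc=outside, output_ifc=outside

Result:
input-interface: outside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed, abbreviated copy of the second posted trace (after intra-interface traffic was permitted).
TRACE_ALLOW = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Additional Information:
Untranslate x.x.x.x/80 to y.y.y.y/8080

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Additional Information:
    input_ifc=outside, output_ifc=any

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Additional Information:
    input_ifc=outside, output_ifc=any

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Additional Information:
    input_ifc=outside, output_ifc=outside

Result:
Action: allow
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    lines: List[str] = field(default_factory=list)  # Config / Additional Information text

    @property
    def interfaces(self) -> Optional[Tuple[str, str]]:
        """(input_ifc, output_ifc) from the rule lookup line, if the phase has one."""
        for line in self.lines:
            m = re.search(r"input_ifc=(\S+), output_ifc=(\S+)", line)
            if m:
                return m.group(1), m.group(2)
        return None


@dataclass
class Trace:
    phases: List[Phase]
    action: str
    drop_reason: Optional[str]


def parse_trace(text: str) -> Trace:
    """Split packet-tracer output into phases plus the final Result summary."""
    phases: List[Phase] = []
    action, reason, current, in_summary = "", None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Result:":          # bare 'Result:' opens the summary block
            in_summary, current = True, None
            continue
        if in_summary:
            if line.startswith("Action:"):
                action = line.split(":", 1)[1].strip()
            elif line.startswith("Drop-reason:"):
                reason = line.split(":", 1)[1].strip()
            continue
        if line.startswith("Phase:"):
            current = Phase(number=int(line.split(":", 1)[1]))
            phases.append(current)
            continue
        if current is None:            # e.g. the 'Result of the command:' header
            continue
        for key, attr in (("Type:", "type"), ("Subtype:", "subtype"), ("Result:", "result")):
            if line.startswith(key):
                setattr(current, attr, line.split(":", 1)[1].strip())
                break
        else:
            current.lines.append(line)
    return Trace(phases, action, reason)


def first_drop(trace: Trace) -> Optional[Phase]:
    """The first phase that dropped the packet, or None if the flow was allowed."""
    return next((p for p in trace.phases if p.result.upper() == "DROP"), None)


def hairpin_phases(trace: Trace) -> List[int]:
    """Phases whose rule lookup enters and leaves on the same interface (U-turn traffic)."""
    return [p.number for p in trace.phases
            if p.interfaces is not None and p.interfaces[0] == p.interfaces[1]]


if __name__ == "__main__":
    for name, text in (("drop", TRACE_DROP), ("allow", TRACE_ALLOW)):
        t = parse_trace(text)
        d = first_drop(t)
        print(name, t.action, t.drop_reason, d and (d.number, d.type), hairpin_phases(t))
```

Run against the first posted trace this reports phase 2 (ACCESS-LIST) with the acl-drop reason and flags it as a hairpin phase (input_ifc and output_ifc both outside); the same-interface U-turn is why that flow needs same-security-traffic permit intra-interface before the interface ACL is even consulted. Against the second trace nothing is dropped and only the NAT phase is flagged, which is the expected shape for a destination NAT that sends traffic back out the outside interface into the tunnel.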