I'm trying to configure my ASA (ASA 8.4(2), ASDM 6.4(5)) to allow external access to a server (via RDP). I've tried everything, but it doesn't seem to work. I'm sure it's something simple that I'm just not seeing.
Here is the relevant config:
access-list Outside_access_in extended permit object RDP any object Priv_Vcenter01 log
nat (Inside,Outside) source static Priv_Vcenter01 Priv_Vcenter01 service RDP RDP
Any ideas?
Scott
Answer 1
Below is an example using a specific object naming scheme - designed for clarity - to be as clear as possible in ASA 8.3+.
Full static NAT outside:2.2.2.2 <-> inside:192.168.0.100 with ACL on ASA 8.3+
! Define network object for the host
! Configure NAT behavior here but will appear further down if doing a sh run
object network hst-192.168.0.100
 host 192.168.0.100
 description SRV01 LAN IP
 nat (inside,outside) static 2.2.2.2
! Define an object-group for services to be permitted in ACL
object-group service svcgrp-192.168.0.100-tcp tcp
 description SRV01 Services
 port-object eq 3389
! Put it all together - remember un-nat comes before ACL check
! Use real IP's in ACL's used in access-group -- even on outside
access-list outside_access_in extended permit tcp any object hst-192.168.0.100 object-group svcgrp-192.168.0.100-tcp
access-group outside_access_in in interface outside
For static PAT on the ASA's outside interface with an ACL:
! Define network object for the host
object network hst-192.168.0.100
 host 192.168.0.100
 description SRV01 LAN IP
! Create network object specific for the static PAT
! Kind of ridiculous with a lot of static PAT's but the ASA 8.3+ code is not
! geared for a lot of static PAT.
object network hst-192.168.0.100-tcp3389
 host 192.168.0.100
 description SRV01 PAT TCP/3389
 nat (inside,outside) static interface service tcp 3389 3389
! Define an object-group for services to be permitted in ACL
object-group service svcgrp-192.168.0.100-tcp tcp
 description SRV01 Services
 port-object eq 3389
! Put it all together - remember un-nat comes before ACL check
! Use real IP's in ACL's used in access-group -- even on outside
access-list outside_access_in extended permit tcp any object hst-192.168.0.100 object-group svcgrp-192.168.0.100-tcp
access-group outside_access_in in interface outside
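As an added example (not part of the original answer), a small Python linter for the two rules the comments above insist on: ACEs in an access-group ACL must reference the real (un-NATed) host, and the ACL must actually be applied with access-group. The constructed sample reuses the full static NAT snippet and adds a deliberately wrong ACE that points at the mapped address; the regexes cover only the object/host/ACL forms shown on this page.

```python
import re
# Constructed sample: the full static NAT example from the answer above, plus a
# deliberately wrong ACL entry that uses the mapped address instead of the real IP.
SAMPLE_CONFIG = """
object network hst-192.168.0.100
 host 192.168.0.100
 nat (inside,outside) static 2.2.2.2
object-group service svcgrp-192.168.0.100-tcp tcp
 port-object eq 3389
access-list outside_access_in extended permit tcp any object hst-192.168.0.100 object-group svcgrp-192.168.0.100-tcp
access-group outside_access_in in interface outside
access-list bad_acl extended permit tcp any host 2.2.2.2 eq 3389
"""
# Destination of an ACE: either "object <name>" or "host <ip>" (source is any/object/host)
ACL_RE = re.compile(r"access-list (\S+) extended permit \S+ (?:any|object \S+|host \S+) (object|host) (\S+)")

def parse_asa(text):
    """Collect network objects (real host + mapped NAT address), ACL destinations, access-groups."""
    objects, acls, applied, current = {}, {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"object network (\S+)", line):
            current = m.group(1)
            objects[current] = {"host": None, "mapped": None}
        elif current and (m := re.match(r"host (\S+)", line)):
            objects[current]["host"] = m.group(1)
        elif current and (m := re.match(r"nat \(\S+\) static (\S+)", line)):
            objects[current]["mapped"] = m.group(1)
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := re.match(r"access-group (\S+) in interface", line):
            applied.add(m.group(1))
    return {"objects": objects, "acls": acls, "applied": applied}

def lint(cfg):
    """Findings: ACL applied? destination is the real (un-NATed) host? static NAT exists for it?"""
    findings, objects = [], cfg["objects"]
    mapped = {o["mapped"] for o in objects.values() if o["mapped"]}
    for acl, entries in cfg["acls"].items():
        if acl not in cfg["applied"]:
            findings.append(f"{acl}: not applied with access-group")
        for kind, dest in entries:
            real = objects.get(dest, {}).get("host") if kind == "object" else dest
            if real is None:
                findings.append(f"{acl}: destination object {dest} is not defined")
            elif real in mapped:
                findings.append(f"{acl}: {real} is the mapped address; ACLs must use the real IP")
            elif not any(o["host"] == real and o["mapped"] for o in objects.values()):
                findings.append(f"{acl}: no static NAT found for real host {real}")
    return findings
```

Calling lint(parse_asa(SAMPLE_CONFIG)) reports nothing for outside_access_in and two findings for the constructed bad_acl (not applied, and it uses the mapped 2.2.2.2).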
Answer 2
Don't use the 8.4 example; NAT has changed a lot compared to 8.2.
Is that access list applied to the interface?
sh access-group
Also, are you assuming your objects are correct?