ASA 5505 8.4: open a port from outside to a web server

I have set up a web server on a separate VLAN, configured an object for the web server to allow TCP port 80 traffic, and set up an access list and an access group. But I cannot reach the server from outside.

I have been googling and searching for answers here, but none of them let me reach the server.

I have checked that the web server is up and running, and it can be reached from inside the network using its IP.

Here is the relevant part of the configuration:

!
interface Vlan1
 nameif outside
 security-level 0
 ip address dhcp 
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 10.5.1.1 255.255.255.0 
!
interface Vlan3
 no forward interface Vlan2
 nameif dmz
 security-level 50
 ip address 10.4.1.1 255.255.255.0 
!             

dns server-group DefaultDNS
 domain-name mastermind.local

object network dev-server-internal 
 host 10.4.1.2
object network inside-net 
 subnet 0.0.0.0 0.0.0.0
object network dev-server-external 
 host 10.4.1.2
access-list outside_access_in extended permit tcp any host 10.4.1.2 eq www 

!
object network dev-server-internal
 nat (inside,dmz) dynamic interface
object network inside-net
 nat (inside,outside) dynamic interface
object network dev-server-external
 nat (dmz,outside) static interface service tcp www www 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.15.166.1 1

dhcpd dns 8.8.8.8 8.8.4.4
dhcpd auto_config outside
!
dhcpd address 10.5.1.2-10.5.1.32 inside
dhcpd enable inside
!
dhcpd address 10.4.1.2-10.4.1.2 dmz
dhcpd enable dmz
!

So the idea is that the VLAN "inside" is for normal users and the VLAN "dmz" is for the web server. Only one server is connected to the VLAN "dmz", which is why I only allow a single address via DHCP.

I added the object "dev-server-internal" to allow internal users to reach the web server directly using its IP (10.4.1.2).

So what do I need to do to reach the web server from outside?

Here is the output of show nat after I tried to reach the web server from outside:

Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static dev-server-external interface service tcp www www 
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (dmz) source dynamic dev-server-internal interface
    translate_hits = 0, untranslate_hits = 0
3 (any) to (outside) source dynamic inside-net interface
    translate_hits = 1160, untranslate_hits = 149

Edit: output of packet-tracer input outside tcp 1.2.3.4 2501 10.4.1.2 80

Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.4.1.0        255.255.255.0   dmz

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access in interface outside
access-list outside_access extended permit tcp any host 10.4.1.2 eq www 
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: HOST-LIMIT
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network dev-server-external
 nat (dmz,outside) static interface service tcp www www 
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Edit 2: relevant part of show interface vlan1

Interface Vlan1 "outside", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
    MAC address 0007.7dab.c007, MTU 1500
    IP address 94.254.4.141, subnet mask 255.255.254.0

Output of show route

Gateway of last resort is 10.15.166.1 to network 0.0.0.0

C    10.5.1.0 255.255.255.0 is directly connected, inside
C    10.4.1.0 255.255.255.0 is directly connected, dmz
C    94.254.4.0 255.255.254.0 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 10.15.166.1, outside

Output of packet-tracer input outside tcp 1.2.3.4 2501 94.254.4.141 80

Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network dev-server-external
 nat (dmz,outside) static interface service tcp www www 
Additional Information:
NAT divert to egress interface dmz
Untranslate 94.254.4.141/80 to 10.4.1.2/80

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:       
access-group outside_access in interface outside
access-list outside_access extended permit tcp any host 10.4.1.2 eq www 
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: HOST-LIMIT
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network dev-server-external
 nat (dmz,outside) static interface service tcp www www 
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 356329, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow
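As an added diagnostic aid (not part of the question or either answer), the Python below parses packet-tracer output like the two runs above and reports the first phase that dropped the packet, the rule quoted under its Config:, and the Drop-reason; the embedded traces are abbreviated, constructed copies of the question's own output.

```python
import re
# Constructed samples: abbreviated copies of the two packet-tracer runs in the
# question (one aimed at the server's real IP, one at the outside address).
TRACE_TO_REAL_IP = """\
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network dev-server-external
 nat (dmz,outside) static interface service tcp www www

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
TRACE_TO_OUTSIDE_IP = """\
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network dev-server-external
 nat (dmz,outside) static interface service tcp www www
Additional Information:

Result:
Action: allow
"""
# One 'Phase:' block: header fields, then the Config lines (the rule the
# packet matched) up to 'Additional Information:' or the next blank line.
PHASE_RE = re.compile(
    r"^Phase: (?P<num>\d+)\nType: (?P<type>\S+)\nSubtype: ?(?P<subtype>\S*)\n"
    r"Result: (?P<result>\w+)\nConfig:(?P<config>.*?)"
    r"(?=\nAdditional Information:|\n\n|\Z)", re.S | re.M)
def parse_phases(text):
    """Each 'Phase:' block as a dict; 'config' is the matched rule, whitespace-collapsed."""
    return [dict(m.groupdict(), config=" ".join(m["config"].split()))
            for m in PHASE_RE.finditer(text)]

def diagnose(text):
    """Name the first DROP phase (type/subtype), the rule it hit, and the drop reason."""
    drop = next((p for p in parse_phases(text) if p["result"] == "DROP"), None)
    reason = re.search(r"^Drop-reason:\s*(.+)$", text, re.M)
    return {
        "action": "drop" if drop else "allow",
        "phase": f"{drop['type']}/{drop['subtype']}".rstrip("/") if drop else None,
        "config": drop["config"] if drop else None,
        "reason": reason.group(1).strip() if reason else None,
    }
```

Running diagnose() over both traces shows the same static NAT rule dropping the packet in the NAT/rpf-check phase when the real server address is tested, and passing when the outside interface address is tested.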

Answer 1

Putting this in an answer so it is easier to format. This command may be causing the problem:

object network dev-server-internal
 nat (inside,dmz) dynamic interface

I would go ahead and remove this entry and identity NAT your internal network to the DMZ, like so:

object network internal-hosts2
 subnet 10.5.1.0 255.255.255.0
 nat (inside,dmz) static 10.5.1.0

Also, instead of using a static route, do this under vlan 1 so that DHCP updates and sets the default route automatically:

interface vlan 1
no ip address dhcp
ip address dhcp setroute

Now try a packet capture on the outside interface. Add the ACL in configuration mode and the capture command in normal exec mode:

access-list test extended permit tcp any interface outside eq www
capture test access-list test interface outside

Then, after you try to reach your website from the internet, check show capture to see whether any packets are reaching your firewall at all.

Answer 2

No amount of auto NAT will make the web server available on the outside interface.

There has to be a static NAT rule from the DMZ machine to the outside, possibly just for port 80 if that is all you need.
