我已经在单独的 VLAN 上设置了 Web 服务器,并为 Web 服务器配置了一个对象以允许 TCP 端口 80 通信,还设置了访问列表和访问组。但我无法从外部访问该服务器。
我一直在谷歌搜索并寻找这里的答案,但没有一个允许我访问服务器。
我已经检查过 Web 服务器是否已启动并正在运行,并且可以使用其 IP 从网络内部访问它。
以下是配置的相关部分:
!
interface Vlan1
nameif outside
security-level 0
ip address dhcp
!
interface Vlan2
nameif inside
security-level 100
ip address 10.5.1.1 255.255.255.0
!
interface Vlan3
no forward interface Vlan2
nameif dmz
security-level 50
ip address 10.4.1.1 255.255.255.0
!
dns server-group DefaultDNS
domain-name mastermind.local
object network dev-server-internal
host 10.4.1.2
object network inside-net
subnet 0.0.0.0 0.0.0.0
object network dev-server-external
host 10.4.1.2
access-list outside_access_in extended permit tcp any host 10.4.1.2 eq www
!
object network dev-server-internal
nat (inside,dmz) dynamic interface
object network inside-net
nat (inside,outside) dynamic interface
object network dev-server-external
nat (dmz,outside) static interface service tcp www www
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.15.166.1 1
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd auto_config outside
!
dhcpd address 10.5.1.2-10.5.1.32 inside
dhcpd enable inside
!
dhcpd address 10.4.1.2-10.4.1.2 dmz
dhcpd enable dmz
!
因此,我们的想法是,VLAN“内部”用于普通用户,而 VLAN“dmz”用于 Web 服务器。只有一台服务器连接到 VLAN“dmz”,这就是为什么我只允许一个地址使用 dhcp。
我添加了对象“dev-server-internal”以允许内部用户使用它的 ip(10.4.1.2)直接访问 Web 服务器。
那么我该怎么做才能从外部访问 Web 服务器呢?
以下是show nat
我尝试从外部访问 Web 服务器后得到的结果:
Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static dev-server-external interface service tcp www www
translate_hits = 0, untranslate_hits = 0
2 (inside) to (dmz) source dynamic dev-server-internal interface
translate_hits = 0, untranslate_hits = 0
3 (any) to (outside) source dynamic inside-net interface
translate_hits = 1160, untranslate_hits = 149
编辑:输出自packet-tracer input outside tcp 1.2.3.4 2501 10.4.1.2 80
:
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.4.1.0 255.255.255.0 dmz
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access in interface outside
access-list outside_access extended permit tcp any host 10.4.1.2 eq www
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network dev-server-external
nat (dmz,outside) static interface service tcp www www
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
编辑2:相关部分来自show interface vlan1
:
Interface Vlan1 "outside", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
MAC address 0007.7dab.c007, MTU 1500
IP address 94.254.4.141, subnet mask 255.255.254.0
输出自show route
:
Gateway of last resort is 10.15.166.1 to network 0.0.0.0
C 10.5.1.0 255.255.255.0 is directly connected, inside
C 10.4.1.0 255.255.255.0 is directly connected, dmz
C 94.254.4.0 255.255.254.0 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 10.15.166.1, outside
输出自packet-tracer input outside tcp 1.2.3.4 2501 94.254.4.141 80
:
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network dev-server-external
nat (dmz,outside) static interface service tcp www www
Additional Information:
NAT divert to egress interface dmz
Untranslate 94.254.4.141/80 to 10.4.1.2/80
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access in interface outside
access-list outside_access extended permit tcp any host 10.4.1.2 eq www
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network dev-server-external
nat (dmz,outside) static interface service tcp www www
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 356329, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow
答案1
将其放入答案中以使其更易于格式化。此命令可能会造成问题:
object network dev-server-internal
nat (inside,dmz) dynamic interface
我将继续删除此条目并将您的内部网络标识为 DMZ,如下所示:
object network internal-hosts2
subnet 10.5.1.0 255.255.255.0
nat (inside,dmz) static 10.5.1.0
另外,不要使用静态路由,而是在 vlan 1 下执行此操作,让 dhcp 更新并自动从 dhcp 设置默认路由
interface vlan 1
no ip address dhcp
ip address dhcp setroute
现在尝试在外部接口上进行数据包捕获。在配置模式下添加 acl,在正常执行模式下添加捕获命令
access-list test extended permit tcp any interface outside eq www
capture test access-list test interface outside
然后,在您尝试从互联网访问您的网站后,查看show capture
是否有任何数据包进入您的防火墙。
答案2
无论多少自动 NAT 都无法使 Web 服务器在外部接口上可用。
必须有一个从 DMZ 机器到外部的静态 NAT 规则,如果您需要的话可能只针对端口 80。