Trying to set up an ASA5505. It is half working, but I am having problems reaching services from outside.
ASA5505 Base license, version 8.2. (Also upgraded to unlimited inside hosts.)
Warning: I am new to Cisco.
10.10.39.X is a placeholder for privacy. (Edit: to reduce confusion.)
I came up with this config and tested it tonight.
ASA Version 8.2(1)
!
hostname <removed>
domain-name <removed>
enable password <removed> encrypted
passwd <removed> encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.21.36.1 255.255.252.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.10.39.10 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name <removed>
access-list outside_inbound extended permit tcp any host 10.10.39.10 eq pptp
access-list outside_inbound extended permit tcp any host 10.10.39.11 eq https
access-list outside_inbound extended permit tcp any host 10.10.39.11 eq 993
access-list outside_inbound extended permit tcp any host 10.10.39.11 eq smtp
access-list outside_inbound extended permit tcp any host 10.10.39.11 eq 1001
access-list outside_inbound extended permit tcp any host 10.10.39.11 eq 465
access-list outside_inbound extended permit tcp any host 10.10.39.11 eq domain
access-list outside_inbound extended permit udp any eq domain host 10.10.39.11 eq domain
access-list outside_inbound extended permit tcp any host 10.10.39.12 eq www
access-list outside_inbound extended permit tcp any host 10.10.39.12 eq https
access-list outside_inbound extended permit tcp any host 10.10.39.13 eq www
access-list outside_inbound extended permit tcp any host 10.10.39.13 eq https
access-list outside_inbound extended permit icmp any any echo-reply
access-list outside_inbound extended permit icmp any any source-quench
access-list outside_inbound extended permit icmp any any unreachable
access-list outside_inbound extended permit icmp any any time-exceeded
access-list outside_inbound extended permit icmp any any traceroute
access-list outside_inbound extended permit icmp any any echo
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 2 10.10.39.11-10.10.39.14 netmask 255.255.255.248
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface pptp 172.21.37.20 pptp netmask 255.255.255.255
static (inside,outside) 10.10.39.11 172.21.37.14 netmask 255.255.255.255
static (inside,outside) 10.10.39.12 172.21.37.24 netmask 255.255.255.255
static (inside,outside) 10.10.39.13 172.21.37.17 netmask 255.255.255.255
access-group outside_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.39.9 1
route inside 192.168.15.0 255.255.255.0 172.21.36.52 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.21.36.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 172.21.36.0 255.255.252.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
inspect ipsec-pass-thru
inspect http
!
service-policy global_policy global
prompt hostname context
The servers with static translations have no outside network access at all. For example, they cannot ping google.com. The mail server cannot POP mail from our ISP domain, the Barracuda spam filter, etc.
So after doing some reading, I removed the statics for 10.10.39.11, .12 and .13 and replaced those three with the following. (Edit: corrected the IPs in this statement.)
static (inside,outside) tcp 10.10.39.11 https 172.21.37.14 https netmask 255.255.255.255
static (inside,outside) tcp 10.10.39.11 993 172.21.37.14 993 netmask 255.255.255.255
static (inside,outside) tcp 10.10.39.11 smtp 172.21.37.14 smtp netmask 255.255.255.255
static (inside,outside) tcp 10.10.39.11 1001 172.21.37.14 1001 netmask 255.255.255.255
static (inside,outside) tcp 10.10.39.11 465 172.21.37.14 465 netmask 255.255.255.255
static (inside,outside) tcp 10.10.39.11 domain 172.21.37.14 domain netmask 255.255.255.255
static (inside,outside) tcp 10.10.39.12 www 172.21.37.24 www netmask 255.255.255.255
static (inside,outside) tcp 10.10.39.12 https 172.21.37.24 https netmask 255.255.255.255
static (inside,outside) tcp 10.10.39.13 www 172.21.37.17 www netmask 255.255.255.255
static (inside,outside) tcp 10.10.39.13 https 172.21.37.17 https netmask 255.255.255.255
Now the servers (e.g. 172.21.37.14) can ping the outside world again. Mail started flowing (domain POP succeeded), etc. But I forgot to check whether webmail works from outside.
However, the web servers on 172.21.37.17 and 172.21.37.24 still do not respond from the outside world. I am able to do a PPTP VPN to 10.10.39.10 (the interface), which is the outside interface IP address, and it is statically mapped to 172.21.37.20.
So I guess something must be wrong with NAT? 10.10.39.11 through 10.10.39.14 are not responding.
Could someone look over the config and tell me what I am doing wrong? Am I missing something? Of course I am, but... please help! Thanks.
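The following is an added example, not part of the original question: the ASA 8.2 commands a practitioner would run before changing any more NAT statements, so that the box itself says whether it is dropping, translating, or never seeing the traffic. Two things are visible from the posted config without guessing: the `global (outside) 2 10.10.39.11-10.10.39.14` pool is never referenced by a `nat (inside) 2` statement, so it is idle, and a one-to-one `static` takes precedence over the `nat (inside) 1` dynamic rule, so a host covered by one should leave the ASA sourced from its mapped address rather than the interface. The outside test client 198.51.100.7 and the destination 8.8.8.8 are assumed values (RFC 5737 documentation space and a public resolver), not from the post.

```cisco
! Added example (not from the original post): verification on ASA 8.2.
! 198.51.100.7 is an assumed outside test client; 8.8.8.8 an assumed outside host.

! 1. Confirm which translations are actually installed right now.
show running-config static
show running-config global
show running-config nat
show xlate

! 2. Trace an inbound HTTP connection to a mapped web-server address.
!    Every phase (ROUTE-LOOKUP, ACCESS-LIST, NAT, ...) prints ALLOW or a drop
!    reason, and the final lines show the translated (inside) destination.
packet-tracer input outside tcp 198.51.100.7 40000 10.10.39.12 80 detailed

! 3. Trace an outbound ping from a statically translated server. The NAT phase
!    shows which outside address it leaves with (10.10.39.12 via the static, or
!    the interface address via the dynamic rule).
packet-tracer input inside icmp 172.21.37.24 8 0 8.8.8.8

! 4. If packet-tracer says ALLOW but real clients still fail, capture on the
!    outside interface while a client connects. SYNs arriving with no SYN/ACK
!    leaving means the server or inside path is not answering; no SYNs at all
!    means the upstream router is not delivering 10.10.39.12 to the ASA.
capture web12 interface outside match tcp any host 10.10.39.12 eq 80
show capture web12
no capture web12

! 5. The ASA answers ARP on the outside for mapped addresses in static
!    statements unless proxy ARP has been disabled; confirm it has not been.
show running-config all sysopt
```

Run step 2 once against the one-to-one `static` form and once against the per-port `static tcp` form; the NAT phase output is what distinguishes the two, and a capture that shows no inbound SYNs at all points at the upstream router rather than at the ASA configuration.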
Answer 1
(Your example IP addressing scheme is confusing... don't do that!)
Use the Cisco ASDM GUI wizard to walk through setting up a basic PAT rule. I would also recommend moving to the ASA 8.3 or 8.4 software (and the corresponding ASDM), presumably included in the package. I think it makes setting up static NAT entries easier, since it can be done host by host in a single dialog.
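As an added example that is not part of the answer or the question, here are the question's mappings rewritten in the 8.3+ object NAT syntax the answer recommends. The addresses are those from the question; the object names (inside-net, srv-mail, srv-web1, srv-web2, srv-pptp) and the outside test client 198.51.100.7 are assumptions. Two caveats a practitioner would want: 8.3 and later require 512 MB of RAM on the ASA 5505, so original 256 MB units need a memory upgrade first, and in 8.3+ an access list applied to the outside interface must reference the real (inside) address of the server, not the mapped 10.10.39.x address. The upgrade migrates the existing configuration automatically, but anything typed by hand afterwards must follow the new rule.

```cisco
! Added example, not from the original answer or question: the same NAT
! expressed in ASA 8.3+ object NAT. Object names are assumed.

! Dynamic PAT for the whole inside network to the outside interface address
! (replaces "nat (inside) 1 0.0.0.0 0.0.0.0" + "global (outside) 1 interface").
object network inside-net
 subnet 172.21.36.0 255.255.252.0
 nat (inside,outside) dynamic interface

! One-to-one statics. Within object NAT, static rules are evaluated before
! dynamic ones, so these hosts leave the ASA sourced from their mapped address.
object network srv-mail
 host 172.21.37.14
 nat (inside,outside) static 10.10.39.11
object network srv-web1
 host 172.21.37.24
 nat (inside,outside) static 10.10.39.12
object network srv-web2
 host 172.21.37.17
 nat (inside,outside) static 10.10.39.13

! Port forward on the outside interface address (replaces
! "static (inside,outside) tcp interface pptp 172.21.37.20 pptp ...").
! "inspect pptp" in the global policy still opens the GRE pinhole.
object network srv-pptp
 host 172.21.37.20
 nat (inside,outside) static interface service tcp pptp pptp

! Inbound ACL: REAL addresses in 8.3+. The DNS/UDP line is written without the
! "eq domain" source-port restriction used in the question, since resolvers use
! random source ports.
access-list outside_inbound extended permit tcp any host 172.21.37.14 eq smtp
access-list outside_inbound extended permit tcp any host 172.21.37.14 eq https
access-list outside_inbound extended permit tcp any host 172.21.37.14 eq 993
access-list outside_inbound extended permit tcp any host 172.21.37.14 eq 465
access-list outside_inbound extended permit tcp any host 172.21.37.14 eq 1001
access-list outside_inbound extended permit tcp any host 172.21.37.14 eq domain
access-list outside_inbound extended permit udp any host 172.21.37.14 eq domain
access-list outside_inbound extended permit tcp any host 172.21.37.24 eq www
access-list outside_inbound extended permit tcp any host 172.21.37.24 eq https
access-list outside_inbound extended permit tcp any host 172.21.37.17 eq www
access-list outside_inbound extended permit tcp any host 172.21.37.17 eq https
access-list outside_inbound extended permit tcp any host 172.21.37.20 eq pptp
access-group outside_inbound in interface outside

! Verify the resulting table and trace one inbound flow end to end.
show nat detail
show xlate
packet-tracer input outside tcp 198.51.100.7 40000 10.10.39.12 80
```

`show nat detail` lists each rule with its hit counters, so a mapped address that never increments while clients are connecting is being dropped before NAT (ACL or routing), not by the translation itself.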