我正在尝试理解 Cisco 对 ASA > v8.3 上的 NAT 所做的更改。我有一个正在 PAT 到外部接口地址的网络,并且想要从外部接口 IP 到特定的内部主机添加静态 NAT。
配置的相关部分如下所示:
object network SERVER1
host 192.168.198.7
description INTERNAL SERVER
object service SERVER1-TCP-6000
service tcp destination eq 6000
access-list OUTSIDE-IN extended permit tcp object-group REMOTE-ACCESS object SERVER1 eq 6000 log emergencies
nat (INSIDE,OUTSIDE) source dynamic INSIDE-NET interface
nat (INSIDE,OUTSIDE) source static SERVER1 interface service SERVER1-TCP-6000 SERVER1-TCP-6000
从地址进行的测试REMOTE-ACCESS失败,并且数据包跟踪器输出显示流量被丢弃:
fw1# packet-tracer input OUTSIDE tcp 1.1.1.2 1076 10.1.1.20 6000 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop ROUTER1.EXAMPLE.COM using egress ifc identity
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2e212c9870, priority=0, domain=nat-per-session, deny=false
hits=30107923, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2e2c881270, priority=0, domain=permit, deny=true
hits=4957308, user_data=0xa, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=OUTSIDE, output_ifc=any
Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
我发现新的 NAT 配置非常令人困惑,因此非常感谢任何可以向我展示我在这里遗漏了什么的人。