具有静态 NAT 的 Cisco asa 8.4 PAT

具有静态 NAT 的 Cisco asa 8.4 PAT

我正在尝试理解 Cisco 对 ASA > v8.3 上的 NAT 所做的更改。我有一个正在 PAT 到外部接口地址的网络,并且想要从外部接口 IP 到特定的内部主机添加静态 NAT。

配置的相关部分如下所示:

object network SERVER1
 host 192.168.198.7
 description INTERNAL SERVER
object service SERVER1-TCP-6000
 service tcp destination eq 6000
 access-list OUTSIDE-IN extended permit tcp object-group REMOTE-ACCESS object SERVER1 eq 6000 log emergencies
nat (INSIDE,OUTSIDE) source dynamic INSIDE-NET interface
nat (INSIDE,OUTSIDE) source static SERVER1 interface service SERVER1-TCP-6000 SERVER1-TCP-6000

从地址进行的测试REMOTE-ACCESS失败,并且数据包跟踪器输出显示流量被丢弃:

fw1# packet-tracer input OUTSIDE tcp 1.1.1.2 1076 10.1.1.20 6000 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop ROUTER1.EXAMPLE.COM using egress ifc  identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f2e212c9870, priority=0, domain=nat-per-session, deny=false
    hits=30107923, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    input_ifc=any, output_ifc=any

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f2e2c881270, priority=0, domain=permit, deny=true
    hits=4957308, user_data=0xa, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    input_ifc=OUTSIDE, output_ifc=any

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

我发现新的 NAT 配置非常令人困惑,因此非常感谢任何可以向我展示我在这里遗漏了什么的人。

相关内容