cisco asa 公共服务器 nat 问题

tag-icon tag-icon networking firewall web-server nat cisco-asa
cisco asa 公共服务器 nat 问题

我负责在几周内进行一些 ASA 配置,为了测试一些配置选项,我在本地网络上设置了一个 Web 服务器,我希望能够使用 ISP 提供给我们的一个静态 IP 通过 WAN 来访问该服务器。

Info:

ASA: 8.2

ASM: 6.2

Static Block from ISP: xx.152.125.240/29

Default Gateway (Static route to): xx.152.125.241

Ethernet 0/0 (outside) - WAN - xx.152.125.243 255.255.255.248

Ethernet 0/3 (inside) - LAN - 10.255.170.1 255.255.255.0

试图:

我首先尝试手动设置 NAT 和 ACL 规则,但没有成功。所以我删除了它们,然后简单地使用了“公共服务器”功能设置,如下所示:

Private Interface: inside

Private IP Address: 10.255.170.4

Service: tcp/8080, tcp/http, tcp/https

Public Interface: outside

Public IP Address: xx.152.125.244

这创建了与我第一次手动设置的规则完全相同的规则,但第一次没有成功,所以我没有信心。令我惊讶的是,我无法通过浏览器访问服务器。所有其他网络功能都运行良好,而且我可以从 LAN 工作站上的浏览器内部访问 10.255.170.4 服务器。

故障排除:

我通常通过 ASDM 工作,因为我刚刚开始研究 CLI 参考。不过,我进入 CLI 执行数据包跟踪:

:: 数据包跟踪器输入外部 tcp 1.2.3.4 8080 xx.152.125.244 8080

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) xx.152.125.244 10.255.170.4 netmask 255.255.255.255
nat-control
match ip inside host 10.255.170.4 outside any
static translation to xx.152.125.244
translate_hits = 0, untranslate_hits = 1
Additional Information:
NAT divert to egress interface inside
Untranslate xx.152.125.244/0 to 10.255.170.4/0 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group from_wan in interface outside
access-list from_wan extended permit tcp any host xx.152.125.244 object-group DM_INLINE_TCP_0
object-group service DM_INLINE_TCP_0 tcp
port-object eq www
port-object eq https
port-object eq 8080
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) xx.152.125.244 10.255.170.4 netmask 255.255.255.255
nat-control
match ip inside host 10.255.170.4 outside any
static translation to xx.152.125.244
translate_hits = 0, untranslate_hits = 1
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) xx.152.125.244 10.255.170.4 netmask 255.255.255.255
nat-control
match ip inside host 10.255.170.4 outside any
static translation to xx.152.125.244
translate_hits = 0, untranslate_hits = 1
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 350070, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

问题:

那么,既然数据包没有被丢弃,为什么我无法通过浏览器访问公共 IP (xx.152.125.244:8080) 的服务器?我觉得我遗漏了一些非常简单的东西,但我又说不上来。

任何帮助都将不胜感激!

谢谢。

编辑:这是运行配置

: Saved

:

ASA Version 8.2(1) 
!
names
name 10.255.170.0 XXXX_net
name xx.152.125.243 XXXX_wan description WAN
dns-guard
!
interface Ethernet0/0
 description ISP/WAN
 nameif outside
 security-level 0
 ip address XXXX_wan 255.255.255.248 
!
interface Ethernet0/3
 description LAN
 nameif inside
 security-level 100
 ip address 10.255.170.1 255.255.255.0 
!
interface Management0/0
 description Management Interface
 shutdown
 nameif MGMT
 security-level 0
 ip address 172.16.1.1 255.255.255.0 
 management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns domain-lookup outside
dns domain-lookup MGMT
dns server-group DefaultDNS
 domain-name XXXX.office
same-security-traffic permit inter-interface
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object udp
 protocol-object tcp
object-group network bomgar-subnet
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_SERVICE_1
 service-object ip 
 service-object icmp 
 service-object tcp eq www 
 service-object tcp eq https 
object-group service DM_INLINE_SERVICE_2
 service-object ip 
 service-object icmp 
 service-object tcp eq www 
 service-object tcp eq https 
object-group service DM_INLINE_TCP_0 tcp
 port-object eq 8080
 port-object eq www
 port-object eq https
access-list from_lan extended permit ip any any 
access-list from_lan extended permit gre any any 
access-list from_lan extended permit icmp any any 
access-list wan_xmit extended permit ip any any 
access-list from_wan extended permit tcp any host xx.152.125.244 object-group DM_INLINE_TCP_0 
access-list from_wan extended permit icmp any any 
access-list from_wan extended permit udp any any eq isakmp 
access-list from_wan extended permit tcp any any object-group DM_INLINE_TCP_1 
access-list from_wan extended permit object-group DM_INLINE_SERVICE_1 any interface outside inactive 
access-list from_wan extended permit object-group DM_INLINE_SERVICE_2 any xx.152.125.240 255.255.255.248 inactive 
access-list inside_nat0_outbound extended permit ip XXXX_net 255.255.255.0 XXXX_other_net 255.255.255.0 
access-list inside_nat0_outbound extended permit ip XXXX_net 255.255.255.0 10.255.170.240 255.255.255.240 
access-list inside_nat0_outbound extended permit ip any 10.255.170.240 255.255.255.240 
access-list inside_nat0_outbound extended permit ip any 10.255.170.192 255.255.255.192 
access-list inside_nat0_outbound extended permit ip any 10.255.170.208 255.255.255.248 
access-list XXXX-RA_splitTunnelAcl standard permit XXXX_net 255.255.255.0 
access-list outside_nat0_outbound extended permit ip host XXXX_wan XXXX_net 255.255.255.0 
access-list VPN_RA_splitTunnelAcl standard permit XXXX_net 255.255.255.0 
access-list Bomgar extended permit object-group DM_INLINE_PROTOCOL_1 any host 10.255.170.169 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu MGMT 1500
ip local pool RA-IP-Pool 10.255.170.240-10.255.170.250 mask 255.255.255.0
ip local pool NEW-POOL 10.255.170.220-10.255.170.230 mask 255.255.255.0
ip local pool WIN-POOL 10.255.170.210-10.255.170.215 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (outside) 0 access-list outside_nat0_outboundF
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 XXXX_net 255.255.255.0
static (inside,outside) xx.152.125.244 10.255.170.4 netmask 255.255.255.255 
access-group from_wan in interface outside
access-group wan_xmit out interface outside
access-group from_lan in interface inside
route outside 0.0.0.0 0.0.0.0 xx.152.125.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
aaa authorization command LOCAL 
http server enable
http XXXX_other_net 255.255.255.0 inside
http XXXX_net 255.255.255.0 inside
http 172.16.1.0 255.255.255.0 MGMT
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_SHA
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 200
crypto isakmp ipsec-over-tcp port 10000 
telnet timeout 5
ssh XXXX_net 255.255.255.0 inside
ssh XXXX_other_net 255.255.255.0 inside
ssh 172.16.1.0 255.255.255.0 MGMT
ssh timeout 30
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol svc 

[usernames-ommited]

tunnel-group DefaultRAGroup general-attributes
 address-pool RA-IP-Pool
 address-pool NEW-POOL
 address-pool WIN-POOL
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect pptp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:2a15a897244d95160b7f34f2b8a1c8f6
: end

答案1

经过大约一周的折腾之后,我让 ISP 介入,结果发现这是 ISP 的路由问题。

一旦收到通知,一切都会更新,并且 ASA 的配置变得简单而直接。

相关内容