d*****s
发帖数: 173 | 1 T1给了5个ip 50.20.38.106-50.20.38.110
asa5510 0/0口绑定了地址50.20.38.110,0/1接内部网络
想要从外部通过50.20.38.106访问内部web server 192.168.1.110
我参考cisco文档配置了static nat,但是还是无法访问,请问哪里出了问题,谢谢!
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_objects.html#wp1119793
asa版本是8.3
附上我的配置
ASA Version 8.3(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password b4RZzua6LpNOeJCF encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 50.20.38.110 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.1.1.1 255.255.0.0
management-only
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 66.180.96.12
domain-name default.domain.invalid
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network myWebServ
host 192.168.1.100
object network 192.168.1.105
host 192.168.1.105
object network 192.168.1.2
host 192.168.1.2
object network 192.168.1.242
host 192.168.1.242
object network 192.168.1.3
host 192.168.1.3
object network 192.168.1.4
host 192.168.1.4
object network 192.168.1.5
host 192.168.1.5
object network 192.168.1.6
host 192.168.1.6
object network 192.168.1.7
host 192.168.1.7
object network 192.168.1.8
host 192.168.1.8
object network 192.168.1.9
host 192.168.1.9
object-group network WebServer
network-object object 192.168.1.105
network-object object 192.168.1.110
network-object object 192.168.1.2
network-object object 192.168.1.3
network-object object 192.168.1.4
network-object object 192.168.1.5
network-object object 192.168.1.6
network-object object 192.168.1.7
network-object object 192.168.1.8
network-object object 192.168.1.9
access-list test_splitTunnelAcl standard permit any
access-list 100 extended permit ip any any
access-list 100 extended permit tcp host 50.20.38.106 object 192.168.1.100
eq www
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool topshand 192.168.1.110-192.168.1.122 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (any,outside) dynamic interface
object network myWebServ
nat (inside,outside) static 50.20.38.106
route outside 0.0.0.0 0.0.0.0 50.20.38.105 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:
00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
以下省略 |
j*a
发帖数: 14423 | 2 access-group涅?
acl应该permit 那个106
【在 d*****s 的大作中提到】
: T1给了5个ip 50.20.38.106-50.20.38.110
: asa5510 0/0口绑定了地址50.20.38.110,0/1接内部网络
: 想要从外部通过50.20.38.106访问内部web server 192.168.1.110
: 我参考cisco文档配置了static nat,但是还是无法访问,请问哪里出了问题,谢谢!
: http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_objects.html#wp1119793
: asa版本是8.3
: 附上我的配置
: ASA Version 8.3(1)
: !
: hostname ciscoasa
|
d*****s
发帖数: 173 | 3 能帮忙写个配置吗?我是新手,不太了解,只能照葫芦画瓢
【在 j*a 的大作中提到】
: access-group涅?
: acl应该permit 那个106
|
a***n
发帖数: 262 | 4 I did not see the static nat.
apply access-group 100 in outside
then try to use packet-tracer utility
T1给了5个ip 50.20.38.106-50.20.38.110
asa5510 0/0口绑定了地址50.20.38.110,0/1接内部网络
想要从外部通过50.20.38.106访问内部web server 192.168.1.110
我参考cisco文档配置了static nat,但是还是无法访问,请问哪里出了问题,谢谢!
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_objects.html#wp1119793
asa版本是8.3
附上我的配置
ASA Version 8.3(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password b4RZzua6LpNOeJCF encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 50.20.38.110 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.1.1.1 255.255.0.0
management-only
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 66.180.96.12
domain-name default.domain.invalid
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network myWebServ
host 192.168.1.100
object network 192.168.1.105
host 192.168.1.105
object network 192.168.1.2
host 192.168.1.2
object network 192.168.1.242
host 192.168.1.242
object network 192.168.1.3
host 192.168.1.3
object network 192.168.1.4
host 192.168.1.4
object network 192.168.1.5
host 192.168.1.5
object network 192.168.1.6
host 192.168.1.6
object network 192.168.1.7
host 192.168.1.7
object network 192.168.1.8
host 192.168.1.8
object network 192.168.1.9
host 192.168.1.9
object-group network WebServer
network-object object 192.168.1.105
network-object object 192.168.1.110
network-object object 192.168.1.2
network-object object 192.168.1.3
network-object object 192.168.1.4
network-object object 192.168.1.5
network-object object 192.168.1.6
network-object object 192.168.1.7
network-object object 192.168.1.8
network-object object 192.168.1.9
access-list test_splitTunnelAcl standard permit any
access-list 100 extended permit ip any any
access-list 100 extended permit tcp host 50.20.38.106 object 192.168.1.100
eq www
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool topshand 192.168.1.110-192.168.1.122 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (any,outside) dynamic interface
object network myWebServ
nat (inside,outside) static 50.20.38.106
route outside 0.0.0.0 0.0.0.0 50.20.38.105 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:
00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
以下省略
【在 d*****s 的大作中提到】
: T1给了5个ip 50.20.38.106-50.20.38.110
: asa5510 0/0口绑定了地址50.20.38.110,0/1接内部网络
: 想要从外部通过50.20.38.106访问内部web server 192.168.1.110
: 我参考cisco文档配置了static nat,但是还是无法访问,请问哪里出了问题,谢谢!
: http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_objects.html#wp1119793
: asa版本是8.3
: 附上我的配置
: ASA Version 8.3(1)
: !
: hostname ciscoasa
|
l*********r
发帖数: 215 | 5 试试:access-group 100 in interface outside |
l*********r
发帖数: 215 | 6 再试:packet-tracer input outside tcp 50.20.38.106 1024 192.168.1.100 www
看看Result:里的Action: |
l*********r
发帖数: 215 | 7 还有,把这条no掉:
no access-list 100 extended permit ip any any |
d*****s
发帖数: 173 | 8
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
我加了access-group 100 in interface outside
然后no access-list 100 extended permit ip any any
还是无法访问
【在 l*********r 的大作中提到】
: 再试:packet-tracer input outside tcp 50.20.38.106 1024 192.168.1.100 www
: 看看Result:里的Action:
|
s*****g
发帖数: 1055 | 9 For testing purpose, keep "access-list 100 extended permit ip any any" and
try packet tracer again. Your packet tracer should look like this
packet-tracer input outside tcp 1024 50.20.38.
106 www |
a***n
发帖数: 262 | 10 Usually for testing pupose, I always have
logging enable
logging timestamp
logging buffered debugging
Then you can see show log to see the log information.
38.
【在 s*****g 的大作中提到】
: For testing purpose, keep "access-list 100 extended permit ip any any" and
: try packet tracer again. Your packet tracer should look like this
: packet-tracer input outside tcp 1024 50.20.38.
: 106 www
|
a***n
发帖数: 262 | 11 static (inside, outside) 54.x.y.106 192.168.1.100 netmask 255.255.255.255
Static NAT entry needed. I copied from FWSM should be the same with ASA.
show nat ?
【在 d*****s 的大作中提到】
:
: Result:
: input-interface: outside
: input-status: up
: input-line-status: up
: output-interface: inside
: output-status: up
: output-line-status: up
: Action: drop
: Drop-reason: (acl-drop) Flow is denied by configured rule
|
a***n
发帖数: 262 | 12 http://www.cisco.com/en/US/products/ps6120/products_configurati
【在 a***n 的大作中提到】
: static (inside, outside) 54.x.y.106 192.168.1.100 netmask 255.255.255.255
: Static NAT entry needed. I copied from FWSM should be the same with ASA.
: show nat ?
|
s*****g
发帖数: 1055 | 13 That was old style configuration of static NAT, the new style SUCKS.
【在 a***n 的大作中提到】
: static (inside, outside) 54.x.y.106 192.168.1.100 netmask 255.255.255.255
: Static NAT entry needed. I copied from FWSM should be the same with ASA.
: show nat ?
|
