ASA denying the PAT'd IP

Network Engineering user
Asked on 2019-01-23 15:38:39
1 answer, 197 views, 0 followers, 3 votes

The ASA keeps denying TCP to the PAT'd DMZ. Can someone take a look at this? I have been using ASDM.

```
same-security-traffic permit intra-interface
object network expressway-e
 host 192.168.5.21
 description expressway inside
object network expressway-e-dmz
 host 10.1.0.21
 description expressway dmz interface
object network inside-all
 subnet 192.168.0.0 255.255.0.0
object network DMZ
 subnet 10.1.0.0 255.255.255.0
 description DMZ Subnet Object
object network obj-192.168.0.0-01
 subnet 192.168.0.0 255.255.0.0
object service udp_3478-3483
 service udp source range 3478 3483
object service udp_24000-29999
 service udp source range 24000 29999
object service udp_36002-59999
 service udp source range 36002 59999
object service tcp_5222
 service tcp source eq 5222
object service tcp_8443
 service tcp source eq 8443
object service tcp_5061
 service tcp source eq 5061
object service udp_5061
 service udp source eq 5061
object network Outside-Interface
 host 74.32.58.14
object network ASA-DMZ-Interface
 host 10.1.0.1
object network DMZ_outside
 subnet 0.0.0.0 0.0.0.0
object network expressway-server-Outside
 host 10.1.0.21
object-group network obj-192.168.0.0
 description Inside Vlan1
 network-object 192.168.0.0 255.255.0.0
object-group network obj-192.168.1.0
object-group network obj-192.168.10.0
 description Network Management subnet
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object icmp time-exceeded
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network obj-10.1.0.0
 network-object DMZ 255.255.255.0
object-group service tcp-expressway tcp
 port-object eq 5222
 port-object eq 8443
object-group service udp-expressway udp
 port-object range 23999 30000
 port-object range 3477 3484
 port-object range 36001 60000
 port-object eq 5061
 port-object eq 5222
 port-object eq 8443
access-list inside_access_in remark Permit Ping
access-list inside_access_in extended permit ip any4 any4
access-list outside_access_in remark outside_in_acl
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 any4
access-list outside_access_in extended permit udp any4 object expressway-e-dmz object-group udp-expressway
access-list outside_access_in extended permit tcp any4 object expressway-e-dmz object-group tcp-expressway
access-list inside_access_in_1 extended permit ip any4 any4
access-list global_mpc extended permit ip any4 any4
access-list DMZ_access_in extended permit ip any4 object DMZ
access-list DMZ_access_in remark Permit/Allow icmp from Inside
access-list DMZ_access_in extended permit icmp 192.168.2.0 255.255.255.0 object DMZ
access-list dmz_access_in extended permit ip object DMZ any4
access-list dmz_access_in extended permit ip object DMZ object inside-all
access-list global_mpc_1 remark This allowed ping from inside networks to DMZ hosts
access-list global_mpc_1 extended permit icmp object inside-all 10.1.0.0 255.255.255.0
access-list global_mpc_2 extended permit icmp object inside-all object ASA-DMZ-Interface
access-list OutsideToDMZ extended permit tcp any4 host 10.1.0.21 eq 5222
access-list OutsideToDMZ extended permit tcp any4 host 10.1.0.21 eq 8443
access-list OutsideToDMZ extended permit tcp any4 host 10.1.0.21 eq 5061
access-list OutsideToDMZ extended permit udp any4 host 10.1.0.21 gt 3477
access-list OutsideToDMZ extended permit udp any4 host 10.1.0.21 lt 3484
access-list OutsideToDMZ extended permit udp any4 host 10.1.0.21 gt 23999
access-list OutsideToDMZ extended permit udp any4 host 10.1.0.21 lt 30000
access-list OutsideToDMZ extended permit udp any4 host 10.1.0.21 gt 36001
access-list OutsideToDMZ extended permit udp any4 host 10.1.0.21 lt 60000
access-list OutsideToDMZ extended permit udp any4 host 10.1.0.21 eq 5061
*remove*
object network inside-all
 nat (inside,dmz) static 10.1.0.0
object network DMZ
 nat (dmz,outside) dynamic interface
!
nat (dmz,outside) after-auto source static expressway-server-Outside expressway-server-Outside service udp_24000-29999 udp_24000-29999
nat (dmz,outside) after-auto source dynamic expressway-server-Outside expressway-server-Outside service tcp_8443 tcp_8443
nat (dmz,outside) after-auto source static expressway-server-Outside expressway-server-Outside service udp_36002-59999 udp_36002-59999
nat (dmz,outside) after-auto source static expressway-server-Outside expressway-server-Outside service tcp_5222 tcp_5222
nat (dmz,outside) after-auto source static expressway-server-Outside expressway-server-Outside service udp_3478-3483 udp_3478-3483
nat (dmz,outside) after-auto source static expressway-server-Outside expressway-server-Outside service tcp_5061 tcp_5061
nat (dmz,outside) after-auto source static expressway-server-Outside expressway-server-Outside service udp_5061 udp_5061
nat (inside,outside) after-auto source dynamic any interface
access-group inside_access_in_1 in interface inside control-plane
access-group inside_access_in in interface inside
access-group OutsideToDMZ in interface outside
access-group dmz_access_in in interface dmz
```

1 Answer

Network Engineering user

Posted on 2019-01-23 21:53:33

```
object network DMZ
 nat (dmz,outside) dynamic interface
```

This statement is part of your problem. Your "global" NAT is being given a higher priority than:

```
nat (dmz,outside) after-auto source dynamic expressway-server-Outside expressway-server-Outside service tcp_8443 tcp_8443
```

because you used the keyword "after-auto".

If you issue the command "show nat" (rather than show run), you will see the order in which the NAT statements are processed. Because of the after-auto keyword, it has the lowest priority in NAT processing, a "last resort". If you remove that keyword from the specific NAT statement, it should work.

Generally, it is better practice to use the after-auto keyword only in your global NAT statement, not in the service NATs. That way you give the lowest priority to the "if nothing else matches, use this" statement.

So, I would do the following:

```
object network DMZ
 no nat (dmz,outside) dynamic interface
```

nat (dmz,outside) after-auto source dynamic DMZ interface (to make sure it is only the DMZ subnet on the DMZ interface)

nat (dmz,outside) after-auto source dynamic any interface (since you are already restricted to the DMZ interface)

Followed by:

```
no nat (dmz,outside) after-auto source dynamic expressway-server-Outside expressway-server-Outside service tcp_8443 tcp_8443

nat (dmz,outside) source dynamic expressway-server-Outside expressway-server-Outside service tcp_8443 tcp_8443
```
5 votes
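As an added example (not part of the original question or answer), the following Python model walks a NAT table the way the answer describes the ASA doing it: Section 1 (manual NAT), then Section 2 (object NAT), then Section 3 (manual NAT with after-auto), first match wins. It is fed the two rules at issue on this page, once as posted and once after the answer's change, so you can see which rule claims the Expressway's tcp/8443 traffic in each case. Ordering within a section by configuration order is a simplification (Section 2 on a real ASA is ordered static before dynamic, then by prefix length), which is enough for these rules.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class NatRule:
    name: str
    section: int                 # 1 = manual, 2 = object/auto, 3 = manual after-auto
    src_net: str                 # real source network, CIDR form
    proto: Optional[str] = None  # service match; None means any protocol/port
    ports: Optional[Tuple[int, int]] = None  # inclusive real source-port range

    def matches(self, src_ip: str, proto: str, port: int) -> bool:
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src_net):
            return False
        if self.proto is None:
            return True
        return proto == self.proto and self.ports[0] <= port <= self.ports[1]

def first_match(rules, src_ip: str, proto: str, port: int) -> Optional[str]:
    """Name of the rule the ASA would apply: lower section first, then config order.
    sorted() is stable, so rules in the same section keep their configured order."""
    for rule in sorted(rules, key=lambda r: r.section):
        if rule.matches(src_ip, proto, port):
            return rule.name
    return None

# Constructed from the question as posted: the DMZ catch-all is object NAT
# (Section 2); the Expressway service rule carries after-auto (Section 3).
AS_POSTED = [
    NatRule("object DMZ: nat (dmz,outside) dynamic interface", 2, "10.1.0.0/24"),
    NatRule("after-auto ... service tcp_8443", 3, "10.1.0.21/32", "tcp", (8443, 8443)),
]

# After the answer's change: the service rule loses after-auto (Section 1) and
# the catch-all is re-entered as an after-auto manual rule (Section 3).
AS_FIXED = [
    NatRule("nat (dmz,outside) source dynamic ... service tcp_8443", 1, "10.1.0.21/32", "tcp", (8443, 8443)),
    NatRule("nat (dmz,outside) after-auto source dynamic DMZ interface", 3, "10.1.0.0/24"),
]

if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("after fix", AS_FIXED)):
        print(label, "->", first_match(rules, "10.1.0.21", "tcp", 8443))
```

The same model shows that a different DMZ host, such as 10.1.0.50, still falls through to the after-auto catch-all once the fix is in place, which is the "last resort" behaviour the answer wants that rule to have.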
Original page content provided by Network Engineering. Translation support provided by Tencent Cloud Xiaowei's IT-domain engine.
Original link: https://networkengineering.stackexchange.com/questions/56328
