A few months ago I wrote this post on NE, but for the life of me I still just can't work out port forwarding on my ASA 5505. Since then I have started over and am now trying a DMZ port, but I've hit a brick wall again. It seems that no matter what I try, the implicit rule(s) block inbound traffic. I can't figure out how to fix this. My DMZ network is on port 7 (vlan 12), subnet 172.16.0.0/24, web server IP: 172.16.0.2
MyASA# show running-config
: Saved
:
: Serial Number:
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(3)
!
hostname MyASA
domain-name labz.local
enable password encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 12
!
interface Vlan1
description labz LAN
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Vlan2
description telco-isp 100 Mbps fiber
nameif outside
security-level 0
pppoe client vpdn group labzGroup
ip address pppoe setroute
!
interface Vlan12
description DMZ port
no forward interface Vlan1
nameif DMZ
security-level 50
ip address 172.16.0.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name labz.local
same-security-traffic permit inter-interface
object network show
object network dmz-subnet
subnet 172.16.0.0 255.255.255.0
object network webserver
host 172.16.0.2
object-group icmp-type PING-both
description PING echo & echo-reply
icmp-object echo
icmp-object echo-reply
access-list outside_acl extended permit tcp interface outside object webserver eq https
access-list outside_acl extended permit tcp interface outside object webserver eq www
access-list outside_acl extended permit tcp host 172.16.0.2 host 0.0.0.0 eq www
access-list outside_acl extended permit tcp host 172.16.0.2 host 0.0.0.0 eq https
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo-reply outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network dmz-subnet
nat (DMZ,outside) dynamic interface
object network webserver
nat (DMZ,outside) static interface service tcp https https
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_acl in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=192.168.3.1,CN=MyASA
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group labzGroup request dialout pppoe
vpdn group labzGroup localname samandrew@telco-isp.net
vpdn group labzGroup ppp authentication chap
vpdn username samandrew@telco-isp.net password ***** store-local
dhcpd dns 1.1.1.1 8.8.8.8
dhcpd domain labz.local
!
dhcpd address 192.168.3.30-192.168.3.90 inside
dhcpd dns 1.1.1.1 8.8.8.8 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
username DrewAdmin password fZC8u8Iqk7W4q1hs encrypted privilege 15
username DrewAdmin attributes
service-type admin
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f38de6f9c4834dee452b30e10f54a8de
: end
MyASA# packet-tracer input outside tcp 8.8.8.8 443 172.16.0.2 443 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 172.16.0.0 255.255.255.0 DMZ
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcd2ec2d0, priority=11, domain=permit, deny=true
hits=32828, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
MyASA# show running-config
: Saved
:
: Serial Number:
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(3)
!
hostname MyASA
domain-name Labz.local
enable password encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 12
!
interface Vlan1
description Labz LAN
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Vlan2
description Telco-ISP 100 Mbps fiber
nameif outside
security-level 0
pppoe client vpdn group LabzGroup
ip address pppoe setroute
!
interface Vlan12
description DMZ port
no forward interface Vlan1
nameif DMZ
security-level 50
ip address 172.16.0.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name Labz.local
same-security-traffic permit inter-interface
object network show
object network dmz-subnet
subnet 172.16.0.0 255.255.255.0
object network webserver
host 172.16.0.2
object network webserver-80
host 172.16.0.2
object-group icmp-type PING-both
description PING echo & echo-reply
icmp-object echo
icmp-object echo-reply
access-list outside_acl extended permit tcp any object webserver eq https
access-list outside_acl extended permit tcp any object webserver eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo-reply outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network dmz-subnet
nat (DMZ,outside) dynamic interface
object network webserver
nat (DMZ,outside) static interface service tcp https https
object network webserver-80
nat (DMZ,outside) static interface service tcp www www
!
nat (any,outside) after-auto source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=192.168.3.1,CN=MyASA
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate e8fbb45b
bf03b569 694aeba7 03c36099 8d
quit
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group LabzGroup request dialout pppoe
vpdn group LabzGroup localname MrCustomer@Telco-ISP.net
vpdn group LabzGroup ppp authentication chap
vpdn username MrCustomer@Telco-ISP.net password ********* store-local
dhcpd dns 1.1.1.1 8.8.8.8
dhcpd domain Labz.local
!
dhcpd address 192.168.3.30-192.168.3.90 inside
dhcpd dns 1.1.1.1 8.8.8.8 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
username AdminMe password encrypted privilege 15
username AdminMe attributes
service-type admin
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:139e5552c3c8346de7d6b388e72ee8bb
: end
MyASA# packet-tracer input outside tcp 8.8.8.8 443 172.16.0.2 443 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 172.16.0.0 255.255.255.0 DMZ
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc34e810, priority=0, domain=nat-per-session, deny=false
hits=260315, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcd251fe8, priority=0, domain=permit, deny=true
hits=110764, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
MyASA(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list outside_acl; 2 elements; name hash: 0x6b8df462
access-list outside_acl line 1 extended permit tcp any object webserver eq https (hitcnt=0) 0xf582ebb0
access-list outside_acl line 1 extended permit tcp any host 172.16.0.2 eq https (hitcnt=0) 0xf582ebb0
access-list outside_acl line 2 extended permit tcp any object webserver eq www (hitcnt=0) 0x0e174c0d
access-list outside_acl line 2 extended permit tcp any host 172.16.0.2 eq www (hitcnt=0) 0x0e174c0d
MyASA(config)# show run
: Saved
:
: Serial Number:
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(3)
!
hostname MyASA
domain-name labz.local
enable password lE85y9xDQeSE5Ktl encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 12
!
interface Vlan1
description labz LAN
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Vlan2
description Telco-ISP 100 Mbps fiber
nameif outside
security-level 0
pppoe client vpdn group labzGroup
ip address pppoe setroute
!
interface Vlan12
description DMZ port
no forward interface Vlan1
nameif DMZ
security-level 50
ip address 172.16.0.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name labz.local
same-security-traffic permit inter-interface
object network show
object network dmz-subnet
subnet 172.16.0.0 255.255.255.0
object network webserver
host 172.16.0.2
object network webserver-80
host 172.16.0.2
object-group icmp-type PING-both
description PING echo & echo-reply
icmp-object echo
icmp-object echo-reply
access-list outside_acl extended permit tcp any object webserver eq https
access-list outside_acl extended permit tcp any object webserver eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo-reply outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network webserver
nat (DMZ,outside) static interface service tcp https https
object network webserver-80
nat (DMZ,outside) static interface service tcp www www
!
nat (inside,outside) after-auto source dynamic any interface
nat (DMZ,outside) after-auto source dynamic any interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable 444
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=192.168.3.1,CN=MyASA
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate e8fbb45b
bf03b569 694aeba7 03c36099 8d
quit
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group labzGroup request dialout pppoe
vpdn group labzGroup localname fryandrew@Telco-ISP.net
vpdn group labzGroup ppp authentication chap
vpdn username fryandrew@Telco-ISP.net password ***** store-local
dhcpd dns 1.1.1.1 8.8.8.8
dhcpd domain labz.local
!
dhcpd address 192.168.3.30-192.168.3.90 inside
dhcpd dns 1.1.1.1 8.8.8.8 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
username AdminMe password fZC8u8Iqk7W4q1hs encrypted privilege 15
username AdminMe attributes
service-type admin
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9baa3a68f21c745a705eafb83ad44b86
: end
MyASA# packet-tracer input outside tcp 8.8.8.8 80 172.16.0.2 80 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 172.16.0.0 255.255.255.0 DMZ
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc34e810, priority=0, domain=nat-per-session, deny=false
hits=379567, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcd251fe8, priority=0, domain=permit, deny=true
hits=197361, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
MyASA# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list outside_acl; 2 elements; name hash: 0x6b8df462
access-list outside_acl line 1 extended permit tcp any object webserver eq https (hitcnt=0) 0xf582ebb0
access-list outside_acl line 1 extended permit tcp any host 172.16.0.2 eq https (hitcnt=0) 0xf582ebb0
access-list outside_acl line 2 extended permit tcp any object webserver eq www (hitcnt=0) 0x0e174c0d
access-list outside_acl line 2 extended permit tcp any host 172.16.0.2 eq www (hitcnt=0) 0x0e174c0d
Edit - looks like I have a redundant NAT statement/policy? (In the end this didn't matter.)
MyASA# show NAT detail
Auto NAT Policies (Section 2)
1 (DMZ) to (outside) source static webserver interface service tcp https https
translate_hits = 0, untranslate_hits = 148
Source - Origin: 172.16.0.2/32, Translated: Current_Pub_IP/32
Service - Protocol: tcp Real: https Mapped: https
2 (DMZ) to (outside) source static webserver-80 interface service tcp www www
translate_hits = 0, untranslate_hits = 102
Source - Origin: 172.16.0.2/32, Translated: Current_Pub_IP/32
Service - Protocol: tcp Real: www Mapped: www
Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic any interface
translate_hits = 52506, untranslate_hits = 12737
Source - Origin: 0.0.0.0/0, Translated: Current_Pub_IP/32
2 (DMZ) to (outside) source dynamic any interface
translate_hits = 1142, untranslate_hits = 4
Source - Origin: 0.0.0.0/0, Translated: Current_Pub_IP/32
Posted on 2019-02-26 15:09:53
access-list outside_acl extended permit tcp interface outside object webserver eq https
access-list outside_acl extended permit tcp interface outside object webserver eq www
access-list outside_acl extended permit tcp host 172.16.0.2 host 0.0.0.0 eq www
access-list outside_acl extended permit tcp host 172.16.0.2 host 0.0.0.0 eq https
You need to remove all of the above lines by issuing the following commands:
no access-list outside_acl extended permit tcp interface outside object webserver eq https
no access-list outside_acl extended permit tcp interface outside object webserver eq www
no access-list outside_acl extended permit tcp host 172.16.0.2 host 0.0.0.0 eq www
no access-list outside_acl extended permit tcp host 172.16.0.2 host 0.0.0.0 eq https
Basically, they do nothing. Your existing rules restrict the source (i.e. people on the Internet) to your own IP address (rather than theirs).
If you want to allow traffic from the Internet to your web server, you need to replace the lines you just deleted with the following:
access-list outside_acl extended permit tcp any object webserver eq https
The current object NAT statement only allows HTTPS (not HTTP), so if you also want to include HTTP we need to make a separate statement for it, which can be done like so:
object network webserver-80
host 172.16.0.2
nat (DMZ,outside) static interface service tcp www www
Now that you have added NAT for HTTP, we can add an ACE permitting HTTP by adding:
access-list outside_acl extended permit tcp any object webserver eq www
Edit:
Before this I hadn't noticed that the DMZ interface has a redundant global NAT that gets hit before the PAT statements, causing them not to be used. Also, since you are using the interface IP and port 443, and port 443 is currently bound to the ASA's internal web server for ASDM, it needs to be moved to another port so that there is no conflict.
Please change the http server's port by issuing the following commands:
no http server enable
http server enable 444
Note this non-standard port, because if you use ASDM you will need to use this port to reach it. Instead of just https://192.168.3.1, it will now be https://192.168.3.1:444
Please remove:
object network dmz-subnet
nat (DMZ,outside) dynamic interface
by issuing:
object network dmz-subnet
no nat (DMZ,outside) dynamic interface
Also, you have another global NAT that is set to use the "any" interface, which is not recommended. My suggestion is to change it so that it is restricted to the only remaining interface without an explicit NAT (the DMZ interface), by:
no nat (any,outside) after-auto source dynamic any interface
nat (DMZ,outside) after-auto source dynamic any interface
Edit (added from the comment discussion):
Also, your outside interface does not have its ACL bound to it.
Please add:
access-group outside_acl in interface outside
https://networkengineering.stackexchange.com/questions/57095
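The four problems the answer walks through (ACEs whose source is the ASA's own interface address or whose destination is host 0.0.0.0, the ACL never bound with access-group, a manual NAT with source interface "any", and a static PAT of interface:443 colliding with ASDM on its default port) can all be spotted from the running-config text before a single packet-tracer run. The script below is an added example, not code from the question or the answer: a small lint over ASA config lines. BROKEN_CFG is a constructed cut-down of the question's first and third configs (it keeps the original object, interface and ACL names), FIXED_CFG is the same fragment with the answer's corrections applied, and the finding codes, helper names and message wording are this example's own.

```python
"""Lint ASA running-config text for the DMZ port-forward mistakes discussed above.
Added example; sample configs are constructed from this page's posted config."""
import re
from typing import List, Tuple

BROKEN_CFG = """\
object network webserver
 host 172.16.0.2
access-list outside_acl extended permit tcp interface outside object webserver eq https
access-list outside_acl extended permit tcp host 172.16.0.2 host 0.0.0.0 eq www
object network webserver
 nat (DMZ,outside) static interface service tcp https https
nat (any,outside) after-auto source dynamic any interface
http server enable
http 192.168.3.0 255.255.255.0 inside
"""

FIXED_CFG = """\
object network webserver
 host 172.16.0.2
object network webserver-80
 host 172.16.0.2
access-list outside_acl extended permit tcp any object webserver eq https
access-list outside_acl extended permit tcp any object webserver eq www
object network webserver
 nat (DMZ,outside) static interface service tcp https https
object network webserver-80
 nat (DMZ,outside) static interface service tcp www www
nat (inside,outside) after-auto source dynamic any interface
nat (DMZ,outside) after-auto source dynamic any interface
access-group outside_acl in interface outside
http server enable 444
http 192.168.3.0 255.255.255.0 inside
"""


def _take_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one ACE address spec: any | host X | object X | interface X | NET MASK."""
    if tokens[0] in ("any", "any4", "any6"):
        return tokens[0], tokens[1:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]   # keyword+arg, or network+mask


def _skip_ports(tokens: List[str]) -> List[str]:
    """Drop an optional port operator (eq/gt/lt/neq X, range X Y) after an address."""
    if tokens and tokens[0] in ("eq", "gt", "lt", "neq"):
        return tokens[2:]
    return tokens[3:] if tokens and tokens[0] == "range" else tokens


def lint_asa(cfg: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means none of the known mistakes."""
    findings: List[Tuple[str, str]] = []
    defined, bound = set(), set()
    asdm_port = None                 # 'http server enable' without a port means 443
    pat_443_on_interface = False
    for ln in (raw.strip() for raw in cfg.splitlines()):
        t = ln.split()
        if not t:
            continue
        if t[0] == "access-list" and len(t) > 5 and t[2] == "extended":
            defined.add(t[1])
            src, rest = _take_addr(t[5:])            # t[3]=permit/deny, t[4]=protocol
            dst, _ = _take_addr(_skip_ports(rest))
            if src.startswith("interface "):
                findings.append(("ACE_SRC_INTERFACE",
                                 f"{t[1]}: source '{src}' is the ASA's own address, not Internet clients"))
            if dst == "host 0.0.0.0":
                findings.append(("ACE_DST_ZERO",
                                 f"{t[1]}: destination '{dst}' never matches; src/dst look swapped"))
        elif t[0] == "access-group":
            bound.add(t[1])
        elif t[:3] == ["http", "server", "enable"]:
            asdm_port = int(t[3]) if len(t) > 3 else 443
        elif t[0] == "nat":
            if t[1].startswith("(any,"):
                findings.append(("NAT_ANY_SRC_IFC",
                                 "manual NAT with source interface 'any' shadows per-interface rules"))
            m = re.search(r"static interface service tcp (\S+) (\S+)", ln)
            if m and m.group(2) in ("https", "443"):
                pat_443_on_interface = True
    for name in sorted(defined - bound):
        findings.append(("ACL_UNBOUND",
                         f"{name}: defined but never applied with access-group; implicit deny wins"))
    if pat_443_on_interface and asdm_port == 443:
        findings.append(("PAT443_ASDM",
                         "static PAT of outside:443 collides with ASDM (http server on 443)"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CFG), ("fixed", FIXED_CFG)):
        print(f"{label}: {len(lint_asa(cfg))} finding(s)")
        for code, msg in lint_asa(cfg):
            print(f"  [{code}] {msg}")
```

Run it against the output of `show running-config` saved to a file and it reports five findings for the broken fragment and none for the fixed one. The ACL_UNBOUND check is the one that explains the packet-tracer output above: "Config: Implicit Rule" together with hitcnt=0 on every ACE is exactly what an unapplied ACL looks like, and no amount of NAT tuning changes it until access-group is added.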