I would like to forward a port from an external host to the internal network on my ASA.
The network and the host are on two different interfaces: the internal network is on the inside interface g0/1 with IP address 192.168.10.0/24, while the external host is on the outside interface g0/7 with IP address 192.168.17.57. For my configuration I am trying to set up port forwarding using port 500.
Using the Windows feature "Internet Information Services", I can connect from the internal subnet to the external host using "192.168.17.57:500", but I cannot do the same from the external host to the internal network.
How can I enable it?
This is my configuration:
interface GigabitEthernet0/0
nameif inside7
security-level 100
ip address 192.168.8.1 255.255.255.0
interface GigabitEthernet0/1
nameif inside1
security-level 100
ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/2
nameif inside2
security-level 100
ip address 192.168.12.1 255.255.255.0
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/7
nameif outside7
security-level 0
ip address 192.168.17.1 255.255.255.0
interface GigabitEthernet0/8
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ftp mode passive
dns server-group DefaultDNS
domain-name copying.com
object network RETE1
range 192.168.10.100 192.168.10.160
object network RETE7
host 192.168.17.1
object network rete1
subnet 192.168.10.0 255.255.255.0
object service PORT
service tcp destination eq 500
object network rete17
host 192.168.17.57
object network RETE17
subnet 192.168.17.0 255.255.255.0
object service HTTP
service tcp destination eq www
object network HOST1
host 192.168.10.102
access-list ACL2 extended permit tcp 192.168.10.0 255.255.255.0 interface outside7 eq 500
access-list ACL extended permit tcp host 192.168.17.57 192.168.10.0 255.255.255.0 eq 500
access-list ACL extended permit tcp host 192.168.17.57 192.168.10.0 255.255.255.0 eq www
access-list ICMP extended permit icmp host 192.168.17.57 192.168.10.0 255.255.255.0
pager lines 23
logging asdm informational
mtu inside7 1500
mtu inside1 1500
mtu inside2 1500
mtu outside7 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside1,outside7) source static RETE1 interface service PORT HTTP
nat (outside7,inside1) source static rete17 interface service PORT HTTP
access-group ACL2 out interface inside1
access-group ACL in interface outside7
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
no service password-recovery
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
auto-import
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
class-map inspection_default
match default-inspection-traffic
class-map ICMP-CLASS
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map ICMP-POLICY
class ICMP-CLASS
inspect icmp
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
service-policy ICMP-POLICY interface outside7
no call-home reporting anonymous
call-home
Posted on 2016-05-27 14:10:08
Andrea
I'm not sure I understood your question correctly.
You say your inside interface g0/1 has the IP address 192.168.10.0/24. OK, that makes sense.
You say your external host is on the outside interface g0/7 with IP address 192.168.17.57. What do you mean by "external host"? Is this router not being used as a gateway (only for routing internal traffic)?
Anyway, the correct way to do the port redirection is as follows.
For the destination host (the host that answers the requests received on TCP port 500) you need to create an object. In the code below, replace Private with the private IP address of the destination host.
object network obj_*Private*
 host *Private*
Then you need to add a NAT statement so that traffic is translated from the private IP address to the public IP address. In the code below, change "inside" to the interface the destination host's private IP address is connected to, "outside" to the interface the source of the service requests is connected to, Public to the public IP address you will use for the host, SPORT to the port the requests will be sent to, and DPORT to the port on which the server will accept the requests.
nat (inside,outside) static *Public* service tcp SPORT DPORT
Your final change could look like this.
object network obj_192.168.10.102
 host 192.168.10.102
 nat (inside,outside) static 192.168.17.57 service tcp 500 500
https://serverfault.com/questions/775258
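As an added check, not part of the question or of Andrea's answer: a small Python model of how the ASA handles an inbound connection against this kind of configuration, object NAT lookup first, then the inbound ACL on the outside interface, which since ASA 8.3 is evaluated against the real (untranslated) address. The sample config is constructed from the answer's object-NAT form with the question's interface names and ACL; the mapped address 192.168.17.1 (the outside7 interface IP) is an assumption.

```python
import ipaddress
import re
# Constructed sample (not the post's own config): the answer's object-NAT form with the
# question's interface names and ACL; mapped address 192.168.17.1 (outside7) is assumed.
SAMPLE_CONFIG = """\
object network obj_192.168.10.102
 host 192.168.10.102
 nat (inside1,outside7) static 192.168.17.1 service tcp 500 500
access-list ACL extended permit tcp host 192.168.17.57 192.168.10.0 255.255.255.0 eq 500
access-group ACL in interface outside7
"""
NAT_RE = re.compile(r"nat \((\S+),(\S+)\) static (\S+) service tcp (\d+) (\d+)")

def _addr(t, i):
    # One ACL address, either "host X" or "NET MASK"; returns (network, next index).
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2

def parse(config):
    # Collect object NATs, extended TCP permit ACEs and access-group bindings.
    nats, acls, groups, real = [], {}, {}, None
    for line in filter(str.strip, config.splitlines()):
        t = line.split()
        if t[:2] == ["object", "network"]:
            real = None                      # new object: forget the previous host
        elif t[0] == "host":
            real = t[1]
        elif t[0] == "nat" and real and (m := NAT_RE.match(line.strip())):
            nats.append({"mapped_if": m[2], "real": real, "mapped": m[3],
                         "real_port": int(m[4]), "mapped_port": int(m[5])})
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "tcp"]:
            src, i = _addr(t, 5)
            dst, i = _addr(t, i)
            port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            acls.setdefault(t[1], []).append((src, dst, port))
        elif t[0] == "access-group":
            groups[(t[4], t[2])] = t[1]      # (interface, direction) -> ACL name
    return nats, acls, groups

def trace_inbound(config, src, dst, dport):
    # Follow a TCP SYN arriving on the mapped interface: NAT lookup, then the ACL.
    nats, acls, groups = parse(config)
    nat = next((n for n in nats if n["mapped"] == dst and n["mapped_port"] == dport), None)
    if nat is None:
        return {"translated": False, "permitted": False}
    # Since ASA 8.3 an inbound interface ACL sees the real (untranslated) destination.
    aces = acls.get(groups.get((nat["mapped_if"], "in")), [])
    ok = any(ipaddress.ip_address(src) in s and ipaddress.ip_address(nat["real"]) in d
             and p in (None, nat["real_port"]) for s, d, p in aces)
    return {"translated": True, "real": nat["real"], "real_port": nat["real_port"], "permitted": ok}
```

Running trace_inbound for 192.168.17.57 -> 192.168.17.1:500 shows the packet translated to 192.168.10.102:500 and permitted, while a source not named in the ACL is translated but dropped, and a port with no NAT rule is never translated at all.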