Help wanted: a few NAT questions on an ASA 5505 running IOS 8.3, thanks.
While configuring the firewall I ran into some questions about NAT; thanks in advance for any help. The VLAN information in red is authoritative.
The ISP provides five public addresses, 119.62.207.22-119.62.207.26, with subnet mask 255.255.255.0 (don't be surprised, that is what the telecom office gave us).
The ISP gateway is 119.62.207.1.
.22 is currently used by another network, .25 is used by a 2821 router for VPN, and .24 is the firewall's outside address. That leaves .23 and .26: I use .23 as the dynamic NAT egress address for outbound translation, and .26 as the public address statically mapped to the internal IP of a separate proxy server.
The problem is this: I created two address pools, one each for .23 and .26, with two corresponding NAT translations. My intent is that the outside IP address is .24 while .23 and .26 are the addresses used after translation. Is that normal, is this configuration correct, and can .24 and .23 be merged into one?
Thanks, sorry to trouble everyone.
The current configuration is as follows:
ciscoasa# show run
: Saved
:
ASA Version 8.3(1)
!
hostname ciscoasa
enable password 9jNfZuG3TC5tCVH0 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif outside
security-level 0
ip address 119.62.207.24 255.255.255.0
!
interface Vlan2
nameif inside
security-level 0
ip address 10.39.253.1 255.255.255.0
!
interface Vlan3
nameif dmz201
security-level 50
ip address 10.39.201.1 255.255.255.0
!
interface Vlan4
nameif dmz200
security-level 40
ip address 10.39.200.1 255.255.255.0
!
interface Vlan5
description FW5505
nameif Management
security-level 100
ip address 10.39.11.118 255.255.255.192
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
shutdown
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
switchport access vlan 4
!
interface Ethernet0/4
switchport access vlan 4
!
interface Ethernet0/5
switchport access vlan 5
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
clock timezone HKST 8
object network inside1
subnet 10.39.0.0 255.255.0.0
object network outside1
host 119.62.207.23
object network static-outside1
host 119.62.207.26
object network static-inside1
host 10.39.201.32
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz201 1500
mtu Management 1500
mtu dmz200 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic inside1 outside1
nat (dmz201,outside) source static static-inside1 static-outside1
route outside 0.0.0.0 0.0.0.0 119.62.207.1 1
route inside 10.39.5.0 255.255.255.0 10.39.253.2 1
route inside 10.39.11.0 255.255.255.0 10.39.253.2 1
route dmz200 10.39.200.32 255.255.255.255 10.39.200.32 1
route dmz201 10.39.201.32 255.255.255.255 10.39.201.32 1
route inside 10.39.253.0 255.255.255.0 10.39.253.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 Management
http 0.0.0.0 0.0.0.0 Management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco123 password ffIRPGpDSOJh9YLq encrypted privilege 15
!
!
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6cc5fdef98661a435e363f094347a1ff
: end
ciscoasa#
It can be consolidated; I'll post the configuration in a bit, I have something to take care of right now.
Also, your nat (inside,outside) source dynamic inside1 outside1 is defined at the global level, right? I haven't tested whether that works; normally it is configured under the object.
qq360870025 wrote on 2013-1-5 20:42:
It can be consolidated; I'll post the configuration in a bit, I have something to take care of right now.
Also, your nat (inside,outside) source dynamic inside1 out ...
Thanks, sorry to trouble you. Sigh... this config has to go out on the 10th; I started configuring it in the GUI and my eyes are nearly crossed.
修理步兵 wrote on 2013-1-5 21:17:
Thanks, sorry to trouble you. Sigh... this config has to go out on the 10th; I started configuring it in the GUI and my eyes are nearly crossed.
If you want to consolidate .24 and .23:
object network inside1
nat (inside,outside) dynamic outside1 interface
Go into object inside1, i.e. the range you are PATing (10.39.0.0/16): it PATs with outside1's address first, and when that is not enough it uses the interface.
The line nat (inside,outside) source dynamic inside1 outside1 can then be removed with no.
Also, you need an ACL to permit the real address behind the static, i.e. permit 10.39.201.32:
access-list static-inside1 permit tcp any host 10.39.201.32 eq xx
access-group static-inside1 in interface outside
I recommend that the ACL match protocols precisely; permit according to your needs, not permit ip any.
qq360870025 wrote on 2013-1-5 22:07:
If you want to consolidate .24 and .23:
object network inside1
nat (inside,outside) dynamic outside1 inter ...
So the interface parameter means use everything available, right? My current config only uses .23; if .23 is not enough, switch to interface, got it. And that mapping later on uses an extended access list, named the same as my object; is that a rule?
修理步兵 wrote on 2013-1-5 22:45:
So the interface parameter means use everything available, right? My current config only uses .23; if .23 is not enough, switch to interface, ...
The interface parameter just means your interface address. The name is arbitrary; it is only so you can tell things apart.
qq360870025 wrote on 2013-1-5 22:07:
If you want to consolidate .24 and .23:
object network inside1
nat (inside,outside) dynamic outside1 inter ...
Also, you need an ACL to permit the real address behind the static, i.e. permit 10.39.201.32:
access-list static-inside1 permit tcp any host 10.39.201.32 eq xx
access-group static-inside1 in interface outside
About the access list: when an external host accesses the DMZ server 10.39.201.32, the packet arriving from the Internet should have destination 119.62.207.26, so shouldn't the ACL's destination be 119.62.207.26 rather than the internal address? When the packet comes from the public network into outside in the in direction, the destination is still the mapped public address .26. Is that right?
Or put that access list on the inside interface in the out direction, with the internal destination 10.39.201.32.
修理步兵 wrote on 2013-1-6 14:45:
Also, you need an ACL to permit the real address behind the static, i.e. permit 10.39.201.32:
access-list static-inside1 perm ...
Before 8.3 it was indeed the translated address, but from 8.3 on NAT no longer affects ACLs; you permit the real address.
Last edited by 修理步兵 on 2013-1-6 17:46
qq360870025 wrote on 2013-1-6 16:08:
Before 8.3 it was indeed the translated address, but from 8.3 on NAT no longer affects ACLs; you permit the real address.
Oh, got it. Also, I need to allow PPTP; how do I open it? I looked through the manual (the 8.3 operations manual and ASDM's built-in help) and it only introduces PPTP without explaining how to actually configure it. Could you tell me? Thanks.
For example, a PC on inside establishes a VPN using PPTP, dialing to the far end; the firewall just needs to not block it. This could be any PC.
Sorry to trouble you, thanks~
I found the way to do it myself: access-list vpn1 permit tcp any any eq 1723
access-list vpn1 permit tcp any any eq 1721
applied to outside in the in direction.
Will this block other traffic?
修理步兵 wrote on 2013-1-6 16:43:
Oh, got it. Also, I need to allow PPTP; how do I open it? I looked through the manual (the 8.3 operations manual and ASDM's built-in help) and it only ...
PPTP uses GRE encapsulation.
Your firewall needs to inspect this application-layer protocol:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect pptp
service-policy global_policy global
Your config has no global policy, so just inspect it with this.
Opening it with an ACL is not very reliable.
qq360870025 wrote on 2013-1-6 19:45:
PPTP uses GRE encapsulation.
Your firewall needs to inspect this application-layer protocol:
class-map inspection_default
There is no ACL or anything on the inside, pure mappings: one dynamic and one static. This afternoon I built a new config in ASDM, following the help manual:
ciscoasa(config-pmap)# exit
ciscoasa(config)# show run
: Saved
:
ASA Version 8.3(1)
!
hostname ciscoasa
enable password 9jNfZuG3TC5tCVH0 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif outside
security-level 0
ip address 119.62.207.24 255.255.255.0
!
interface Vlan2
nameif inside
security-level 0
ip address 10.39.253.1 255.255.255.0
!
interface Vlan3
nameif dmz201
security-level 50
ip address 10.39.201.1 255.255.255.0
!
interface Vlan4
nameif dmz200
security-level 40
ip address 10.39.200.1 255.255.255.0
!
interface Vlan5
description FW5505
nameif Management
security-level 100
ip address 10.39.11.118 255.255.255.192
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
shutdown
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
switchport access vlan 4
!
interface Ethernet0/4
switchport access vlan 4
!
interface Ethernet0/5
switchport access vlan 5
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
clock timezone HKST 8
object network inside1-outside-www
subnet 10.39.0.0 255.255.0.0
description office
object network dmz201-26-www
host 10.39.201.32
description dmz201-32-www
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz201 1500
mtu dmz200 1500
mtu Management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network inside1-outside-www
nat (inside,outside) dynamic interface
object network dmz201-26-www
nat (dmz201,outside) static 119.62.207.26
route outside 0.0.0.0 0.0.0.0 119.62.207.1 1
route inside 10.39.5.0 255.255.255.0 10.39.253.2 1
route inside 10.39.11.0 255.255.255.0 10.39.253.2 1
route dmz200 10.39.200.32 255.255.255.255 10.39.200.32 1
route dmz201 10.39.201.32 255.255.255.255 10.39.201.32 1
route inside 10.39.253.0 255.255.255.0 10.39.253.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 Management
http 0.0.0.0 0.0.0.0 Management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco123 password ffIRPGpDSOJh9YLq encrypted privilege 15
!
class-map inspect1
match default-inspection-traffic
!
!
policy-map global
!
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2f64da3f785fb94c09814a99478c127b
: end
ciscoasa(config)#
Only the PPTP permit is left, and I don't know how to do it. The policy you gave me, a friend also sent me an identical one; I typed it in and got a syntax error, probably a typo on my part. I can't test it for a few days; I have other work tomorrow and the day after. Sorry to trouble you, thanks...
修理步兵 wrote on 2013-1-6 20:51:
There is no ACL or anything on the inside, pure mappings: one dynamic and one static. This afternoon I built a new config in ASDM, following the help manual:
cisc ...
That's right; this is the inspection config from my 8.4:
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Just add an inspect pptp in there.
Looking at your config, you are now only PATing with .24; not consolidating .23?
Also, your ACL still does not permit traffic to 10.39.201.32.
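To pull the pieces of the thread together, here is the consolidated ASA 8.3 configuration as an added example; it is not configuration posted by either participant. It keeps the object names from the first show run and assumes that the DMZ server on 10.39.201.32 only serves HTTP and HTTPS (the thread leaves the port as "xx") and that administrators sit in the Management interface's own 10.39.11.64/26. It also fixes two things the thread does not discuss: in both posted configs inside is at security-level 0, the same as outside, so inside-to-outside traffic would additionally require same-security-traffic permit inter-interface; and http 0.0.0.0 0.0.0.0 Management allows ASDM logins from any source address.

```text
! --- interfaces: make inside the trusted side (it is security-level 0 in the posted configs)
interface Vlan2
 nameif inside
 security-level 100
 ip address 10.39.253.1 255.255.255.0
!
! --- objects, reused from the first show run
object network inside1
 subnet 10.39.0.0 255.255.0.0
object network outside1
 host 119.62.207.23
object network static-outside1
 host 119.62.207.26
object network static-inside1
 host 10.39.201.32
!
! --- drop the manual NAT rules: in 8.3 they live in section 1 and are
!     evaluated before object NAT (section 2), so they would keep matching first
no nat (inside,outside) source dynamic inside1 outside1
no nat (dmz201,outside) source static static-inside1 static-outside1
!
! --- object NAT (section 2)
! merges .23 and .24: translate to .23 first, then to the outside interface (.24)
object network inside1
 nat (inside,outside) dynamic outside1 interface
! static one-to-one mapping for the DMZ server, 119.62.207.26 <-> 10.39.201.32
object network static-inside1
 nat (dmz201,outside) static static-outside1
!
! --- inbound ACL: from 8.3 on, ACLs are written against real (pre-NAT)
!     addresses, so the destination is 10.39.201.32, not 119.62.207.26.
!     The two ports are an assumption; the thread only says "eq xx".
access-list outside_in extended permit tcp any host 10.39.201.32 eq www
access-list outside_in extended permit tcp any host 10.39.201.32 eq https
access-group outside_in in interface outside
!
! --- PPTP from inside clients: inspect the TCP 1723 control channel so the
!     ASA opens and PAT-translates the GRE data channel itself; no ACL entry
!     is needed for tunnels initiated from inside
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect pptp
service-policy global_policy global
!
! --- ASDM/HTTPS management: limit it to the Management interface's /26
!     (assumption: administrators are in 10.39.11.64/26) instead of 0.0.0.0/0
no http 0.0.0.0 0.0.0.0 Management
http 10.39.11.64 255.255.255.192 Management
```

Verify with show nat (per-section hit counts show which rule actually matched) and with packet-tracer input outside tcp 203.0.113.5 40000 119.62.207.26 80, where 203.0.113.5 is a documentation address used here as a test source; the trace should show UN-NAT to 10.39.201.32 followed by the outside_in ACL permitting the flow. The access-list vpn1 permit tcp any any eq 1723 applied inbound on outside that was tried above does not help outbound PPTP: it permits Internet-initiated connections to port 1723 on any statically translated host (here only 10.39.201.32) and does nothing for the GRE packets, which inspect pptp handles.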