schoolclub 发表于 2015-4-21 07:10:36

求助ciscoASA5525-k9 NAT问题

拓扑图如图所示:
核心交换机和ASA采用10.10.10.0/30互联,网关全部设在核心交换机上。目前网络访问互联网是没问题的。就是NAT映射始终不通,请大神指点下谢谢
NAT部分配置:
ciscoasa(config)# object network web
ciscoasa(config-network-object)# host 192.168.1.163
ciscoasa(config-network-object)# nat (inside,outside) static 58.56.155.129
ciscoasa(config-network-object)# nat (inside,outside) static 58.56.155.129 service tcp http http

nat (inside,outside) static 58.56.155.129 dns

ciscoasa(config)# access-list 100 permit tcp any host 192.168.1.163 eq http
ciscoasa(config)# access-group 100 in interface outside
请大神指点下那地方做的不对?万分感谢


schoolclub 发表于 2015-4-21 07:12:59

求大神指点~~~

careline 发表于 2015-4-21 10:38:05

ciscoasa(config)# access-list 100 permit tcp any host 192.168.1.163 eq http
方向明显有问题啊。
object-group network WEB
network-object host 10.8.8.8
network-object host 10.9.9.9
object-group service Port
service-object tcp destination eq www
service-object udp destination eq 8090
service-object tcp destination eq 8000
access-list inside-acl extended permit object-groupPortobject-group Web any

careline 发表于 2015-4-21 10:46:34

你自己定义的OBJECT-GROUP没有调用,建议是针对HOST放行后出口INTERNET。

schoolclub 发表于 2015-4-21 10:55:42

careline 发表于 2015-4-21 10:46
你自己定义的OBJECT-GROUP没有调用,建议是针对HOST放行后出口INTERNET。

你好能贴个案例吗?最近才开始研究ASA~~谢谢

schoolclub 发表于 2015-4-21 10:57:56

careline 发表于 2015-4-21 10:46
你自己定义的OBJECT-GROUP没有调用,建议是针对HOST放行后出口INTERNET。

object network 1.168
host 192.168.1.168
nat (inside,outside) static interface service tcp 88 88
access-list out-to-in extended permit tcp any host 192.168.1.168 eq 88
access-list InAll extended permit ip any any
access-group out-to-in in interface outside
access-group InAll in interface inside
我有重新找了份文档重新写了下 麻烦帮忙给看下谢谢
页: [1]
查看完整版本: 求助ciscoASA5525-k9 NAT问题