I have set up a web server on a separate VLAN, configured an object for the web server that allows traffic on TCP port 80, and set up an access list and an access group. But I cannot reach the server from outside.
I have been searching on Google and looking at answers here, but none of them have let me reach the server.
I have checked that the web server is up and running, and that it is reachable from inside the network using its IP.
Here is the relevant part of the configuration:
!
interface Vlan1
 nameif outside
 security-level 0
 ip address dhcp
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 10.5.1.1 255.255.255.0
!
interface Vlan3
 no forward interface Vlan2
 nameif dmz
 security-level 50
 ip address 10.4.1.1 255.255.255.0
!
dns server-group DefaultDNS
 domain-name mastermind.local
object network dev-server-internal
 host 10.4.1.2
object network inside-net
 subnet 0.0.0.0 0.0.0.0
object network dev-server-external
 host 10.4.1.2
access-list outside_access_in extended permit tcp any host 10.4.1.2 eq www
!
object network dev-server-internal
 nat (inside,dmz) dynamic interface
object network inside-net
 nat (inside,outside) dynamic interface
object network dev-server-external
 nat (dmz,outside) static interface service tcp www www
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.15.166.1 1
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd auto_config outside
!
dhcpd address 10.5.1.2-10.5.1.32 inside
dhcpd enable inside
!
dhcpd address 10.4.1.2-10.4.1.2 dmz
dhcpd enable dmz
!
So the idea is that VLAN "inside" is for ordinary users and VLAN "dmz" is for the web server. Only one server is connected to VLAN "dmz", which is why I only allow DHCP for a single address.
I added the "dev-server-internal" object to let inside users reach the web server directly by its IP (10.4.1.2).
So what can I do to reach the web server from outside?
Here is what show nat gives me after trying to reach the web server from outside:
Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static dev-server-external interface   service tcp www www
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (dmz) source dynamic dev-server-internal interface
    translate_hits = 0, untranslate_hits = 0
3 (any) to (outside) source dynamic inside-net interface
    translate_hits = 1160, untranslate_hits = 149
Edit: output of packet-tracer input outside tcp 1.2.3.4 2501 10.4.1.2 80:
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.4.1.0        255.255.255.0   dmz

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access in interface outside
access-list outside_access extended permit tcp any host 10.4.1.2 eq www
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network dev-server-external
 nat (dmz,outside) static interface service tcp www www
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Edit 2: the relevant part of show interface vlan1:
Interface Vlan1 "outside", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
        MAC address 0007.7dab.c007, MTU 1500
        IP address 94.254.4.141, subnet mask 255.255.254.0
Output of show route:
Gateway of last resort is 10.15.166.1 to network 0.0.0.0

C    10.5.1.0 255.255.255.0 is directly connected, inside
C    10.4.1.0 255.255.255.0 is directly connected, dmz
C    94.254.4.0 255.255.254.0 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 10.15.166.1, outside
Output of packet-tracer input outside tcp 1.2.3.4 2501 94.254.4.141 80:
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network dev-server-external
 nat (dmz,outside) static interface service tcp www www
Additional Information:
NAT divert to egress interface dmz
Untranslate 94.254.4.141/80 to 10.4.1.2/80

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access in interface outside
access-list outside_access extended permit tcp any host 10.4.1.2 eq www
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network dev-server-external
 nat (dmz,outside) static interface service tcp www www
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 356329, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow
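As an added diagnostic aid, not part of the original question or of any Cisco tool, here is a small Python parser for ASA packet-tracer output. It reports which phase dropped the flow and whether a UN-NAT phase matched the destination, which is exactly what separates the trace to 10.4.1.2 (no UN-NAT, dropped at the NAT rpf-check) from the trace to the outside interface address 94.254.4.141 (UN-NAT matched, flow created). The embedded traces are abbreviated, constructed copies of the two traces shown above.

```python
# Added example, not from the original post: parse Cisco ASA "packet-tracer"
# output and report the dropping phase and whether a static NAT (UN-NAT) matched.
import re
# Constructed, abbreviated trace 1: destination is the DMZ host's private 10.4.1.2.
TRACE_TO_PRIVATE_IP = "\n".join([
    "Phase: 1", "Type: ACCESS-LIST", "Subtype:", "Result: ALLOW",
    "Phase: 2", "Type: ROUTE-LOOKUP", "Subtype: input", "Result: ALLOW",
    "Phase: 6", "Type: NAT", "Subtype: rpf-check", "Result: DROP",
    "Config:", "object network dev-server-external",
    " nat (dmz,outside) static interface service tcp www www",
    "Result:", "input-interface: outside", "output-interface: dmz",
    "Action: drop", "Drop-reason: (acl-drop) Flow is denied by configured rule",
])
# Constructed, abbreviated trace 2: destination is the outside address 94.254.4.141.
TRACE_TO_PUBLIC_IP = "\n".join([
    "Phase: 1", "Type: ACCESS-LIST", "Subtype:", "Result: ALLOW",
    "Phase: 2", "Type: UN-NAT", "Subtype: static", "Result: ALLOW",
    "Additional Information:", "Untranslate 94.254.4.141/80 to 10.4.1.2/80",
    "Phase: 6", "Type: NAT", "Subtype: rpf-check", "Result: ALLOW",
    "Result:", "input-interface: outside", "output-interface: dmz", "Action: allow",
])
KEY_VALUE = re.compile(r"^([A-Za-z-]+):\s*(.*)$")  # single-word "Key: value" lines

def parse_packet_tracer(text):
    """Split a trace into per-phase dicts plus the final 'Result:' summary block."""
    phases, verdict, current = [], {}, None
    for raw in text.splitlines():
        m = KEY_VALUE.match(raw.strip())
        if not m:  # config lines, "Additional Information:", etc. are skipped
            continue
        key, value = m.groups()
        if key == "Phase":
            current = {"Phase": int(value)}
            phases.append(current)
        elif key == "Result" and value == "":
            current = verdict  # a bare "Result:" starts the final summary block
        elif current is not None:
            current[key] = value
    return phases, verdict

def summarize(text):
    """Verdict, the dropping phase (if any) and whether a static NAT matched."""
    phases, verdict = parse_packet_tracer(text)
    dropped = next((p for p in phases if p.get("Result") == "DROP"), None)
    return {
        "action": verdict.get("Action"),
        "drop_phase": None if dropped is None else
            (dropped["Phase"], dropped["Type"], dropped.get("Subtype", "")),
        "drop_reason": verdict.get("Drop-reason"),
        "un_nat_matched": any(p.get("Type") == "UN-NAT" for p in phases),
    }
```

Run summarize() over a full pasted trace to get the same fields; a drop at the NAT rpf-check with no preceding UN-NAT phase means the packet's destination never matched the static rule, so the outside side must be tested against the translated (interface) address.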
Putting this in an answer to make the formatting easier. This command may be causing a problem:
object network dev-server-internal
 nat (inside,dmz) dynamic interface
I would go ahead and get rid of that entry and identity NAT your internal network to the DMZ like this:
object network internal-hosts2
 subnet 10.5.1.0 255.255.255.0
 nat (inside,dmz) static 10.5.1.0
Instead of using a static route, do this under vlan 1 so that DHCP updates and sets your default route automatically from DHCP:
interface vlan 1
 no ip address dhcp
 ip address dhcp setroute
Now try capturing packets on the outside interface. Add the ACL in config mode and the capture command in normal exec mode:
access-list test extended permit tcp any interface outside eq www
capture test access-list test interface outside
Then, when you try to hit your website from the internet, do a show capture and see whether any packets are reaching your firewall.
Auto NAT will not make the web server available on the outside interface.
There must be a static NAT rule from the DMZ machine to the outside, possibly for port 80 only if that is what you want.