NAT routing and port forwarding on a Cisco ASA 5505

I have inherited my first Cisco router and can't quite work out how to do NAT port forwarding.

ASA: 8.0(2), ASDM: 6.1(1)

I have a single external IP address (via a bridged modem) and a LAN on the inside. The LAN has a PDC with another connection to the network that provides DHCP/DNS and should not use this connection.

This connection should do very little:

  • Forward all incoming traffic on UDP ports 3000-3002 to the same ports on 10.10.5.30
  • Forward all incoming traffic on TCP port 3005 to the same port on 10.10.5.30
  • Allow return traffic for the same ports and protocols
  • Block everything else.

I think the problem we are running into is that traffic does not come back: when I run a packet trace, the implicit deny on the inside keeps getting flagged.

Also, since I started poking around trying to fix this, whatever implicit security rules were there have now disappeared (oops!). Any ideas on how to fix that?

I am comfortable typing commands at the command line (which may be your answer), and less so with experimenting and investigating (the current situation).

Sanitized conf:

: Saved
:
ASA Version 8.0(2)
!
hostname BLAH-ASA
domain-name BLAH.local
enable password BLAH encrypted
names
name 15.8.15.3 BLAH_ASA_Outside
name 192.168.6.254 vpn_local
name 10.10.5.5 FS1 description BLAH File Server
name 10.10.5.30 W_BASE description W Base Station
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.5.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group global
 ip address pppoe
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd BLAH encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns server-group DefaultDNS
 domain-name BLAH.local
object-group service W_TCP tcp
 description TCP 3005
 port-object eq 3005
object-group service W_UDP udp
 description UDP 3000 - 3002
 port-object eq 3000
 port-object eq 3001
 port-object eq 3002
access-list outside_1_cryptomap extended permit ip 10.10.5.0 255.255.255.0 host vpn_local
access-list outside_access_in extended permit tcp any host BLAH_ASA_Outside eq pptp
access-list outside_access_in remark W UDP Ports 3000 - 3002
access-list outside_access_in extended permit udp any host BLAH_ASA_Outside object-group W_UDP
access-list outside_access_in remark W TCP Port 3005
access-list outside_access_in extended permit tcp any host BLAH_ASA_Outside object-group W_TCP
access-list outside_access_in remark VPN ACL
access-list outside_access_in extended permit ip host vpn_local 10.10.5.0 255.255.255.0
access-list outside_access_in extended permit gre any any
access-list inside_nat0_outbound extended permit ip 10.10.5.0 255.255.255.0 host vpn_local
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface pptp FS1 pptp netmask 255.255.255.255
static (inside,outside) udp interface 3000 W_BASE 3000 netmask 255.255.255.255
static (inside,outside) udp interface 3001 W_BASE 3001 netmask 255.255.255.255
static (inside,outside) udp interface 3002 W_BASE 3002 netmask 255.255.255.255
static (inside,outside) tcp interface 3005 W_BASE 3005 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 165.228.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 132.3.9.254
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.10.5.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group global request dialout pppoe
vpdn group global localname USERNAME
vpdn group global ppp authentication chap
vpdn username USERNAME password *********
dhcpd auto_config outside
!
dhcpd address 10.10.5.3-10.10.5.33 inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
ntp server 8.8.8.8 source outside prefer
username ROOT password PASSWORD encrypted privilege 15
username ROOT2 password PASSWORD encrypted privilege 15
tunnel-group 132.3.9.254 type ipsec-l2l
tunnel-group 132.3.9.254 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:20
: end

The cleanup rule on your inside interface has nothing to do with your problem.

Modern firewalls are stateful, so you do not need to explicitly allow the traffic back to its original source.

What you need to do is allow traffic from any source to your server's NATed IP:

 access-list outside_access_in extended permit udp any host W_BASE object-group W_UDP 

Then do a simple static NAT:

 static (inside,outside) interface W_BASE netmask 255.255.255.255 

Since you are not translating ports, you can keep your NAT very simple and just open the right ports with the ACL.

You can also simplify your service objects, like so:

 object-group service W_Ports
  service-object tcp eq 3005
  service-object udp range 3000 3002

Then use W_Ports instead of W_UDP and W_TCP.

Your ACL would then look like this:

 access-list outside_access_in extended permit object-group W_Ports any host W_BASE
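The four requirements in the question, written out as one ASA 8.0(2) fragment with the checks a practitioner would run afterwards. This is an added example, not the answerer's or the asker's configuration; the `W_Ports` service group follows the answer above, the per-port `static` entries are kept from the asker's posted config rather than replaced by a whole-host static so that the existing PPTP static and the ASA's own VPN ports on the same PPPoE address are not claimed by the forward, and the test source address 203.0.113.10 and the outside address 15.8.15.3 (the asker's sanitized `BLAH_ASA_Outside`) are assumptions used only in the verification commands.

```cisco
! Added example, not from the original post. Only the forwarding for the
! W base station is shown; the PPTP and IPsec parts of the posted config
! are left out.
names
name 10.10.5.30 W_BASE description W Base Station
!
! One mixed-protocol service group instead of separate TCP/UDP groups.
object-group service W_Ports
 service-object tcp eq 3005
 service-object udp range 3000 3002
!
! Per-port statics on the outside (PPPoE) interface address, no port
! translation. More specific statics should sit before any general one.
static (inside,outside) udp interface 3000 W_BASE 3000 netmask 255.255.255.255
static (inside,outside) udp interface 3001 W_BASE 3001 netmask 255.255.255.255
static (inside,outside) udp interface 3002 W_BASE 3002 netmask 255.255.255.255
static (inside,outside) tcp interface 3005 W_BASE 3005 netmask 255.255.255.255
!
! Pre-8.3 ACLs are evaluated against the translated (global) address,
! which here is the outside interface address; `interface outside` avoids
! hard-coding a PPPoE-assigned IP.
access-list outside_access_in remark W base station, TCP 3005 and UDP 3000-3002
access-list outside_access_in extended permit object-group W_Ports any interface outside
! Explicit, logged deny at the end: same effect as the implicit deny, but
! it shows hit counts in `show access-list` and produces syslog entries.
access-list outside_access_in extended deny ip any any log
access-group outside_access_in in interface outside
!
! Verification, run from enable mode (not config mode):
!   packet-tracer input outside udp 203.0.113.10 40000 15.8.15.3 3000
!     -> expected final result ALLOW, with an xlate to 10.10.5.30/3000
!   packet-tracer input outside tcp 203.0.113.10 40000 15.8.15.3 3006
!     -> expected final result DROP at the access-list phase
!   show xlate | include 10.10.5.30
!     -> the four static translations must be listed
!   show conn | include 10.10.5.30
!     -> live connections; if packet-tracer says ALLOW but no connection
!        ever completes, the reply is leaving by another path: check that
!        the host's default gateway is the ASA inside address 10.10.5.2
```

The last check is the one that matters for the symptom in the question. The ASA only sees the inbound half of a flow if the server sends its replies to a different default gateway (the LAN has a second internet connection), so the forward looks correct in `packet-tracer` while the application still fails; no ACL or NAT change on the ASA fixes that.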

Updated version:

access-list outside_access_in extended permit object-group W_UDP any host W_BASE

It turns out my problem was actually that the server at 10.10.5.30 was using the wrong default gateway.

Nothing to do with the ASA 5505.