I have a Cisco ASA (running ASA 8.4) with site-to-site IPsec tunnels to three sites.
These sites have overlapping address ranges, so on my ASA I have set up NAT so that everything can be reached.
I now need to do some port forwarding, but I can't get it working. I need to allow site1 to reach port 4433 on 10.42.0.136 on our internal network.
They see our internal network as 10.84.0.0/24 (the real subnet is 10.42.0.0/23 – should be 23). We see their network as 10.43.1.0/24 (the real subnet is 10.21.70.0/24).
My NAT configuration is as follows:
object network office-real
 subnet 10.42.0.0 255.255.254.0
object network office-nat
 range 10.84.0.10 10.84.0.254
object network site1-real
 subnet 10.21.70.0 255.255.255.0
object network site1-nat
 subnet 10.43.1.0 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network server1
 host 10.42.1.136

access-list outside-access-in extended permit icmp object site1-nat object office-real echo
access-list outside-access-in extended permit icmp object site1-nat object office-real echo-reply
access-list outside-access-in extended permit icmp object site1-nat object office-real source-quench
access-list outside-access-in extended permit icmp object site1-nat object office-real unreachable
access-list outside-access-in extended permit icmp object site1-nat object office-real time-exceeded
! I know this could be made much better, I was just doing it to test! :)
access-list outside-access-in extended permit tcp any any eq 4433
access-list outside-access-in extended deny ip any any log notifications

! This will give our inside network a random address between 10.84.0.10-254, for connections going to 10.43.1.0/24 which are forwarded to 10.21.70.0/24
nat (inside,outside) source dynamic office-real office-nat destination static site1-nat site1-real
!
object network server1
 ! I want 10.84.0.3:4433 to be forwarded to 10.42.1.136
 nat (inside,outside) static 10.84.0.3 service tcp 4433 4433

! attach access-list
access-group outside-access-in in interface outside
I don't understand why this doesn't work :( Anyone have any ideas?
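Before digging into the tunnel itself, a sanity check of the address objects helps: does the static mapped address 10.84.0.3 sit inside the dynamic office-nat pool, is the real server covered by office-real (so the section-1 manual NAT rule applies to its traffic toward site1-nat before object NAT does), and do the mapped pools collide? The script below is an added example, not part of the question or of any Cisco tooling; it parses the `object network` definitions quoted above (constructed inline from that config) with Python's ipaddress module and reports those checks.

```python
import ipaddress

# Constructed copy of the object definitions from the question's config.
ASA_OBJECTS = """
object network office-real
 subnet 10.42.0.0 255.255.254.0
object network office-nat
 range 10.84.0.10 10.84.0.254
object network site1-real
 subnet 10.21.70.0 255.255.255.0
object network site1-nat
 subnet 10.43.1.0 255.255.255.0
object network server1
 host 10.42.1.136
"""

def parse_objects(text):
    """Map each 'object network' name to a list of IPv4Network blocks.
    subnet/host become one network; a range is summarised into CIDR blocks."""
    objs, name = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            name = line.split()[2]
            objs[name] = []
        elif line.startswith("subnet "):
            _, net, mask = line.split()
            objs[name].append(ipaddress.IPv4Network(f"{net}/{mask}"))
        elif line.startswith("host "):
            objs[name].append(ipaddress.IPv4Network(line.split()[1] + "/32"))
        elif line.startswith("range "):
            _, lo, hi = line.split()
            objs[name].extend(ipaddress.summarize_address_range(
                ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)))
    return objs

def contains(objs, name, addr):
    """True if the address falls inside the named object."""
    return any(ipaddress.IPv4Address(addr) in n for n in objs[name])

def overlaps(objs, a, b):
    """True if any block of object a overlaps any block of object b."""
    return any(x.overlaps(y) for x in objs[a] for y in objs[b])

def audit(objs, static_mapped="10.84.0.3", server="server1"):
    """The three membership/overlap checks described in the lead-in."""
    return {
        "static_in_dynamic_pool": contains(objs, "office-nat", static_mapped),
        "server_in_office_real": overlaps(objs, server, "office-real"),
        "nat_pools_collide": overlaps(objs, "office-nat", "site1-nat"),
    }
```

Note that the text asks for 10.42.0.136 while the server1 object is 10.42.1.136; `contains(objs, "server1", "10.42.0.136")` makes that mismatch visible immediately.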