Cisco ASA: SSH port forwarding using a custom port

Cisco ASA 8.4(1), ASDM 6.4

I'm trying to forward SSH connections from the outside to a non-standard port on a server inside my network.

If I want to forward port 2828 on the outside to port 22 on a specific internal IP, what would the command line look like?

Update: providing the configuration. I started with the standard SSH port set up on the outside, since I couldn't get the above to work.

: Saved
:
ASA Version 8.4(1)
!
hostname troll
enable password XXXXXXX encrypted
passwd XXXXXXX encrypted
multicast-routing
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 mac-address 0022.6b6e.4165
 nameif outside
 security-level 0
 ip address dhcp
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
same-security-traffic permit inter-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network outside
 host 10.10.10.0
 description outside
object network vm
object network inside-host-object
 host 192.168.1.100
access-list outside_access_in extended permit tcp any object inside-host-object eq ssh
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
!
object network inside-host-object
 nat (inside,outside) static interface service tcp ssh 2828
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 192.168.1.9-192.168.1.40 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
: end
no asdm history enable

You'd configure this in the network object defined for your internal host. If you already have one, you'll need to make the appropriate modifications to it.

object network inside-host-object
 ! 192.0.2.1 is your internal address for this server..
 host 192.0.2.1
 ! ..and 203.0.113.1 is the external address that you want to use.
 nat (inside,outside) static 203.0.113.1 service tcp 22 2828

You'll also need to make sure the traffic is allowed in the ACL on the outside interface; the ACL permits traffic based on the post-NAT IP and port (so, in this example, the destination is 192.0.2.1, port 22), which is a change from the older ASA behaviour.
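As an added example (not part of the answer above, nor of the asker's config), here is the complete NAT-plus-ACL pair for the forward the question asks about, followed by the ASA commands used to verify it without waiting for an external client. The addresses 192.0.2.1 (internal SSH server), 203.0.113.1 (a spare outside address) and 198.51.100.0/24 (a test client network) are documentation addresses chosen here as assumptions; the commented variant that uses the outside interface address is the form the question's own config uses.

```cisco
! Added example, ASA 8.4 (post-8.3 NAT syntax). Assumed addresses:
!   192.0.2.1      = internal SSH server
!   203.0.113.1    = spare outside address used for the forward
!   198.51.100.0/24 = external network allowed to reach it (placeholder)
!
! 1. Network object for the internal host, with the static PAT attached.
!    Service order is "real port" then "mapped port": 22 inside, 2828 outside.
object network inside-host-object
 host 192.0.2.1
 nat (inside,outside) static 203.0.113.1 service tcp 22 2828
!
!    If the outside interface gets its address via DHCP (as in the question),
!    map to the interface address instead of a dedicated one:
! nat (inside,outside) static interface service tcp 22 2828
!
! 2. Inbound ACL. Since 8.3 the ACL is evaluated against the real (post-NAT)
!    destination, so it must name the internal object and port 22,
!    NOT 203.0.113.1 and 2828. For an SSH forward, restrict the source
!    rather than using "any"; the /24 below is a placeholder.
access-list outside_access_in extended permit tcp 198.51.100.0 255.255.255.0 object inside-host-object eq ssh
access-group outside_access_in in interface outside
!
! 3. Verify: packet-tracer walks a synthetic SYN through UN-NAT, ACL and NAT
!    and reports the phase that drops it (source port 40000 is arbitrary).
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.1 2828
!
!    The UN-NAT phase should show 203.0.113.1/2828 -> 192.0.2.1/22 and the
!    final result should be ALLOW. An ACL written against port 2828 fails
!    at the ACCESS-LIST phase; a missing or misordered NAT rule fails earlier.
show nat detail
show xlate
```

If packet-tracer allows the flow but real clients still time out, check that the outside interface actually holds the address you mapped (`show interface ip brief`) and that a dynamic PAT rule earlier in the NAT table is not shadowing the object NAT (`show nat detail` lists rules in the order they are evaluated).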