Cisco "Public Server" NAT problem

I have been working on an ASA configuration task for a few weeks and testing some configuration options. I set up a web server on the local network and I want to be able to reach it over the WAN on one of the static IPs our ISP gave us.

Info:

    ASA: 8.2
    ASDM: 6.2
    Static block from ISP: xx.152.125.240/29
    Default gateway (static route to): xx.152.125.241
    Ethernet 0/0 (outside) - WAN - xx.152.125.243 255.255.255.248
    Ethernet 0/3 (inside) - LAN - 10.255.170.1 255.255.255.0

Attempts:

I first tried setting up the NAT and ACL rules manually, with no luck. So I deleted those and just used the "Public Server" feature, set up as follows:

    Private Interface: inside
    Private IP Address: 10.255.170.4
    Service: tcp/8080, tcp/http, tcp/https
    Public Interface: outside
    Public IP Address: xx.152.125.244

This created the exact same rules I had set up manually the first time, so I didn't have much confidence in it. To my surprise, I could not reach the server through a browser. All other networking works fine, and internally I can reach the 10.255.170.4 server from a browser on a LAN workstation.

Troubleshooting:

I usually work through ASDM, since I have only just started digging into the CLI reference. However, I dropped into the CLI to run a packet trace:

    packet-tracer input outside tcp 1.2.3.4 8080 xx.152.125.244 8080

    Phase: 1
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow

    Phase: 2
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Config:
    static (inside,outside) xx.152.125.244 10.255.170.4 netmask 255.255.255.255
      nat-control
      match ip inside host 10.255.170.4 outside any
        static translation to xx.152.125.244
        translate_hits = 0, untranslate_hits = 1
    Additional Information:
    NAT divert to egress interface inside
    Untranslate xx.152.125.244/0 to 10.255.170.4/0 using netmask 255.255.255.255

    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group from_wan in interface outside
    access-list from_wan extended permit tcp any host xx.152.125.244 object-group DM_INLINE_TCP_0
    object-group service DM_INLINE_TCP_0 tcp
     port-object eq www
     port-object eq https
     port-object eq 8080
    Additional Information:

    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 5
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 6
    Type: NAT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    static (inside,outside) xx.152.125.244 10.255.170.4 netmask 255.255.255.255
      nat-control
      match ip inside host 10.255.170.4 outside any
        static translation to xx.152.125.244
        translate_hits = 0, untranslate_hits = 1
    Additional Information:

    Phase: 7
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    static (inside,outside) xx.152.125.244 10.255.170.4 netmask 255.255.255.255
      nat-control
      match ip inside host 10.255.170.4 outside any
        static translation to xx.152.125.244
        translate_hits = 0, untranslate_hits = 1
    Additional Information:

    Phase: 8
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:

    Phase: 9
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 350070, packet dispatched to next module

    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: allow

Question:

So, given that the packet is not being dropped, why can't I reach the public IP (xx.152.125.244:8080) through a browser? I feel like I am missing something really simple but can't put my finger on it.

Any assistance greatly appreciated!

Thanks.

Edit: here is the running configuration

    : Saved
    :
    ASA Version 8.2(1)
    !
    names
    name 10.255.170.0 XXXX_net
    name xx.152.125.243 XXXX_wan description WAN
    dns-guard
    !
    interface Ethernet0/0
     description ISP/WAN
     nameif outside
     security-level 0
     ip address XXXX_wan 255.255.255.248
    !
    interface Ethernet0/3
     description LAN
     nameif inside
     security-level 100
     ip address 10.255.170.1 255.255.255.0
    !
    interface Management0/0
     description Management Interface
     shutdown
     nameif MGMT
     security-level 0
     ip address 172.16.1.1 255.255.255.0
     management-only
    !
    boot system disk0:/asa821-k8.bin
    ftp mode passive
    dns domain-lookup outside
    dns domain-lookup MGMT
    dns server-group DefaultDNS
     domain-name XXXX.office
    same-security-traffic permit inter-interface
    object-group protocol DM_INLINE_PROTOCOL_1
     protocol-object ip
     protocol-object udp
     protocol-object tcp
    object-group network bomgar-subnet
    object-group service DM_INLINE_TCP_1 tcp
     port-object eq www
     port-object eq https
    object-group service DM_INLINE_TCP_2 tcp
     port-object eq www
     port-object eq https
    object-group service DM_INLINE_SERVICE_1
     service-object ip
     service-object icmp
     service-object tcp eq www
     service-object tcp eq https
    object-group service DM_INLINE_SERVICE_2
     service-object ip
     service-object icmp
     service-object tcp eq www
     service-object tcp eq https
    object-group service DM_INLINE_TCP_0 tcp
     port-object eq 8080
     port-object eq www
     port-object eq https
    access-list from_lan extended permit ip any any
    access-list from_lan extended permit gre any any
    access-list from_lan extended permit icmp any any
    access-list wan_xmit extended permit ip any any
    access-list from_wan extended permit tcp any host xx.152.125.244 object-group DM_INLINE_TCP_0
    access-list from_wan extended permit icmp any any
    access-list from_wan extended permit udp any any eq isakmp
    access-list from_wan extended permit tcp any any object-group DM_INLINE_TCP_1
    access-list from_wan extended permit object-group DM_INLINE_SERVICE_1 any interface outside inactive
    access-list from_wan extended permit object-group DM_INLINE_SERVICE_2 any xx.152.125.240 255.255.255.248 inactive
    access-list inside_nat0_outbound extended permit ip XXXX_net 255.255.255.0 XXXX_other_net 255.255.255.0
    access-list inside_nat0_outbound extended permit ip XXXX_net 255.255.255.0 10.255.170.240 255.255.255.240
    access-list inside_nat0_outbound extended permit ip any 10.255.170.240 255.255.255.240
    access-list inside_nat0_outbound extended permit ip any 10.255.170.192 255.255.255.192
    access-list inside_nat0_outbound extended permit ip any 10.255.170.208 255.255.255.248
    access-list XXXX-RA_splitTunnelAcl standard permit XXXX_net 255.255.255.0
    access-list outside_nat0_outbound extended permit ip host XXXX_wan XXXX_net 255.255.255.0
    access-list VPN_RA_splitTunnelAcl standard permit XXXX_net 255.255.255.0
    access-list Bomgar extended permit object-group DM_INLINE_PROTOCOL_1 any host 10.255.170.169
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu MGMT 1500
    ip local pool RA-IP-Pool 10.255.170.240-10.255.170.250 mask 255.255.255.0
    ip local pool NEW-POOL 10.255.170.220-10.255.170.230 mask 255.255.255.0
    ip local pool WIN-POOL 10.255.170.210-10.255.170.215 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (outside) 0 access-list outside_nat0_outbound
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 XXXX_net 255.255.255.0
    static (inside,outside) xx.152.125.244 10.255.170.4 netmask 255.255.255.255
    access-group from_wan in interface outside
    access-group wan_xmit out interface outside
    access-group from_lan in interface inside
    route outside 0.0.0.0 0.0.0.0 xx.152.125.241 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authorization command LOCAL
    http server enable
    http XXXX_other_net 255.255.255.0 inside
    http XXXX_net 255.255.255.0 inside
    http 172.16.1.0 255.255.255.0 MGMT
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_SHA
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp nat-traversal 200
    crypto isakmp ipsec-over-tcp port 10000
    telnet timeout 5
    ssh XXXX_net 255.255.255.0 inside
    ssh XXXX_other_net 255.255.255.0 inside
    ssh 172.16.1.0 255.255.255.0 MGMT
    ssh timeout 30
    ssh version 2
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol svc
    [usernames omitted]
    tunnel-group DefaultRAGroup general-attributes
     address-pool RA-IP-Pool
     address-pool NEW-POOL
     address-pool WIN-POOL
    tunnel-group DefaultRAGroup ipsec-attributes
     pre-shared-key *
    tunnel-group DefaultRAGroup ppp-attributes
     no authentication chap
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map global_policy
     class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect pptp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:2a15a897244d95160b7f34f2b8a1c8f6
    : end

After about a week of puzzling over this, I got the ISP involved and found that it was a routing problem on the ISP's side.

Once they were notified and everything was updated, the ASA configuration worked as-is; it is simple and straightforward.
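A check worth running before spending a week on the ASA, added here as an example and not part of the original post: packet-tracer only simulates a packet the ASA already holds, so its "Action: allow" proves the NAT and ACL policy is right, not that the ISP is actually delivering xx.152.125.244 to Ethernet0/0. A capture on the outside interface separates the two cases. The commands are standard ASA 8.x CLI; the capture names wan_in and lan_out, and the assumption that a test client outside the /29 is available to generate the request, are mine. Separately, note that the posted from_wan ACL already admits www/https from any source to the static via DM_INLINE_TCP_0, so the later "permit tcp any any object-group DM_INLINE_TCP_1" line is broader than the published server needs; the last step below shows how it would be removed once the server is confirmed reachable.

```cisco
! Added example (not from the original post). Run from enable mode on the ASA.
!
! Step 1: capture what actually arrives on the outside interface for the
! public address. Nothing here depends on NAT or the ACL; the capture sits
! in front of both.
capture wan_in interface outside match tcp any host xx.152.125.244 eq 8080
!
! Step 2: from a host outside the xx.152.125.240/29 block (assumed), request
! http://xx.152.125.244:8080/ and let it time out, then:
show capture wan_in
!
! Interpretation:
!   - no packets: the request never reached the ASA, so the problem is
!     upstream (ISP routing of the /29 to xx.152.125.243), exactly the case
!     in the post. No ASA change will fix it.
!   - SYNs present, no SYN/ACK back: the ASA or the server is dropping it;
!     look at the inside leg and the connection table next.
!
! Step 3 (only if packets did arrive): confirm the untranslated packet is
! handed to the LAN and that a connection is built.
capture lan_out interface inside match tcp any host 10.255.170.4 eq 8080
show capture lan_out
show conn address 10.255.170.4
show xlate | include xx.152.125.244
!
! Step 4: remove the captures; they are not persistent but do cost memory.
no capture wan_in
no capture lan_out
!
! Step 5 (optional hardening once reachability is confirmed): the static's
! own rule already permits www/https/8080 to xx.152.125.244, so the any-to-any
! www/https line is not needed for the published server. Check nothing else
! relies on it (e.g. remote-access clients) before removing.
configure terminal
no access-list from_wan extended permit tcp any any object-group DM_INLINE_TCP_1
end
```

The reason to capture rather than re-run packet-tracer is that the trace starts inside the box: it can tell you the policy would allow a packet that arrives, but it cannot tell you whether one ever does. An empty wan_in capture while the outside client times out is the signature of an upstream routing fault, which is what the ISP eventually found here.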