I'm trying to NAT an outside address to an inside address that is not local but sits on the remote end of a site-to-site VPN connection. Is this possible? The log says routing failed to locate the next hop for TCP from outside:xxxx/xxx to inside:yyyy/yyyy.
I can connect to the yyyy address just fine, so the VPN is up.
    nat (outside,outside) source static any any destination static web-server-outside web-server-inside service http tomcat-http
    access-list outside_cryptomap extended permit object-group DM_INLINE_SERVICE_1 any object vpn-network
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object-group DM_INLINE_NETWORK_2
    object-group network DM_INLINE_NETWORK_2
     network-object object web-server-inside
     network-object object web-server-outside
    object-group service DM_INLINE_SERVICE_2
     service-object tcp destination eq www
     service-object tcp destination eq https
     service-object object tomcat-http
Result of the command: "packet-tracer input tcp 8.8.8.8 1234 xxxx 80 detailed"
    Phase: 1
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Config:
    nat (outside,outside) source static any any destination static web-server-outside web-server-inside service http tomcat-http
    Additional Information:
    NAT divert to egress interface outside
    Untranslate xxxx/80 to 10.yyy/8080

    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0xadc473e8, priority=111, domain=permit, deny=true
            hits=3395573, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
            input_ifc=outside, output_ifc=outside

    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
Here is the trace after allowing the inside-interface traffic:
Result of the command: "packet-tracer input outside tcp 8.8.8.8 1234 xxxx 80 detailed"

    Phase: 1
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Config:
    nat (outside,outside) source static any any destination static web-server-outside web-server-inside service http tomcat-http
    Additional Information:
    NAT divert to egress interface outside
    Untranslate xxxx/80 to yyyy/8080

    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outside_access_in in interface outside
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object web-server-inside
    object-group service DM_INLINE_SERVICE_2
     service-object object http
     service-object object http-tomcat
     service-object object https
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0xae825a98, priority=13, domain=permit, deny=false
            hits=16, user_data=0xaa5f12c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=yyyy, mask=255.255.255.255, port=8080, dscp=0x0
            input_ifc=outside, output_ifc=any

    Phase: 3
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0xadc4acf0, priority=0, domain=inspect-ip-options, deny=true
            hits=22335785, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
            input_ifc=outside, output_ifc=any

    Phase: 4
    Type: FOVER
    Subtype: standby-update
    Result: ALLOW
    Config:
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0xadc42e48, priority=21, domain=lu, deny=true
            hits=8829, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
            input_ifc=outside, output_ifc=any

    Phase: 5
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0xad421098, priority=13, domain=ipsec-tunnel-flow, deny=true
            hits=22393564, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
            input_ifc=outside, output_ifc=any

    Phase: 6
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (outside,outside) source static any any destination static web-server-outside web-server-inside service http tomcat-http
    Additional Information:
    Static translate 8.8.8.8/1234 to 8.8.8.8/1234
     Forward Flow based lookup yields rule:
     in  id=0xafd6da48, priority=6, domain=nat, deny=false
            hits=26, user_data=0xae843690, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=yyyy, mask=255.255.255.255, port=8080, dscp=0x0
            input_ifc=outside, output_ifc=outside

    Phase: 7
    Type: NAT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    nat (outside,outside) source static any any destination static web-server-outside web-server-inside service http tomcat-http
    Additional Information:
     Forward Flow based lookup yields rule:
     out id=0xae2c6960, priority=6, domain=nat-reverse, deny=false
            hits=26, user_data=0xae835d18, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=yyyy, mask=255.255.255.255, port=8080, dscp=0x0
            input_ifc=outside, output_ifc=outside

    Phase: 8
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
     Reverse Flow based lookup yields rule:
     in  id=0xadc4acf0, priority=0, domain=inspect-ip-options, deny=true
            hits=22335787, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
            input_ifc=outside, output_ifc=any

    Phase: 9
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 23045025, packet dispatched to next module
    Module information for forward flow ...
    snp_fp_tracer_drop
    snp_fp_inspect_ip_options
    snp_fp_tcp_normalizer
    snp_fp_translate
    snp_fp_adjacency
    snp_fp_fragment
    snp_ifc_stat

    Module information for reverse flow ...
    snp_fp_tracer_drop
    snp_fp_inspect_ip_options
    snp_fp_translate
    snp_fp_tcp_normalizer
    snp_fp_adjacency
    snp_fp_fragment
    snp_ifc_stat

    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
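The two traces above differ in exactly the fields a reviewer needs: the first dies in Phase 2 (ACCESS-LIST) on the implicit deny, with input_ifc=outside and output_ifc=outside, while in the second the access-list rule that matches is keyed on the real address yyyy and the real port 8080 (flagged use_real_addr), not on the translated xxxx/80. The script below is an added example, not code from the original post, that parses packet-tracer output into phases and pulls out the final action, the first DROP phase, the rule fields it hit and the UN-NAT translation. The embedded sample traces are constructed from the output in the question, abridged to the relevant phases, with the poster's xxxx/yyyy placeholders kept as they are.

```python
# Added example, not code from the original post: parse Cisco ASA packet-tracer output
# and report which phase dropped the flow and what the matched rule was keyed on. The
# sample traces are constructed from the output in the question (xxxx/yyyy placeholders kept, abridged).
import re

def parse_packet_tracer(text):
    """Return (phases, final action, drop reason); each phase is a dict."""
    phases, cur, section, action, reason = [], None, None, "", ""
    for line in (l.strip() for l in text.splitlines()):
        key, _, val = map(str.strip, line.partition(":"))
        if key == "Phase":
            phases.append(cur := {"number": int(val), "type": "", "result": "", "config": [], "info": []})
            section = None
        elif key == "Action":
            action = val
        elif key == "Drop-reason":
            reason = val
        elif line == "Result:":  # a bare "Result:" opens the final summary block
            cur = None
        elif cur is None:
            continue
        elif key in ("Type", "Result") and val:
            cur[key.lower()] = val
        elif key in ("Config", "Additional Information") and not val:
            section = key
        elif line and section:
            cur["config" if section == "Config" else "info"].append(line)
    return phases, action, reason

def rule_fields(phase):
    """Interfaces, deny flag and the destination the matched rule is keyed on (real addr/port)."""
    f = {"use_real_addr": any("use_real_addr" in l for l in phase["info"])}
    for line in phase["info"]:
        m = re.search(r"dst ip/id=([^,]+), mask=[^,]+, port=(\d+)", line)
        if m:
            f["dst"], f["dst_port"] = m.group(1), m.group(2)
        f.update(re.findall(r"(input_ifc|output_ifc|deny|domain)=([^,\s]+)", line))
    return f

def untranslate(phases):
    """(translated, real) pair from the UN-NAT phase, e.g. ('xxxx/80', '10.yyy/8080')."""
    for p in phases:
        if p["type"] == "UN-NAT":
            m = re.search(r"Untranslate (\S+) to (\S+)", "\n".join(p["info"]))
            if m:
                return m.group(1), m.group(2)
    return None

def diagnose(text):
    """Triage summary: final action, first DROP phase and the rule it hit."""
    phases, action, reason = parse_packet_tracer(text)
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    out = {"action": action, "drop_phase": None, "untranslate": untranslate(phases)}
    if drop:
        out.update(drop_phase=drop["number"], type=drop["type"], reason=reason,
                   config=" ".join(drop["config"]), **rule_fields(drop))
    return out

DROP_TRACE = """\
Phase: 1
Type: UN-NAT
Result: ALLOW
Config:
nat (outside,outside) source static any any destination static web-server-outside web-server-inside service http tomcat-http
Additional Information:
Untranslate xxxx/80 to 10.yyy/8080

Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:
 in  id=0xadc473e8, priority=111, domain=permit, deny=true
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=outside
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

ALLOW_TRACE = """\
Phase: 2
Type: ACCESS-LIST
Result: ALLOW
Config:
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object web-server-inside
Additional Information:
 in  id=0xae825a98, priority=13, domain=permit, deny=false
        hits=16, user_data=0xaa5f12c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        dst ip/id=yyyy, mask=255.255.255.255, port=8080, dscp=0x0
        input_ifc=outside, output_ifc=any
Result:
Action: allow
"""

if __name__ == "__main__":
    print(diagnose(DROP_TRACE), diagnose(ALLOW_TRACE), sep="\n")
```

Paste the full `packet-tracer ... detailed` output from the box in place of the samples; the summary for the first trace reports drop_phase 2, config "Implicit Rule" and outside/outside interfaces, while the fields for the second show the rule keyed on dst yyyy port 8080 with use_real_addr set, which is the cue that the access-list has to reference the real (post-UN-NAT) address and service rather than the translated ones.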