How do I host a server in the DMZ of an ASA?

Tags: network-engineering, cisco, nat
2021-07-10 22:41:42

I have an ASA5525-X running 9.1.2. It has several interfaces, but the ones I am mainly looking at are:

(fake subnets)

  • inside 10.0.0.0/24, security level 100
  • outside 10.0.200.0/24, security level 0
  • DMZ 10.0.100.0/24, security level 50

I have a DNS server in the DMZ, 10.0.100.1, which I can reach from inside without any problem. However, I want it to appear to people on the Internet as 10.0.200.95 (not the real IP in this example). I have what I think is needed to make this work, but when I test it the packets are dropped by the default ACL.

Relevant sections of the configuration:

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.0.200.194 255.255.255.192 
interface GigabitEthernet0/6
 nameif DMZ
 security-level 50
 ip address 10.0.100.254 255.255.255.0 
interface GigabitEthernet0/7
 nameif inside
 security-level 100
 ip address 10.0.0.254 255.255.255.0 

object network DMZ-DNS-Server-1
 host 10.0.100.1

nat (inside,outside-backup) source static Company-MPLS-Network-Group Company-MPLS-Network-Group destination static VPN VPN no-proxy-arp route-lookup
nat (inside,outside) source static Company-MPLS-Network-Group Company-MPLS-Network-Group destination static VPN VPN no-proxy-arp route-lookup
nat (inside,outside) source static Company-MPLS-Network-Group Company-MPLS-Network-Group destination static Site-Site-VPN Site-Site-VPN no-proxy-arp route-lookup
nat (inside,outside-backup) source static Company-MPLS-Network-Group Company-MPLS-Network-Group destination static Site-Site-VPN Site-Site-VPN no-proxy-arp route-lookup
nat (inside,DMZ) source static Company-MPLS-Network-Group Company-MPLS-Network-Group destination static DMZ DMZ no-proxy-arp route-lookup
nat (DMZ,outside) source static DMZ DMZ destination static Site-Site-VPN Site-Site-VPN no-proxy-arp route-lookup
nat (DMZ,outside-backup) source static DMZ DMZ destination static Site-Site-VPN Site-Site-VPN no-proxy-arp route-lookup

object network DMZ-DNS-Server-1
 nat (DMZ,outside) static 10.0.200.195 net-to-net

nat (inside,outside-backup) after-auto source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface
nat (DMZ,outside) after-auto source dynamic any interface
nat (DMZ,outside-backup) after-auto source dynamic any interface


access-list traffic-in-outside extended permit tcp any host 10.0.200.195 eq domain 
access-list traffic-in-outside extended permit udp any host 10.0.200.195 eq domain 
access-group traffic-in-outside in interface outside

Any ideas?

2 Answers

Change your ACL to reference the server's real address (10.0.100.1) instead of the translated address (10.0.200.195). This is another of the 8.3+ changes: ACLs match on the real address.

You will need to set up a static NAT to do this. Since 8.3+ this has changed slightly; in 9 you would need to do this:

object network STATIC_NAT
 host 10.0.100.1
 nat (DMZ,outside) static 10.0.200.95
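Both answers together, as an added example that is not part of the question or either answer: the static object NAT from the second answer, the inbound ACL rewritten to the real DMZ address as the first answer says, and the checks a practitioner would run on the ASA itself before retesting from the Internet. It keeps the interface names and addresses from the question; the mapped address is 10.0.200.195 as in the posted config rather than the 10.0.200.95 in the question text, because .195 lies inside the outside interface's own subnet (10.0.200.192/26), so the ASA can proxy-ARP for it without any upstream route change. The client address 203.0.113.5 and the source port are made up for the test.

```cisco
! Added example; not taken from the question or the answers.
! Assumes the interfaces, addresses and ACL name shown in the question.

! 1. Real host and its one-to-one static translation toward the outside.
!    Mapped address 10.0.200.195 is inside the outside interface's /26,
!    so the ASA answers ARP for it on GigabitEthernet0/0.
object network DMZ-DNS-Server-1
 host 10.0.100.1
 nat (DMZ,outside) static 10.0.200.195

! 2. Since 8.3, inbound traffic is un-translated BEFORE the interface ACL
!    is evaluated, so the ACL must name the real (DMZ) address.
!    Remove the lines that reference the mapped address first, otherwise
!    they simply never match.
no access-list traffic-in-outside extended permit tcp any host 10.0.200.195 eq domain
no access-list traffic-in-outside extended permit udp any host 10.0.200.195 eq domain
access-list traffic-in-outside extended permit udp any host 10.0.100.1 eq domain
access-list traffic-in-outside extended permit tcp any host 10.0.100.1 eq domain
access-group traffic-in-outside in interface outside
! Only port 53 is opened; everything else toward the server stays at the
! implicit deny. The firewall does not stop the server acting as an open
! resolver; recursion has to be restricted on the DNS server itself.

! 3. Verify from the CLI with packet-tracer before touching a client.
!    203.0.113.5 is a documentation address standing in for an Internet
!    resolver client; 53000 is an arbitrary ephemeral source port.
packet-tracer input outside udp 203.0.113.5 53000 10.0.200.195 53 detailed
! Expected (abbreviated): a UN-NAT phase that maps 10.0.200.195 -> 10.0.100.1
! via object DMZ-DNS-Server-1, then an ACCESS-LIST phase matching
! traffic-in-outside, and a final "Action: allow".
! With the ACL still written against 10.0.200.195 the ACCESS-LIST phase
! hits the implicit rule and the result is "Action: drop" with an acl-drop
! reason, which is the symptom described in the question.

! 4. Confirm the translation exists and that the ACL entries accrue hits
!    once real queries arrive.
show nat detail | include 10.0.100.1
show access-list traffic-in-outside
show xlate | include 10.0.100.1
```

Running packet-tracer for TCP as well (`packet-tracer input outside tcp 203.0.113.5 53000 10.0.200.195 53`) covers zone transfers and large responses; the UDP trace alone does not exercise the second ACL entry.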