Can't get port forwarding working on ASA 5505: "Drop-reason: (acl-drop) Flow is denied by configured rule"

network-engineering cisco port-forwarding
2021-07-16 15:48:13

A few months ago I posted this on NE, but for the life of me I couldn't figure out port forwarding on my ASA 5505. I have since started over and am now trying to use the DMZ port, but I've hit a wall again. No matter what I try, the implicit rule blocks the inbound traffic. I have no idea how to get around this. My DMZ network is on port 7 (vlan 12), subnet 172.16.0.0/24, and the web server IP is 172.16.0.2.

Here is my original show run:

MyASA# show running-config 
: Saved
: 
: Serial Number: 
: Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(3) 
!
hostname MyASA
domain-name labz.local
enable password encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 12
!
interface Vlan1
 description labz LAN
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0 
!
interface Vlan2
 description telco-isp 100 Mbps fiber
 nameif outside
 security-level 0
 pppoe client vpdn group labzGroup
 ip address pppoe setroute 
!
interface Vlan12
 description DMZ port
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 172.16.0.1 255.255.255.0 
!             
ftp mode passive
dns server-group DefaultDNS
 domain-name labz.local
same-security-traffic permit inter-interface
object network show
object network dmz-subnet
 subnet 172.16.0.0 255.255.255.0
object network webserver
 host 172.16.0.2
object-group icmp-type PING-both
 description PING echo & echo-reply
 icmp-object echo
 icmp-object echo-reply
access-list outside_acl extended permit tcp interface outside object webserver eq https 
access-list outside_acl extended permit tcp interface outside object webserver eq www 
access-list outside_acl extended permit tcp host 172.16.0.2 host 0.0.0.0 eq www 
access-list outside_acl extended permit tcp host 172.16.0.2 host 0.0.0.0 eq https 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo-reply outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network dmz-subnet
 nat (DMZ,outside) dynamic interface
object network webserver
 nat (DMZ,outside) static interface service tcp https https 
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_acl in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL 
aaa authentication serial console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication enable console LOCAL 
aaa authorization command LOCAL 
aaa authorization exec LOCAL 
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=192.168.3.1,CN=MyASA
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group labzGroup request dialout pppoe
vpdn group labzGroup localname samandrew@telco-isp.net
vpdn group labzGroup ppp authentication chap
vpdn username samandrew@telco-isp.net password ***** store-local

dhcpd dns 1.1.1.1 8.8.8.8
dhcpd domain labz.local
!
dhcpd address 192.168.3.30-192.168.3.90 inside
dhcpd dns 1.1.1.1 8.8.8.8 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
username DrewAdmin password fZC8u8Iqk7W4q1hs encrypted privilege 15
username DrewAdmin attributes
 service-type admin
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
  inspect icmp error 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active   
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f38de6f9c4834dee452b30e10f54a8de
: end
MyASA#  

Here is my first packet-tracer:

MyASA# packet-tracer input outside tcp 8.8.8.8 443 172.16.0.2 443 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   172.16.0.0      255.255.255.0   DMZ

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config: 
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcd2ec2d0, priority=11, domain=permit, deny=true
    hits=32828, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Update (Feb 26): I removed all the ACLs and added the suggested ones, but unfortunately HTTP/HTTPS traffic still isn't getting through. My new show run:

MyASA# show running-config
: Saved
:
: Serial Number: 
: Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(3)
!
hostname MyASA
domain-name Labz.local
enable password encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 12
!
interface Vlan1
 description Labz LAN
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Vlan2
 description Telco-ISP 100 Mbps fiber
 nameif outside
 security-level 0
 pppoe client vpdn group LabzGroup
 ip address pppoe setroute
!
interface Vlan12
 description DMZ port
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 172.16.0.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name Labz.local
same-security-traffic permit inter-interface
object network show
object network dmz-subnet
 subnet 172.16.0.0 255.255.255.0
object network webserver
 host 172.16.0.2
object network webserver-80
 host 172.16.0.2
object-group icmp-type PING-both
 description PING echo & echo-reply
 icmp-object echo
 icmp-object echo-reply
access-list outside_acl extended permit tcp any object webserver eq https
access-list outside_acl extended permit tcp any object webserver eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo-reply outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network dmz-subnet
 nat (DMZ,outside) dynamic interface
object network webserver
 nat (DMZ,outside) static interface service tcp https https
object network webserver-80
 nat (DMZ,outside) static interface service tcp www www
!
nat (any,outside) after-auto source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=192.168.3.1,CN=MyASA
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
 certificate e8fbb45b
    bf03b569 694aeba7 03c36099 8d
  quit
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group LabzGroup request dialout pppoe
vpdn group LabzGroup localname MrCustomer@Telco-ISP.net
vpdn group LabzGroup ppp authentication chap
vpdn username MrCustomer@Telco-ISP.net password ********* store-local

dhcpd dns 1.1.1.1 8.8.8.8
dhcpd domain Labz.local
!
dhcpd address 192.168.3.30-192.168.3.90 inside
dhcpd dns 1.1.1.1 8.8.8.8 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
username AdminMe password encrypted privilege 15
username AdminMe attributes
 service-type admin
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:139e5552c3c8346de7d6b388e72ee8bb
: end
MyASA#

My second packet-tracer attempt:

MyASA# packet-tracer input outside tcp 8.8.8.8 443 172.16.0.2 443 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   172.16.0.0      255.255.255.0   DMZ

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcc34e810, priority=0, domain=nat-per-session, deny=false
        hits=260315, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcd251fe8, priority=0, domain=permit, deny=true
        hits=110764, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

MyASA#

Also, here is my ACL (Feb 26):

MyASA(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_acl; 2 elements; name hash: 0x6b8df462
access-list outside_acl line 1 extended permit tcp any object webserver eq https (hitcnt=0) 0xf582ebb0
  access-list outside_acl line 1 extended permit tcp any host 172.16.0.2 eq https (hitcnt=0) 0xf582ebb0
access-list outside_acl line 2 extended permit tcp any object webserver eq www (hitcnt=0) 0x0e174c0d
  access-list outside_acl line 2 extended permit tcp any host 172.16.0.2 eq www (hitcnt=0) 0x0e174c0d

Update, Feb 27 - here is my third show run:

MyASA(config)# show run
: Saved
:
: Serial Number:
: Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(3)
!
hostname MyASA
domain-name labz.local
enable password lE85y9xDQeSE5Ktl encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 12
!
interface Vlan1
 description labz LAN
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Vlan2
 description Telco-ISP 100 Mbps fiber
 nameif outside
 security-level 0
 pppoe client vpdn group labzGroup
 ip address pppoe setroute
!
interface Vlan12
 description DMZ port
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 172.16.0.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name labz.local
same-security-traffic permit inter-interface
object network show
object network dmz-subnet
 subnet 172.16.0.0 255.255.255.0
object network webserver
 host 172.16.0.2
object network webserver-80
 host 172.16.0.2
object-group icmp-type PING-both
 description PING echo & echo-reply
 icmp-object echo
 icmp-object echo-reply
access-list outside_acl extended permit tcp any object webserver eq https
access-list outside_acl extended permit tcp any object webserver eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any echo-reply outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network webserver
 nat (DMZ,outside) static interface service tcp https https
object network webserver-80
 nat (DMZ,outside) static interface service tcp www www
!
nat (inside,outside) after-auto source dynamic any interface
nat (DMZ,outside) after-auto source dynamic any interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable 444
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=192.168.3.1,CN=MyASA
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
 certificate e8fbb45b
    bf03b569 694aeba7 03c36099 8d
  quit
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group labzGroup request dialout pppoe
vpdn group labzGroup localname fryandrew@Telco-ISP.net
vpdn group labzGroup ppp authentication chap
vpdn username fryandrew@Telco-ISP.net password ***** store-local

dhcpd dns 1.1.1.1 8.8.8.8
dhcpd domain labz.local
!
dhcpd address 192.168.3.30-192.168.3.90 inside
dhcpd dns 1.1.1.1 8.8.8.8 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
username AdminMe password fZC8u8Iqk7W4q1hs encrypted privilege 15
username AdminMe attributes
 service-type admin
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9baa3a68f21c745a705eafb83ad44b86
: end
MyASA(config)#

Here is the updated packet-tracer:

MyASA# packet-tracer input outside tcp 8.8.8.8 80 172.16.0.2 80 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   172.16.0.0      255.255.255.0   DMZ

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcc34e810, priority=0, domain=nat-per-session, deny=false
    hits=379567, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=any, output_ifc=any

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP  
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcd251fe8, priority=0, domain=permit, deny=true
    hits=197361, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Here is my ACL (Feb 27):

MyASA# show access-list 
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_acl; 2 elements; name hash: 0x6b8df462
access-list outside_acl line 1 extended permit tcp any object webserver eq https (hitcnt=0) 0xf582ebb0 
  access-list outside_acl line 1 extended permit tcp any host 172.16.0.2 eq https (hitcnt=0) 0xf582ebb0 
access-list outside_acl line 2 extended permit tcp any object webserver eq www (hitcnt=0) 0x0e174c0d 
  access-list outside_acl line 2 extended permit tcp any host 172.16.0.2 eq www (hitcnt=0) 0x0e174c0d 

Edit - looks like I have a redundant NAT statement/policy...? (this didn't matter in the end)

MyASA# show NAT detail 

Auto NAT Policies (Section 2)
1 (DMZ) to (outside) source static webserver interface   service tcp https https 
    translate_hits = 0, untranslate_hits = 148
    Source - Origin: 172.16.0.2/32, Translated: Current_Pub_IP/32
    Service - Protocol: tcp Real: https Mapped: https 
2 (DMZ) to (outside) source static webserver-80 interface   service tcp www www 
    translate_hits = 0, untranslate_hits = 102
    Source - Origin: 172.16.0.2/32, Translated: Current_Pub_IP/32
    Service - Protocol: tcp Real: www Mapped: www 

Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic any interface  
    translate_hits = 52506, untranslate_hits = 12737
    Source - Origin: 0.0.0.0/0, Translated: Current_Pub_IP/32
2 (DMZ) to (outside) source dynamic any interface  
    translate_hits = 1142, untranslate_hits = 4
    Source - Origin: 0.0.0.0/0, Translated: Current_Pub_IP/32
1 Answer
access-list outside_acl extended permit tcp interface outside object webserver eq https 
access-list outside_acl extended permit tcp interface outside object webserver eq www 
access-list outside_acl extended permit tcp host 172.16.0.2 host 0.0.0.0 eq www 
access-list outside_acl extended permit tcp host 172.16.0.2 host 0.0.0.0 eq https

You need to remove all of these lines above by issuing the following commands:

no access-list outside_acl extended permit tcp interface outside object webserver eq https 
no access-list outside_acl extended permit tcp interface outside object webserver eq www 
no access-list outside_acl extended permit tcp host 172.16.0.2 host 0.0.0.0 eq www 
no access-list outside_acl extended permit tcp host 172.16.0.2 host 0.0.0.0 eq https

They basically do nothing. Your existing rules restrict the source (i.e. people on the Internet) to your IP address (rather than theirs).

If you want to allow traffic from the Internet to your web server, you need to replace the lines you just removed with:

access-list outside_acl extended permit tcp any object webserver eq https

Your current object NAT statement only allows HTTPS (not HTTP), so if you also want to include HTTP we will need a separate statement for it, which can be done like this:

object network webserver-80
 host 172.16.0.2
 nat (DMZ,outside) static interface service tcp www www

Now that you have added a NAT for HTTP, we can add a supporting ACE to allow HTTP by adding:

access-list outside_acl extended permit tcp any object webserver eq www

Edit:

I didn't notice before that you have a redundant global NAT for the DMZ interface, which is hit before your PAT statements and causes them not to be used. Also, since you are using the interface IP and port 443, which is currently bound to the ASA's internal web server for ASDM, you will need to move that to another port so they don't conflict.

Please change the http server's port by issuing:

no http server enable
http server enable 444

Make a note of this non-standard port, because you will need it to reach ASDM if you use it. Instead of just https://192.168.3.1 it will now be https://192.168.3.1:444

Please remove:

object network dmz-subnet
 nat (DMZ,outside) dynamic interface

by issuing:

object network dmz-subnet
 no nat (DMZ,outside) dynamic interface

Also, you have another global NAT set to use the "any" interface, which is not recommended. My suggestion is to change it to restrict it to the only remaining interface without an explicit NAT (the DMZ interface) by issuing:

no nat (any,outside) after-auto source dynamic any interface

nat (DMZ,outside) after-auto source dynamic any interface

Edit (added from the comment discussion):

Also, you have no ACL bound to your outside interface.

Please add:

access-group outside_acl in interface outside
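The answer above identifies four separate configuration problems: ACEs whose source is the ASA's own outside address (or whose destination is host 0.0.0.0) and so never match an Internet client, a static PAT to the interface address on tcp/443 that collides with the ASA's own HTTP server for ASDM, a manual NAT rule with the source interface "any", and an ACL that is defined but never applied with access-group. The following Python lint script is an added example and is not code from the thread or from Cisco; it re-checks those four conditions over a running-config. Both sample configs are constructed for this example: BROKEN bundles the mistakes corrected across the thread, FIXED reflects the answer's corrections. It assumes the ASA default HTTP server port is 443 when `http server enable` carries no port, and it only understands the subset of ACE and NAT syntax that appears in this thread.

```python
import re
from typing import List, Tuple

# Named ports the ASA prints in place of numbers (enough for this thread).
PORT_NAMES = {"www": 80, "http": 80, "https": 443}

ACE_RE = re.compile(r"^access-list (\S+) extended (?:permit|deny) \S+ (.+)$")
HTTP_RE = re.compile(r"^http server enable(?: (\d+))?$")
STATIC_RE = re.compile(r"^nat \(\S+,\S+\) static interface service (tcp|udp) \S+ (\S+)$")
NAT_ANY_RE = re.compile(r"^nat \(any,\S+\) ")


def port_number(token: str) -> int:
    """'https' -> 443, '444' -> 444."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse_addr(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Consume one ACE address spec at tokens[i]; return (kind, value, next_index)."""
    t = tokens[i]
    if t in ("any", "any4", "any6"):
        return "any", t, i + 1
    if t in ("host", "interface", "object", "object-group"):
        return t, tokens[i + 1], i + 2
    return "subnet", f"{t} {tokens[i + 1]}", i + 2  # bare 'A.B.C.D MASK'


def skip_port(tokens: List[str], i: int) -> int:
    """Step over an optional 'eq/gt/lt/neq X' or 'range A B' after an address."""
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt", "neq"):
        return i + 2
    if i < len(tokens) and tokens[i] == "range":
        return i + 3
    return i


def check_ace_sources(config: str) -> List[str]:
    """Flag ACEs that can never match an Internet client (the thread's first ACL)."""
    out = []
    for line in map(str.strip, config.splitlines()):
        m = ACE_RE.match(line)
        if not m:
            continue
        tokens = m.group(2).split()
        src_kind, src_val, i = parse_addr(tokens, 0)
        dst_kind, dst_val, _ = parse_addr(tokens, skip_port(tokens, i))
        if src_kind == "interface":  # 'interface outside' means the ASA's own address
            out.append(f"source 'interface {src_val}' is the ASA's own address, not the Internet: {line}")
        if dst_kind == "host" and dst_val == "0.0.0.0":
            out.append(f"destination host 0.0.0.0 never matches inbound traffic: {line}")
    return out


def check_asdm_port_conflict(config: str) -> List[str]:
    """A static PAT to the interface address on the ASDM port collides with the HTTP server."""
    http_port = None
    for line in map(str.strip, config.splitlines()):
        m = HTTP_RE.match(line)
        if m:
            http_port = int(m.group(1) or 443)  # assumption: 443 is the ASA default
    if http_port is None:
        return []
    out = []
    for line in map(str.strip, config.splitlines()):
        m = STATIC_RE.match(line)
        if m and m.group(1) == "tcp" and port_number(m.group(2)) == http_port:
            out.append(f"static PAT on interface tcp/{http_port} collides with 'http server enable' (ASDM): {line}")
    return out


def check_nat_any(config: str) -> List[str]:
    """Manual NAT rules whose source interface is 'any' (the answer advises against them)."""
    return [f"manual NAT with source interface 'any' is not recommended: {l}"
            for l in map(str.strip, config.splitlines()) if NAT_ANY_RE.match(l)]


def check_acl_bound(config: str, acl: str, ifc: str) -> List[str]:
    """An ACL that exists but is not applied with access-group does nothing."""
    has_acl = re.search(rf"^access-list {re.escape(acl)} ", config, re.M)
    bound = re.search(rf"^access-group {re.escape(acl)} in interface {re.escape(ifc)}$", config, re.M)
    if has_acl and not bound:
        return [f"{acl} is defined but not applied: add 'access-group {acl} in interface {ifc}'"]
    return []


def lint(config: str) -> List[str]:
    return (check_ace_sources(config) + check_asdm_port_conflict(config)
            + check_nat_any(config) + check_acl_bound(config, "outside_acl", "outside"))


# Constructed sample bundling the mistakes corrected across the thread (not a verbatim config).
BROKEN = """\
access-list outside_acl extended permit tcp interface outside object webserver eq https
access-list outside_acl extended permit tcp interface outside object webserver eq www
access-list outside_acl extended permit tcp host 172.16.0.2 host 0.0.0.0 eq www
access-list outside_acl extended permit tcp host 172.16.0.2 host 0.0.0.0 eq https
object network webserver
 nat (DMZ,outside) static interface service tcp https https
nat (any,outside) after-auto source dynamic any interface
http server enable
"""

# Constructed sample reflecting the answer's corrections.
FIXED = """\
access-list outside_acl extended permit tcp any object webserver eq https
access-list outside_acl extended permit tcp any object webserver eq www
object network webserver
 nat (DMZ,outside) static interface service tcp https https
object network webserver-80
 nat (DMZ,outside) static interface service tcp www www
nat (inside,outside) after-auto source dynamic any interface
nat (DMZ,outside) after-auto source dynamic any interface
access-group outside_acl in interface outside
http server enable 444
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"{name}: {len(lint(cfg))} finding(s)", *lint(cfg), sep="\n  ")
```

Run against BROKEN the script reports seven findings (two interface-source ACEs, two host 0.0.0.0 destinations, the tcp/443 collision, the any-interface NAT, and the unbound ACL); against FIXED it reports none. The checks are regex-based and deliberately narrow, so a real audit of an ASA should still end with packet-tracer, as the poster did, rather than relying on static inspection alone.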