Cisco ASA 5510 DMZ 配置问题

网络工程 思科 纳特
2021-07-25 23:35:03

我需要帮助来解决这个问题。我有一个 Cisco ASA 5510,我正在尝试从互联网访问我的网络服务器,但连接不起作用。请在下面找到网络图: 在此处输入图片说明

我应用了这个配置:

interface Ethernet0/0
 nameif dmz
 security-level 50
 ip address 172.16.16.1 255.255.255.0 

object network dmz-subnet
 subnet 172.16.16.0 255.255.255.0
 nat (dmz,outside) dynamic interface

object network webserver
host 172.16.16.2
nat (dmz,outside) static interface service tcp https https

object network dns-server
 host 10.3.7.5

access-list dmz_acl extended permit udp any object dns-server eq domain
access-list dmz_acl extended deny ip any object LanLOCAL
access-list dmz_acl extended permit ip any any
access-group dmz_acl in interface dmz

access-list outside_acl extended permit tcp any object webserver eq https
access-group outside_acl in interface outside

如果我尝试连接,则允许数据包,这是数据包跟踪器的结果:

packet-tracer input outside tcp 192.0.2.123 12345 192.168.1.200 443

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network webserver
 nat (dmz,outside) static interface service tcp https https 
Additional Information:
NAT divert to egress interface dmz
Untranslate 192.168.1.200/443 to 172.16.16.2/443

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_acl in interface outside
access-list outside_acl extended permit tcp any object webserver eq https 
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network webserver
 nat (dmz,outside) static interface service tcp https https 
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 81132, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow

内部网络上的主机可以访问网络服务器。在我的网络服务器上,我可以解析名称并且可以访问互联网。在我的 ISP 路由器上,我创建了这条路由和这条 NAT 规则:

network 172.16.16.0 netmask 255.255.255.0 gateway 192.168.1.200
protocol tcp external ip all external port 443 internal port 443 forward to 192.168.1.200

在完整的 Cisco ASA 配置下方:

Result of the command: "sh run"

: Saved
:
ASA Version 9.1(5) 
!
hostname asa
domain-name NETWORK.local
enable password …………. encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd …………………. encrypted
names
ip local pool PoolTest 192.168.37.1-192.168.37.50 mask 255.255.255.0
!
interface Ethernet0/0
 nameif dmz
 security-level 50
 ip address 172.16.16.1 255.255.255.0 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.3.7.1 255.255.255.0 
!
interface Ethernet0/2
 nameif outside
 security-level 0
 ip address 192.168.1.200 255.255.255.0 
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 no ip address
!
boot system disk0:/asa915-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
 domain-name NETWORK.local
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.0.0.0_8
 subnet 10.0.0.0 255.0.0.0
object network LanLOCAL
 subnet 10.3.7.0 255.255.255.0
object network RemoteLANCust
 subnet 172.31.130.84 255.255.255.252
object network dmz-subnet
 subnet 172.16.16.0 255.255.255.0
object network webserver
 host 172.16.16.2
object network dns-server
 host 10.3.7.5
access-list dmz_acl extended permit udp any object dns-server eq domain 
access-list dmz_acl extended deny ip any object LanLOCAL 
access-list dmz_acl extended permit ip any any 
access-list outside_acl extended permit tcp any object webserver eq https 
access-list outside_cryptomap_2 extended permit ip 10.3.7.0 255.255.255.0 172.31.130.84 255.255.255.252 
pager lines 24
logging enable
logging trap notifications
logging asdm informational
logging host inside 10.3.3.100
mtu inside 1500
mtu outside 1500
mtu management 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static LanLOCAL LanLOCAL destination static RemoteLANCust RemoteLANCust no-proxy-arp route-lookup
!
object network dmz-subnet
 nat (dmz,outside) dynamic interface
object network webserver
 nat (dmz,outside) static interface service tcp https https 
!
nat (inside,outside) after-auto source dynamic LanLOCAL interface
access-group outside_acl in interface outside
access-group dmz_acl in interface dmz
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1 
route inside 10.0.0.0 255.0.0.0 10.3.7.250 1 
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
http server enable
http 10.0.0.0 255.0.0.0 inside
snmp-server host inside x.x.x.x community ***** version 2c
snmp-server location World
snmp-server contact snmp@company.com
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging 20
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set pfs 
crypto map outside_map 3 set peer a.b.c.d 
crypto map outside_map 3 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 3 set security-association lifetime seconds 3600
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 7200
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd option 3 ip 10.3.7.13
dhcpd option 6 ip 10.3.7.5 10.3.3.5
dhcpd option 42 ip 10.3.7.5 10.3.3.5
!
dhcpd address 10.3.7.225-10.3.7.249 inside
dhcpd dns 10.3.7.5 interface inside
dhcpd lease 28800 interface inside
dhcpd domain NETWORK.local interface inside
dhcpd enable inside
!
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.3.7.5 source inside prefer
webvpn
 anyconnect image disk0:/anyconnect-win-3.1.07021-k9.pkg 1
 tunnel-group-list enable
group-policy GroupPolicy_a.b.c.d internal
group-policy GroupPolicy_a.b.c.d attributes
 vpn-tunnel-protocol ikev1 
group-policy GPTestTunnel internal
group-policy GPTestTunnel attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 webvpn
  url-list none
vpn-group-policy GPTestTunnel
tunnel-group a.b.c.d type ipsec-l2l
tunnel-group a.b.c.d general-attributes
 default-group-policy GroupPolicy_a.b.c.d
tunnel-group a.b.c.d ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ce659b6be45d89fb64381df17f7502f7
: end

谁能帮我?

2个回答

在这种情况下(ASA 使用所有私有 IP),您应该尽可能避免执行 NAT。

  1. 通过您的设置,配置看起来不错,数据包跟踪器会告诉您 DMZ Web_Server 的静态 NAT 很好。

    要对此进行测试,请将笔记本电脑/PC 放入 ASA 外部接口和 ISP 路由器内部接口之间的网络 192.168.1.0/24(此处可能需要一个交换机),然后访问 Web_Serverhttps://192.168.1.200或使用telnet 192.168.1.200 443...

    • 如果它有效,您可以再次确认配置一切正常,问题出在 ISP 路由器上。确保 ISP 路由器配置为转发流量(源 IP:任何,源 TCP 端口:任何)在 TCP 端口 443 到 192.168.1.200 的 ISP 路由器外部 IP:193.xxx 在 TCP 端口 443。

    • 如果它不起作用,则问题出在 ASA。这不太可能,因为您的配置看起来不错。

    此设置要求您配置 NAT 两次(在 ASA 和 ISP 路由器上),这意味着当您从公共网络访问 Web_Server 时,流量会进行两次 NAT。

  2. 另一种方法是在 ASA 上根本不进行 NAT。

    正如我之前提到的,您的 ASA 使用所有私有 IP,您可以配置 ISP 路由器来处理所有 NAT(用于内部网络访问 Internet 的 PAT - 正如它所做的那样;以及用于 Web_Server 的静态 NAT)。在这种情况下,ASA 就像一个内部路由器,上面有 ACL 规则(根本没有 NAT 语句)。

    从公网,您可以通过 访问Web_Server https://193.x.x.x,此流量然后直接转发到您的Web_Server 真实IP 地址- 172.16.16.2。

我希望它有帮助,您可以找出问题所在。

您可以尝试更换:

object network dmz-subnet
 subnet 172.16.16.0 255.255.255.0
 nat (dmz,outside) dynamic interface

经过:

nat (dmz,outside) after-auto source dynamic any interface
其它你可能感兴趣的问题
上一篇Cisco 3725:为什么默认网关没有出现在“show ip route”上 下一篇Cisco ASA 站点到站点 VPN,远程 LAN 没有 Internet