最近我安装了一台 Cisco ASA 5512-X，并已成功配置出站流量，从 Exchange 服务器出去的流量一切正常。但是入站流量以及对 OWA 网页门户的访问，我无论如何都无法配置成功。任何帮助都将不胜感激。不确定我在哪里遗漏了放行这些流量所需的正确设置。
: Hardware: ASA5512, 4096 MB RAM, CPU Clarkdale 2792 MHz, 1 CPU (2 cores)
:
ASA Version 9.2(3)4
!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address xxx.xxx.xxx.163 255.255.255.248
!
interface GigabitEthernet0/1
description Inside IP's
nameif Inside
security-level 100
ip address 192.168.0.1 255.255.255.0
ipv6 enable
dhcprelay information trusted
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
description Client WiFi
nameif Client
security-level 0
ip address 172.16.0.1 255.255.255.0
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
dhcprelay information trusted
!
ftp mode passive
dns domain-lookup Outside
dns domain-lookup Inside
dns server-group DefaultDNS
name-server 192.168.0.8
name-server 192.168.0.144
domain-name xxx.xxx.xxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network ClientGateway
host 172.16.0.1
description ClientGateway
object network EmpGateway
host 192.168.0.1
description EmpGateway
object network xxxxx-VPN-IPs
range 192.168.0.235 192.168.0.254
description xxxxx-VPN-IPs
object network obj-172.16.0.0
subnet 172.16.0.0 255.255.255.0
object network obj-192.168.0.0
subnet 192.168.0.0 255.255.255.0
object network Exchange-Int
host 192.168.0.16
access-list outside_access_in extended permit tcp any object Exchange-Int eq https
pager lines 24
logging enable
logging asdm informational
logging recipient-address xxxxxx@xxxxxx.org level critical
mtu Outside 1500
mtu Inside 1500
mtu Client 1500
mtu management 1500
ip verify reverse-path interface Inside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-741.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,Outside) source dynamic ClientGateway interface
nat (any,Outside) source dynamic EmpGateway interface
nat (Client,Outside) source dynamic obj-172.16.0.0 interface
nat (Inside,Outside) source dynamic obj-192.168.0.0 interface
nat (any,Outside) source dynamic any interface
!
object network Exchange-Int
nat (Inside,Outside) static interface service tcp https https
!
nat (management,Outside) after-auto source dynamic any interface
route Outside 0.0.0.0 0.0.0.0 209.50.114.166 1
route Outside 192.168.0.0 255.255.255.0 209.50.114.166 1
route Outside xxx.xxx.xxx.160 255.255.255.248 xxx.xxx.xxx.166 1
route Inside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.164 tunneled
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server xxxx protocol ldap
aaa-server xxxx (Inside) host 192.168.0.8
server-type auto-detect
aaa-server xxxx (Inside) host 192.168.0.9
server-type auto-detect
aaa-server xxxx (Inside) host 192.168.0.15
server-type auto-detect
aaa-server xxxx (Inside) host 192.168.0.16
server-type auto-detect
aaa-server xxxx (Inside) host 192.168.0.17
server-type auto-detect
aaa-server xxxx (Inside) host 192.168.0.130
server-type auto-detect
aaa-server xxxx (Inside) host 192.168.0.144
server-type auto-detect
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Inside_map interface Inside
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ca trustpoint Exchange
enrollment terminal
keypair Exchange
crl configure
crypto ca trustpoint ASDM_TrustPoint0
keypair Exchange
crl configure
crypto ca trustpool policy
crypto ca server
shutdown
keysize 2048
keysize server 2048
smtp from-address xxxxx@xxxxx.org
crypto ca certificate chain ASDM_TrustPoint0
certificate 048dada87796c4
308205ad 30820495 a0030201 02020704 8dada877 96c4300d 06092a86 4886f70d
01010b05 003081b4 310b3009 06035504 06130255 53311030 0e060355 04081307
4172697a 6f6e6131 13301106 03550407 130a5363 6f747473 64616c65 311a3018
06035504 0a131147 6f446164 64792e63 6f6d2c20 496e632e 312d302b 06035504
0b132468 7474703a 2f2f6365 7274732e 676f6461 6464792e 636f6d2f 7265706f
7369746f 72792f31 33303106 03550403 132a476f 20446164 64792053 65637572
65204365 72746966 69636174 65204175 74686f72 69747920 2d204732 301e170d
31343035 32373137 33383134 5a170d31 35303730 37323034 3335365a 30453121
301f0603 55040b13 18446f6d 61696e20 436f6e74 726f6c20 56616c69 64617465
64312030 1e060355 04031317 6d61696c 2e6e6173 6876696c 6c656361 7265732e
6f726730 82012230 0d06092a 864886f7 0d010101 05000382 010f0030 82010a02
82010100 c89353e0 a6e285f2 ae21dbe6 e038bfbd 0a2e6e05 1e157419 b995b5e4
c3c77496 dda2adfe c15c507b 5b11a7bd e20a215b bd7f6d42 f7e6b436 88d82cd6
2a0e0185 06569d86 7456d15b 0b6bec6d 71cd58bb 227a5aa4 7bf7ce0e 6e9fc90e
c04f183c a910b2ba 26be014d 141ea9cd 9ff05b70 86079b62 5bfc2790 24522e35
c3196ba8 86029121 fbba5312 685d4d4d e97f7201 6e7e989d 961bc60c 6a5ac576
186af6ad 2fc7ba6a 431620e0 9ca33681 c9f5bd2f 03659421 bb79d546 7cd805dc
d062f1c1 694ceba4 b725c631 69a1cab9 3f524b8d 8014503b de8b7c20 fdbc08b1
f60fca3b 647054b5 504df86b f9627784 5c847858 b6c18502 04c099ed 9879ca16
50d0a41f 02030100 01a38202 30308202 2c300c06 03551d13 0101ff04 02300030
1d060355 1d250416 30140608 2b060105 05070301 06082b06 01050507 0302300e
0603551d 0f0101ff 04040302 05a03036 0603551d 1f042f30 2d302ba0 29a02786
25687474 703a2f2f 63726c2e 676f6461 6464792e 636f6d2f 67646967 3273312d
36362e63 726c3053 0603551d 20044c30 4a304806 0b608648 0186fd6d 01071701
30393037 06082b06 01050507 0201162b 68747470 3a2f2f63 65727469 66696361
7465732e 676f6461 6464792e 636f6d2f 7265706f 7369746f 72792f30 7606082b
06010505 07010104 6a306830 2406082b 06010505 07300186 18687474 703a2f2f
6f637370 2e676f64 61646479 2e636f6d 2f304006 082b0601 05050730 02863468
7474703a 2f2f6365 72746966 69636174 65732e67 6f646164 64792e63 6f6d2f72
65706f73 69746f72 792f6764 6967322e 63727430 1f060355 1d230418 30168014
40c2bd27 8ecc3483 30a233d7 fb6cb3f0 b42c80ce 3081a706 03551d11 04819f30
819c8217 6d61696c 2e6e6173 6876696c 6c656361 7265732e 6f726782 1b777777
2e6d6169 6c2e6e61 73687669 6c6c6563 61726573 2e6f7267 821f6175 746f6469
quit
crypto ikev1 enable Outside
crypto ikev1 enable Inside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
!
dhcprelay server 192.168.0.144 Inside
dhcprelay enable Outside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
!
service-policy global_policy global
smtp-server 192.168.0.16
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:242a0ffb5b165b6ba5b3e0a5ae2e7d1e
: end
asdm image disk0:/asdm-741.bin
asdm history enable