Can a server on the far end of a site-to-site VPN be exposed (NATed) to a public IP on the ASA?

network-engineering cisco vpn nat
2021-07-31 16:28:12
AWS                                      DataCenter
-----------        site-to-site VPN      ------------
http server   <=======================>  Cisco ASA   public address
10.0.1.59:443                                         109.1.2.27:8443

An AWS VPC (with a web server) is connected to the datacenter over a site-to-site VPN. There is a public address on the outside of the datacenter ASA, and I want to NAT the web server in AWS to that address. This would be easy if the web server were on the LAN behind the DataCenter ASA; I have already done that. Basically I need to keep the server's public address the same but move the server from the datacenter to a branch office that is connected to the datacenter's ASA.

I tried this: nat (outside,outside) source static 10.0.1.59 109.1.2.3 service http http8443 but it does not work.

I did enable same-security traffic.

same-security-traffic permit intra-interface

The ASA is version 9.9(2).

No, I cannot change the public IP, and I cannot move the IP to the branch office.

Thanks in advance,

EDIT: ASA config:


xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain

!
interface GigabitEthernet1/1
 nameif inside
 security-level 100
 ip address 192.168.2.98 255.255.255.0 
!
interface GigabitEthernet1/3
 nameif outside
 security-level 0
 ip address 109.1.2.26 255.255.255.248 
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network company-inside-datacenter
 subnet 192.168.2.0 255.255.255.0

object network webserver
 host 192.168.2.24

object network public-address
 host 109.1.2.27

object service https
 service tcp source eq https 

object service https8443
 service tcp source eq 8443 

object network obj-amzn
 subnet 10.0.0.0 255.255.0.0

object network obj_any
 subnet 0.0.0.0 0.0.0.0

object network webserver-aws
 host 10.0.1.59

object-group network datacenter-etc
 network-object 192.168.2.0 255.255.255.0

access-list nonat extended permit ip any4 192.168.2.0 255.255.255.0 

access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 any4 

access-list outside_access_in extended permit tcp any4 object webserver eq https 

access-list outside_access_in extended permit object https8443 any4 object webserver-aws 

access-list acl-amzn extended permit ip any4 10.0.0.0 255.255.0.0 

access-list inside_access_in_3 extended permit ip any4 any4 

nat (inside,any) source static any any destination static company-inside-datacenter company-inside-datacenter no-proxy-arp route-lookup

nat (inside,outside) source static webserver public-address service https https
nat (outside,outside) source static webserver-aws public-address service https https8443 no-proxy-arp

nat (inside,outside) source static company-inside-datacenter company-inside-datacenter destination static group-remote-aws group-remote-aws no-proxy-arp route-lookup
nat (outside,outside) source static datacenter-etc datacenter-etc destination static obj-amzn obj-amzn no-proxy-arp route-lookup
nat (inside,outside) source static datacenter-etc datacenter-etc destination static obj-amzn obj-amzn no-proxy-arp route-lookup

object network company-inside-datacenter
 nat (outside,outside) dynamic interface

object network obj_any
 nat (inside,outside) dynamic interface

access-group inside_access_in_3 in interface inside
access-group outside_access_in in interface outside
access-group global_access global

route outside 0.0.0.0 0.0.0.0 109.1.2.25 1

sysopt connection tcpmss 1300
service sw-reset-button

crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-AES256-SHA1_TRANS ESP-AES128-SHA1_TRANS ESP-AES256-SHA1

crypto map outside_map 300 match address acl-amzn
crypto map outside_map 300 set pfs 
crypto map outside_map 300 set peer 53.53.53.27 53.53.53.32 
crypto map outside_map 300 set ikev1 transform-set transform-amzn
crypto map outside_map 300 set security-association lifetime seconds 3600
crypto map outside_map 300 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
management-access inside
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 1
dhcprelay timeout 60
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless

group-policy AmznGrpPolicy internal
group-policy AmznGrpPolicy attributes
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol ikev1 
 split-tunnel-all-dns disable

dynamic-access-policy-record DfltAccessPolicy

tunnel-group 53.53.53.27 type ipsec-l2l
tunnel-group 53.53.53.27 general-attributes
 default-group-policy AmznGrpPolicy
tunnel-group 53.53.53.27 ipsec-attributes
 ikev1 pre-shared-key *******************
 isakmp keepalive threshold 10 retry 3
 ikev2 remote-authentication pre-shared-key *******************
 ikev2 local-authentication pre-shared-key *******************

tunnel-group 53.53.53.32 type ipsec-l2l
tunnel-group 53.53.53.32 general-attributes
 default-group-policy AmznGrpPolicy
tunnel-group 53.53.53.32 ipsec-attributes
 ikev1 pre-shared-key *******************
 isakmp keepalive threshold 10 retry 3
 ikev2 remote-authentication pre-shared-key *******************
 ikev2 local-authentication pre-shared-key *******************

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 4096
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
 class class-default
  user-statistics accounting
!
service-policy global_policy global

This is a heavily trimmed/cleaned-up config in which all addresses/names have been changed and many unrelated VPN tunnels removed.

The server currently NATed to the public address is "webserver". The new server that I need to NAT to the same thing is "webserver-aws" (a server inside the AWS VPC, connected to the ASA over the site-to-site VPN). I am trying to set both up at the same time for testing, so the current server is exposed as tcp443 to tcp443, while my test entry tries to expose the new server on tcp8443 for testing.

EDIT 2:

After trying @Ricky's answer both with and without no-proxy-arp, here is my packet-tracer result:

packet-tracer input outside tcp 0.0.0.1 1 109.1.2.27 8443 detailed gave this:


Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 109.1.2.27 using egress ifc  outside

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
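As an added example (not part of the original post or of any Cisco tooling), here is a small Python parser for the packet-tracer output format shown above. It lets you compare runs mechanically, for instance the trace with and without no-proxy-arp, by splitting the output into its "Phase: N" blocks, collecting the final "Result:" summary and extracting the drop-reason code. The embedded sample is the trace quoted above; the function and class names (parse_packet_tracer, summarize, nat_related, Phase, Trace) are my own and assume nothing beyond the text layout visible in the question.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the packet-tracer output quoted in the question
# (outside -> outside, destination 109.1.2.27:8443), embedded so this runs offline.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 109.1.2.27 using egress ifc  outside

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
"""

DROP_RE = re.compile(r"^Drop-reason:\s*\((?P<code>[^)]+)\)\s*(?P<msg>.*)$")


@dataclass
class Phase:
    """One 'Phase: N' block of a packet-tracer run."""
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)  # lines under 'Config:'
    info: List[str] = field(default_factory=list)    # lines under 'Additional Information:'


@dataclass
class Trace:
    """Parsed run: every phase plus the final 'Result:' summary block."""
    phases: List[Phase]
    summary: Dict[str, str]      # input-interface, output-interface, ...
    action: str                  # 'allow' or 'drop'
    drop_code: Optional[str]     # e.g. nat-no-xlate-to-pat-pool
    drop_message: Optional[str]


def parse_packet_tracer(text: str) -> Trace:
    phases: List[Phase] = []
    summary: Dict[str, str] = {}
    action = ""
    drop_code: Optional[str] = None
    drop_message: Optional[str] = None
    current: Optional[Phase] = None
    section: Optional[str] = None  # 'config' or 'info' while inside a phase
    in_summary = False

    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("Phase:"):
            current = Phase(number=int(line.split(":", 1)[1]))
            phases.append(current)
            section = None
            continue
        # A bare 'Result:' opens the final summary block; inside a phase the
        # same keyword carries a value, e.g. 'Result: ALLOW'.
        if line == "Result:":
            in_summary = True
            current = None
            continue
        if in_summary:
            m = DROP_RE.match(line)
            if m:
                drop_code, drop_message = m.group("code"), m.group("msg")
            elif line.startswith("Action:"):
                action = line.split(":", 1)[1].strip()
            else:
                key, _, value = line.partition(":")
                summary[key.strip()] = value.strip()
            continue
        if current is None:
            continue  # anything before the first phase (e.g. the echoed command)
        if line.startswith("Type:"):
            current.type = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            current.subtype = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            current.result = line.split(":", 1)[1].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return Trace(phases, summary, action, drop_code, drop_message)


def summarize(trace: Trace) -> str:
    """One-line verdict: how far the packet got and why it was dropped."""
    last = trace.phases[-1] if trace.phases else None
    where = f"after phase {last.number} ({last.type})" if last else "before any phase"
    if trace.action == "drop":
        return f"drop {where}: {trace.drop_code}"
    return (f"{trace.action} {where}: {trace.summary.get('input-interface')} "
            f"-> {trace.summary.get('output-interface')}")


def nat_related(trace: Trace) -> bool:
    """True when the drop comes from the NAT engine (drop codes prefixed 'nat-')."""
    return trace.action == "drop" and (trace.drop_code or "").startswith("nat-")


if __name__ == "__main__":
    print(summarize(parse_packet_tracer(SAMPLE_TRACE)))
```

Paste the output of each packet-tracer run into the parser and diff the summaries: a drop with a "nat-" code at phase 1 means no xlate matched the packet before it got anywhere, which is a different failure from an ACL deny in a later phase.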

1 Answer
object network obj-SERVER
 host <SERVER>
!
object network obj_any
 subnet 0.0.0.0 0.0.0.0
!
object service dest-tcp-REAL
 service tcp destination eq <REAL> 
object service dest-tcp-MAPPED
 service tcp destination eq <MAPPED> 
!
nat (outside,inside) source static obj_any interface destination static interface obj-SERVER service dest-tcp-MAPPED dest-tcp-REAL unidirectional no-proxy-arp

This maps the outside interface address to the inside server and changes the source to the inside interface so that the traffic returns through the same firewall. If the outside IP is not the firewall's interface, you will need an additional host object in place of the first "interface" (the source). Inside routing should handle it from there, but it may take something crazy. (I also have "nat 0" rules, but my VPN setup isn't a normal one.)

This worked for me to map a serial console port over a backup link that would otherwise not be the return path for that traffic.

[ASA 9.1(7)32]