asa5520 ASA 8.4 nat问题 dynamic 的时候，端口nat无效

zxl97121

ASA 8.4 (2)
因为之前的nat无效,
把nat (inside,outside) source dynamic nat_lan interface
改为object network nat_lan
nat (inside,outside) static interface
NAT的端口映射正常了,但发现在外网不能PING 通outside 接口IP，SSH 也不能连上去

在用nat (inside,outside) source dynamic nat_lan interface
在外网能ping通outside 接口IP，ssh也能连上，但NAT的端口不能连接


请问是哪里问题，如何修改，谢谢！

zhurx

NAT改变之后，你有没有 clear xlate, 然后再测试。

zhurx

最后将主要相关配置贴出来，描述下inside and outside 端口。

nat (inside,outside) source dynamic nat_lan interface     (动态NAT)
*******************************************************************************
object network nat_lan
nat (inside,outside) dynamic .......  (动态NAT)

心_、

ACL的原因，在外网的入口上加条ACL试试。
access-list 110 ex permit ip any any
access-group 110 in interface outside

doudoupig

太棒了，感谢楼主

phil

Thanks for your information.

schoolclub

rainbbwind

请问楼主现在好了么？我现在也是这样的情况，分享一下可以吗？

rainbbwind

楼上的大神能指教一下么？我的配置是：这种配置下，我映射的file-server就是无法远程。
ASA Version 8.4(2)

!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address *.*.*.* 255.255.255.252
!
interface GigabitEthernet0/1
nameif inside-10
security-level 100
ip address 172.16.10.254 255.255.255.0
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2.1
vlan 20      
nameif inside-20
security-level 100
ip address 172.16.20.254 255.255.255.0
!
interface GigabitEthernet0/2.2
vlan 30
nameif inside-30
security-level 100
ip address 172.16.30.254 255.255.255.0
!
interface GigabitEthernet0/2.3
vlan 40
nameif inside-40
security-level 100
ip address 172.16.40.254 255.255.255.0
!
interface GigabitEthernet0/2.4
vlan 50
nameif inside-50
security-level 100
ip address 172.16.50.254 255.255.255.0
!
interface GigabitEthernet0/2.5
vlan 60      
nameif inside-60
security-level 100
ip address 172.16.60.254 255.255.255.0
!
interface GigabitEthernet0/3
nameif inside
security-level 100
ip address 192.168.10.254 255.255.255.0
!
interface Management0/0
nameif management
security-level 0
ip address 192.168.200.254 255.255.255.0
management-only
!
boot system disk0:/asa842-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network net-192-168-10
subnet 192.168.10.0 255.255.255.0
object network net-172-16
subnet 172.16.0.0 255.255.0.0
object network file-server
host 172.16.10.12
object service tcp-34123
service tcp destination eq 34123
object-group network net-all
network-object object net-192-168-10
network-object object net-172-16
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host 172.16.10.12 eq 3389

pager lines 24
logging enable
logging buffered informational
mtu outside 1500
mtu inside-10 1500
mtu inside-20 1500
mtu inside-30 1500
mtu inside-40 1500
mtu inside-50 1500
mtu inside-60 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (any,outside) source dynamic net-all interface
!
object network file-server
nat (inside-10,outside) static interface service tcp 3389 34123
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect pptp
!
service-policy global_policy global
: end