[Help] ASA 5505 firewall server mapping not working, version 8.2(5)

Posted 2017-6-14 16:24:27
A customer needed a server mapping done today. I typed in the usual configuration and found it doesn't work, and I really can't figure out the cause, so I'm asking the experts on Honghu for help.
The configuration is as follows:
SUZ-ASA5505# show run
: Saved
:
ASA Version 8.2(5)
!
hostname SUZ-ASA5505
enable password fs.FtZ1Zobv1d3Py encrypted
passwd fs.FtZ1Zobv1d3Py encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
switchport access vlan 4
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 58.210.31.182 255.255.255.252
!
interface Vlan3
nameif inside1
security-level 0
ip address 192.168.20.1 255.255.255.0
!
interface Vlan4
nameif outside1
security-level 0
ip address 192.168.50.1 255.255.255.0
!
ftp mode passive
dns domain-lookup inside
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list 100 extended permit icmp any any
access-list 100 extended permit tcp any host 58.210.31.182 eq 3389
access-list 100 extended permit tcp any host 28.210.31.182 eq 2800
access-list no-nat extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list no-nat extended permit ip 192.168.20.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list vpnclient_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list ipsec extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list acl_out extended permit icmp any any
access-list acl-out extended permit tcp any any
access-list acl-out extended permit tcp any host 58.210.31.182 eq 2800
access-list acl-in extended permit ip any any
access-list acl-in extended permit tcp any any
access-list acl-in extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu inside1 1500
mtu outside1 1500
ip local pool vpnpool 192.168.10.100-192.168.10.150 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.0.7 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 13389 192.168.0.6 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 2800 192.168.0.5 2800 netmask 255.255.255.255
static (outside,inside) tcp 192.168.0.5 2800 58.210.31.182 2800 netmask 255.255.255.255
access-group acl-in in interface inside
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 58.210.31.181 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set vpn esp-des esp-md5-hmac
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside-dyn-map 20 set transform-set vpnset
crypto dynamic-map outside-dyn-map 20 set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map ipsec 1 match address outside_cryptomap
crypto map ipsec 1 set peer 183.47.48.66
crypto map ipsec 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 vpn
crypto map ipsec 10 match address ipsec
crypto map ipsec 10 set peer 113.108.124.5
crypto map ipsec 10 set transform-set vpn
crypto map ipsec 20 ipsec-isakmp dynamic outside-dyn-map
crypto map ipsec interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 2
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 10
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable inside
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy vpnclient internal
group-policy vpnclient attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnclient_splitTunnelAcl
username vpn4 password aA5OVTtVifKTIKq3 encrypted
username vpn5 password xlMccBoMO.TA1qDD encrypted
username vpn2 password GLZo7yhyLS2COC/7 encrypted
username vpn3 password hTSOodgTloxpqxx. encrypted
username vpn1 password Qr9Uo2I.DinqQ9V/ encrypted
username haojun password CudBVrRke2lvvOKJ encrypted
username cisco password q45XJA9WXB.fRrlt encrypted
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
address-pool vpnpool
default-group-policy vpnclient
tunnel-group vpnclient ipsec-attributes
pre-shared-key *****
tunnel-group 113.108.124.5 type ipsec-l2l
tunnel-group 113.108.124.5 general-attributes
default-group-policy vpnclient
tunnel-group 113.108.124.5 ipsec-attributes
pre-shared-key *****
tunnel-group haojun type remote-access
tunnel-group haojun general-attributes
address-pool vpnpool
default-group-policy vpnclient
tunnel-group haojun ipsec-attributes
pre-shared-key *****
tunnel-group 183.47.48.66 type ipsec-l2l
tunnel-group 183.47.48.66 ipsec-attributes
pre-shared-key *****
tunnel-group lmax-oa type remote-access
tunnel-group lmax-oa general-attributes
address-pool vpnpool
default-group-policy vpnclient
tunnel-group lmax-oa ipsec-attributes
pre-shared-key *****
tunnel-group ssl type remote-access
tunnel-group ssl general-attributes
address-pool vpnpool
tunnel-group ssl webvpn-attributes
group-alias test enable
!
class-map in
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9b9e0386f544b954f059391da7de123a
: end
SUZ-ASA5505#


Best answer
Posted 2017-6-14 16:24:28
I tested the following commands over the internet, and the TCP sessions can be established, so there is no problem there.
telnet  58.210.31.182 3389
telnet  58.210.31.182 13389

This command is wrong; remove it ("no" it out).
static (outside,inside) tcp 192.168.0.5 2800 58.210.31.182 2800 netmask 255.255.255.255
Original poster | Posted 2017-6-14 16:29:24
Original poster | Posted 2017-6-14 16:32:14
Original poster | Posted 2017-6-15 13:01:22
Original poster | Posted 2017-6-16 20:43:44
This post was last edited by boss1sw on 2017-6-16 20:49
zhurx posted on 2017-6-16 13:53:
I tested the following commands over the internet, and the TCP sessions can be established, so there is no problem there.
telnet  58.210.31.182 3389 ...

Thanks, but in the end it still didn't work. Yesterday the customer said the server suddenly had problems, that its address was being taken over by the firewall, and had me delete all the NAT again.
PS: I added that last line because I saw someone online say that on version 8.2 server NAT has to be permitted in both directions, so I gave it a try.
Posted 2017-6-19 11:09:46
The standard one-to-one static NAT configuration for Cisco ASA 5500 version 8.2...
static (real_interface,mapped_interface) mapped_IP real_IP netmask X.X.X.X
If there is an ACL on outside, you only need to add a permit for the mapped IP.
static (real_interface,mapped_interface) {mapped_ip | interface} real_ip [netmask mask][dns]
hostname(config)# static (inside,outside) 209.165.201.12 10.1.1.3 netmask 255.255.255.255

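An added audit script, not from this thread, that applies the rules in the reply above to an excerpt of the config in the first post (constructed inline; the outside address 58.210.31.182 is taken from that config). It flags ACLs that are defined but bound to no interface, statics whose real side is the outside interface (the line the accepted answer says to remove), inbound port mappings whose mapped-side ACL does not permit the port, and permits aimed at a host that no static maps.

```python
import re
# Constructed excerpt of the ASA 8.2(5) "show run" in the first post: only the NAT and ACL lines the audit reads.
CONFIG = """\
access-list 100 extended permit tcp any host 58.210.31.182 eq 3389
access-list 100 extended permit tcp any host 28.210.31.182 eq 2800
access-list acl_out extended permit icmp any any
access-list acl-out extended permit tcp any any
access-list acl-out extended permit tcp any host 58.210.31.182 eq 2800
static (inside,outside) tcp interface 3389 192.168.0.7 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 2800 192.168.0.5 2800 netmask 255.255.255.255
static (outside,inside) tcp 192.168.0.5 2800 58.210.31.182 2800 netmask 255.255.255.255
access-group acl_out in interface outside
"""
OUTSIDE_IP = "58.210.31.182"  # "ip address" of interface Vlan2 (nameif outside) in that config
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\d+) (\S+) (\d+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def audit(config, outside_ip):
    acls, bound, statics = {}, {}, []  # ACL name -> rules, interface -> bound ACL, static tuples
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            statics.append(m.groups())
        elif m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((m[2], m[3]))
        elif m := GROUP_RE.match(line):
            bound[m[2]] = m[1]
    out = []
    for name in acls:  # an ACL that no access-group binds filters nothing (often a name typo)
        if name not in bound.values():
            out.append(f"ACL {name} is defined but applied to no interface")
    mapped_ips = set()
    for real_if, mapped_if, mapped, mport, real, rport in statics:
        mapped_ips.add(mapped_ip := outside_ip if mapped == "interface" else mapped)
        if real_if == "outside":  # reversed static; the ASA will also proxy-ARP for the mapped address on inside
            out.append(f"static ({real_if},{mapped_if}) for {real}:{rport} is direction-reversed")
            continue
        rules = acls.get(bound.get(mapped_if, ""), [])  # only the ACL actually bound on the mapped side counts
        ok = any(p == "tcp" and r in ("any any", f"any host {mapped_ip} eq {mport}")
                 for p, r in rules)
        if not ok:
            out.append(f"{mapped_if} ACL does not permit tcp/{mport} to {mapped_ip} (-> {real}:{rport})")
    for name, rules in acls.items():  # a permit aimed at a host that no static maps is wasted (or a typo)
        for p, r in rules:
            if (m := re.match(r"any host (\S+) eq", r)) and m[1] not in mapped_ips:
                out.append(f"ACL {name} permits host {m[1]}, which no static maps")
    return out

if __name__ == "__main__":
    print("\n".join(audit(CONFIG, OUTSIDE_IP)))
```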