Cisco ASA 5520: cannot access an external IP from the internal network

I have an internal network of 192.168.0.x, and I have a server NAT'd to one of our external IP addresses. I can't figure out how I need to change the configuration of this thing to make it work. I'm also not very good with ASDM. Any suggestions would be greatly appreciated.

Thanks

Here is my configuration:

    hostname xxx
    domain-name xxxx.local
    enable password xxxxx encrypted
    passwd xxxxx encrypted
    names
    name 192.168.10.0 A-192.168.10.0 description SSL_ANYWHERE_DHCP_POOL
    name 192.168.32.0 A-192.168.32.0 description Anaheim
    name 192.168.0.25 BAMServer description BelManage Server
    name 192.168.0.1 Cisco-ASDM description Cisco Firewall
    name 192.168.0.4 DC description Primary Domain Controller
    name 192.168.0.10 Intranet-Server description Internal Intranet and Forum
    name 192.168.0.20 xxxxx description SQL Cognos Server
    name 192.168.0.16 xxxxx description Outside Platinum
    name 192.168.0.47 Printer-xxxx-Office description Is this still needed
    name 192.168.0.2 WebServer description Web Server
    name 192.168.0.213 xxxx-PC description Regina Salmon
    name 192.168.0.21 xxxx description Nasdrive1
    name 192.168.0.185 xxxx description Linux Webserver
    dns-guard
    !
    interface GigabitEthernet0/0
     nameif Outside
     security-level 0
     ip address 209.192.2.61 255.255.255.248
    !
    interface GigabitEthernet0/0.2
     vlan 2
     nameif Secondary
     security-level 0
     ip address 66.0.128.222 255.255.255.240
    !
    interface GigabitEthernet0/1
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/3
     nameif Internal
     security-level 100
     ip address Cisco-ASDM 255.255.255.0
    !
    interface Management0/0
     nameif management
     security-level 100
     ip address 192.168.3.1 255.255.255.0
     management-only
    !
    boot system disk0:/asa804-k8.bin
    boot system disk0:/asa724-k8.bin
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns domain-lookup Outside
    dns domain-lookup Internal
    dns server-group DefaultDNS
     name-server 207.230.75.34
     name-server DC
     name-server 4.2.2.2
     domain-name acthsv.local
    same-security-traffic permit inter-interface
    object-group service Webserver01
     service-object tcp eq domain
     service-object tcp eq ftp
     service-object tcp eq www
     service-object tcp eq pop3
     service-object tcp eq smtp
     service-object udp eq domain
     service-object icmp
    object-group service APC-FORUM
     service-object icmp
     service-object tcp eq domain
     service-object tcp eq ftp
     service-object tcp eq www
     service-object tcp eq pop3
     service-object tcp eq smtp
     service-object udp eq domain
    object-group service xxxx-HSV
     service-object tcp eq www
     service-object tcp eq telnet
     service-object tcp source eq 3389 eq 3389
    object-group service SQL
     service-object tcp eq www
     service-object udp eq www
    object-group service DM_INLINE_SERVICE_1
     service-object icmp
     group-object SQL
    object-group service DM_INLINE_SERVICE_2
     group-object APC-FORUM
     service-object tcp eq 3389
     service-object icmp
    object-group service DM_INLINE_SERVICE_3
     service-object icmp
     service-object tcp eq 3389
     group-object APC-FORUM
    object-group service DM_INLINE_SERVICE_4
     group-object APC-FORUM
     service-object tcp eq 3389
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    object-group service smb tcp-udp
     description smb
     port-object eq domain
     port-object eq 137
     port-object eq 138
     port-object eq 139
     port-object eq 445
     port-object eq 135
     port-object eq 136
    object-group service DM_INLINE_SERVICE_5
     service-object tcp eq imap4
     service-object tcp eq netbios-ssn
     service-object udp eq netbios-dgm
     service-object udp eq netbios-ns
     service-object ip
    object-group service DM_INLINE_SERVICE_6
     service-object tcp eq netbios-ssn
     service-object udp eq netbios-dgm
     service-object udp eq netbios-ns
    object-group service DM_INLINE_SERVICE_7
     service-object tcp-udp eq www
     service-object tcp eq ftp
     service-object tcp eq ftp-data
     service-object tcp eq https
     service-object tcp eq smtp
     service-object tcp eq ssh
     service-object tcp eq telnet
    object-group service DM_INLINE_SERVICE_8
     service-object tcp-udp eq www
     service-object tcp eq ftp
     service-object tcp eq ftp-data
     service-object tcp eq https
     service-object tcp eq smtp
     service-object tcp eq ssh
     service-object tcp eq telnet
     group-object Webserver01
    object-group service DM_INLINE_SERVICE_10
     service-object tcp-udp eq www
     service-object tcp eq https
    object-group service DM_INLINE_SERVICE_9
     service-object tcp-udp eq www
     service-object tcp eq https
     service-object udp eq www
     group-object APC-FORUM
    object-group service DM_INLINE_SERVICE_0
     service-object tcp-udp eq www
     service-object tcp eq https
     group-object APC-FORUM
    access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_0 any host 66.0.128.214
    access-list Outside_access_in extended permit object-group Webserver01 any host 209.192.2.58
    access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any host 209.192.2.59 inactive
    access-list Outside_access_in extended permit object-group Liaison-HSV any host 209.192.2.60
    access-list Outside_access_in extended permit object-group Webserver01 any host 209.192.2.62
    access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any host 66.0.128.210 inactive
    access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 66.0.128.211
    access-list Outside_access_in extended permit tcp any host 66.0.128.212 eq 3389 inactive
    access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any host 66.0.128.213
    access-list Outside_access_in extended permit ip any host 66.0.128.220
    access-list Outside_access_in extended permit ip any any
    access-list Outside_access_in extended permit icmp 192.168.0.0 255.255.255.0 host 66.0.128.213
    access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any host 209.192.2.62
    access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_8 any host xxxxx
    access-list Outside_access_in extended permit object-group TCPUDP any host nasdrive object-group smb
    access-list Outside_access_in extended permit object-group TCPUDP any host 66.0.128.215 object-group smb
    access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_10 host 66.0.128.214 192.168.0.0 255.255.255.0
    access-list Internal_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 A-192.168.10.0 255.255.255.0
    access-list Internal_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 A-192.168.32.0 255.255.255.0
    access-list Internal_nat0_outbound extended permit ip host Cisco-ASDM host 64.206.230.230
    access-list Outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 A-192.168.32.0 255.255.255.0
    access-list Internal_access_in extended permit icmp any host 66.0.128.213
    access-list Internal_access_in extended permit ip any any
    access-list Internal_access_in extended permit icmp any any
    access-list Internal_access_in extended permit icmp 192.168.0.0 255.255.255.0 host 66.0.128.213
    access-list Internal_access_in extended permit object-group DM_INLINE_SERVICE_6 any host 209.192.2.62
    access-list Internal_access_in extended permit object-group DM_INLINE_SERVICE_7 any host LinuxWebserver
    access-list Internal_access_in extended permit object-group TCPUDP any host nasdrive object-group smb
    access-list Internal_access_in extended permit object-group TCPUDP any host 66.0.128.215 object-group smb
    access-list Internal_access_in extended permit object-group DM_INLINE_SERVICE_9 192.168.0.0 255.255.255.0 host 66.0.128.214
    access-list split-tunnel standard permit host Cisco-ASDM
    access-list split-tunnel standard permit 192.168.0.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    logging ftp-server 192.168.0.13 \\backups acthsv\administrator ****
    mtu Outside 1500
    mtu Secondary 1500
    mtu Internal 1500
    mtu management 1500
    ip local pool SSL_CLIENTLESS 192.168.11.1-192.168.11.25 mask 255.255.0.0
    ip local pool SSL-ANYWHERE 192.168.10.1-192.168.10.25 mask 255.255.0.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    no asdm history enable
    arp timeout 14400
    global (Outside) 10 interface
    global (Internal) 1 172.16.1.5 netmask 255.0.0.0
    nat (Internal) 0 access-list Internal_nat0_outbound
    nat (Internal) 10 0.0.0.0 0.0.0.0
    nat (management) 0 0.0.0.0 0.0.0.0
    static (Internal,Outside) 66.0.128.213 xxxx-PC netmask 255.255.255.255
    static (Internal,Secondary) 66.0.128.220 xxxx netmask 255.255.255.255
    static (Internal,Outside) 209.192.2.58 xxxxx netmask 255.255.255.255
    static (Internal,Secondary) 66.0.128.210 Intranet-Server netmask 255.255.255.255
    static (Internal,Outside) 209.192.2.60 Printer-xxxxx-Office netmask 255.255.255.255
    static (Internal,Outside) 66.0.128.215 xxxxx netmask 255.255.255.255
    static (Internal,Outside) 66.0.128.212 xxxxx netmask 255.255.255.255
    static (Internal,Outside) 66.0.128.211 xxxxx netmask 255.255.255.255
    static (Internal,Outside) 209.192.2.59 Intranet-Server netmask 255.255.255.255
    static (Internal,Outside) 66.0.128.214 xxxxx netmask 255.255.255.255 dns
    access-group Outside_access_in in interface Outside
    access-group Internal_access_in in interface Internal
    route Outside 0.0.0.0 0.0.0.0 209.192.2.57 10
    route Outside 0.0.0.0 0.0.0.0 66.0.128.209 20
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server ASA protocol radius
     accounting-mode simultaneous
     max-failed-attempts 5
    aaa-server ASA (Internal) host DC
     timeout 5
     key linex
    aaa-server ASA (Internal) host 192.168.0.13
     key linex
    aaa-server ASA (Internal) host xxxx
     key 12345
    aaa local authentication attempts max-fail 16
    http server enable
    http 64.206.230.0 255.255.255.0 Outside
    http 192.168.1.0 255.255.255.0 management
    http 192.168.0.0 255.255.255.0 Internal
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
    crypto map Outside2_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map Outside_map 1 match address Outside_1_cryptomap
    crypto map Outside_map 1 set pfs group1
    crypto map Outside_map 1 set connection-type answer-only
    crypto map Outside_map 1 set peer 64.206.230.230
    crypto map Outside_map 1 set transform-set ESP-3DES-SHA
    crypto map Outside_map 1 set security-association lifetime seconds 28800
    crypto map Outside_map 1 set security-association lifetime kilobytes 4608000
    crypto map Outside_map 1 set phase1-mode aggressive
    crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map Outside_map interface Outside
    crypto ca trustpoint ASDM_TrustPoint0
     enrollment self
     subject-name CN=LXHSV
     keypair sslvpnkeypair
     crl configure
    crypto ca certificate chain ASDM_TrustPoint0
     certificate 436fe04c
        308201c3 3082012c a0030201 02020443 6fe04c30 0d06092a 864886f7 0d010104
        05003026 310e300c 06035504 0313054c 58485356 31143012 06092a86 4886f70d
        01090216 054c5848 5356301e 170d3130 31313134 32333232 34335a17 0d323031
        31313132 33323234 335a3026 310e300c 06035504 0313054c 58485356 31143012
        06092a86 4886f70d 01090216 054c5848 53563081 9f300d06 092a8648 86f70d01
        01010500 03818d00 30818902 818100be 29a7a6bf 34b85354 47cfbce4 dd5502ae
        8a165e8e 12a032b5 c65b66e4 2beb54c8 cf93b5a9 74e76b53 c76264d9 8480bc29
        2d2a3b04 2c24bc45 6141446f d58e0850 ebd9d374 15949267 c6103f41 c2f7df4c
        4202b93d 9733080a 912655d6 e54b40a5 39e468b7 c9b7e432 3ce571cb b7d1b755
        a63182df a60d2610 16a6b934 0d036b02 03010001 300d0609 2a864886 f70d0101
        04050003 8181001e 6992eee9 c671e5d9 a773aa5c 89f44803 3526fa96 57d3d608
        c8ce4855 69a96e55 68129b6e 14bdd3ca eeb015e2 2d892253 629d5d86 107658e9
        3e40e057 729ce0bb f541bac8 7d62945c aeb5630a e3e3ea61 702ad41d f5bf8183
        a4f14ac8 489cc63c 5b1ae590 93a749e5 9ba24ad0 c96de73a b9c4feee 05f72db7
        3bd95a41 84a1dc
      quit
    crypto isakmp enable Outside
    crypto isakmp policy 5
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet 64.206.230.0 255.255.255.0 Outside
    telnet 192.168.0.0 255.255.255.0 Internal
    telnet timeout 5
    ssh 192.168.0.81 255.255.255.255 Internal
    ssh timeout 5
    console timeout 0
    dhcpd dns DC 207.230.75.34
    dhcpd domain acthsv.local
    dhcpd option 3 ip Cisco-ASDM
    dhcpd option 6 ip Cisco-ASDM
    !
    dhcpd address 192.168.0.50-192.168.0.150 Internal
    dhcpd dns 207.230.75.34 DC interface Internal
    dhcpd wins DC interface Internal
    !
    dhcpd address 192.168.3.2-192.168.3.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp authenticate
    ntp server 64.90.182.55 prefer
    webvpn
     enable Outside
     svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
     svc enable
     tunnel-group-list enable
    group-policy SSL_CLIENTLESS_GP internal
    group-policy SSL_CLIENTLESS_GP attributes
     wins-server value 192.168.0.4
     dns-server value 192.168.0.4 192.168.0.13
     vpn-access-hours none
     vpn-simultaneous-logins 20
     vpn-idle-timeout none
     vpn-session-timeout none
     vpn-filter none
     vpn-tunnel-protocol IPSec svc webvpn
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list none
     default-domain value ACTHSV.local
     msie-proxy method no-proxy
     vlan none
     nac-settings none
     address-pools value SSL_CLIENTLESS
     client-firewall none
     webvpn
      svc ask enable default webvpn timeout 90
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol svc webvpn
    group-policy timg internal
    group-policy timg attributes
     vpn-tunnel-protocol svc webvpn
     webvpn
      url-list value Tim
    group-policy ANYCONNECT internal
    group-policy ANYCONNECT attributes
     dns-server value 192.168.0.4
     vpn-tunnel-protocol IPSec svc webvpn
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split-tunnel
     default-domain value acthsv.local
     msie-proxy method no-modify
     webvpn
      svc keep-installer installed
      svc rekey time 30
      svc rekey method ssl
      svc ask none default svc
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns migrated_dns_map_1
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns migrated_dns_map_1
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ipsec-pass-thru
      inspect pptp
      inspect icmp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:7a70c57cd9f49151c1d993268c11f2ba
    : end

If the server sits in the same subnet as what you call the internal network (192.168.0.0/24), then:

  • On ASA versions later than 8.3:

Not possible. Because of the NAT hairpinning issue, older versions of the Cisco ASA software do not support this feature.

  • On ASA versions earlier than 8.3:

It can be configured with the following settings:

    ! Hairpin (same-interface) NAT: internal hosts reach the server via its public address
    object network internal
     range 192.168.0.1 192.168.0.254
    object network external
     host [IP address of your WAN interface]
    object network server-internal
     host [server internal IP address]
    object network server-external
     host [server external (NATted) IP address]
    ! Source and destination interface are the same; no space is allowed after the comma
    nat (internal,internal) source static internal external destination static server-external server-internal

You can check your ASA software version with the show version command.

Hope this helps. If not, please provide more details about the IP addresses you are using, the configuration output, and so on.
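Before touching the NAT rules it is worth auditing the posted configuration for what a hairpin actually needs and for what else it exposes. The script below is an added example, not code from the question or the answer: it parses pre-8.3 `static (real_if,mapped_if) mapped real netmask ...` lines, reports every Internal-to-Outside mapping that has no same-interface counterpart (the hosts inside clients cannot reach by public address), checks for `same-security-traffic permit intra-interface` (which Cisco's documentation requires for traffic that enters and leaves the same interface; the posted config only has `permit inter-interface`), and flags `permit ip any any` entries such as the one in `Outside_access_in` above, which makes the rest of that ACL moot. For each missing hairpin it emits the 8.3+ twice-NAT form documented by Cisco, `nat (inside,inside) source dynamic <lan> interface destination static <mapped> <real>`, which differs from the answer's `source static` variant. The interface name `Internal` is taken from the posted config; the sample config, object names and the 203.0.113.x addresses are constructed for the example.

```python
"""Audit an ASA config dump for hairpin-NAT gaps and open ACL entries.

Added example, not code from the original question or answer. Input is the
pre-8.3 'static (real_if,mapped_if) mapped real netmask ...' syntax; output is
the 8.3+ 'nat (if,if) source dynamic ... destination static ...' form.
Sample data and object names below are constructed for the example.
"""
import re
from dataclasses import dataclass

# Pre-8.3 one-to-one static NAT: static (real_if,mapped_if) mapped real netmask mask
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+) netmask (?P<mask>\S+)"
)
# A fully open ACE; on an outside-facing ACL it overrides every narrower entry
ANY_ANY_RE = re.compile(r"^access-list (?P<name>\S+) extended permit ip any any$")

# Constructed sample: one mapping already hairpinned, one not, and an open ACE
SAMPLE_CONFIG = """\
same-security-traffic permit inter-interface
access-list Outside_access_in extended permit ip any any
static (Internal,Outside) 203.0.113.10 192.168.0.2 netmask 255.255.255.255
static (Internal,Outside) 203.0.113.11 192.168.0.25 netmask 255.255.255.255
static (Internal,Internal) 203.0.113.11 192.168.0.25 netmask 255.255.255.255
"""


@dataclass(frozen=True)
class StaticNat:
    real_if: str
    mapped_if: str
    mapped: str  # translated (public) address
    real: str    # real (inside) address


def parse_static_nat(config: str) -> list[StaticNat]:
    """Collect every pre-8.3 static NAT entry in the dump."""
    entries = []
    for raw in config.splitlines():
        m = STATIC_RE.match(raw.strip())
        if m:
            entries.append(StaticNat(m["real_if"].strip(), m["mapped_if"].strip(),
                                     m["mapped"], m["real"]))
    return entries


def missing_hairpins(statics: list[StaticNat], inside_if: str = "Internal") -> list[StaticNat]:
    """Inside hosts published on another interface with no (inside,inside) twin."""
    hairpinned = {(s.mapped, s.real) for s in statics
                  if s.real_if == inside_if and s.mapped_if == inside_if}
    return [s for s in statics
            if s.real_if == inside_if and s.mapped_if != inside_if
            and (s.mapped, s.real) not in hairpinned]


def permissive_acls(config: str) -> list[str]:
    """Names of ACLs that contain 'permit ip any any'."""
    return [m["name"] for m in (ANY_ANY_RE.match(l.strip()) for l in config.splitlines()) if m]


def allows_intra_interface(config: str) -> bool:
    """True if traffic may enter and leave the same interface (needed for hairpinning)."""
    return any(l.strip() == "same-security-traffic permit intra-interface"
               for l in config.splitlines())


def hairpin_commands(entry: StaticNat, inside_if: str = "Internal",
                     inside_subnet: str = "192.168.0.0",
                     inside_mask: str = "255.255.255.0") -> list[str]:
    """8.3+ twice-NAT lines that let inside clients reach entry.real via entry.mapped.
    Object names are constructed for the example."""
    lan = f"LAN-{inside_subnet}"
    real = f"SRV-REAL-{entry.real}"
    mapped = f"SRV-MAPPED-{entry.mapped}"
    return [
        "same-security-traffic permit intra-interface",
        f"object network {lan}",
        f" subnet {inside_subnet} {inside_mask}",
        f"object network {real}",
        f" host {entry.real}",
        f"object network {mapped}",
        f" host {entry.mapped}",
        # Source is PAT'd to the inside interface address so the server replies
        # through the firewall instead of directly to the client
        f"nat ({inside_if},{inside_if}) source dynamic {lan} interface "
        f"destination static {mapped} {real}",
    ]


def audit(config: str) -> dict:
    """Summarise the hairpin gaps and exposure findings for a config dump."""
    need = missing_hairpins(parse_static_nat(config))
    return {
        "missing_hairpins": need,
        "intra_interface_enabled": allows_intra_interface(config),
        "permissive_acls": permissive_acls(config),
        "commands": [line for e in need for line in hairpin_commands(e)],
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    print("intra-interface enabled:", report["intra_interface_enabled"])
    print("ACLs with permit ip any any:", report["permissive_acls"])
    for e in report["missing_hairpins"]:
        print(f"no hairpin for {e.mapped} -> {e.real}")
    print("\n".join(report["commands"]))
```

Run it against a saved `show running-config` to get the candidate list; the `permit ip any any` finding deserves attention before any NAT change, because with it in place the per-host entries in `Outside_access_in` are never the deciding rule.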