Ops Tech - Network - Cisco ASA: accessing the outside (public) address from the internal network
Problem
After a Cisco firewall maps a host on inside or dmz to a public address on the outside interface, hosts on inside or dmz cannot reach that host through the outside (public) address.
On the older PIX firewalls this is solved with alias;
on the ASA (ASA 5500 and ASA 5500-X series) it is done with twice NAT.
Note: the configuration commands for ASA 8.3 and later differ from those for ASA 8.2 and earlier.
- ASA 8.3 and later
Twice NAT object configuration:
# prerequisite for any hairpin: allow traffic to enter and leave the same interface
same-security-traffic permit intra-interface
# network objects (not service objects) hold the public address and the DMZ server's real address
object network twiceNAT-outside-ip-obj
 host 123.123.123.123
object network twiceNAT-dmz-ip-obj
 host 192.168.1.123
Twice NAT for a single port:
object service twiceNAT-tcp-443
 service tcp destination eq https
nat (DMZ,DMZ) source static any interface destination static twiceNAT-outside-ip-obj twiceNAT-dmz-ip-obj service twiceNAT-tcp-443 twiceNAT-tcp-443
# Explanation:
# Any host in the DMZ (any) can reach port 443 (twiceNAT-tcp-443) of the DMZ server (twiceNAT-dmz-ip-obj) through the public address (twiceNAT-outside-ip-obj)
# (any) can be replaced by a defined object to limit which sources get the hairpin
-------------------------------------
Twice NAT for the whole object (all ports):
# no service clause: every protocol and port sent to the public address is translated
nat (DMZ,DMZ) source static any interface destination static twiceNAT-outside-ip-obj twiceNAT-dmz-ip-obj
# Explanation:
# Any host in the DMZ (any) can reach the DMZ server (twiceNAT-dmz-ip-obj) through the public address (twiceNAT-outside-ip-obj)
# (any) can be replaced by a defined object
# Note:
# A NAT rule covering the whole object triggers a warning on the ASA
# It reminds you that, once the rule is applied, all traffic from the DMZ to the destination address (twiceNAT-outside-ip-obj) is translated to (twiceNAT-dmz-ip-obj),
# so other services exposed on the outside interface address may become unreachable from the DMZ
# If that is acceptable, the warning can be ignored
NOTE: After this NAT is applied in the ASA you will receive a warning message as the following:
WARNING: All traffic destined to the IP address of the outside interface is being redirected.
WARNING: Users may not be able to access any service enabled on the outside interface.
Verification with packet-tracer and packet captures:
# the capture definitions are not in the original note; they are assumed here so that the show commands below have something to display
ASA# capture capin interface DMZ match tcp host 192.168.1.100 host 123.123.123.123
ASA# capture capout interface DMZ match tcp host 192.168.1.100 host 192.168.1.123
# trace a DMZ client (192.168.1.100) connecting to the public address on 443; the input interface must be the one the (DMZ,DMZ) rule is bound to
ASA# packet-tracer input DMZ tcp 192.168.1.100 443 123.123.123.123 443
ASA# show cap
ASA# show cap capin
ASA# show cap capout
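To check the trace result without reading it by hand, here is an added Python example (not from the original note or from Cisco) that parses packet-tracer output and confirms both the UN-NAT phase and the hairpin verdict. The object names and addresses come from the rule above; the sample output is constructed and its exact layout is an assumption based on ASA 9.x.

```python
import re

# Constructed sample of ASA packet-tracer output for the (DMZ,DMZ) rule above,
# trimmed to the phases that matter for the hairpin check (layout assumed).
SAMPLE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (DMZ,DMZ) source static any interface destination static twiceNAT-outside-ip-obj twiceNAT-dmz-ip-obj service twiceNAT-tcp-443 twiceNAT-tcp-443
Additional Information:
NAT divert to egress interface DMZ
Untranslate 123.123.123.123/443 to 192.168.1.123/443

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow
"""

UNTRANSLATE = re.compile(r"^Untranslate (\S+)/(\d+) to (\S+)/(\d+)", re.M)
FIELD = re.compile(r"^(input-interface|output-interface|Action): (\S+)", re.M)

def parse_packet_tracer(text):
    """Pull the UN-NAT result and the final verdict out of packet-tracer output."""
    info = {"untranslate": None, "input-interface": None,
            "output-interface": None, "Action": None}
    m = UNTRANSLATE.search(text)
    if m:
        info["untranslate"] = (m.group(1), int(m.group(2)),
                               m.group(3), int(m.group(4)))
    for key, value in FIELD.findall(text):
        info[key] = value
    return info

def hairpin_ok(text, public_ip, server_ip, port, interface):
    """True only if public_ip:port was un-NATed to server_ip:port and the packet
    was allowed back out of the interface it came in on (the hairpin)."""
    i = parse_packet_tracer(text)
    return (i["untranslate"] == (public_ip, port, server_ip, port)
            and i["input-interface"] == i["output-interface"] == interface
            and i["Action"] == "allow")
```

Feed it the real `packet-tracer` output instead of SAMPLE; a False result means either the rule was not hit on that interface or the packet was dropped later in the trace.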
- ASA 8.2 and earlier (different syntax)
access-list IN-OUT-INTERFACE extended permit ip host 10.1.1.100 host 123.123.123.123
static (dmz,dmz) interface access-list IN-OUT-INTERFACE
access-list OUT-IN-INTERFACE extended permit ip host 10.1.1.6 host 10.1.1.1
static (dmz,dmz) 123.123.123.123 access-list OUT-IN-INTERFACE
# Explanation:
# Outside public address 123.123.123.123 ------ dmz test server 10.1.1.6
# 10.1.1.100 on the internal network can reach the dmz test server 10.1.1.6 through 123.123.123.123
# 10.1.1.1 is the gateway; the first static translates the client's source address to it so that the test server's replies are forced back to the ASA, avoiding forwarding errors caused by asymmetric routing
-------------------------------------------------------------------------------------
# Method two: a single-port static between dmz and dmz
static (dmz,dmz) tcp 123.123.123.123 https 10.1.1.6 https netmask 255.255.255.255
- Cisco PIX
static (dmz,outside) tcp 123.123.123.123 https 10.1.1.100 https netmask 255.255.255.255 0 0
alias (dmz) 10.1.1.100 123.123.123.123 255.255.255.255
# Users in the dmz can reach the dmz host 10.1.1.100 through the outside public IP 123.123.123.123
Official reference documents:
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/213531-how-to-allow-lan-communication-between-h.html
https://www.cisco.com/c/zh_cn/support/docs/security/asa-5500-x-series-firewalls/213531-how-to-allow-lan-communication-between-h.html#anc20