高手请进 关于PAT的问题

lxk198113

我 将一web 服务器 先后放置在 172.16.1.0/24   和 192.168.10.1/24这2个网络中
并做了NAT:
static (inside,outside) tcp interface www Host-172.16.1.11 www netmask 255.255.255.255
static (dmz,outside) tcp interface www Host-192.168.10.11 www netmask 255.255.255.255
ACL: 允许对 any OUTSIDE 的80  端口进行访问

问题是: web 服务器 在 inside中时 能够用通过访问 outside:80  访问web server
      而  web 服务器 在 DMZ中时 无法通过访问 outside:80  访问web server
另: security-level
     inside:100
     dmz:50
    outside:0

lxk198113

ASA 配置 如下：

ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
name 10.100.141.224 Host-10.100.141.224 description 10.100.141.224
name 192.168.10.11 Host-192.168.10.11 description 192.168.10.11
name 172.16.1.11 Host-172.16.1.11 description 172.16.1.11
!
interface Ethernet0/0
nameif manage
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address Host-10.100.141.224 255.255.255.0
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!            
interface Ethernet0/3
nameif DMZ
security-level 50
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa832-k8.bin
boot config disk0:/.private/startup-config
ftp mode passive
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp eq www
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host Host-10.100.141.224
pager lines 24
mtu manage 1500
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
static (inside,outside) tcp interface www Host-172.16.1.11 www netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 manage
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
username cisco password w1gc/9o5JBnw5PtE encrypted privilege 15
prompt hostname context
Cryptochecksum:8138c7eb56756d66db288aac099c8fb2

wantccie

ASA没配过。。。按照道理，既然0能访问100，没道理0不能访问50啊。。。

坐等高手分析。

yangsong315

学习了，谢谢楼主分享！

yangning365

配置没啥问题  如果服务器的DMZ 只需要
static (dmz,outside) tcp interface www Host-192.168.10.11 www netmask 255.255.255.255
然后放个ACL   PERMIT  ANY  到OUTSIDE地址的WWW服务就可以了

如果还不通，可以清一下NAT转换表clear xlate,再不行就是模拟器问题，真机不会有问题的