雏鹰部落

Views: 2012 | Replies: 4

[Discussion/Help] Experts please: a question about PAT

Posted 2011-7-20 15:31:12

I placed a web server first in the 172.16.1.0/24 network and then in the 192.168.10.1/24 network,
and configured NAT:
static (inside,outside) tcp interface www Host-172.16.1.11 www netmask 255.255.255.255
static (dmz,outside) tcp interface www Host-192.168.10.11 www netmask 255.255.255.255
ACL: permit any to access port 80 on OUTSIDE

The problem: when the web server is in inside, it can be reached by accessing outside:80,
      but when the web server is in the DMZ, it cannot be reached via outside:80.
Also, the security levels are:
     inside: 100
     dmz: 50
     outside: 0

Original poster | Posted 2011-7-20 15:32:16
ASA configuration as follows:

ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
name 10.100.141.224 Host-10.100.141.224 description 10.100.141.224
name 192.168.10.11 Host-192.168.10.11 description 192.168.10.11
name 172.16.1.11 Host-172.16.1.11 description 172.16.1.11
!
interface Ethernet0/0
nameif manage
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address Host-10.100.141.224 255.255.255.0
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/3
nameif DMZ
security-level 50
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa832-k8.bin
boot config disk0:/.private/startup-config
ftp mode passive
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp eq www
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host Host-10.100.141.224
pager lines 24
mtu manage 1500
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
static (inside,outside) tcp interface www Host-172.16.1.11 www netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 manage
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
username cisco password w1gc/9o5JBnw5PtE encrypted privilege 15
prompt hostname context
Cryptochecksum:8138c7eb56756d66db288aac099c8fb2
Posted 2011-7-20 16:27:20
I've never configured an ASA... but logically, since 0 can reach 100, there's no reason 0 couldn't reach 50...

Waiting for an expert to analyze.
Posted 2011-7-20 22:28:02
Learned something, thanks for sharing!
Posted 2011-8-6 21:59:19
Nothing wrong with the config. If the server is in the DMZ you only need
static (dmz,outside) tcp interface www Host-192.168.10.11 www netmask 255.255.255.255
and then an ACL that PERMITs ANY to the WWW service on the OUTSIDE address, and it will work.

If it still doesn't work, clear the NAT translation table with clear xlate; if that still doesn't fix it, it's an emulator problem, it won't happen on a real box.
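The diagnosis in the reply above, carried out mechanically as an added example that is not part of the thread and is not a Cisco tool: a small Python lint for pre-8.3 ASA NAT that reads a configuration in the poster's format, works out which nameif a server sits behind, looks for a static (real,outside) PAT for its port, and checks that the ACL applied inbound on outside permits that port to the mapped address (pre-8.3 ACLs match translated addresses). SAMPLE_CONFIG is constructed from the poster's running config, trimmed to the statements the check depends on; DMZ_STATIC is the line from the reply; MOVED_CONFIG, the function names and the dictionary layout are mine. The parser only understands the statement forms that appear in this config, and it compares nameif values case-insensitively, which is an assumption.

```python
# Added example, not from the thread or from Cisco: a lint for pre-8.3 ASA NAT. It finds the
# nameif a server is behind, looks for a matching 'static (real,outside)' PAT, and checks that
# the ACL inbound on outside permits the port to the *mapped* address (pre-8.3 ACLs match it).
import ipaddress

PORT = {"www": 80}  # the only ASA port keyword this config uses
SAMPLE_CONFIG = """\
name 10.100.141.224 Host-10.100.141.224
name 192.168.10.11 Host-192.168.10.11
name 172.16.1.11 Host-172.16.1.11
interface Ethernet0/1
 nameif outside
 ip address Host-10.100.141.224 255.255.255.0
interface Ethernet0/2
 nameif inside
 ip address 172.16.1.1 255.255.255.0
interface Ethernet0/3
 nameif DMZ
 ip address 192.168.10.1 255.255.255.0
object-group service DM_INLINE_SERVICE_1
 service-object ip
 service-object tcp eq www
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host Host-10.100.141.224
static (inside,outside) tcp interface www Host-172.16.1.11 www netmask 255.255.255.255
access-group outside_access_in in interface outside
"""
INSIDE_STATIC = "static (inside,outside) tcp interface www Host-172.16.1.11 www netmask 255.255.255.255\n"
DMZ_STATIC = "static (dmz,outside) tcp interface www Host-192.168.10.11 www netmask 255.255.255.255\n"
MOVED_CONFIG = SAMPLE_CONFIG.replace(INSIDE_STATIC, DMZ_STATIC)  # server moved to the DMZ (constructed)

def parse_asa(text):
    cfg = {"names": {}, "if": {}, "groups": {}, "acls": {}, "statics": [], "in_acl": {}}
    cur_if = cur_group = None
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if t[0] == "name":
            cfg["names"][t[2]] = t[1]
        elif t[0] == "interface":
            cur_if, cur_group = {"ip": None, "mask": None}, None
        elif t[0] == "nameif" and cur_if:
            cfg["if"][t[1].lower()] = cur_if  # assumes nameif matching is case-insensitive
        elif t[:2] == ["ip", "address"] and cur_if:
            cur_if["ip"], cur_if["mask"] = cfg["names"].get(t[2], t[2]), t[3]
        elif t[:2] == ["object-group", "service"]:
            cur_group = cfg["groups"].setdefault(t[2], [])
        elif t[0] == "service-object" and cur_group is not None:
            cur_group.append(t[1] if len(t) == 2 else f"{t[1]}/{int(PORT.get(t[3], t[3]))}")
        elif t[0] == "access-list" and "permit" in t:  # handles 'any' and 'host X' address specs
            r = t[t.index("permit") + 1:]
            svc, r = (r[1], r[2:]) if r[0] == "object-group" else (r[0], r[1:])
            r = r[2:] if r[0] == "host" else r[1:]  # skip the source spec
            dst, r = (cfg["names"].get(r[1], r[1]), r[2:]) if r[0] == "host" else (r[0], r[1:])
            port = int(PORT.get(r[-1], r[-1])) if "eq" in r else None
            cfg["acls"].setdefault(t[1], []).append((svc, dst, port))
        elif t[0] == "static" and t[2] in ("tcp", "udp"):  # port-level static PAT only
            rif, mif = t[1].strip("()").split(",")
            cfg["statics"].append({"real_if": rif.lower(), "mapped_if": mif.lower(), "proto": t[2],
                                   "mapped_addr": t[3], "mapped_port": int(PORT.get(t[4], t[4])),
                                   "real_addr": cfg["names"].get(t[5], t[5]), "real_port": int(PORT.get(t[6], t[6]))})
        elif t[0] == "access-group" and t[2] == "in":
            cfg["in_acl"][t[4].lower()] = t[1]
    return cfg

def acl_permits(cfg, acl, dst_ip, port):  # source addresses are not modelled
    for svc, dst, eq in cfg["acls"].get(acl, []):
        services = cfg["groups"].get(svc, [f"{svc}/{eq}" if eq else svc])
        if dst in ("any", dst_ip) and any(s in ("ip", "tcp", f"tcp/{port}") for s in services):
            return True
    return False

def why_unreachable(cfg, server_ip, port=80, outside="outside"):
    """Findings explaining why outside:port does not reach server_ip; [] means the path is complete."""
    addr = ipaddress.ip_address(server_ip)
    server_if = next((n for n, i in cfg["if"].items() if i["ip"]
                      and addr in ipaddress.ip_network(f"{i['ip']}/{i['mask']}", strict=False)), "?")
    statics = [s for s in cfg["statics"] if s["real_addr"] == server_ip and s["real_port"] == port
               and s["real_if"] == server_if and s["mapped_if"] == outside]
    if not statics:
        return [f"no static ({server_if},{outside}) tcp PAT for {server_ip}:{port}"]
    acl, findings = cfg["in_acl"].get(outside), []
    for s in statics:
        mapped_ip = cfg["if"][outside]["ip"] if s["mapped_addr"] == "interface" else s["mapped_addr"]
        if acl is None:
            findings.append(f"no access-group inbound on {outside}: low-to-high traffic is denied by default")
        elif not acl_permits(cfg, acl, mapped_ip, s["mapped_port"]):
            findings.append(f"ACL {acl} does not permit tcp/{s['mapped_port']} to mapped address {mapped_ip}")
    return findings

def duplicate_mappings(cfg):  # (first real, second real) pairs that claim the same mapped if/addr/port
    seen, dups = {}, []
    for s in cfg["statics"]:
        key = (s["mapped_if"], s["mapped_addr"], s["proto"], s["mapped_port"])
        if key in seen:
            dups.append((seen[key]["real_addr"], s["real_addr"]))
        seen.setdefault(key, s)
    return dups
```

Run against the posted config, why_unreachable reports nothing for 172.16.1.11 and "no static (dmz,outside) tcp PAT for 192.168.10.11:80" for the DMZ host: the running config the poster pasted contains only the inside static, so when the server is in the DMZ there is no translation for outside:80 at all, which is exactly the symptom. With the static re-pointed at the DMZ host (MOVED_CONFIG) the path is complete. If both statics from the first post are entered together, duplicate_mappings shows they both claim the outside interface on tcp/80, and only one translation can hold that mapping. One further point the config makes visible: DM_INLINE_SERVICE_1 contains service-object ip, so the ACL permits all IP traffic to the outside interface address, not just tcp/80 as the first post describes; a tcp eq www entry on its own would be the tighter rule.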
熊猫同学技术论坛 | 网络工程师论坛 (沪ICP备09076391)