The NATs don't work!

Posted: Tue 22 Sep 2009 2:51 pm
by andrew24
Hi everyone,
I have a big problem with an ASA 5505: I can't get the NATs to work to publish some servers to the outside.
I've tried every way I can think of but nothing works; even the most ordinary static NAT doesn't work for me, something like:

object-group service DM_INLINE_TCP_2 tcp
group-object RDP
port-object eq smtp
access-list outside_access_in extended permit tcp any host IP_NAT_British_EF03_Mail object-group DM_INLINE_TCP_2

static (outside,inside) EF03 IP_NAT_British_EF03_Mail netmask 255.255.255.255
static (inside,outside) IP_NAT_British_EF03_Mail EF03 netmask 255.255.255.255

packet tracer tells me it fails on the last default access list (outside deny all), even though I created the access from outside to the smtp and rdp services.
In my opinion there's some problem with the NAT handling, but I can't figure out what... can you give me some info?


thanks a lot!
bye
Andrea



P.S.: I'm adding part of the ASA config.

name 89.118.130.124 IP_NAT_British_Esterno description IP Pubblico usato per NAT esterne
name 89.118.130.123 IP_NAT_British_EF03_Mail description IP Nat Pubblico per Mail Server
interface Vlan1
nameif inside
security-level 100
ip address 192.168.70.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 89.118.130.122 255.255.255.248
!
interface Vlan12
nameif dmz
security-level 50
ip address 172.16.70.0 255.255.0.0
!
interface Vlan22
nameif backup
security-level 0
ip address 69.45.12.4 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 22
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 12
!
interface Ethernet0/6
switchport access vlan 12
!
interface Ethernet0/7
switchport access vlan 12
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name euroflora.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
port-object eq 3389
port-object eq 44011
object-group service DM_INLINE_SERVICE_1
service-object icmp echo
service-object icmp echo-reply
service-object tcp eq 3389
service-object icmp traceroute
service-object icmp unreachable
object-group service RDP tcp
port-object eq 3389
object-group service DM_INLINE_TCP_2 tcp
group-object RDP
port-object eq smtp
access-list outside_access_in extended permit tcp any host IP_NAT_British_EF03_Mail object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any 89.118.130.120 255.255.255.248 log disable
access-list outside_access_in extended permit tcp any host IP_NAT_British_Esterno object-group DM_INLINE_TCP_1
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu backup 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 0.0.0.0 0.0.0.0
static (inside,outside) tcp IP_NAT_British_Esterno 44011 ef01a 3389 netmask 255.255.255.255
static (outside,inside) tcp ef01a 3389 IP_NAT_British_Esterno 44011 netmask 255.255.255.255
static (outside,inside) EF03 IP_NAT_British_EF03_Mail netmask 255.255.255.255
static (inside,outside) IP_NAT_British_EF03_Mail EF03 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 89.118.130.121 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.70.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
sysopt noproxyarp outside
sysopt noproxyarp dmz
sysopt noproxyarp backup
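An added diagnostic, not part of the original post and not Cisco's own tooling, that parses the pre-8.3 `name`, `static`, ACL and `sysopt noproxyarp` lines quoted above and reports the three things worth checking when an inbound static NAT fails packet-tracer on the implicit deny: the same translation written in both directions, an ACL on outside that references the real instead of the mapped address, and mapped addresses the ASA will not answer ARP for. `CONFIG` is a constructed excerpt of the posted config; it assumes the single ACL is the one applied inbound on outside.

```python
import re

# Constructed excerpt of the ASA 8.x (pre-8.3 NAT syntax) config from the post.
CONFIG = """
name 89.118.130.124 IP_NAT_British_Esterno
name 89.118.130.123 IP_NAT_British_EF03_Mail
access-list outside_access_in extended permit tcp any host IP_NAT_British_EF03_Mail object-group DM_INLINE_TCP_2
static (inside,outside) tcp IP_NAT_British_Esterno 44011 ef01a 3389 netmask 255.255.255.255
static (outside,inside) tcp ef01a 3389 IP_NAT_British_Esterno 44011 netmask 255.255.255.255
static (outside,inside) EF03 IP_NAT_British_EF03_Mail netmask 255.255.255.255
static (inside,outside) IP_NAT_British_EF03_Mail EF03 netmask 255.255.255.255
access-group outside_access_in in interface outside
sysopt noproxyarp outside
"""

# static (real_ifc,mapped_ifc) [tcp|udp] mapped_ip [port] real_ip [port] netmask ...
STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (?:tcp |udp )?(\S+)(?: \d+)? (\S+)(?: \d+)? netmask")


def audit(config):
    names, statics, acl_hosts, noproxyarp = {}, [], [], set()
    for line in config.strip().splitlines():
        if m := re.match(r"name (\S+) (\S+)", line):
            names[m.group(2)] = m.group(1)  # alias -> IP address
        elif m := STATIC_RE.match(line):
            real_ifc, mapped_ifc, mapped, real = m.groups()
            statics.append((real_ifc, mapped_ifc, names.get(mapped, mapped), names.get(real, real)))
        elif line.startswith("access-list") and (m := re.search(r" host (\S+)", line)):
            acl_hosts.append(names.get(m.group(1), m.group(1)))  # assumed: ACL applied inbound on outside
        elif m := re.match(r"sysopt noproxyarp (\w+)", line):
            noproxyarp.add(m.group(1))
    findings = []
    keys = {(mi, m, ri, r) for ri, mi, m, r in statics}
    for ri, mi, m, r in statics:
        # The same pair written once as (inside,outside) and once as (outside,inside) is a
        # mirrored translation; publishing an inside server needs only the (inside,outside) one.
        key, mirror = (mi, m, ri, r), (ri, r, mi, m)
        if mirror in keys and key < mirror:
            findings.append(f"mirrored statics {m} <-> {r}: keep only the (inside,outside) entry")
    mapped_on = {(mi, m): r for ri, mi, m, r in statics}
    for (ifc, mapped), real in mapped_on.items():
        # With proxy ARP disabled the ASA does not answer ARP for mapped addresses on that
        # interface, so the upstream router needs an explicit route to them instead.
        if ifc in noproxyarp:
            findings.append(f"noproxyarp {ifc}: ASA will not answer ARP for {mapped} ({real})")
    for host in acl_hosts:
        # Pre-8.3 ACLs on the outside interface must match the mapped (public) address.
        if ("outside", host) not in mapped_on:
            findings.append(f"ACL host {host} is not a mapped address on outside")
    return findings
```

Run `audit(CONFIG)` to list the findings for the posted excerpt; removing the two `(outside,inside)` statics and `sysopt noproxyarp outside` makes it return an empty list.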