bbsweetme
2019-12-30 17:32
Views: 261

Cisco ASA 5505 firewall port forwarding problem

A computer in our office needs to be reachable from the Internet through a port forward. I have looked up the relevant material but still cannot get it working, so I am asking the experts here for help.

Here is the firewall configuration:
ciscoasa(config)# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa

names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 1000
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
no nameif
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 10
ip address 公网IP 255.255.255.248
!
interface Vlan1000
nameif inside
security-level 100
ip address 1.1.1.2 255.255.255.252
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 233.5.5.5
name-server 114.114.114.114
object-group network OBJ_INSIDE_Subnet
network-object 10.88.0.0 255.255.0.0
access-list 101 extended permit icmp any any
access-list 101 extended permit ip any any
access-list 101 extended permit tcp any eq www interface outside eq 28780
access-list 101 extended permit tcp any eq 8866 interface outside eq 30001
access-list 101 extended permit tcp any eq 8080 interface outside eq 38080
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 28780 10.88.98.87 www netmask 255.255.255.255
static (inside,outside) tcp interface 30001 10.88.38.215 8866 netmask 255.255.255.255
static (inside,outside) tcp interface 38080 10.88.38.215 8080 netmask 255.255.255.255
access-group 101 in interface outside
access-group 101 in interface inside
route outside 0.0.0.0 0.0.0.0 公网网关 1
route inside 10.88.0.0 255.255.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 210.72.145.44
webvpn

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

: end

Right now the server's page cannot be reached from the Internet, yet the port scanner on the 站长工具 (webmaster tools) site reports ports 28780 and 30001 as open.

sh nat:

ciscoasa(config)# sh nat

NAT policies on Interface inside:
match tcp inside host 10.88.98.87 eq 80 outside any
static translation to 公网IP/28780
translate_hits = 0, untranslate_hits = 11
match tcp inside host 10.88.38.215 eq 8866 outside any
static translation to 公网IP/30001
translate_hits = 0, untranslate_hits = 105
match tcp inside host 10.88.38.215 eq 8080 outside any
static translation to 公网IP/38080
translate_hits = 0, untranslate_hits = 2
match ip inside any outside any
dynamic translation to pool 1 (公网IP [Interface PAT])
translate_hits = 5885251, untranslate_hits = 531611
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip inside any _internal_loopback any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip inside any outside any
no translation group, implicit deny
policy_hits = 0
ciscoasa(config)#

Why is untranslate_hits = 11 here?

Every time I run a single port scan from 站长工具, this counter goes up by one.

How can I successfully map port 80 of 10.88.98.87 to port 28780 on the public IP?
Thanks.
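As an added example (not part of the original post or the poster's configuration), the script below re-reads the relevant lines of the config and the `sh nat` output above the way a reviewer would. It parses the pre-8.3 `static (inside,outside) tcp interface ...` form and the simple ACE shapes in the post, then reports three things: whether anything in the ACL bound inbound on the mapped interface permits TCP to the mapped port as a destination; whether an ACE places `eq <port>` directly after the source (`permit tcp any eq www interface outside eq 28780` pins the client's source port to 80, which is not what a port forward needs, and only passes traffic here because `permit ip any any` sits above it); and how to read the counters, since `untranslate_hits` counts inbound connections the ASA has already un-NATed toward the real host, which moves the investigation to the server and its return route. The IP addresses and ports are the poster's own; `PUBLIC_IP` is a placeholder for the redacted address, and the input text is constructed from the post.

```python
# Added example (not from the original post): cross-check an ASA 8.2 static PAT
# against the inbound ACL on its mapped interface and the 'show nat' counters. Only
# the pre-8.3 'static ... interface' form and the post's ACE shapes are parsed.
import re

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ssh": 22, "telnet": 23}

# Constructed input copied from the post's own lines; PUBLIC_IP is a placeholder.
CONFIG = """
access-list 101 extended permit icmp any any
access-list 101 extended permit ip any any
access-list 101 extended permit tcp any eq www interface outside eq 28780
static (inside,outside) tcp interface 28780 10.88.98.87 www netmask 255.255.255.255
access-group 101 in interface outside
"""
SHOW_NAT = """
NAT policies on Interface inside:
  match tcp inside host 10.88.98.87 eq 80 outside any
    static translation to PUBLIC_IP/28780
    translate_hits = 0, untranslate_hits = 11
  match ip inside any outside any
    dynamic translation to pool 1 (PUBLIC_IP [Interface PAT])
    translate_hits = 5885251, untranslate_hits = 531611
"""

STATIC_RE = re.compile(r"^static \(\w+,(\w+)\) tcp interface (\S+) (\S+) (\S+) netmask")
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")
NAT_RE = re.compile(r"^match tcp \w+ host (\S+) eq (\d+) \w+ any$")
HITS_RE = re.compile(r"^translate_hits = (\d+), untranslate_hits = (\d+)")

def port_num(tok):  # ASA port keyword or number -> int
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def _take_addr(tok, i):  # any | host A | interface IF | object-group G | A MASK
    return ("any", i + 1) if tok[i] == "any" else (f"{tok[i]} {tok[i + 1]}", i + 2)

def _take_port(tok, i):  # optional 'eq PORT'; other operators are not handled
    return (port_num(tok[i + 1]), i + 2) if i < len(tok) and tok[i] == "eq" else (None, i)

def parse_config(text):
    """Return (statics, aces, {interface: inbound ACL}) from ASA 8.2 config lines."""
    statics, aces, groups = [], [], {}
    for line in (l.strip() for l in text.splitlines()):
        if m := STATIC_RE.match(line):
            statics.append({"mapped_if": m[1], "mapped_port": port_num(m[2]),
                            "real_ip": m[3], "real_port": port_num(m[4])})
        elif m := ACE_RE.match(line):
            tok = m[4].split()
            src, i = _take_addr(tok, 0)
            sp, i = _take_port(tok, i)  # an 'eq' right after the source is a SOURCE port
            dst, i = _take_addr(tok, i)
            dp, _ = _take_port(tok, i)
            aces.append({"acl": m[1], "action": m[2], "proto": m[3], "src": src,
                         "src_port": sp, "dst": dst, "dst_port": dp, "raw": line})
        elif m := GROUP_RE.match(line):
            groups[m[2]] = m[1]
    return statics, aces, groups

def parse_show_nat(text):
    """Map (real_ip, real_port) -> (translate_hits, untranslate_hits) for static xlates."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    hits = {}
    for i, line in enumerate(lines[:-2]):
        m, h = NAT_RE.match(line), HITS_RE.match(lines[i + 2])
        if m and h and lines[i + 1].startswith("static translation"):
            hits[(m[1], int(m[2]))] = (int(h[1]), int(h[2]))
    return hits

def audit(config_text=CONFIG, show_nat_text=SHOW_NAT):
    """One finding per problem spotted for each static PAT rule."""
    statics, aces, groups = parse_config(config_text)
    hits = parse_show_nat(show_nat_text)
    findings = []
    for s in statics:
        acl = groups.get(s["mapped_if"])
        mine = [a for a in aces if a["acl"] == acl]
        # Something must permit TCP to the mapped interface/port as the DESTINATION.
        if not any(a["action"] == "permit" and a["proto"] in ("ip", "tcp")
                   and a["src_port"] is None and a["dst_port"] in (None, s["mapped_port"])
                   and a["dst"] in ("any", f"interface {s['mapped_if']}") for a in mine):
            findings.append(f"acl-blocks: {acl} on {s['mapped_if']} permits nothing "
                            f"to interface port {s['mapped_port']}")
        # 'permit tcp any eq www interface outside eq 28780' pins the CLIENT's source
        # port to 80; the server's real port belongs on the static line only.
        for a in mine:
            if a["src_port"] == s["real_port"]:
                findings.append(f"acl-source-port: '{a['raw']}' matches source port "
                                f"{s['real_port']}, not the forwarded service")
        # untranslate_hits counts inbound connections un-NATed to the real host;
        # translate_hits counts connections the real host opened outward (normally 0).
        t, u = hits.get((s["real_ip"], s["real_port"]), (0, 0))
        if u > 0:
            findings.append(f"nat-forwarding: {u} inbound connections reached "
                            f"{s['real_ip']}:{s['real_port']}; the ASA is forwarding, so "
                            f"check the host listens and routes replies back via the ASA")
    return findings
```

Run `audit()` on the constructed input and it reports the misplaced source-port ACE and the 11 forwarded connections, but no ACL block, because `permit ip any any` already admits everything on the outside interface. Remove that line from `CONFIG` and the same audit reports `acl-blocks`, which is the state the poster would be in once the ACL is tightened to the forwarded ports only.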
