Здравствуйте!
Есть задача сделать доступ извне к серверу 192.168.20.32 в локалке по https.
Перепробовал различные варианты NAT и PAT, ничего не получается, при текущей настройке даже в логах ничего не появляется. На ASA, кроме этого, настроен VPN-сервер и IPsec-туннели. Подскажите, в какую сторону думать, чтобы решить задачу.
Конфиг такой.
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password * encrypted
names
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/1
nameif Inside
security-level 20
ip address 192.168.20.254 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
passwd 1111111111111111 encrypted
boot system disk0:/asa723-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list Split_Tunnel_List remark N_lan
access-list Split_Tunnel_List standard permit 192.168.20.0 255.255.255.0
access-list nonat extended permit ip 192.168.150.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nonat extended permit ip 192.168.20.0 255.255.255.0 192.168.28.0 255.255.255.0
access-list nonat extended permit ip 192.168.20.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list V_RC_net extended permit ip 192.168.28.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list V_RC_net extended permit ip 192.168.20.0 255.255.255.0 192.168.28.0 255.255.255.0
access-list policy_nat_web1 extended permit ip host 192.168.20.32 any log
access-list policy_nat_web2 extended permit ip host 192.168.20.32 any
access-list inbound_outside extended permit tcp any host 192.168.20.32 eq https log
access-list inbound_outside extended permit icmp any host 192.168.20.32 echo-reply
access-list inbound_outside extended permit icmp any host 192.168.20.32 echo
access-list inbound_outside extended permit tcp any host x.x.x.x eq https log
access-list inbound_outside extended permit icmp any host x.x.x.x echo-reply
access-list inbound_outside extended permit icmp any host x.x.x.x echo
pager lines 24
logging enable
logging list My level debugging
logging buffer-size 40096
logging buffered My
logging trap My
logging asdm informational
logging debug-trace
mtu Outside 1500
mtu Inside 1500
ip local pool vpnpool 192.168.150.2-192.168.150.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
nat (Inside) 0 access-list nonat
static (Inside,Outside) x.x.x.x access-list policy_nat_web1
access-group inbound_outside in interface Outside
route Outside 0.0.0.0 0.0.0.0 x.x.x.y 1
route Inside 192.168.15.0 255.255.255.0 192.168.20.1 1
route Inside 192.168.1.3 255.255.255.255 192.168.20.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server T3v1 protocol radius
accounting-mode simultaneous
aaa-server T3v1 host 192.168.20.12
timeout 7
key *
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto map outside_map 110 match address V_RC_net
crypto map outside_map 110 set peer z.z.z.z
crypto map outside_map 110 set transform-set ESP-AES-MD5
crypto map outside_map 110 set security-association lifetime seconds 28800
crypto map outside_map 1000 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface Outside
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 2
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp disconnect-notify
telnet 192.168.1.3 255.255.255.255 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
group-policy VPN_GP internal
group-policy VPN_GP attributes
dns-server value 192.168.20.12
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 600 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 600 retry 2
tunnel-group VPN_GP type ipsec-ra
tunnel-group VPN_GP general-attributes
address-pool vpnpool
authentication-server-group T3v1
default-group-policy VPN_GP
tunnel-group VPN_GP ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 600 retry 2
tunnel-group z.z.z.z type ipsec-l2l
tunnel-group z.z.z.z ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:2696bcd6686cd68654dd3bbe8db6e276
: end
Это уберите
>access-list inbound_outside extended permit tcp any host 192.168.20.32 eq https log
>access-list inbound_outside extended permit icmp any host 192.168.20.32 echo-reply
>access-list inbound_outside extended permit icmp any host 192.168.20.32 echo
>static (Inside,Outside) x.x.x.x access-list policy_nat_web1
И напишите:
static (Inside,Outside) tcp x.x.x.x https 192.168.20.32 https
>Это уберите
>>access-list inbound_outside extended permit tcp any host 192.168.20.32 eq https log
>>access-list inbound_outside extended permit icmp any host 192.168.20.32 echo-reply
>>access-list inbound_outside extended permit icmp any host 192.168.20.32 echo
>>static (Inside,Outside) x.x.x.x access-list policy_nat_web1
>
>И напишите:
>static (Inside,Outside) tcp x.x.x.x https 192.168.20.32 https
Это уже было, не работает!
>>Это уберите
>>>access-list inbound_outside extended permit tcp any host 192.168.20.32 eq https log
>>>access-list inbound_outside extended permit icmp any host 192.168.20.32 echo-reply
>>>access-list inbound_outside extended permit icmp any host 192.168.20.32 echo
>>>static (Inside,Outside) x.x.x.x access-list policy_nat_web1
>>
>>И напишите:
>>static (Inside,Outside) tcp x.x.x.x https 192.168.20.32 https
>
>Это уже было, не работает!
и при этом в логах такая запись была
2010-09-16 10:07:42 Local4.Error 192.168.20.254 :%ASA-session-3-710003: TCP access denied by ACL from a.a.a.a/8397 to Outside:x.x.x.x/443
2010-09-16 10:07:42 Local4.Debug 192.168.20.254 :%ASA-session-7-710005: TCP request discarded from a.a.a.a/8397 to Outside:x.x.x.x/443
>[оверквотинг удален]
>>>И напишите:
>>>static (Inside,Outside) tcp x.x.x.x https 192.168.20.32 https
>>
>>Это уже было, не работает!
>
>и при этом в логах такая запись была
>2010-09-16 10:07:42 Local4.Error 192.168.20.254 :%ASA-session-3-710003: TCP access denied by ACL from a.a.a.a/8397
>to Outside:x.x.x.x/443
>2010-09-16 10:07:42 Local4.Debug 192.168.20.254 :%ASA-session-7-710005: TCP request discarded from a.a.a.a/8397 to Outside:x.x.x.x/443
>access-list inbound_outside extended permit tcp any host 192.168.20.32 eq https log
вместо 192.168.20.32 указать реальный (внешний) адрес, а не внутренний адрес вашего сервера: на ASA 7.2 access-list, привязанный к интерфейсу Outside, проверяется по адресу до обратной трансляции, то есть по внешнему, поэтому правило с внутренним адресом 192.168.20.32 просто не сработает.
Ну и, естественно, это должно быть
static (Inside,Outside) tcp x.x.x.x https 192.168.20.32 https netmask 255.255.255.255
2crash
Он пишет, что у него уже есть access-list inbound_outside extended permit tcp any host x.x.x.x eq https log
Возможно, под x.x.x.x скрывается не то, о чём мы думаем.
И почему люди так боятся показать свои белые адреса... :(
>2crash
>Он пишет, что у него уже есть access-list inbound_outside extended permit tcp
>any host x.x.x.x eq https log
>
>Возможно под x.x.x.x скрывается не то, о чем мы думаем.
Не заметил. Увидел в самом начале правило с внутренним адресом и дальше не посмотрел.
>и при этом в логах такая запись была
>2010-09-16 10:07:42 Local4.Error 192.168.20.254 :%ASA-session-3-710003: TCP access denied by ACL from a.a.a.a/8397
>to Outside:x.x.x.x/443
>2010-09-16 10:07:42 Local4.Debug 192.168.20.254 :%ASA-session-7-710005: TCP request discarded from a.a.a.a/8397 to Outside:x.x.x.x/443
>Можно попробовать
access-list inbound_Inside extended permit tcp host 192.168.20.32 any eq https
access-group inbound_Inside in interface Inside
ну еще как вариант добавить inspect для https