URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Форум: vsluhforumID6
Нить номер: 21621
[ Назад ]

Исходное сообщение
"Cisco asa PAT"

Отправлено black_owl , 17-Сен-10 08:52 
Здравствуйте!
Есть задача сделать доступ извне к серверу 192.168.20.32 в локалке по https.
Перепробовал различные NAT, PAT, ничего не получается, при текущей настройке даже в логах ничего не появляется. На асе кроме этого настроен vpn сервер и ipsec туннели.

Подскажите в какую сторону думать чтобы придумать.

Конфига такая.

ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password * encrypted
names
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/1
nameif Inside
security-level 20
ip address 192.168.20.254 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
passwd 1111111111111111 encrypted
boot system disk0:/asa723-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list Split_Tunnel_List remark N_lan
access-list Split_Tunnel_List standard permit 192.168.20.0 255.255.255.0
access-list nonat extended permit ip 192.168.150.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nonat extended permit ip 192.168.20.0 255.255.255.0 192.168.28.0 255.255.255.0
access-list nonat extended permit ip 192.168.20.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list V_RC_net extended permit ip 192.168.28.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list V_RC_net extended permit ip 192.168.20.0 255.255.255.0 192.168.28.0 255.255.255.0
access-list policy_nat_web1 extended permit ip host 192.168.20.32 any log
access-list policy_nat_web2 extended permit ip host 192.168.20.32 any
access-list inbound_outside extended permit tcp any host 192.168.20.32 eq https log
access-list inbound_outside extended permit icmp any host 192.168.20.32 echo-reply
access-list inbound_outside extended permit icmp any host 192.168.20.32 echo
access-list inbound_outside extended permit tcp any host x.x.x.x eq https log
access-list inbound_outside extended permit icmp any host x.x.x.x echo-reply
access-list inbound_outside extended permit icmp any host x.x.x.x echo
pager lines 24
logging enable
logging list My level debugging
logging buffer-size 40096
logging buffered My
logging trap My
logging asdm informational
logging debug-trace
mtu Outside 1500
mtu Inside 1500
ip local pool vpnpool 192.168.150.2-192.168.150.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
nat (Inside) 0 access-list nonat
static (Inside,Outside) x.x.x.x  access-list policy_nat_web1
access-group inbound_outside in interface Outside
route Outside 0.0.0.0 0.0.0.0 x.x.x.y 1
route Inside 192.168.15.0 255.255.255.0 192.168.20.1 1
route Inside 192.168.1.3 255.255.255.255 192.168.20.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server T3v1 protocol radius
accounting-mode simultaneous
aaa-server T3v1 host 192.168.20.12
timeout 7
key *
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto map outside_map 110 match address V_RC_net
crypto map outside_map 110 set peer z.z.z.z
crypto map outside_map 110 set transform-set ESP-AES-MD5
crypto map outside_map 110 set security-association lifetime seconds 28800
crypto map outside_map 1000 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface Outside
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 2
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal  20
crypto isakmp disconnect-notify
telnet 192.168.1.3 255.255.255.255 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
group-policy VPN_GP internal
group-policy VPN_GP attributes
dns-server value 192.168.20.12
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 600 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 600 retry 2
tunnel-group VPN_GP type ipsec-ra
tunnel-group VPN_GP general-attributes
address-pool vpnpool
authentication-server-group T3v1
default-group-policy VPN_GP
tunnel-group VPN_GP ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 600 retry 2
tunnel-group z.z.z.z type ipsec-l2l
tunnel-group z.z.z.z ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:2696bcd6686cd68654dd3bbe8db6e276
: end


Содержание

Сообщения в этом обсуждении
"Cisco asa PAT"
Отправлено sh_ , 17-Сен-10 09:57 
Это уберите
>access-list inbound_outside extended permit tcp any host 192.168.20.32 eq https log
>access-list inbound_outside extended permit icmp any host 192.168.20.32 echo-reply
>access-list inbound_outside extended permit icmp any host 192.168.20.32 echo
>static (Inside,Outside) x.x.x.x  access-list policy_nat_web1

И напишите:
static (Inside,Outside) tcp x.x.x.x https 192.168.20.32 https


"Cisco asa PAT"
Отправлено black_owl , 17-Сен-10 12:25 
>Это уберите
>>access-list inbound_outside extended permit tcp any host 192.168.20.32 eq https log
>>access-list inbound_outside extended permit icmp any host 192.168.20.32 echo-reply
>>access-list inbound_outside extended permit icmp any host 192.168.20.32 echo
>>static (Inside,Outside) x.x.x.x  access-list policy_nat_web1
>
>И напишите:
>static (Inside,Outside) tcp x.x.x.x https 192.168.20.32 https

Это уже было, не работает!



"Cisco asa PAT"
Отправлено black_owl , 17-Сен-10 12:37 
>>Это уберите
>>>access-list inbound_outside extended permit tcp any host 192.168.20.32 eq https log
>>>access-list inbound_outside extended permit icmp any host 192.168.20.32 echo-reply
>>>access-list inbound_outside extended permit icmp any host 192.168.20.32 echo
>>>static (Inside,Outside) x.x.x.x  access-list policy_nat_web1
>>
>>И напишите:
>>static (Inside,Outside) tcp x.x.x.x https 192.168.20.32 https
>
>Это уже было, не работает!

и при этом в логах такая запись была
2010-09-16 10:07:42    Local4.Error    192.168.20.254    :%ASA-session-3-710003: TCP access denied by ACL from a.a.a.a/8397 to Outside:x.x.x.x/443
2010-09-16 10:07:42    Local4.Debug    192.168.20.254    :%ASA-session-7-710005: TCP request discarded from a.a.a.a/8397 to Outside:x.x.x.x/443



"Cisco asa PAT"
Отправлено crash , 17-Сен-10 13:09 
>[оверквотинг удален]
>>>И напишите:
>>>static (Inside,Outside) tcp x.x.x.x https 192.168.20.32 https
>>
>>Это уже было, не работает!
>
>и при этом в логах такая запись была
>2010-09-16 10:07:42 Local4.Error 192.168.20.254 :%ASA-session-3-710003: TCP access denied by ACL from a.a.a.a/8397
>to Outside:x.x.x.x/443
>2010-09-16 10:07:42 Local4.Debug 192.168.20.254 :%ASA-session-7-710005: TCP request discarded from a.a.a.a/8397 to Outside:x.x.x.x/443
>

access-list inbound_outside extended permit tcp any host 192.168.20.32 eq https log
вместо 192.168.20.32 указать реальный айпишник, а не внутрений адрес вашего сервера
ну и естественно это должно быть
static (Inside,Outside) tcp x.x.x.x https 192.168.20.32 https netmask 255.255.255.255


"Cisco asa PAT"
Отправлено sh_ , 17-Сен-10 15:13 
2crash
Он пишет, что у него уже есть access-list inbound_outside extended permit tcp any host x.x.x.x eq https log

Возможно под x.x.x.x скрывается не то, о чем мы думаем.


И почему люди так боятся показать свои белые адреса... :(


"Cisco asa PAT"
Отправлено crash , 17-Сен-10 21:54 
>2crash
>Он пишет, что у него уже есть access-list inbound_outside extended permit tcp
>any host x.x.x.x eq https log
>
>Возможно под x.x.x.x скрывается не то, о чем мы думаем.
>

не заметил. Увидел в самом начале правило с внутренним айпишником и дальше не посмотрел



"Cisco asa PAT"
Отправлено andmv , 18-Сен-10 04:45 
>и при этом в логах такая запись была
>2010-09-16 10:07:42 Local4.Error 192.168.20.254 :%ASA-session-3-710003: TCP access denied by ACL from a.a.a.a/8397
>to Outside:x.x.x.x/443
>2010-09-16 10:07:42 Local4.Debug 192.168.20.254 :%ASA-session-7-710005: TCP request discarded from a.a.a.a/8397 to Outside:x.x.x.x/443
>

Можно попробовать
access-list inbound_Inside extended permit tcp host 192.168.20.32 any eq https
access-group inbound_Inside in interface Inside


"Cisco asa PAT"
Отправлено crash , 17-Сен-10 21:59 
ну еще как вариант добавить inspect для https