anahaym
Full Member

I'm setting up an ASA 5510 from scratch (meaning I haven't worked with ASAs before). The tasks are NAT, RDP port forwarding, and SSL VPN. I've solved the second task (for host NUC-16), but NAT isn't working for some reason. Here is the config:

Code:

    FRA-ASA1# sh run
    : Saved
    :
    : Serial Number: JMX1414L1E8
    : Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
    :
    ASA Version 9.1(7)15
    !
    hostname FRA-ASA1
    domain-name TESTDOMAIN.MYDOMAIN.LOCAL
    enable password **************** encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd ***************** encrypted
    names
    !
    interface Ethernet0/0
     duplex full
     nameif WAN
     security-level 0
     ip address 10.254.1.200 255.255.255.0
    !
    interface Ethernet0/1
     duplex full
     nameif LAN-MSP
     security-level 100
     ip address 172.16.16.254 255.255.255.0
    !
    interface Ethernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/3
     duplex full
     nameif LAN-AD
     security-level 100
     ip address 10.255.8.254 255.255.255.0
    !
    interface Management0/0
     duplex full
     management-only
     nameif management
     security-level 100
     ip address 192.168.2.200 255.255.255.0
    !
    boot system disk0:/asa917-15-k8.bin
    ftp mode passive
    clock timezone GMT 2
    dns domain-lookup management
    dns server-group DefaultDNS
     name-server 10.254.1.9
     name-server 10.255.9.11
     domain-name TESTDOMAIN.MYDOMAIN.LOCAL
    object network NUC-16
     host 172.16.16.222
    object network LAN-MSP
     subnet 172.16.16.0 255.255.255.0
    access-list ALLOW-LAN extended permit ip any any
    access-list ALLOW-RDP-NUC-16 extended permit tcp any object NUC-16 eq 3389
    !
    object network NUC-16
     nat (LAN-MSP,WAN) static interface service tcp 3389 3389
    object network LAN-MSP
     nat (WAN,LAN-MSP) dynamic interface
    access-group ALLOW-RDP-NUC-16 in interface WAN
    access-group ALLOW-LAN in interface LAN-MSP
    route WAN 0.0.0.0 0.0.0.0 10.254.1.1 1
    dynamic-access-policy-record DfltAccessPolicy
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    !
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous
    Cryptochecksum:*****************************
    : end

From host NUC-16, tracert to external addresses simply doesn't go through:

Code:

    C:\>tracert 8.8.8.8
    Tracing route to 8.8.8.8 over a maximum of 30 hops
      1     *        *        *     Request timed out.
      2     *     ^C
    C:\>tracert 172.16.16.254
    Tracing route to 172.16.16.254 over a maximum of 30 hops
      1    <1 ms    <1 ms    <1 ms  172.16.16.254
    Trace complete.

Code:

    C:\>ipconfig /all
       IPv4 Address. . . . . . . . . . . : 172.16.16.222(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 172.16.16.254
       DNS Servers . . . . . . . . . . . : 10.254.1.9
       NetBIOS over Tcpip. . . . . . . . : Enabled

Code:

    FRA-ASA1#
    ICMP echo request from LAN-MSP:172.16.16.222 to WAN:8.8.8.8 ID=1 seq=233 len=64
    ICMP echo request from LAN-MSP:172.16.16.222 to WAN:8.8.8.8 ID=1 seq=234 len=64
    ICMP echo request from LAN-MSP:172.16.16.222 to WAN:8.8.8.8 ID=1 seq=235 len=64
    ICMP echo request from LAN-MSP:172.16.16.222 to WAN:8.8.8.8 ID=1 seq=236 len=64
    ICMP echo request from LAN-MSP:172.16.16.222 to WAN:8.8.8.8 ID=1 seq=237 len=64
Total posts: 586 | Registered: 24-03-2007 | Posted: 19:23 04-12-2017 | Edited: anahaym, 19:55 04-12-2017
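An added example, not part of the original post: a Python check that reads the interface, network-object and object-NAT lines copied from the configuration above and reports every object whose `nat (real_ifc,mapped_ifc)` statement names a real interface other than the one its address is connected to. The function name `check_object_nat` is hypothetical, and the check assumes the ASA 8.3+ object NAT order in which the first interface in the parentheses is the real (source-side) one.

```python
import ipaddress

# Excerpt copied from the config in the post (interfaces, objects, object NAT).
CONFIG = """\
interface Ethernet0/0
 nameif WAN
 ip address 10.254.1.200 255.255.255.0
interface Ethernet0/1
 nameif LAN-MSP
 ip address 172.16.16.254 255.255.255.0
object network NUC-16
 host 172.16.16.222
object network LAN-MSP
 subnet 172.16.16.0 255.255.255.0
object network NUC-16
 nat (LAN-MSP,WAN) static interface service tcp 3389 3389
object network LAN-MSP
 nat (WAN,LAN-MSP) dynamic interface
"""

def check_object_nat(config):
    """Return (object, real_ifc, connected_ifc) for each object NAT whose real
    interface is not the one directly connected to the object's address."""
    ifaces, objects, nats = {}, {}, []
    section = name = None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if not line.startswith(" "):        # a top-level line opens a section
            section, name = words[0], words[-1]
        elif section == "interface" and words[0] == "nameif":
            name = words[1]                 # key the subnet by nameif, not port
        elif section == "interface" and words[:2] == ["ip", "address"]:
            ifaces[name] = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
        elif section == "object" and words[0] == "host":
            objects[name] = ipaddress.ip_network(words[1])
        elif section == "object" and words[0] == "subnet":
            objects[name] = ipaddress.ip_network(f"{words[1]}/{words[2]}")
        elif section == "object" and words[0] == "nat":
            # Assumption: first name inside the parentheses is the real interface.
            nats.append((name, words[1].strip("()").split(",")[0]))
    findings = []
    for obj, real in nats:
        home = next((i for i, n in ifaces.items() if objects[obj].subnet_of(n)), None)
        if home != real:
            findings.append((obj, real, home))
    return findings
```

Called on the excerpt, `check_object_nat(CONFIG)` returns one finding, for object `LAN-MSP`, whose NAT statement names `WAN` as the real interface while 172.16.16.0/24 is connected to `LAN-MSP`.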