Using ASA Twice NAT to let the internal network reach a mapped public address
Published: 2025-02-03  Author: 千家信息网 editor
Last updated by 千家信息网: 2025-02-03

1. Overview:
By default, when an address or service in the Inside or DMZ zone is mapped to the Outside zone, hosts in the Inside and DMZ zones cannot reach the internal server through the mapped address. Since ASA 8.3 there is a new kind of NAT called Twice NAT, which matches both the source and the destination address in a single NAT statement and can translate any one, two or all three of the source address, destination address and port number.

2. Basic approach:
A. Inside zone mapped to the Outside zone
① Outside zone reaching the mapped Inside address: no problem.
② Inside zone reaching the mapped Inside address: use Twice NAT to translate both source and destination
--- the source is translated to the Inside interface address and the destination to the real address of the Inside device
--- without source translation the forward and return paths of the flow differ and no session can be established
③ DMZ zone reaching the mapped Inside address: use Twice NAT to translate only the destination
--- the destination is translated to the real address of the Inside device
--- because both sides use real addresses, Inside and DMZ need routes to each other
--- the source could also be translated to the Inside interface address at the same time, but this is not recommended because it hinders auditing
B. DMZ zone mapped to the Outside zone
① Outside zone reaching the mapped DMZ address: no problem.
② Inside zone reaching the mapped DMZ address: use Twice NAT to translate only the destination
--- the destination is translated to the real address of the DMZ device
--- because both sides use real addresses, Inside and DMZ need routes to each other
--- the source could also be translated to the DMZ interface address at the same time, but this is not recommended because it hinders auditing
--- in actual testing on an emulator, however, leaving the source untranslated frequently produced "-- bad sequence number" errors
--- I cannot work out why the sequence number error appears; even setting "set connection random-sequence-number disable" through MPF only reduces it and it still shows up occasionally, so it is probably an artifact of the emulator
③ DMZ zone reaching the mapped DMZ address: use Twice NAT to translate both source and destination
--- the source is translated to the DMZ interface address and the destination to the real address of the DMZ device
--- without source translation the forward and return paths of the flow differ and no session can be established

3. Test topology:
R1-----SW--(Inside)----ASA---(Outside)----R4
        |               |
        R2            R3(DMZ)

4. Test requirements:
A. Map TCP port 23 of R2 to port 23 on the ASA Outside interface
---- R1 through R4 must all reach port 23 of R2 by connecting to port 23 of the ASA Outside interface
B. Map TCP port 23 of R3 to port 2323 on the ASA Outside interface
---- R1 through R4 must all reach port 23 of R3 by connecting to port 2323 of the ASA Outside interface

5. Basic configuration:
A. R1:
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.10
B. R2:
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.10
line vty 0 4
 password cisco
 login
C. ASA:
interface GigabitEthernet0
 nameif Inside
 security-level 100
 ip address 10.1.1.10 255.255.255.0
 no shut
interface GigabitEthernet1
 nameif DMZ
 security-level 50
 ip address 192.168.1.10 255.255.255.0
 no shut
interface GigabitEthernet2
 nameif Outside
 security-level 0
 ip address 202.100.1.10 255.255.255.0
 no shut
D. R3:
interface FastEthernet0/0
 ip address 192.168.1.3 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 192.168.1.10
line vty 0 4
 password cisco
 login
E. R4:
interface FastEthernet0/0
 ip address 202.100.1.4 255.255.255.0
 no shut

6. ASA NAT and policy configuration:
A. Dynamic PAT so that the Inside and DMZ zones can reach the public network
object network Inside-NET
 subnet 10.1.1.0 255.255.255.0
 nat (Inside,Outside) dynamic interface
object network DMZ-NET
 subnet 192.168.1.0 255.255.255.0
 nat (DMZ,Outside) dynamic interface
B. Static PAT to publish R2 and R3:
object network Inside-R2
 host 10.1.1.2
 nat (Inside,Outside) static interface service tcp 23 23
object network DMZ-R3
 host 192.168.1.3
 nat (DMZ,Outside) static interface service tcp 23 2323
C. Firewall policy:
① Enable ICMP inspection:
policy-map global_policy
 class inspection_default
  inspect icmp
② Outside interface permit policy:
access-list OUTSIDE extended permit tcp any object Inside-R2 eq telnet
access-list OUTSIDE extended permit tcp any object DMZ-R3 eq telnet
access-group OUTSIDE in interface Outside
③ DMZ interface permit policy:
access-list DMZ extended permit tcp any object Inside-R2 eq telnet
access-list DMZ extended permit icmp any any
access-list DMZ extended deny ip any object Inside-NET
access-list DMZ extended permit ip any any
access-group DMZ in interface DMZ
--- Note: this is only a test setup; in production, do not permit DMZ-to-Inside access unless it is necessary, and when it is, permit it per host only
D. Test:
① The Inside and DMZ zones can reach the public network:
R1#PING 202.100.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/80/168 ms
R2#ping 202.100.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/67/156 ms
R3#ping 202.100.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/120/204 ms
② The mapped ports can be reached only from the Outside zone:
R4#TELNET 202.100.1.10 23
Trying 202.100.1.10 ... Open
User Access Verification
Password:
R2>show users
Line User Host(s) Idle Location
0 con 0 idle 00:55:06
* 66 vty 0 idle 00:00:00 202.100.1.4
Interface User Mode Idle Peer Address
R2>
R4#TELNET 202.100.1.10 2323
Trying 202.100.1.10, 2323 ... Open
User Access Verification
Password:
R3>show users
Line User Host(s) Idle Location
0 con 0 idle 00:51:12
* 66 vty 0 idle 00:00:00 202.100.1.4
Interface User Mode Idle Peer Address
R3>
R1#telnet 202.100.1.10
Trying 202.100.1.10 ...
% Connection timed out; remote host not responding

7. ASA Twice NAT configuration:
A. When the Inside zone reaches the mapped Inside address, translate both source and destination
① Configure the objects:
object network Public-R2
 host 202.100.1.10
object service tcp23
 service tcp destination eq telnet
② Configure the Twice NAT rule:
nat (Inside,Inside) source static any interface destination static Public-R2 Inside-R2 service tcp23 tcp23
③ Permit traffic that enters and leaves on the same interface:
same-security-traffic permit intra-interface
--- this is needed because the traffic both enters and leaves through the Inside interface
④ Test:
R1#telnet 202.100.1.10
Trying 202.100.1.10 ... Open
User Access Verification
Password:
R2>show users
Line User Host(s) Idle Location
0 con 0 idle 01:07:35
* 66 vty 0 idle 00:00:00 10.1.1.10
Interface User Mode Idle Peer Address
R2>
R2#telnet 202.100.1.10
Trying 202.100.1.10 ... Open
User Access Verification
Password:
R2>show users
Line User Host(s) Idle Location
0 con 0 202.100.1.10 00:00:00
* 66 vty 0 idle 00:00:00 10.1.1.10
Interface User Mode Idle Peer Address
B. When the Inside zone reaches the mapped DMZ address, translate only the destination
① Configure the objects:
object network Public-R3
 host 202.100.1.10
object network DMZ-R3
 host 192.168.1.3
object service tcp2323
 service tcp destination eq 2323
② Configure the Twice NAT rule:
nat (Inside,DMZ) source static any any destination static Public-R3 DMZ-R3 service tcp2323 tcp23
③ Test:
R1#telnet 202.100.1.10 2323
Trying 202.100.1.10, 2323 ...
% Connection timed out; remote host not responding
R3#debug ip tcp packet port 23
TCP Packet debugging is on for port number 23
R3#
*Mar 1 13:18:25.648: tcp0: I LISTEN 10.1.1.1:17155 192.168.1.3:23 seq 1568429504
OPTS 4 SYN WIN 4128
*Mar 1 13:18:25.652: tcp0: O SYNRCVD 10.1.1.1:17155 192.168.1.3:23 seq 1603796811
OPTS 4 ACK 1568429505 SYN WIN 4128
*Mar 1 13:18:25.656: tcp0: I SYNRCVD 10.1.1.1:17155 192.168.1.3:23 seq 4193850862
OPTS 4 SYN WIN 4128
*Mar 1 13:18:25.660: tcp0: O SYNRCVD 10.1.1.1:17155 192.168.1.3:23 seq 1603796811
ACK 1568429505 WIN 4128
*Mar 1 13:18:25.660: TCP0: bad seg from 10.1.1.1 -- bad sequence number: port 23 seq 4193850862 ack 0 rcvnxt 1568429505 rcvwnd 4128 len 0
④ Workaround:
--- change the NAT rule so that the source is translated as well
nat (Inside,DMZ) source static any interface destination static Public-R3 DMZ-R3 service tcp2323 tcp23
⑤ Test again:
R1#telnet 202.100.1.10 2323
Trying 202.100.1.10, 2323 ... Open
User Access Verification
Password:
R3>show users
Line User Host(s) Idle Location
0 con 0 idle 00:02:15
* 66 vty 0 idle 00:00:00 192.168.1.10
Interface User Mode Idle Peer Address
R3>
R2#telnet 202.100.1.10 2323
Trying 202.100.1.10, 2323 ... Open
User Access Verification
Password:
R3>show users
Line User Host(s) Idle Location
0 con 0 idle 00:03:13
66 vty 0 idle 00:00:58 192.168.1.10
* 67 vty 1 idle 00:00:00 192.168.1.10
Interface User Mode Idle Peer Address
R3>
C. When the DMZ zone reaches the mapped Inside address, translate only the destination
① Configure the objects:
--- already defined above
② Configure the Twice NAT rule:
nat (DMZ,Inside) source static any any destination static Public-R2 Inside-R2 service tcp23 tcp23
③ Test:
R3#telnet 202.100.1.10
Trying 202.100.1.10 ... Open
User Access Verification
Password:
R2>show users
Line User Host(s) Idle Location
0 con 0 202.100.1.10 00:02:49
* 66 vty 0 idle 00:00:00 192.168.1.3
Interface User Mode Idle Peer Address
R2>
D. When the DMZ zone reaches the mapped DMZ address, translate both source and destination
① Configure the objects:
--- already defined above
② Configure the Twice NAT rule:
nat (DMZ,DMZ) source static any interface destination static Public-R3 DMZ-R3 service tcp2323 tcp23
③ Permit traffic that enters and leaves on the same interface:
--- already configured above: same-security-traffic permit intra-interface
④ Test:
R3#telnet 202.100.1.10 2323
Trying 202.100.1.10, 2323 ... Open
User Access Verification
Password:
R3>show users
Line User Host(s) Idle Location
0 con 0 202.100.1.10 00:00:00
66 vty 0 idle 00:07:01 192.168.1.10
67 vty 1 idle 00:06:02 192.168.1.10
* 68 vty 2 idle 00:00:00 192.168.1.10
Interface User Mode Idle Peer Address
R3>
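As an added illustration (not part of the article and not Cisco code), the following Python model encodes the four Twice NAT rules from section 7 together with the path argument from section 2: it translates a client's flow the way each rule does and then checks whether the server's reply can come back through the ASA at all. The (Inside,DMZ) entry is the fixed rule with source translation; the sporadic bad-sequence-number behaviour the author saw in the emulator is not modelled.

```python
import ipaddress
from dataclasses import dataclass

# Interface address and connected subnet per ASA interface, from the article's topology.
IFACES = {"Inside": ("10.1.1.10", "10.1.1.0/24"),
          "DMZ": ("192.168.1.10", "192.168.1.0/24"),
          "Outside": ("202.100.1.10", "202.100.1.0/24")}

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

# The four Twice NAT rules of section 7 as (ingress, egress, source xlate, mapped dst, real dst, mapped
# port, real port). "interface" = "source static any interface"; None = "source static any any" (kept).
RULES = [
    ("Inside", "Inside", "interface", "202.100.1.10", "10.1.1.2", 23, 23),
    ("Inside", "DMZ", "interface", "202.100.1.10", "192.168.1.3", 2323, 23),
    ("DMZ", "Inside", None, "202.100.1.10", "10.1.1.2", 23, 23),
    ("DMZ", "DMZ", "interface", "202.100.1.10", "192.168.1.3", 2323, 23),
]

def connected_iface(ip):
    """Name of the ASA interface whose connected subnet contains ip."""
    for name, (_, net) in IFACES.items():
        if ipaddress.ip_address(ip) in ipaddress.ip_network(net):
            return name
    raise ValueError(f"{ip} is not on a connected subnet")

def apply_twice_nat(flow, rules=RULES, intra_interface=True):
    """First matching rule -> (egress, translated flow); None if no match or a hairpin is not permitted."""
    ingress = connected_iface(flow.src)
    for in_ifc, out_ifc, src_x, m_dst, r_dst, m_port, r_port in rules:
        if ingress == in_ifc and flow.dst == m_dst and flow.dport == m_port:
            if in_ifc == out_ifc and not intra_interface:
                return None  # needs "same-security-traffic permit intra-interface"
            src = IFACES[out_ifc][0] if src_x == "interface" else flow.src
            return out_ifc, Flow(src, flow.sport, r_dst, r_port)
    return None

def reply_transits_asa(egress, xlated):
    """The server answers xlated.src. The ASA sees that answer (and can undo the NAT and track TCP state)
    only if it is addressed to the ASA itself or to another segment; a same-segment client is answered directly."""
    return xlated.src == IFACES[egress][0] or connected_iface(xlated.src) != egress

if __name__ == "__main__":
    x = apply_twice_nat(Flow("10.1.1.1", 17155, "202.100.1.10", 23))  # constructed sample: R1 to mapped R2
    print(x, reply_transits_asa(*x))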