利用ASA的Twice NAT解决内网无法访问映射后的公网地址
发表于:2024-11-15 作者:千家信息网编辑
千家信息网最后更新 2024年11月15日,一.概述: 默认情况下,不管是Inside还是DMZ区映射到Outside区的地址或服务,Inside和DMZ区都无法通过映射后地址来访问内部服务器。ASA8.3版本之后有一种新的NAT叫Twice-
千家信息网最后更新 2024年11月15日利用ASA的Twice NAT解决内网无法访问映射后的公网地址一.概述: 默认情况下,不管是Inside还是DMZ区映射到Outside区的地址或服务,Inside和DMZ区都无法通过映射后地址来访问内部服务器。ASA8.3版本之后有一种新的NAT叫Twice-NAT,它可以在一个NAT语句中既匹配源地址,又匹配目标地址,并且可以对源地址、目标地址,端口号,三个参数中一~三个参数的转换。二.基本思路:A.Inside区映射到Outside区①Outside区访问Inside区映射后的地址没有问题②Inside区访问Inside区映射后的地址,通过Twice NAT做源地址和目标地址转换---将源地址转换为Inside接口地址,目标地址转换为Inside设备实际地址---如果不做源地址,因为访问的数据流来回路径不同,无法建立会话③DMZ区访问Inside区映射后的地址,通过Twice NAT做目标地址转换---将目标地址转换为Inside设备的实际地址---因为两边都是实际地址,因此需要Inside和DMZ互相有对方的路由---也可以同时做源地址转换,将源地址转换为Iniside接口地址,为了便于审计,不建议这样做
B.DMZ区映射到Outside区①Outside区访问DMZ区映射后的地址没有问题②Inside区访问DMZ区映射后的地址,通过Twice NAT做目标地址转换---将目标地址转换为DMZ区设备的实际地址---因为两边都是实际地址,因此需要Inside和DMZ互相有对方的路由---也可以同时做源地址转换,将源地址转换为DMZ接口地址,为了便于审计,不建议这样做---实际用模拟器测试,却发现不做源地址转换,经常报 -- bad sequence number的错误---想不来为什么会报序列号错误,即使用MPF设置set connection random-sequence-number disable,也只是缓解,还是会偶尔出现,觉得可能是模拟器的缘故③DMZ区访问DMZ区映射后的地址,通过Twice NAT做源地址和目标地址转换---将源地址转换为DMZ接口地址,目标地址转换为DMZ区设备实际地址---如果不做源地址,因为访问的数据流来回路径不同,无法建立会话三.测试拓扑:R1-----SW--(Inside)----ASA---(Outside)----R4 | | | | R2 R3(DMZ)四.测试需求:A.将R2的TCP23端口映射到ASA的Outside接口的23端口上----要求R1~R4都能通访问ASA的Outside接口的23端口访问到R2的23端口B.将R3的TCP23端口映射到ASA的Outside接口的2323端口上----要求R1~R4都能通访问ASA的Outside接口的2323端口访问到R3的23端口五.基本配置:A.R1:interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0 no shutip route 0.0.0.0 0.0.0.0 10.1.1.10B.R2interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0 no shutip route 0.0.0.0 0.0.0.0 10.1.1.10line vty 0 4
password cisco
loginC.ASA:interface GigabitEthernet0
nameif Inside
security-level 100
ip address 10.1.1.10 255.255.255.0
no shutinterface GigabitEthernet1
nameif DMZ
security-level 50
ip address 192.168.1.10 255.255.255.0
no shutinterface GigabitEthernet2
nameif Outside
security-level 0 ip address 202.100.1.10 255.255.255.0 no shutD.R3:interface FastEthernet0/0
ip address 192.168.1.3 255.255.255.0 no shutip route 0.0.0.0 0.0.0.0 192.168.1.10line vty 0 4
password cisco
loginE.R4:interface FastEthernet0/0
ip address 202.100.1.4 255.255.255.0 no shut五.ASA的NAT及策略配置:A.动态PAT允许Inside和DMZ区能访问公网object network Inside-NET
subnet 10.1.1.0 255.255.255.0 nat (Inside,Outside) dynamic interfaceobject network DMZ-NET
subnet 192.168.1.0 255.255.255.0 nat (DMZ,Outside) dynamic interfaceB.静态PAT将R2和R3映射出去:object network Inside-R2 host 10.1.1.2
nat (Inside,Outside) static interface service tcp 23 23
object network DMZ-R3 host 192.168.1.3
nat (DMZ,Outside) static interface service tcp 23 2323 C.防火墙策略:①开启icmp审查:policy-map global_policy
class inspection_default
inspect icmp ②Outside口放行策略:access-list OUTSIDE extended permit tcp any object Inside-R2 eq telnet
access-list OUTSIDE extended permit tcp any object DMZ-R3 eq telnet access-group OUTSIDE in interface Outside③DMZ口放行策略:access-list DMZ extended permit tcp any object Inside-R2 eq telnetaccess-list DMZ extended permit icmp any anyaccess-list DMZ extended deny ip any object Inside-NETaccess-list DMZ extended permit ip any anyaccess-group DMZ in interface DMZ---备注:这里只是测试,实际除非必要,尽量不要放行DMZ到Inside的访问,要放行也需要针对主机放行D.测试:①Inside区和DMZ区能访问公网:R1#PING 202.100.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/80/168 msR2#ping 202.100.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/67/156 msR3#ping 202.100.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/120/204 ms②被映射后的端口只能被Outside区访问:R4#TELNET 202.100.1.10 23
Trying 202.100.1.10 ... Open
User Access Verification
Password:
R2>show users
Line User Host(s) Idle Location
0 con 0 idle 00:55:06
* 66 vty 0 idle 00:00:00 202.100.1.4
Interface User Mode Idle Peer Address
R2>
R4#TELNET 202.100.1.10 2323
Trying 202.100.1.10, 2323 ... Open
User Access Verification
Password:
R3>show users
Line User Host(s) Idle Location
0 con 0 idle 00:51:12
* 66 vty 0 idle 00:00:00 202.100.1.4
Interface User Mode Idle Peer Address
R3>R1#telnet 202.100.1.10
Trying 202.100.1.10 ...
% Connection timed out; remote host not responding六.ASA的Twice NAT配置:A.使得Inside区访问Inside区映射后的地址时,既做源地址转换,又做目标地址转换①配置对象:object network Public-R2
host 202.100.1.10
object service tcp23
service tcp destination eq telnet
②配置twice-NAT:nat (Inside,Inside) source static any interface destination static Public-R2 Inside-R2 service tcp23 tcp23③允许相同接口的访问:same-security-traffic permit intra-interface---因为访问时,既从Inside口进,又从Inside出,所以需要这条④测试:R1#telnet 202.100.1.10
Trying 202.100.1.10 ... Open
User Access Verification
Password:
R2>show users
Line User Host(s) Idle Location
0 con 0 idle 01:07:35
* 66 vty 0 idle 00:00:0010.1.1.10
Interface User Mode Idle Peer Address
R2>
R2#telnet 202.100.1.10
Trying 202.100.1.10 ... Open
User Access Verification
Password:
R2>show users
Line User Host(s) Idle Location
0 con 0 202.100.1.10 00:00:00
* 66 vty 0 idle 00:00:0010.1.1.10
Interface User Mode Idle Peer Address
B.使得Inside区访问DMZ区映射后的地址时,只做目标地址转换①配置对象:object network Public-R3
host 202.100.1.10object network DMZ-R3
host 192.168.1.3
object service tcp2323
service tcp destination eq 2323 ②配置twice-NAT:nat (Inside,DMZ) source static any any destination static Public-R3 DMZ-R3 service tcp2323 tcp23③测试:R1#telnet 202.100.1.10 2323
Trying 202.100.1.10, 2323 ...
% Connection timed out; remote host not responding
R3#debug ip tcp packet port 23
TCP Packet debugging is on for port number 23
R3#
*Mar 1 13:18:25.648: tcp0: I LISTEN 10.1.1.1:17155 192.168.1.3:23 seq 1568429504
OPTS 4 SYN WIN 4128
*Mar 1 13:18:25.652: tcp0: O SYNRCVD 10.1.1.1:17155 192.168.1.3:23 seq 1603796811
OPTS 4 ACK 1568429505 SYN WIN 4128
*Mar 1 13:18:25.656: tcp0: I SYNRCVD 10.1.1.1:17155 192.168.1.3:23 seq 4193850862
OPTS 4 SYN WIN 4128
*Mar 1 13:18:25.660: tcp0: O SYNRCVD 10.1.1.1:17155 192.168.1.3:23 seq 1603796811
ACK 1568429505 WIN 4128
*Mar 1 13:18:25.660: TCP0: bad seg from 10.1.1.1 -- bad sequence number: port 23 seq 4193850862 ack 0 rcvnxt 1568429505 rcvwnd 4128 len 0④解决方法:---修改NAT,做源地址转换nat (Inside,DMZ) source static any interface destination static Public-R3 DMZ-R3 service tcp2323 tcp23⑤再次测试:R1#telnet 202.100.1.10 2323
Trying 202.100.1.10, 2323 ... Open
User Access Verification
Password:
R3>show users
Line User Host(s) Idle Location
0 con 0 idle 00:02:15
* 66 vty 0 idle 00:00:00 192.168.1.10
Interface User Mode Idle Peer Address
R3>R2#telnet 202.100.1.10 2323
Trying 202.100.1.10, 2323 ... Open
User Access Verification
Password:
R3>show users
Line User Host(s) Idle Location
0 con 0 idle 00:03:13
66 vty 0 idle 00:00:58 192.168.1.10
* 67 vty 1 idle 00:00:00 192.168.1.10
Interface User Mode Idle Peer Address
R3>C.使得DMZ区访问Inside区映射后的地址时,只做目标地址转换①配置对象:---前面已经定义②配置twice-NAT:nat (DMZ,Inside) source static any any destination static Public-R2 Inside-R2 service tcp23 tcp23③测试:R3#telnet 202.100.1.10
Trying 202.100.1.10 ... Open
User Access Verification
Password:
R2>show users
Line User Host(s) Idle Location
0 con 0 202.100.1.10 00:02:49
* 66 vty 0 idle 00:00:00192.168.1.3
Interface User Mode Idle Peer Address
R2>D.使得DMZ区访问DMZ区映射后的地址时,既做源地址转换,又做目标地址转换①配置对象:---前面已经定义②配置twice-NAT:nat (DMZ,DMZ) source static any interface destination static Public-R3 DMZ-R3 service tcp2323 tcp23③允许相同接口的访问:---前面已经配置:same-security-traffic permit intra-interface④测试:R3#telnet 202.100.1.10 2323
Trying 202.100.1.10, 2323 ... Open
User Access Verification
Password:
R3>show users
Line User Host(s) Idle Location
0 con 0 202.100.1.10 00:00:00
66 vty 0 idle 00:07:01 192.168.1.10
67 vty 1 idle 00:06:02 192.168.1.10
* 68 vty 2 idle 00:00:00 192.168.1.10
Interface User Mode Idle Peer Address
R3>
B.DMZ区映射到Outside区①Outside区访问DMZ区映射后的地址没有问题②Inside区访问DMZ区映射后的地址,通过Twice NAT做目标地址转换---将目标地址转换为DMZ区设备的实际地址---因为两边都是实际地址,因此需要Inside和DMZ互相有对方的路由---也可以同时做源地址转换,将源地址转换为DMZ接口地址,为了便于审计,不建议这样做---实际用模拟器测试,却发现不做源地址转换,经常报 -- bad sequence number的错误---想不来为什么会报序列号错误,即使用MPF设置set connection random-sequence-number disable,也只是缓解,还是会偶尔出现,觉得可能是模拟器的缘故③DMZ区访问DMZ区映射后的地址,通过Twice NAT做源地址和目标地址转换---将源地址转换为DMZ接口地址,目标地址转换为DMZ区设备实际地址---如果不做源地址,因为访问的数据流来回路径不同,无法建立会话三.测试拓扑:R1-----SW--(Inside)----ASA---(Outside)----R4 | | | | R2 R3(DMZ)四.测试需求:A.将R2的TCP23端口映射到ASA的Outside接口的23端口上----要求R1~R4都能通访问ASA的Outside接口的23端口访问到R2的23端口B.将R3的TCP23端口映射到ASA的Outside接口的2323端口上----要求R1~R4都能通访问ASA的Outside接口的2323端口访问到R3的23端口五.基本配置:A.R1:interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0 no shutip route 0.0.0.0 0.0.0.0 10.1.1.10B.R2interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0 no shutip route 0.0.0.0 0.0.0.0 10.1.1.10line vty 0 4
password cisco
loginC.ASA:interface GigabitEthernet0
nameif Inside
security-level 100
ip address 10.1.1.10 255.255.255.0
no shutinterface GigabitEthernet1
nameif DMZ
security-level 50
ip address 192.168.1.10 255.255.255.0
no shutinterface GigabitEthernet2
nameif Outside
security-level 0 ip address 202.100.1.10 255.255.255.0 no shutD.R3:interface FastEthernet0/0
ip address 192.168.1.3 255.255.255.0 no shutip route 0.0.0.0 0.0.0.0 192.168.1.10line vty 0 4
password cisco
loginE.R4:interface FastEthernet0/0
ip address 202.100.1.4 255.255.255.0 no shut五.ASA的NAT及策略配置:A.动态PAT允许Inside和DMZ区能访问公网object network Inside-NET
subnet 10.1.1.0 255.255.255.0 nat (Inside,Outside) dynamic interfaceobject network DMZ-NET
subnet 192.168.1.0 255.255.255.0 nat (DMZ,Outside) dynamic interfaceB.静态PAT将R2和R3映射出去:object network Inside-R2 host 10.1.1.2
nat (Inside,Outside) static interface service tcp 23 23
object network DMZ-R3 host 192.168.1.3
nat (DMZ,Outside) static interface service tcp 23 2323 C.防火墙策略:①开启icmp审查:policy-map global_policy
class inspection_default
inspect icmp ②Outside口放行策略:access-list OUTSIDE extended permit tcp any object Inside-R2 eq telnet
access-list OUTSIDE extended permit tcp any object DMZ-R3 eq telnet access-group OUTSIDE in interface Outside③DMZ口放行策略:access-list DMZ extended permit tcp any object Inside-R2 eq telnetaccess-list DMZ extended permit icmp any anyaccess-list DMZ extended deny ip any object Inside-NETaccess-list DMZ extended permit ip any anyaccess-group DMZ in interface DMZ---备注:这里只是测试,实际除非必要,尽量不要放行DMZ到Inside的访问,要放行也需要针对主机放行D.测试:①Inside区和DMZ区能访问公网:R1#PING 202.100.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/80/168 msR2#ping 202.100.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/67/156 msR3#ping 202.100.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/120/204 ms②被映射后的端口只能被Outside区访问:R4#TELNET 202.100.1.10 23
Trying 202.100.1.10 ... Open
User Access Verification
Password:
R2>show users
Line User Host(s) Idle Location
0 con 0 idle 00:55:06
* 66 vty 0 idle 00:00:00 202.100.1.4
Interface User Mode Idle Peer Address
R2>
R4#TELNET 202.100.1.10 2323
Trying 202.100.1.10, 2323 ... Open
User Access Verification
Password:
R3>show users
Line User Host(s) Idle Location
0 con 0 idle 00:51:12
* 66 vty 0 idle 00:00:00 202.100.1.4
Interface User Mode Idle Peer Address
R3>R1#telnet 202.100.1.10
Trying 202.100.1.10 ...
% Connection timed out; remote host not responding六.ASA的Twice NAT配置:A.使得Inside区访问Inside区映射后的地址时,既做源地址转换,又做目标地址转换①配置对象:object network Public-R2
host 202.100.1.10
object service tcp23
service tcp destination eq telnet
②配置twice-NAT:nat (Inside,Inside) source static any interface destination static Public-R2 Inside-R2 service tcp23 tcp23③允许相同接口的访问:same-security-traffic permit intra-interface---因为访问时,既从Inside口进,又从Inside出,所以需要这条④测试:R1#telnet 202.100.1.10
Trying 202.100.1.10 ... Open
User Access Verification
Password:
R2>show users
Line User Host(s) Idle Location
0 con 0 idle 01:07:35
* 66 vty 0 idle 00:00:0010.1.1.10
Interface User Mode Idle Peer Address
R2>
R2#telnet 202.100.1.10
Trying 202.100.1.10 ... Open
User Access Verification
Password:
R2>show users
Line User Host(s) Idle Location
0 con 0 202.100.1.10 00:00:00
* 66 vty 0 idle 00:00:0010.1.1.10
Interface User Mode Idle Peer Address
B.使得Inside区访问DMZ区映射后的地址时,只做目标地址转换①配置对象:object network Public-R3
host 202.100.1.10object network DMZ-R3
host 192.168.1.3
object service tcp2323
service tcp destination eq 2323 ②配置twice-NAT:nat (Inside,DMZ) source static any any destination static Public-R3 DMZ-R3 service tcp2323 tcp23③测试:R1#telnet 202.100.1.10 2323
Trying 202.100.1.10, 2323 ...
% Connection timed out; remote host not responding
R3#debug ip tcp packet port 23
TCP Packet debugging is on for port number 23
R3#
*Mar 1 13:18:25.648: tcp0: I LISTEN 10.1.1.1:17155 192.168.1.3:23 seq 1568429504
OPTS 4 SYN WIN 4128
*Mar 1 13:18:25.652: tcp0: O SYNRCVD 10.1.1.1:17155 192.168.1.3:23 seq 1603796811
OPTS 4 ACK 1568429505 SYN WIN 4128
*Mar 1 13:18:25.656: tcp0: I SYNRCVD 10.1.1.1:17155 192.168.1.3:23 seq 4193850862
OPTS 4 SYN WIN 4128
*Mar 1 13:18:25.660: tcp0: O SYNRCVD 10.1.1.1:17155 192.168.1.3:23 seq 1603796811
ACK 1568429505 WIN 4128
*Mar 1 13:18:25.660: TCP0: bad seg from 10.1.1.1 -- bad sequence number: port 23 seq 4193850862 ack 0 rcvnxt 1568429505 rcvwnd 4128 len 0④解决方法:---修改NAT,做源地址转换nat (Inside,DMZ) source static any interface destination static Public-R3 DMZ-R3 service tcp2323 tcp23⑤再次测试:R1#telnet 202.100.1.10 2323
Trying 202.100.1.10, 2323 ... Open
User Access Verification
Password:
R3>show users
Line User Host(s) Idle Location
0 con 0 idle 00:02:15
* 66 vty 0 idle 00:00:00 192.168.1.10
Interface User Mode Idle Peer Address
R3>R2#telnet 202.100.1.10 2323
Trying 202.100.1.10, 2323 ... Open
User Access Verification
Password:
R3>show users
Line User Host(s) Idle Location
0 con 0 idle 00:03:13
66 vty 0 idle 00:00:58 192.168.1.10
* 67 vty 1 idle 00:00:00 192.168.1.10
Interface User Mode Idle Peer Address
R3>C.使得DMZ区访问Inside区映射后的地址时,只做目标地址转换①配置对象:---前面已经定义②配置twice-NAT:nat (DMZ,Inside) source static any any destination static Public-R2 Inside-R2 service tcp23 tcp23③测试:R3#telnet 202.100.1.10
Trying 202.100.1.10 ... Open
User Access Verification
Password:
R2>show users
Line User Host(s) Idle Location
0 con 0 202.100.1.10 00:02:49
* 66 vty 0 idle 00:00:00192.168.1.3
Interface User Mode Idle Peer Address
R2>D.使得DMZ区访问DMZ区映射后的地址时,既做源地址转换,又做目标地址转换①配置对象:---前面已经定义②配置twice-NAT:nat (DMZ,DMZ) source static any interface destination static Public-R3 DMZ-R3 service tcp2323 tcp23③允许相同接口的访问:---前面已经配置:same-security-traffic permit intra-interface④测试:R3#telnet 202.100.1.10 2323
Trying 202.100.1.10, 2323 ... Open
User Access Verification
Password:
R3>show users
Line User Host(s) Idle Location
0 con 0 202.100.1.10 00:00:00
66 vty 0 idle 00:07:01 192.168.1.10
67 vty 1 idle 00:06:02 192.168.1.10
* 68 vty 2 idle 00:00:00 192.168.1.10
Interface User Mode Idle Peer Address
R3>
地址
目标
配置
接口
测试
端口
实际
对象
策略
设备
A.
公网
不同
相同
三个
参数
只是
同时
对方
建议
数据库的安全要保护哪些东西
数据库安全各自的含义是什么
生产安全数据库录入
数据库的安全性及管理
数据库安全策略包含哪些
海淀数据库安全审计系统
建立农村房屋安全信息数据库
易用的数据库客户端支持安全管理
连接数据库失败ssl安全错误
数据库的锁怎样保障安全
关于单位网络安全的知识竞赛
互联网科技类公司办对公账户
服务器带外管理开机
南京大学网络安全培训
阿里云服务器域名控制台
服务器性能监控好的有哪些
数据库 cur_list
软件开发转资本化的条件
河北时代网络技术服务产品介绍
朝阳区正规软件开发售后保障
电信网络安全日活动
金完美汽修管理软件服务器
sql数据库的索引
湖北三力通信网络技术有线公司
书籍数据库
山东安卓智能软件开发公司
网络安全责任分工细化表
服务器机柜使用说明书
梦战更新服务器尚未开放
跑腿软件开发赚钱吗
linux服务器凭据如何删除
数据库回滚的含义
t320服务器电源报警
江西赞不绝口网络技术
天津数据库空投箱销售厂家
网络安全洞察
工商银行软件开发中心
1995年只后信息网络安全
网络安全观察报告范文
服务器什么时候维修比较短
