1. Overview:
By default, whether an Inside or DMZ address or service is mapped to the Outside zone, hosts in Inside and DMZ cannot reach the internal server through the mapped (post-NAT) address. ASA 8.3 and later have a new kind of NAT called Twice NAT, which can match both the source address and the destination address in a single NAT statement and can translate any one to three of the three parameters: source address, destination address and port number.
2. Basic approach:
A. Inside zone mapped to the Outside zone
① Outside reaching the Inside mapped address works without further configuration
② Inside reaching the Inside mapped address: use Twice NAT to translate both the source and the destination address
--- Translate the source address to the Inside interface address and the destination address to the real address of the Inside device
--- Without source translation, the forward and return paths of the flow differ and no session can be established
③ DMZ reaching the Inside mapped address: use Twice NAT to translate the destination address
--- Translate the destination address to the real address of the Inside device
--- Because both sides then use real addresses, Inside and DMZ need routes to each other
--- The source address could also be translated to the Inside interface address at the same time, but for ease of auditing this is not recommended
B. DMZ zone mapped to the Outside zone
① Outside reaching the DMZ mapped address works without further configuration
② Inside reaching the DMZ mapped address: use Twice NAT to translate the destination address
--- Translate the destination address to the real address of the DMZ device
--- Because both sides then use real addresses, Inside and DMZ need routes to each other
--- The source address could also be translated to the DMZ interface address at the same time, but for ease of auditing this is not recommended
--- In actual testing on an emulator, however, I found that without source address translation a "bad sequence number" error is frequently reported
--- I cannot work out why a sequence-number error is reported; even setting set connection random-sequence-number disable with MPF only mitigates it and it still occurs occasionally, so I think it is probably the emulator's doing
③ DMZ reaching the DMZ mapped address: use Twice NAT to translate both the source and the destination address
--- Translate the source address to the DMZ interface address and the destination address to the real address of the DMZ device
--- Without source translation, the forward and return paths of the flow differ and no session can be established
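To make the return-path argument of A ② and B ③ concrete, here is an added Python model (not from the original post) of the Inside hairpin: R1 connects to R2's mapped address 202.100.1.10:23, and the model shows that without source translation R2's SYN-ACK goes straight back to R1 from 10.1.1.2 and cannot match R1's socket, whereas with "source static any interface" it returns through the ASA and is untranslated. The Pkt, Asa, next_hop and hairpin names and the one-rule connection table are constructions of this model; the addresses and the NAT rule are the page's.

```python
import ipaddress
from collections import namedtuple

# Constructed model of the page's Inside hairpin (addresses are the page's).
INSIDE_NET = ipaddress.ip_network("10.1.1.0/24")
ASA_INSIDE = "10.1.1.10"      # ASA Inside interface, default gateway of R1/R2
PUBLIC_R2 = "202.100.1.10"    # Outside interface address that R2 is mapped to
R1, R2 = "10.1.1.1", "10.1.1.2"
Pkt = namedtuple("Pkt", "src sport dst dport")   # one TCP 4-tuple

def next_hop(pkt):
    """Inside hosts deliver on-link destinations directly; everything else goes to the ASA."""
    return pkt.dst if ipaddress.ip_address(pkt.dst) in INSIDE_NET else ASA_INSIDE

class Asa:
    """Minimal model of one twice-NAT rule plus its connection table."""
    def __init__(self, translate_source):
        self.translate_source = translate_source
        self.conns = {}  # post-NAT 4-tuple -> original packet

    def forward(self, pkt):
        # nat (Inside,Inside) source static any {any|interface}
        #     destination static Public-R2 Inside-R2 service tcp23 tcp23
        if pkt.dst == PUBLIC_R2 and pkt.dport == 23:
            src = ASA_INSIDE if self.translate_source else pkt.src
            out = Pkt(src, pkt.sport, R2, 23)
            self.conns[(out.src, out.sport, out.dst, out.dport)] = pkt
            return out
        return pkt

    def reverse(self, reply):
        """Untranslate a reply that belongs to a tracked connection."""
        orig = self.conns.get((reply.dst, reply.dport, reply.src, reply.sport))
        return reply if orig is None else Pkt(orig.dst, orig.dport, orig.src, orig.sport)

def hairpin(translate_source):
    """Return (source of the SYN-ACK as R1 sees it, whether R1 can match it to its SYN)."""
    asa = Asa(translate_source)
    syn = Pkt(R1, 17155, PUBLIC_R2, 23)   # 202.100.1.10 is off-link, so R1 sends via the ASA
    at_r2 = asa.forward(syn)
    syn_ack = Pkt(at_r2.dst, at_r2.dport, at_r2.src, at_r2.sport)  # R2 swaps the tuple
    # Without source NAT the reply is addressed to R1, which is on-link: R2 sends it
    # straight to R1 and the ASA never gets the chance to untranslate it.
    if next_hop(syn_ack) == ASA_INSIDE:
        syn_ack = asa.reverse(syn_ack)
    return syn_ack.src, (syn_ack.src, syn_ack.sport) == (syn.dst, syn.dport)
```

The same model applies unchanged to the DMZ hairpin in B ③ by substituting the DMZ addresses and the 2323 rule.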
3. Test topology:
R1-----SW--(Inside)----ASA---(Outside)----R4
        |                |
        |                |
       R2             R3(DMZ)
4. Test requirements:
A. Map TCP port 23 of R2 to port 23 of the ASA Outside interface
---- R1 through R4 must all be able to reach R2's port 23 by connecting to port 23 of the ASA Outside interface
B. Map TCP port 23 of R3 to port 2323 of the ASA Outside interface
---- R1 through R4 must all be able to reach R3's port 23 by connecting to port 2323 of the ASA Outside interface
5. Basic configuration:
A. R1:
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.10
B. R2:
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.10
line vty 0 4
password cisco
login
C. ASA:
interface GigabitEthernet0
nameif Inside
security-level 100
ip address 10.1.1.10 255.255.255.0
no shut
interface GigabitEthernet1
nameif DMZ
security-level 50
ip address 192.168.1.10 255.255.255.0
no shut
interface GigabitEthernet2
nameif Outside
security-level 0
ip address 202.100.1.10 255.255.255.0
no shut
D. R3:
interface FastEthernet0/0
ip address 192.168.1.3 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 192.168.1.10
line vty 0 4
password cisco
login
E. R4:
interface FastEthernet0/0
ip address 202.100.1.4 255.255.255.0
no shut
6. ASA NAT and policy configuration:
A. Dynamic PAT so that Inside and DMZ can reach the public network:
object network Inside-NET
subnet 10.1.1.0 255.255.255.0
nat (Inside,Outside) dynamic interface
object network DMZ-NET
subnet 192.168.1.0 255.255.255.0
nat (DMZ,Outside) dynamic interface
B. Static PAT to map R2 and R3 out:
object network Inside-R2
host 10.1.1.2
nat (Inside,Outside) static interface service tcp 23 23
object network DMZ-R3
host 192.168.1.3
nat (DMZ,Outside) static interface service tcp 23 2323
C. Firewall policy:
① Enable ICMP inspection:
policy-map global_policy
class inspection_default
inspect icmp
② Outside interface permit policy:
access-list OUTSIDE extended permit tcp any object Inside-R2 eq telnet
access-list OUTSIDE extended permit tcp any object DMZ-R3 eq telnet
access-group OUTSIDE in interface Outside
③ DMZ interface permit policy:
access-list DMZ extended permit tcp any object Inside-R2 eq telnet
access-list DMZ extended permit icmp any any
access-list DMZ extended deny ip any object Inside-NET
access-list DMZ extended permit ip any any
access-group DMZ in interface DMZ
--- Note: this is for testing only. In practice, unless it is really necessary, avoid permitting DMZ-to-Inside access; if it must be permitted, permit it per host.
D. Tests:
① Inside and DMZ can reach the public network:
R1#PING 202.100.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/80/168 ms
R2#ping 202.100.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/67/156 ms
R3#ping 202.100.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/120/204 ms
② The mapped ports can only be reached from the Outside zone:
R4#TELNET 202.100.1.10 23
Trying 202.100.1.10 ... Open
User Access Verification
Password:
R2>show users
Line User Host(s) Idle Location
0 con 0 idle 00:55:06
* 66 vty 0 idle 00:00:00 202.100.1.4
Interface User Mode Idle Peer Address
R2>
R4#TELNET 202.100.1.10 2323
Trying 202.100.1.10, 2323 ... Open
User Access Verification
Password:
R3>show users
Line User Host(s) Idle Location
0 con 0 idle 00:51:12
* 66 vty 0 idle 00:00:00 202.100.1.4
Interface User Mode Idle Peer Address
R3>
R1#telnet 202.100.1.10
Trying 202.100.1.10 ...
% Connection timed out; remote host not responding
7. ASA Twice NAT configuration:
A. Make Inside access to the Inside mapped address translate both the source and the destination address
① Configure objects:
object network Public-R2
host 202.100.1.10
object service tcp23
service tcp destination eq telnet
② Configure Twice NAT:
nat (Inside,Inside) source static any interface destination static Public-R2 Inside-R2 service tcp23 tcp23
③ Permit traffic that enters and leaves the same interface:
same-security-traffic permit intra-interface
--- Needed because the traffic both enters and leaves through the Inside interface
④ Test:
R1#telnet 202.100.1.10
Trying 202.100.1.10 ... Open
User Access Verification
Password:
R2>show users
Line User Host(s) Idle Location
0 con 0 idle 01:07:35
* 66 vty 0 idle 00:00:00 10.1.1.10
Interface User Mode Idle Peer Address
R2>
R2#telnet 202.100.1.10
Trying 202.100.1.10 ... Open
User Access Verification
Password:
R2>show users
Line User Host(s) Idle Location
0 con 0 202.100.1.10 00:00:00
* 66 vty 0 idle 00:00:00 10.1.1.10
Interface User Mode Idle Peer Address
B. Make Inside access to the DMZ mapped address translate only the destination address
① Configure objects:
object network Public-R3
host 202.100.1.10
object network DMZ-R3
host 192.168.1.3
object service tcp2323
service tcp destination eq 2323
② Configure Twice NAT:
nat (Inside,DMZ) source static any any destination static Public-R3 DMZ-R3 service tcp2323 tcp23
③ Test:
R1#telnet 202.100.1.10 2323
Trying 202.100.1.10, 2323 ...
% Connection timed out; remote host not responding
R3#debug ip tcp packet port 23
TCP Packet debugging is on for port number 23
R3#
*Mar 1 13:18:25.648: tcp0: I LISTEN 10.1.1.1:17155 192.168.1.3:23 seq 1568429504
OPTS 4 SYN WIN 4128
*Mar 1 13:18:25.652: tcp0: O SYNRCVD 10.1.1.1:17155 192.168.1.3:23 seq 1603796811
OPTS 4 ACK 1568429505 SYN WIN 4128
*Mar 1 13:18:25.656: tcp0: I SYNRCVD 10.1.1.1:17155 192.168.1.3:23 seq 4193850862
OPTS 4 SYN WIN 4128
*Mar 1 13:18:25.660: tcp0: O SYNRCVD 10.1.1.1:17155 192.168.1.3:23 seq 1603796811
ACK 1568429505 WIN 4128
*Mar 1 13:18:25.660: TCP0: bad seg from 10.1.1.1 -- bad sequence number: port 23 seq 4193850862 ack 0 rcvnxt 1568429505 rcvwnd 4128 len 0
④ Solution:
--- Change the NAT so that the source address is translated as well
nat (Inside,DMZ) source static any interface destination static Public-R3 DMZ-R3 service tcp2323 tcp23
⑤ Test again:
R1#telnet 202.100.1.10 2323
Trying 202.100.1.10, 2323 ... Open
User Access Verification
Password:
R3>show users
Line User Host(s) Idle Location
0 con 0 idle 00:02:15
* 66 vty 0 idle 00:00:00 192.168.1.10
Interface User Mode Idle Peer Address
R3>
R2#telnet 202.100.1.10 2323
Trying 202.100.1.10, 2323 ... Open
User Access Verification
Password:
R3>show users
Line User Host(s) Idle Location
0 con 0 idle 00:03:13
66 vty 0 idle 00:00:58 192.168.1.10
* 67 vty 1 idle 00:00:00 192.168.1.10
Interface User Mode Idle Peer Address
R3>
C. Make DMZ access to the Inside mapped address translate only the destination address
① Configure objects:
--- Already defined above
② Configure Twice NAT:
nat (DMZ,Inside) source static any any destination static Public-R2 Inside-R2 service tcp23 tcp23
③ Test:
R3#telnet 202.100.1.10
Trying 202.100.1.10 ... Open
User Access Verification
Password:
R2>show users
Line User Host(s) Idle Location
0 con 0 202.100.1.10 00:02:49
* 66 vty 0 idle 00:00:00 192.168.1.3
Interface User Mode Idle Peer Address
R2>
D. Make DMZ access to the DMZ mapped address translate both the source and the destination address
① Configure objects:
--- Already defined above
② Configure Twice NAT:
nat (DMZ,DMZ) source static any interface destination static Public-R3 DMZ-R3 service tcp2323 tcp23
--- Already configured above: same-security-traffic permit intra-interface
③ Test:
R3#telnet 202.100.1.10 2323
Trying 202.100.1.10, 2323 ... Open
User Access Verification
Password:
R3>show users
Line User Host(s) Idle Location
0 con 0 202.100.1.10 00:00:00
66 vty 0 idle 00:07:01 192.168.1.10
67 vty 1 idle 00:06:02 192.168.1.10
* 68 vty 2 idle 00:00:00 192.168.1.10
Interface User Mode Idle Peer Address
R3>