asa 5510 port forwarding

http://www.cisco.com/en/US/docs/security/asa/asa70/quick/guide/70_ASAqk.html

bu dokumanlara baktim fakat cozumunu bulamadim..

Merhaba,

show access-lists  ile show ip nat translations çıktılarını alırmısınız

NAT policies on Interface DMZ:
  match ip DMZ host 10.0.0.2 Outside 172.20.1.0 255.255.255.128
    NAT exempt
    translate_hits = 2, untranslate_hits = 0
  match ip DMZ host 10.0.0.2 DMZ 172.20.1.0 255.255.255.128
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip DMZ host 10.0.0.2 Inside 172.20.1.0 255.255.255.128
    NAT exempt
    translate_hits = 213, untranslate_hits = 75
  match ip DMZ host 10.0.0.2 management 172.20.1.0 255.255.255.128
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip DMZ host 10.0.0.2 Outside any
    static translation to 83.83.83.83
    translate_hits = 1, untranslate_hits = 597
  match ip DMZ any DMZ any
    dynamic translation to pool 200 (10.0.0.1 [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
  match ip DMZ any Inside any
    dynamic translation to pool 200 (172.20.1.8 [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
  match ip DMZ any management any
    dynamic translation to pool 200 (No matching global)
    translate_hits = 0, untranslate_hits = 0

NAT policies on Interface Inside:
  match ip Inside 172.20.1.0 255.255.255.128 Outside host 10.0.0.2
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip Inside 172.20.1.0 255.255.255.128 DMZ host 10.0.0.2
    NAT exempt
    translate_hits = 75, untranslate_hits = 213
  match ip Inside 172.20.1.0 255.255.255.128 Inside host 10.0.0.2
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip Inside 172.20.1.0 255.255.255.128 management host 10.0.0.2
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip Inside 172.20.1.0 255.255.255.128 Outside any
    dynamic translation to pool 200 (83.83.83.83 [Interface PAT])
    translate_hits = 3195, untranslate_hits = 0
  match ip Inside 172.20.1.0 255.255.255.128 DMZ any
    dynamic translation to pool 200 (10.0.0.1 [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
  match ip Inside 172.20.1.0 255.255.255.128 Inside any
    dynamic translation to pool 200 (172.20.1.8 [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
  match ip Inside 172.20.1.0 255.255.255.128 management any
    dynamic translation to pool 200 (No matching global)
    translate_hits = 0, untranslate_hits = 0

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list Inside_nat0_outbound; 1 elements
access-list Inside_nat0_outbound line 1 extended permit ip 172.20.1.0 255.255.25
5.128 host 10.0.0.2 (hitcnt=0)
access-list DMZ_nat0_outbound; 1 elements
access-list DMZ_nat0_outbound line 1 extended permit ip host 10.0.0.2 172.20.1.0
 255.255.255.128 (hitcnt=0)
access-list Outside_access_in; 16 elements
access-list Outside_access_in line 1 extended permit tcp any any object-group pe
rmitgroup
access-list Outside_access_in line 1 extended permit tcp any any eq sip (hitcnt=
0)
access-list Outside_access_in line 1 extended permit tcp any any eq www (hitcnt=
80)
access-list Outside_access_in line 1 extended permit tcp any any eq h323 (hitcnt
=3)
access-list Outside_access_in line 1 extended permit tcp any any eq domain (hitc
nt=0)
access-list Outside_access_in line 1 extended permit tcp any any eq pop3 (hitcnt
=0)
access-list Outside_access_in line 1 extended permit tcp any any eq https (hitcn
t=0)
access-list Outside_access_in line 1 extended permit tcp any any eq ftp (hitcnt=
0)
access-list Outside_access_in line 1 extended permit tcp any any eq smtp (hitcnt
=0)
access-list Outside_access_in line 1 extended permit tcp any any range 1719 h323
 (hitcnt=4)
access-list Outside_access_in line 2 extended permit udp any any object-group pe
rmitgroupudp
access-list Outside_access_in line 2 extended permit udp any any eq sip (hitcnt=
0)
access-list Outside_access_in line 2 extended permit udp any any eq www (hitcnt=
0)
access-list Outside_access_in line 2 extended permit udp any any eq domain (hitc
nt=0)
access-list Outside_access_in line 3 extended permit tcp any any object-group pe
rmitdmz
access-list Outside_access_in line 3 extended permit tcp any any eq www (hitcnt=
0)
access-list Outside_access_in line 3 extended permit tcp any any eq https (hitcn
t=0)
access-list Outside_access_in line 4 extended permit udp any any object-group pe
rmitdmzudp
access-list Outside_access_in line 4 extended permit udp any any eq www (hitcnt=
0)
access-list Outside_access_in line 5 extended permit icmp any any echo-reply (hi
tcnt=0)
access-list DMZ_pnat_inbound; 1 elements
access-list DMZ_pnat_inbound line 1 extended permit ip any any (hitcnt=0)

sip portu icin disaridan gelen istekleri iceride web server haricinde baska bir server'a yonlendirmek istiyorum.

yardimlar icin simdiden tesekkurler..

pazartesi size calisan konfigimi gönderebilirim, karsilastrirsiniz

merhabalar

http://www.cozumpark.com/blogs/cisco_system/archive/2008/04/03/cisco-asa-5510-un-temel-konfig-rasyonu.aspx

yukarıdaki makaleyi incelermisiniz.

kolay gelsin

Mesela firewall oncelikle port 80 e gelenlere izin versin

access-list Outside_access_in extended permit tcp any host 94.102.22.36 eq 80  (94.102.22.36 sizin public ipniz )

ve bu gelen trafigi 192.168.2.200 ipli servera yonlendirsin

static (Inside,Outside) tcp 94.102.22.36 80 192.168.2.200 80 netmask 255.255.255.255

izin vermek istediginiz her turlu trafik icin  bu satirlardan birer tane ekliyeceksiniz. Mesela 3389 sanirim remote desktopti. Eger bu tur bir trafige izin vermek istiyorsaniz 80 yazdigimiz yerlere 3389 yazacaksiniz, 192.168.2.220 un yerinde hangi pc veya servera ulasacaksaniz onu yazin.