Hello,
I have configured an ASA 5510. We host one web server on the network. I forwarded all requests arriving at our public IP to this server with NAT. Now I want the requests coming from outside on a few ports to be redirected to a different server inside. When I create a NAT rule that specifies a port, it is not accepted because the other NAT rule already exists. How can I do this redirection for the few ports I will specify?
Thanks in advance..
I looked at these documents but could not find the solution..
Hello,
Could you post the output of show access-lists and show ip nat translations?
NAT policies on Interface DMZ:
  match ip DMZ host 10.0.0.2 Outside 172.20.1.0 255.255.255.128
    NAT exempt
    translate_hits = 2, untranslate_hits = 0
  match ip DMZ host 10.0.0.2 DMZ 172.20.1.0 255.255.255.128
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip DMZ host 10.0.0.2 Inside 172.20.1.0 255.255.255.128
    NAT exempt
    translate_hits = 213, untranslate_hits = 75
  match ip DMZ host 10.0.0.2 management 172.20.1.0 255.255.255.128
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip DMZ host 10.0.0.2 Outside any
    static translation to 83.83.83.83
    translate_hits = 1, untranslate_hits = 597
  match ip DMZ any DMZ any
    dynamic translation to pool 200 (10.0.0.1 [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
  match ip DMZ any Inside any
    dynamic translation to pool 200 (172.20.1.8 [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
  match ip DMZ any management any
    dynamic translation to pool 200 (No matching global)
    translate_hits = 0, untranslate_hits = 0
NAT policies on Interface Inside:
  match ip Inside 172.20.1.0 255.255.255.128 Outside host 10.0.0.2
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip Inside 172.20.1.0 255.255.255.128 DMZ host 10.0.0.2
    NAT exempt
    translate_hits = 75, untranslate_hits = 213
  match ip Inside 172.20.1.0 255.255.255.128 Inside host 10.0.0.2
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip Inside 172.20.1.0 255.255.255.128 management host 10.0.0.2
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip Inside 172.20.1.0 255.255.255.128 Outside any
    dynamic translation to pool 200 (83.83.83.83 [Interface PAT])
    translate_hits = 3195, untranslate_hits = 0
  match ip Inside 172.20.1.0 255.255.255.128 DMZ any
    dynamic translation to pool 200 (10.0.0.1 [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
  match ip Inside 172.20.1.0 255.255.255.128 Inside any
    dynamic translation to pool 200 (172.20.1.8 [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
  match ip Inside 172.20.1.0 255.255.255.128 management any
    dynamic translation to pool 200 (No matching global)
    translate_hits = 0, untranslate_hits = 0
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list Inside_nat0_outbound; 1 elements
access-list Inside_nat0_outbound line 1 extended permit ip 172.20.1.0 255.255.255.128 host 10.0.0.2 (hitcnt=0)
access-list DMZ_nat0_outbound; 1 elements
access-list DMZ_nat0_outbound line 1 extended permit ip host 10.0.0.2 172.20.1.0 255.255.255.128 (hitcnt=0)
access-list Outside_access_in; 16 elements
access-list Outside_access_in line 1 extended permit tcp any any object-group permitgroup
  access-list Outside_access_in line 1 extended permit tcp any any eq sip (hitcnt=0)
  access-list Outside_access_in line 1 extended permit tcp any any eq www (hitcnt=80)
  access-list Outside_access_in line 1 extended permit tcp any any eq h323 (hitcnt=3)
  access-list Outside_access_in line 1 extended permit tcp any any eq domain (hitcnt=0)
  access-list Outside_access_in line 1 extended permit tcp any any eq pop3 (hitcnt=0)
  access-list Outside_access_in line 1 extended permit tcp any any eq https (hitcnt=0)
  access-list Outside_access_in line 1 extended permit tcp any any eq ftp (hitcnt=0)
  access-list Outside_access_in line 1 extended permit tcp any any eq smtp (hitcnt=0)
  access-list Outside_access_in line 1 extended permit tcp any any range 1719 h323 (hitcnt=4)
access-list Outside_access_in line 2 extended permit udp any any object-group permitgroupudp
  access-list Outside_access_in line 2 extended permit udp any any eq sip (hitcnt=0)
  access-list Outside_access_in line 2 extended permit udp any any eq www (hitcnt=0)
  access-list Outside_access_in line 2 extended permit udp any any eq domain (hitcnt=0)
access-list Outside_access_in line 3 extended permit tcp any any object-group permitdmz
  access-list Outside_access_in line 3 extended permit tcp any any eq www (hitcnt=0)
  access-list Outside_access_in line 3 extended permit tcp any any eq https (hitcnt=0)
access-list Outside_access_in line 4 extended permit udp any any object-group permitdmzudp
  access-list Outside_access_in line 4 extended permit udp any any eq www (hitcnt=0)
access-list Outside_access_in line 5 extended permit icmp any any echo-reply (hitcnt=0)
access-list DMZ_pnat_inbound; 1 elements
access-list DMZ_pnat_inbound line 1 extended permit ip any any (hitcnt=0)
I want to redirect the requests coming from outside on the SIP port to a different server inside, other than the web server.
Thanks in advance for any help..
On Monday I can send you my working config so you can compare.
Hello,
Could you review the article above?
Good luck
For example, first let the firewall permit traffic arriving on port 80:
access-list Outside_access_in extended permit tcp any host 94.102.22.36 eq 80 (94.102.22.36 is your public IP)
and redirect that incoming traffic to the server with IP 192.168.2.200:
static (Inside,Outside) tcp 94.102.22.36 80 192.168.2.200 80 netmask 255.255.255.255
You will add one of each of these lines for every kind of traffic you want to permit. For example, 3389 is remote desktop, I think. If you want to permit that kind of traffic, write 3389 where we wrote 80, and in place of 192.168.2.220 write whichever PC or server you want to reach.
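Applying the answer above to the poster's own setup, here is a complete configuration fragment as an added example; it is not from this thread or from any of its participants. It uses the ASA 8.2-era `static (inside,outside)` syntax the answer uses, takes the Outside interface address 83.83.83.83 and the DMZ web server 10.0.0.2 from the poster's `show nat` output, and assumes a made-up address 10.0.0.3 for the SIP server. The point it adds is the reason the poster's port-specific rule was rejected: a one-to-one static on a public address conflicts with a port-level static on the same address, so the one-to-one rule has to be replaced by per-port rules.

```cisco
! Added example, not from the thread. ASA 8.2-style syntax as in the answer above.
! Assumed: Outside interface address 83.83.83.83 and DMZ web server 10.0.0.2 come
! from the poster's "show nat" output; 10.0.0.3 is a made-up address for the SIP server.

! 1. Remove the one-to-one static that maps the whole public address to the web
!    server. A port-level static on the same mapped address conflicts with it, which
!    is why the per-port rule was refused. (The exact original line is inferred from
!    the "static translation to 83.83.83.83" entry in the output.)
no static (DMZ,Outside) 83.83.83.83 10.0.0.2 netmask 255.255.255.255

! 2. Replace it with one static PAT entry per published port. "interface" stands for
!    the Outside interface's own address, so the interface PAT used for outbound
!    traffic keeps working alongside these entries.
static (DMZ,Outside) tcp interface www   10.0.0.2 www   netmask 255.255.255.255
static (DMZ,Outside) tcp interface https 10.0.0.2 https netmask 255.255.255.255
static (DMZ,Outside) tcp interface sip   10.0.0.3 sip   netmask 255.255.255.255
static (DMZ,Outside) udp interface sip   10.0.0.3 sip   netmask 255.255.255.255

! 3. Permit only those ports on the Outside ACL. On 8.2 the inbound ACL is evaluated
!    against the public (pre-translation) address, so the destination is the outside
!    address, not the DMZ host. Narrowing the existing "permit ... any any" lines to
!    this host stops the ACL from also admitting ports that are not published.
access-list Outside_access_in extended permit tcp any host 83.83.83.83 eq www
access-list Outside_access_in extended permit tcp any host 83.83.83.83 eq https
access-list Outside_access_in extended permit tcp any host 83.83.83.83 eq sip
access-list Outside_access_in extended permit udp any host 83.83.83.83 eq sip
access-group Outside_access_in in interface Outside

! 4. Existing translation entries keep the old mapping until they are cleared.
clear xlate
```

After the change, `show nat` should list a separate "static translation" entry per port instead of the single `match ip DMZ host 10.0.0.2 Outside any` entry, and `show xlate` should show only port-level entries for 83.83.83.83. On ASA 8.3 and later the NAT syntax changed to object NAT, so these lines apply to the 8.2-era software that the command forms in this thread indicate.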