Forum

asa 5510 port forwa...
 
Bildirimler
Hepsini Temizle

asa 5510 port forwarding

8 Yazılar
5 Üyeler
0 Reactions
557 Görüntüleme
(@GurcemSemercioglu)
Gönderiler: 14
Eminent Member
Konu başlatıcı
 

Merhaba,


Bir tane asa5510 konfigüre ettim. Networkte bir adet web server barindiriyoruz. Dis ip'mize gelen butun istekleri nat yaparak bu server'a yonlendirdim. Simdi birkac port icin disaridan gelecek isteklerin yine icerdeki farkli bir server'a yonlenmesini istiyorum. Port belirterek nat yaptigimda diger nat kurali oldugu icin kabul etmiyor. Belirleyecegim birkac port icin bu yonlendirmeyi nasil yapabilirim?


Simdiden tesekkurler..

 
Gönderildi : 23/12/2008 18:10

(@Hubyar)
Gönderiler: 3
New Member

(@GurcemSemercioglu)
Gönderiler: 14
Eminent Member
Konu başlatıcı
 

bu dokumanlara baktim fakat cozumunu bulamadim..

 
Gönderildi : 23/12/2008 20:00

(@mesutsariyar)
Gönderiler: 2515
Co-Founder
 

Merhaba,


show access-lists  ile show ip nat translations çıktılarını alırmısınız


 

 
Gönderildi : 24/12/2008 02:48

(@GurcemSemercioglu)
Gönderiler: 14
Eminent Member
Konu başlatıcı
 

NAT policies on Interface DMZ:
  match ip DMZ host 10.0.0.2 Outside 172.20.1.0 255.255.255.128
    NAT exempt
    translate_hits = 2, untranslate_hits = 0
  match ip DMZ host 10.0.0.2 DMZ 172.20.1.0 255.255.255.128
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip DMZ host 10.0.0.2 Inside 172.20.1.0 255.255.255.128
    NAT exempt
    translate_hits = 213, untranslate_hits = 75
  match ip DMZ host 10.0.0.2 management 172.20.1.0 255.255.255.128
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip DMZ host 10.0.0.2 Outside any
    static translation to 83.83.83.83
    translate_hits = 1, untranslate_hits = 597
  match ip DMZ any DMZ any
    dynamic translation to pool 200 (10.0.0.1 [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
  match ip DMZ any Inside any
    dynamic translation to pool 200 (172.20.1.8 [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
  match ip DMZ any management any
    dynamic translation to pool 200 (No matching global)
    translate_hits = 0, untranslate_hits = 0

NAT policies on Interface Inside:
  match ip Inside 172.20.1.0 255.255.255.128 Outside host 10.0.0.2
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip Inside 172.20.1.0 255.255.255.128 DMZ host 10.0.0.2
    NAT exempt
    translate_hits = 75, untranslate_hits = 213
  match ip Inside 172.20.1.0 255.255.255.128 Inside host 10.0.0.2
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip Inside 172.20.1.0 255.255.255.128 management host 10.0.0.2
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip Inside 172.20.1.0 255.255.255.128 Outside any
    dynamic translation to pool 200 (83.83.83.83 [Interface PAT])
    translate_hits = 3195, untranslate_hits = 0
  match ip Inside 172.20.1.0 255.255.255.128 DMZ any
    dynamic translation to pool 200 (10.0.0.1 [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
  match ip Inside 172.20.1.0 255.255.255.128 Inside any
    dynamic translation to pool 200 (172.20.1.8 [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
  match ip Inside 172.20.1.0 255.255.255.128 management any
    dynamic translation to pool 200 (No matching global)
    translate_hits = 0, untranslate_hits = 0

 

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list Inside_nat0_outbound; 1 elements
access-list Inside_nat0_outbound line 1 extended permit ip 172.20.1.0 255.255.25
5.128 host 10.0.0.2 (hitcnt=0)
access-list DMZ_nat0_outbound; 1 elements
access-list DMZ_nat0_outbound line 1 extended permit ip host 10.0.0.2 172.20.1.0
 255.255.255.128 (hitcnt=0)
access-list Outside_access_in; 16 elements
access-list Outside_access_in line 1 extended permit tcp any any object-group pe
rmitgroup
access-list Outside_access_in line 1 extended permit tcp any any eq sip (hitcnt=
0)
access-list Outside_access_in line 1 extended permit tcp any any eq www (hitcnt=
80)
access-list Outside_access_in line 1 extended permit tcp any any eq h323 (hitcnt
=3)
access-list Outside_access_in line 1 extended permit tcp any any eq domain (hitc
nt=0)
access-list Outside_access_in line 1 extended permit tcp any any eq pop3 (hitcnt
=0)
access-list Outside_access_in line 1 extended permit tcp any any eq https (hitcn
t=0)
access-list Outside_access_in line 1 extended permit tcp any any eq ftp (hitcnt=
0)
access-list Outside_access_in line 1 extended permit tcp any any eq smtp (hitcnt
=0)
access-list Outside_access_in line 1 extended permit tcp any any range 1719 h323
 (hitcnt=4)
access-list Outside_access_in line 2 extended permit udp any any object-group pe
rmitgroupudp
access-list Outside_access_in line 2 extended permit udp any any eq sip (hitcnt=
0)
access-list Outside_access_in line 2 extended permit udp any any eq www (hitcnt=
0)
access-list Outside_access_in line 2 extended permit udp any any eq domain (hitc
nt=0)
access-list Outside_access_in line 3 extended permit tcp any any object-group pe
rmitdmz
access-list Outside_access_in line 3 extended permit tcp any any eq www (hitcnt=
0)
access-list Outside_access_in line 3 extended permit tcp any any eq https (hitcn
t=0)
access-list Outside_access_in line 4 extended permit udp any any object-group pe
rmitdmzudp
access-list Outside_access_in line 4 extended permit udp any any eq www (hitcnt=
0)
access-list Outside_access_in line 5 extended permit icmp any any echo-reply (hi
tcnt=0)
access-list DMZ_pnat_inbound; 1 elements
access-list DMZ_pnat_inbound line 1 extended permit ip any any (hitcnt=0)

 

sip portu icin disaridan gelen istekleri iceride web server haricinde baska bir server'a yonlendirmek istiyorum.

yardimlar icin simdiden tesekkurler..

 
Gönderildi : 29/01/2009 21:25

(@selimatmaca)
Gönderiler: 242
Reputable Member
 

pazartesi size calisan konfigimi gönderebilirim, karsilastrirsiniz

 
Gönderildi : 30/01/2009 22:54

(@cozumpark)
Gönderiler: 16307
Illustrious Member Yönetici
 

merhabalar


http://www.cozumpark.com/blogs/cisco_system/archive/2008/04/03/cisco-asa-5510-un-temel-konfig-rasyonu.aspx


yukarıdaki makaleyi incelermisiniz.


kolay gelsin

 
Gönderildi : 31/01/2009 01:52

(@selimatmaca)
Gönderiler: 242
Reputable Member
 

Mesela firewall oncelikle port 80 e gelenlere izin versin

access-list Outside_access_in extended permit tcp any host 94.102.22.36 eq 80  (94.102.22.36 sizin public ipniz )

 

ve bu gelen trafigi 192.168.2.200 ipli servera yonlendirsin

static (Inside,Outside) tcp 94.102.22.36 80 192.168.2.200 80 netmask 255.255.255.255

 

izin vermek istediginiz her turlu trafik icin  bu satirlardan birer tane ekliyeceksiniz. Mesela 3389 sanirim remote desktopti. Eger bu tur bir trafige izin vermek istiyorsaniz 80 yazdigimiz yerlere 3389 yazacaksiniz, 192.168.2.220 un yerinde hangi pc veya servera ulasacaksaniz onu yazin.

 
Gönderildi : 06/02/2009 03:26

Paylaş: