Cisco ASA NAT: Difference between revisions

From Xinux Wiki
Revision as of 15 February 2016, 12:16

Masquerading on the outgoing interface (regular dynamic PAT): every host in the LAN subnet is translated to the IP address of if-outside.

  • ciscoasa(config)# object network obj-lan
  • ciscoasa(config-network-object)# subnet 172.18.122.0 255.255.255.0
  • ciscoasa(config-network-object)# nat (if-inside,if-outside) dynamic interface

NAT to a single host in the LAN (static NAT with port translation)

Port forwarding to the internal bastion host. All three objects point at the same host; a separate network object is needed for each forwarded service because an object can carry only one nat statement. The keyword interface maps the service to the IP address of if-outside. Within object NAT the static rules are evaluated before the dynamic PAT rule above, so inbound connections to the forwarded ports reach the bastion host while outbound traffic is still masqueraded.

Web server
  • ciscoasa(config)# object network obj-www
  • ciscoasa(config-network-object)# host 172.18.122.101
  • ciscoasa(config-network-object)# nat (if-inside,if-outside) static interface service tcp www www
SMTP
  • ciscoasa(config)# object network obj-smtp
  • ciscoasa(config-network-object)# host 172.18.122.101
  • ciscoasa(config-network-object)# nat (if-inside,if-outside) static interface service tcp smtp smtp
SSH, external port 8472 to internal port 22. In service tcp ssh 8472 the first port is the real (inside) port and the second the mapped (outside) port.
  • ciscoasa(config)# object network obj-ssh
  • ciscoasa(config-network-object)# host 172.18.122.101
  • ciscoasa(config-network-object)# nat (if-inside,if-outside) static interface service tcp ssh 8472

Building the ACLs

Since ASA 8.3 an access list that is applied to the outside interface matches the real (untranslated) destination address and port, so the SSH entry uses eq ssh (port 22), not the mapped port 8472. Note that the source is any in all three entries; for SSH in particular a practitioner would normally restrict the source to the administrators' network.

  • ciscoasa(config)# access-list acl-bastion extended permit tcp any object obj-www eq www
  • ciscoasa(config)# access-list acl-bastion extended permit tcp any object obj-smtp eq smtp
  • ciscoasa(config)# access-list acl-bastion extended permit tcp any object obj-ssh eq ssh

Applying the ACL

  • ciscoasa(config)# access-group acl-bastion in interface if-outside
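The following block is an added example and not part of the wiki page: it keeps the port forwards above but restricts SSH to an administrators' network and shows how to verify the result on the ASA. The object group name net-admin, the admin subnet 198.51.100.0/24, the if-outside address 203.0.113.1 and the tester addresses 198.51.100.10 and 192.0.2.7 are assumptions.

```cisco
! Added example, not from the original page. Names and addresses marked
! below are assumptions.
object network obj-www
 host 172.18.122.101
 nat (if-inside,if-outside) static interface service tcp www www
object network obj-smtp
 host 172.18.122.101
 nat (if-inside,if-outside) static interface service tcp smtp smtp
object network obj-ssh
 host 172.18.122.101
 nat (if-inside,if-outside) static interface service tcp ssh 8472
!
! Assumed administrators' network; only these sources may reach SSH.
object-group network net-admin
 network-object 198.51.100.0 255.255.255.0
!
! ACL entries match the real (inside) address and port: eq ssh, not 8472.
! The weak form is "permit tcp any object obj-ssh eq ssh"; the hardened
! form limits the source to net-admin.
access-list acl-bastion extended permit tcp any object obj-www eq www
access-list acl-bastion extended permit tcp any object obj-smtp eq smtp
access-list acl-bastion extended permit tcp object-group net-admin object obj-ssh eq ssh
access-group acl-bastion in interface if-outside
!
! Verification. 203.0.113.1 is the assumed address of if-outside.
! Show the translation rules and their hit counts:
show nat detail
! Simulate an admin connecting to the mapped SSH port (expected: allowed,
! translated to 172.18.122.101/22 with "Action: allow"):
packet-tracer input if-outside tcp 198.51.100.10 40000 203.0.113.1 8472
! Simulate an unknown source (expected: dropped in the ACCESS-LIST phase):
packet-tracer input if-outside tcp 192.0.2.7 40000 203.0.113.1 8472
```

The packet-tracer output lists each processing phase (UN-NAT, ACCESS-LIST, NAT, ...) and is the quickest way to confirm that the NAT rule and the ACL agree on the real port. If the untranslated destination in the UN-NAT phase is not 172.18.122.101/22, the real and mapped ports in the service clause are in the wrong order.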