Using ASA Twice NAT so that internal hosts can reach a mapped public address

發(fā)布時(shí)間:2020-07-06 17:50:08 來(lái)源:網(wǎng)絡(luò) 閱讀:7225 作者:碧云天 欄目:安全技術(shù)

1. Overview:
   By default, whether an Inside or a DMZ address or service is mapped to the Outside zone, hosts in the Inside and DMZ zones cannot reach the internal server through the mapped address: the SYN arrives on an internal interface addressed to the ASA's own Outside address and is dropped. ASA 8.3 introduced Twice NAT (also called manual NAT), which matches both the source and the destination address in a single NAT statement and can translate any one, two or all three of source address, destination address and port. Twice NAT rules configured without after-auto sit in NAT section 1 and are evaluated before network object NAT, so the hairpin rules below take precedence over the static PAT entries that publish the servers.
2. Basic idea:
A. Inside mapped to Outside
①Outside reaching the mapped Inside address: works as is
②Inside reaching the mapped Inside address: Twice NAT translates both the source and the destination
---the source becomes the Inside interface address and the destination becomes the real address of the Inside host
---without source translation the forward and return paths differ: the server sees the real client address on its own segment and replies to it directly, bypassing the ASA, so no session can be established
③DMZ reaching the mapped Inside address: Twice NAT translates only the destination
---the destination becomes the real address of the Inside host
---both ends now use real addresses, so Inside and DMZ need routes to each other
---the source could also be translated to the Inside interface address at the same time, but then the server logs the firewall instead of the real client, so for audit reasons this is not recommended

B. DMZ mapped to Outside
①Outside reaching the mapped DMZ address: works as is
②Inside reaching the mapped DMZ address: Twice NAT translates only the destination
---the destination becomes the real address of the DMZ host
---both ends now use real addresses, so Inside and DMZ need routes to each other
---the source could also be translated to the DMZ interface address at the same time; for audit reasons this is not recommended
---in actual testing on an emulator, however, leaving the source untranslated frequently produced -- bad sequence number errors
---I cannot work out why a sequence number error appears; even setting set connection random-sequence-number disable through MPF only mitigates it, it still shows up occasionally, so it is probably the emulator. (That setting switches off the ASA's TCP ISN randomization for the matched traffic, a protection for hosts with predictable ISNs, so treat it as a troubleshooting step rather than a production setting.)
③DMZ reaching the mapped DMZ address: Twice NAT translates both the source and the destination
---the source becomes the DMZ interface address and the destination becomes the real address of the DMZ host
---without source translation the forward and return paths differ, so no session can be established
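The four cases above can be checked without a lab. The following Python model is an added illustration written for this page, not ASA code or output: it reduces the ASA to a route lookup, one Twice NAT rule and the question "which way does the server send its SYN/ACK", using the page's own addresses and rules. The Pkt and TwiceNat classes, the HOST_SUBNET table and the simplification that source ports are left untouched are this model's assumptions. It reproduces why the Inside->Inside and DMZ->DMZ cases need the source translated while the Inside<->DMZ cases do not.

```python
"""Packet-walk model of the four Twice NAT cases above (added illustration, not ASA code)."""
import ipaddress
from dataclasses import dataclass, replace

# ASA interfaces from the test topology: nameif -> (interface address, connected subnet)
ASA_IFACES = {
    "Inside": ("10.1.1.10", "10.1.1.0/24"),
    "DMZ": ("192.168.1.10", "192.168.1.0/24"),
    "Outside": ("202.100.1.10", "202.100.1.0/24"),
}
# Every router in the test sits on a /24 and default-routes to the ASA (taken from the configs).
HOST_SUBNET = {
    "10.1.1.1": "10.1.1.0/24", "10.1.1.2": "10.1.1.0/24",
    "192.168.1.3": "192.168.1.0/24", "202.100.1.4": "202.100.1.0/24",
}


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class TwiceNat:
    """nat (real_ifc,mapped_ifc) source static any <src_mapped> destination static
    <dst_mapped> <dst_real> service <dport_mapped> <dport_real>.
    src_mapped is 'any' (identity) or 'interface' (rewrite to the mapped interface address).
    Source ports are left untouched in this model (assumption)."""
    real_ifc: str
    mapped_ifc: str
    src_mapped: str
    dst_mapped: str
    dst_real: str
    dport_mapped: int
    dport_real: int


def egress_iface(dst):
    """ASA route lookup; the test topology has connected routes only."""
    for name, (_, net) in ASA_IFACES.items():
        if ipaddress.ip_address(dst) in ipaddress.ip_network(net):
            return name
    return None


def translate(rule, ingress, pkt):
    """Apply the rule to a SYN entering on `ingress`: (translated packet, egress interface),
    or None when the rule does not match."""
    if ingress != rule.real_ifc or pkt.dst != rule.dst_mapped or pkt.dport != rule.dport_mapped:
        return None
    src = ASA_IFACES[rule.mapped_ifc][0] if rule.src_mapped == "interface" else pkt.src
    return Pkt(src, pkt.sport, rule.dst_real, rule.dport_real), rule.mapped_ifc


def reply_path(server, seen_src):
    """Where the server sends its SYN/ACK: 'asa' (through the firewall, so the conn entry
    can untranslate it) or 'direct' (same segment as the client, bypassing the ASA)."""
    if seen_src in {addr for addr, _ in ASA_IFACES.values()}:
        return "asa"      # replying to the firewall's own interface address
    if ipaddress.ip_address(seen_src) in ipaddress.ip_network(HOST_SUBNET[server]):
        return "direct"   # ARPs for the client on the local segment; the ASA never sees it
    return "asa"          # off-subnet: default route points at the ASA


def session_works(rule, ingress, pkt):
    """True if the SYN is translated, leaves on the rule's mapped interface, and the reply
    returns through the ASA. A 'direct' reply reaches the client from the server's real
    address, not from the mapped address it connected to, so the client discards it."""
    res = translate(rule, ingress, pkt)
    if res is None:
        return False
    xlated, egress = res
    if egress_iface(xlated.dst) != egress:
        return False
    return reply_path(xlated.dst, xlated.src) == "asa"


# The four rules from sections A-D of the page, in their final form.
RULES = {
    "A Inside->Inside": TwiceNat("Inside", "Inside", "interface", "202.100.1.10", "10.1.1.2", 23, 23),
    "B Inside->DMZ": TwiceNat("Inside", "DMZ", "any", "202.100.1.10", "192.168.1.3", 2323, 23),
    "C DMZ->Inside": TwiceNat("DMZ", "Inside", "any", "202.100.1.10", "10.1.1.2", 23, 23),
    "D DMZ->DMZ": TwiceNat("DMZ", "DMZ", "interface", "202.100.1.10", "192.168.1.3", 2323, 23),
}
# One constructed SYN per case: (ingress interface, packet); 17155 is the port seen in the debug
SYNS = {
    "A Inside->Inside": ("Inside", Pkt("10.1.1.1", 17155, "202.100.1.10", 23)),
    "B Inside->DMZ": ("Inside", Pkt("10.1.1.1", 17155, "202.100.1.10", 2323)),
    "C DMZ->Inside": ("DMZ", Pkt("192.168.1.3", 17155, "202.100.1.10", 23)),
    "D DMZ->DMZ": ("DMZ", Pkt("192.168.1.3", 17155, "202.100.1.10", 2323)),
}


def hairpin_report():
    """case -> (works as configured, works with the source left as identity 'any')."""
    out = {}
    for name, rule in RULES.items():
        ingress, syn = SYNS[name]
        identity = replace(rule, src_mapped="any")
        out[name] = (session_works(rule, ingress, syn), session_works(identity, ingress, syn))
    return out


if __name__ == "__main__":
    for name, (as_cfg, no_src_nat) in hairpin_report().items():
        print(f"{name:18} configured={as_cfg}  without-source-NAT={no_src_nat}")
```

hairpin_report() returns, per case, whether the session works as configured and whether it would still work with the source left as any: A and D fail without source translation, B and C work either way. The model says nothing about the emulator's sequence number errors, which a path check cannot explain.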
三.測(cè)試拓?fù)洌?/span>
R1-----SW--(Inside)----ASA---(Outside)----R4
            |                     |
            |                     |
           R2                 R3(DMZ)
四.測(cè)試需求:
A.將R2的TCP23端口映射到ASA的Outside接口的23端口上
----要求R1~R4都能通訪問(wèn)ASA的Outside接口的23端口訪問(wèn)到R2的23端口
B.將R3的TCP23端口映射到ASA的Outside接口的2323端口上
----要求R1~R4都能通訪問(wèn)ASA的Outside接口的2323端口訪問(wèn)到R3的23端口
5. Basic configuration:
A.R1:
interface FastEthernet0/0
     ip address 10.1.1.1 255.255.255.0
     no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.10
B.R2:
interface FastEthernet0/0
     ip address 10.1.1.2 255.255.255.0
     no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.10
line vty 0 4
     password cisco
     login
C.ASA:
interface GigabitEthernet0
     nameif Inside
     security-level 100
     ip address 10.1.1.10 255.255.255.0
     no shut
interface GigabitEthernet1
     nameif DMZ
     security-level 50
     ip address 192.168.1.10 255.255.255.0
     no shut
interface GigabitEthernet2
     nameif Outside
     security-level 0
     ip address 202.100.1.10 255.255.255.0
     no shut
D.R3:
interface FastEthernet0/0
     ip address 192.168.1.3 255.255.255.0
     no shut
ip route 0.0.0.0 0.0.0.0 192.168.1.10
line vty 0 4
     password cisco
     login
E.R4:
interface FastEthernet0/0
     ip address 202.100.1.4 255.255.255.0
     no shut
6. ASA NAT and policy configuration:
A. Dynamic PAT so that Inside and DMZ can reach the public network
object network Inside-NET
     subnet 10.1.1.0 255.255.255.0
     nat (Inside,Outside) dynamic interface
object network DMZ-NET
     subnet 192.168.1.0 255.255.255.0
     nat (DMZ,Outside) dynamic interface
B.靜態(tài)PAT將R2和R3映射出去:
object network Inside-R2
     host 10.1.1.2
     nat (Inside,Outside) static interface service tcp 23 23
object network DMZ-R3
     host 192.168.1.3
     nat (DMZ,Outside) static interface service tcp 23 2323
C. Firewall policy:
①Enable ICMP inspection (so the echo replies to the PAT'd pings are allowed back in):
policy-map global_policy
     class inspection_default
           inspect icmp
②Permit policy on the Outside interface (since 8.3 an ACL matches the real, untranslated address and port, hence object Inside-R2 / object DMZ-R3 with eq telnet rather than 202.100.1.10 and 2323):
access-list OUTSIDE extended permit tcp any object Inside-R2 eq telnet
access-list OUTSIDE extended permit tcp any object DMZ-R3 eq telnet
access-group OUTSIDE in interface Outside
③Permit policy on the DMZ interface:
access-list DMZ extended permit tcp any object Inside-R2 eq telnet
access-list DMZ extended permit icmp any any
access-list DMZ extended deny ip any object Inside-NET
access-list DMZ extended permit ip any any
access-group DMZ in interface DMZ
---Note: this is only a test; in practice do not open DMZ to Inside unless necessary, and when it is, permit specific hosts only. As written, permit icmp any any precedes the deny, so the DMZ can still ping every Inside host.
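As an added example (not ASA code), the following Python walks the DMZ access-list above the way the ASA does: entries are tried in order, the first match wins, an implicit deny follows the last entry, and, since 8.3, matching uses the real address, which is why the rule for R2 is written against object Inside-R2 (10.1.1.2) even though the DMZ connects to 202.100.1.10. The object table, the ACE tuples and the sample flows are transcribed from this page; shadowed() is this example's own check for entries that an earlier, broader entry makes unreachable.

```python
"""First-match evaluation of access-list DMZ as applied 'in interface DMZ' (added example)."""
import ipaddress

# Network objects as defined on the page, plus the 'any' keyword.
OBJECTS = {
    "any": "0.0.0.0/0",
    "Inside-R2": "10.1.1.2/32",
    "Inside-NET": "10.1.1.0/24",
}

# (action, protocol, source object, destination object, destination port or None)
ACL_DMZ = [
    ("permit", "tcp", "any", "Inside-R2", 23),     # permit tcp any object Inside-R2 eq telnet
    ("permit", "icmp", "any", "any", None),        # permit icmp any any
    ("deny", "ip", "any", "Inside-NET", None),     # deny ip any object Inside-NET
    ("permit", "ip", "any", "any", None),          # permit ip any any
]


def _member(addr, obj):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(OBJECTS[obj])


def _covers(outer, inner):
    """True when every address of object `inner` is also in object `outer`."""
    return ipaddress.ip_network(OBJECTS[inner]).subnet_of(ipaddress.ip_network(OBJECTS[outer]))


def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, ACE index) for a flow using REAL addresses; index -1 is the implicit deny."""
    for i, (action, p, s, d, port) in enumerate(acl):
        if p not in ("ip", proto):
            continue
        if not (_member(src, s) and _member(dst, d)):
            continue
        if port is not None and port != dport:
            continue
        return action, i
    return "deny", -1


def shadowed(acl):
    """Indices of ACEs that can never match because an earlier, broader ACE covers them;
    an empty list means the ordering is sound."""
    dead = []
    for j, (_, pj, sj, dj, portj) in enumerate(acl):
        for i in range(j):
            _, pi, si, di, porti = acl[i]
            if pi in ("ip", pj) and _covers(si, sj) and _covers(di, dj) and porti in (None, portj):
                dead.append(j)
                break
    return dead


def dmz_reachability():
    """What R3 may initiate, evaluated against the real addresses the ACL sees."""
    return {
        "R3 -> R2 telnet": evaluate(ACL_DMZ, "tcp", "192.168.1.3", "10.1.1.2", 23),
        "R3 -> R1 telnet": evaluate(ACL_DMZ, "tcp", "192.168.1.3", "10.1.1.1", 23),
        "R3 -> R1 ping": evaluate(ACL_DMZ, "icmp", "192.168.1.3", "10.1.1.1"),
        "R3 -> R4 http": evaluate(ACL_DMZ, "tcp", "192.168.1.3", "202.100.1.4", 80),
    }


if __name__ == "__main__":
    for flow, (action, idx) in dmz_reachability().items():
        print(f"{flow:16} {action} (ACE {idx})")
    print("shadowed entries:", shadowed(ACL_DMZ))
```

With the page's ordering nothing is shadowed; moving permit ip any any to the top would silently make the deny and the two specific permits dead, which is the kind of mistake shadowed() is there to catch before the ACL is pushed.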
D.測(cè)試:
①I(mǎi)nside區(qū)和DMZ區(qū)能訪問(wèn)公網(wǎng):
R1#PING 202.100.1.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/80/168 ms
R2#ping 202.100.1.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/67/156 ms
R3#ping 202.100.1.4          

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/120/204 ms
②The mapped ports are reachable only from Outside; from Inside the connection to the ASA's own Outside address times out:
R4#TELNET 202.100.1.10 23
Trying 202.100.1.10 ... Open


User Access Verification

Password:
R2>show users  
   Line       User       Host(s)              Idle       Location
  0 con 0                idle                 00:55:06  
* 66 vty 0                idle                 00:00:00 202.100.1.4

 Interface    User               Mode         Idle     Peer Address

R2>

R4#TELNET 202.100.1.10 2323
Trying 202.100.1.10, 2323 ... Open


User Access Verification

Password:
R3>show users
   Line       User       Host(s)              Idle       Location
  0 con 0                idle                 00:51:12  
* 66 vty 0                idle                 00:00:00 202.100.1.4

 Interface    User               Mode         Idle     Peer Address

R3>
R1#telnet 202.100.1.10
Trying 202.100.1.10 ...
% Connection timed out; remote host not responding
7. ASA Twice NAT configuration:
A. Inside reaching the mapped Inside address: translate both the source and the destination
①Define the objects:
object network Public-R2
host 202.100.1.10
object service tcp23
service tcp destination eq telnet
②Configure the Twice NAT rule:
nat (Inside,Inside) source static any interface destination static Public-R2 Inside-R2 service tcp23 tcp23
---reading order of a Twice NAT line: source static <real> <mapped>, destination static <mapped> <real>; here every Inside source is rewritten to the Inside interface address and the mapped 202.100.1.10 is rewritten to the real 10.1.1.2. The same effect is also commonly written as source dynamic any interface, which PATs the clients behind the interface address explicitly
③允許相同接口的訪問(wèn):
same-security-traffic permit intra-interface
---因?yàn)樵L問(wèn)時(shí),既從Inside口進(jìn),又從Inside出,所以需要這條
④測(cè)試:
R1#telnet 202.100.1.10
Trying 202.100.1.10 ... Open


User Access Verification

Password:
R2>show users
   Line       User       Host(s)              Idle       Location
  0 con 0                idle                 01:07:35  
* 66 vty 0                idle                 00:00:00 10.1.1.10

 Interface    User               Mode         Idle     Peer Address

R2>

R2#telnet 202.100.1.10
Trying 202.100.1.10 ... Open


User Access Verification

Password:
R2>show users
   Line       User       Host(s)              Idle       Location
  0 con 0                202.100.1.10         00:00:00
* 66 vty 0                idle                 00:00:00 10.1.1.10

 Interface    User               Mode         Idle     Peer Address

B. Inside reaching the mapped DMZ address: translate only the destination
①Define the objects (DMZ-R3 was already created in section 6 and is repeated here for completeness; Public-R3 is the same address as Public-R2, so a single object would do):
object network Public-R3
     host 202.100.1.10
object network DMZ-R3
     host 192.168.1.3
object service tcp2323
     service tcp destination eq 2323
②Configure the Twice NAT rule:
nat (Inside,DMZ) source static any any destination static Public-R3 DMZ-R3 service tcp2323 tcp23
---source static any any is an identity translation, the source is left untouched. In the service part the first object pairs with the mapped destination (2323) and the second with the real destination (23), which is why the order is tcp2323 tcp23
③Test:
R1#telnet 202.100.1.10 2323
Trying 202.100.1.10, 2323 ...
% Connection timed out; remote host not responding

R3#debug ip tcp packet port 23
TCP Packet debugging is on for port number 23
R3#
*Mar  1 13:18:25.648: tcp0: I LISTEN 10.1.1.1:17155 192.168.1.3:23 seq 1568429504
       OPTS 4 SYN  WIN 4128
*Mar  1 13:18:25.652: tcp0: O SYNRCVD 10.1.1.1:17155 192.168.1.3:23 seq 1603796811
       OPTS 4 ACK 1568429505 SYN  WIN 4128
*Mar  1 13:18:25.656: tcp0: I SYNRCVD 10.1.1.1:17155 192.168.1.3:23 seq 4193850862
       OPTS 4 SYN  WIN 4128
*Mar  1 13:18:25.660: tcp0: O SYNRCVD 10.1.1.1:17155 192.168.1.3:23 seq 1603796811
       ACK 1568429505  WIN 4128
*Mar  1 13:18:25.660: TCP0: bad seg from 10.1.1.1 -- bad sequence number: port 23 seq 4193850862 ack 0 rcvnxt 1568429505 rcvwnd 4128 len 0
④Workaround:
---change the NAT rule so that the source is translated to the DMZ interface address as well
nat (Inside,DMZ) source static any interface destination static Public-R3 DMZ-R3 service tcp2323 tcp23
⑤Test again (R3 now sees both sessions from 192.168.1.10, the ASA's DMZ address):
R1#telnet 202.100.1.10 2323
Trying 202.100.1.10, 2323 ... Open


User Access Verification

Password:
R3>show users
   Line       User       Host(s)              Idle       Location
  0 con 0                idle                 00:02:15  
* 66 vty 0                idle                 00:00:00 192.168.1.10

 Interface    User               Mode         Idle     Peer Address

R3>
R2#telnet 202.100.1.10 2323
Trying 202.100.1.10, 2323 ... Open


User Access Verification

Password:
R3>show users
   Line       User       Host(s)              Idle       Location
  0 con 0                idle                 00:03:13  
 66 vty 0                idle                 00:00:58 192.168.1.10
* 67 vty 1                idle                 00:00:00 192.168.1.10

 Interface    User               Mode         Idle     Peer Address

R3>
C. DMZ reaching the mapped Inside address: translate only the destination
①Define the objects:
---already defined above
②Configure the Twice NAT rule:
nat (DMZ,Inside) source static any any destination static Public-R2 Inside-R2 service tcp23 tcp23
③Test (the source is not translated, so R2 logs the real DMZ address 192.168.1.3):
R3#telnet 202.100.1.10
Trying 202.100.1.10 ... Open


User Access Verification

Password:
R2>show users
   Line       User       Host(s)              Idle       Location
  0 con 0                202.100.1.10         00:02:49
* 66 vty 0                idle                 00:00:00 192.168.1.3

 Interface    User               Mode         Idle     Peer Address

R2>
D. DMZ reaching the mapped DMZ address: translate both the source and the destination
①Define the objects:
---already defined above
②Configure the Twice NAT rule:
nat (DMZ,DMZ) source static any interface destination static Public-R3 DMZ-R3 service tcp2323 tcp23
③Permit traffic that enters and leaves the same interface:
---already configured above: same-security-traffic permit intra-interface
④Test:
R3#telnet 202.100.1.10 2323
Trying 202.100.1.10, 2323 ... Open


User Access Verification

Password:
R3>show users
   Line       User       Host(s)              Idle       Location
  0 con 0                202.100.1.10         00:00:00
 66 vty 0                idle                 00:07:01 192.168.1.10
 67 vty 1                idle                 00:06:02 192.168.1.10
* 68 vty 2                idle                 00:00:00 192.168.1.10

 Interface    User               Mode         Idle     Peer Address

R3>

