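Asking the experts here for help:
I am on an ASA5525-X (PPPoE dial-up, obtaining a public address). Taking TCP as an example (UDP fails the same way):
With a mapping for a single TCP port, the server is reachable from the outside; after configuring a port range as follows, it is not: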
object service TCP6632_6642
 service tcp destination range 6632 6642
object network server01
 host 172.16.143.63
nat (inside,outside) source static server01 interface service TCP6632_6642 TCP6632_6642
access-list OUTSIDE_ACCESS_IN extended permit tcp any host 172.16.143.63 range 6632 6642
access-group OUTSIDE_ACCESS_IN in interface outside
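The configuration contains other NAT rules, including split tunneling and Internet access. After completing the configuration above, in the show run listing the NAT under MAP is parallel to the other NAT rules, and you cannot tell that the mapping was made under the OBJECT. After upgrading to Version 9.12(3)12 the problem remains.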
Thank you. After tracing, I found that the drop is at my dial-up Internet access PAT:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network nat-pat-grp
nat (inside,outside) dynamic interface
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x00005642b6c0c4f9 flow (NA)/NA