已解决: 5520 asa9.1version NAT

332953358 · ‎07-14-2022

DC-ASA(config)# sh run
: Saved
:
: Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
:
ASA Version 9.1(6)
!
hostname DC-ASA

names
dns-guard
!
interface GigabitEthernet0/0
nameif outside0
security-level 0
ip address 1.1.1.2 255.255.255.248
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
nameif inside3
security-level 100
ip address 192.168.15.254 255.255.255.0
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone CST 8
dns domain-lookup outside0
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 114..114.114.114
same-security-traffic permit inter-interface
object network peer_efc
subnet 192.168.4.0 255.255.255.0
object network peer_tokyo
subnet 192.168.5.0 255.255.255.0
object network peer_local
subnet 192.168.15.0 255.255.255.0
object network openvpn_host
host 192.168.15.20
object network line_1
host 1.1.1.3
object network network_local
subnet 192.168.15.0 255.255.255.0
object network peer_dc_tech
subnet 172.16.1.0 255.255.255.0
object network peer_shanghai
subnet 192.168.3.0 255.255.255.0
network-object host 192.168.15.1
network-object host 192.168.15.68
network-object host 192.168.15.69
object-group service service_mail
service-object tcp destination eq imap4
service-object tcp destination eq pop2
service-object tcp destination eq pop3
service-object tcp destination eq smtp
service-object tcp destination eq 995
object-group network peer_pool
network-object object peer_efc
network-object object peer_tokyo
network-object object peer_shanghai
network-object object peer_dc_tech
object-group service openvpn_service
service-object udp destination eq 1194
service-object tcp destination eq https
access-list outside_cryptomap_1 extended permit ip object peer_local object peer_efc
access-list outside_into_inside extended permit object-group openvpn_service any object openvpn_host
access-list outside_cryptomap_2 extended permit ip object peer_local object peer_tokyo
access-list outside_cryptomap_3 extended permit ip object peer_local object peer_dc_tech
access-list outside_cryptomap_4 extended permit ip object peer_local object peer_shanghai
pager lines 24
mtu outside0 1500
mtu inside3 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-openjre-7161.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside3,outside0) source static network_local network_local destination static peer_pool peer_pool
!
object network openvpn_host
nat (inside3,outside0) static line_1
access-group outside_into_inside in interface outside0
route outside0 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.15.0 255.255.255.0 inside3
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map outside_cryptomap 1 match address outside_cryptomap_1
crypto map outside_cryptomap 1 set peer 2.2.2.2
crypto map outside_cryptomap 1 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_cryptomap 2 match address outside_cryptomap_2
crypto map outside_cryptomap 2 set peer 3.3.3.3
crypto map outside_cryptomap 2 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_cryptomap 3 match address outside_cryptomap_3
crypto map outside_cryptomap 3 set peer 4.4.4.4
crypto map outside_cryptomap 3 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_cryptomap 4 match address outside_cryptomap_4
crypto map outside_cryptomap 4 set peer 5.5.5.5
crypto map outside_cryptomap 4 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_cryptomap interface outside0
crypto ca trustpool policy
crypto ikev1 enable outside0
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 192.168.15.0 255.255.255.0 inside3
telnet timeout 300
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.15.101-192.168.15.199 inside3
dhcpd dns 192.168.15.1 interface inside3
dhcpd wins 192.168.15.1 interface inside3
dhcpd option 3 ip 192.168.15.254 interface inside3
dhcpd enable inside3
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username olandadmin password t9kAbjMwnZfmD/HX encrypted
tunnel-group *.*.*.* type ipsec-l2l
tunnel-group *.*.*.* ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group *.*.*.* type ipsec-l2l
tunnel-group *.*.*.* ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group *.*.*.* type ipsec-l2l
tunnel-group *.*.*.* ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group *.*.*.* type ipsec-l2l
tunnel-group *.*.*.* ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
password encryption aes
Cryptochecksum*****************
: end

问题：

1、如何让内网192.168.15.0/24只访问外网的邮箱（例如pop3，smtp端口），不能访问其他网络。

2、如何让内网用户192.168.15.100/24 可以访问任意网络。

3、以上策略不能影响我现有的IPsec服务，例如本端192.168.15.0/24 到对端192.168.4.0/24的访问。

4、以上配置是开放了内网服务器（openvpn服务192.168.15.20），帮我看下有没有问题，因为我总觉得哪里不对。

5、非常感谢大家。

ilay · ‎07-18-2022

acl这么写是ok的，处理思路没啥问题。有可能是你邮件的端口没有写全，我用网易的邮箱+Foxmail客户端（网易的邮箱大师登录自家的邮箱貌似不是用的imap或者pop3）做测试，是可以正常收发邮件的。

object-group service service_mail tcp
port-object eq imap4
port-object eq pop2
port-object eq pop3
port-object eq smtp
port-object eq 995
port-object eq 994
port-object eq 465
port-object eq 993

//因为使用SSL所以单独又单独加了所需的tcp 465和tcp993

ACL:

access-list ot extended permit udp any any eq domain //测试时dns用的是外部的dns，所以需要把dns解析的流量先放行出去
access-list ot extended permit ip host 192.168.12.10 any // 一台例外主机
access-list ot extended permit tcp host 192.168.12.150 any object-group service_mail

!

access-group ot out interface outside

! //再加上nat的配置，就完事儿了

你测试不成功有肯能是dns没放行，邮件相关的端口没有完全放行。可以用一台客户端抓一下包，看看访问的端口都有哪些，可以做一些补充。

ACL优先级，这个说法不是太准确，ACL中是按照从上到下匹配的，添加ACE条目的时候需要保证新加的规则不受其他策略的影响，这就需要对插入的ACE的位置有所调整。show access-list ACL-NAME的时候可以看到对应ACL的num号码(输出如下)，在特定位置添加ACE的时候只需要加上line num即可：例如 access-list ot line 1 extended permit tcp any any eq www,执行之后该条策略会放在整个acl的第一行，也就做到了最先匹配

#sh access-list ot
access-list ot; 10 elements; name hash: 0xf6c3bbdf
access-list ot line 1 extended permit udp any any eq domain (hitcnt=549) 0xe331a148
access-list ot line 2 extended permit ip host 192.168.12.10 any (hitcnt=730) 0x7397610c
access-list ot line 3 extended permit tcp host 192.168.12.150 any object-group service_mail (hitcnt=37) 0x7da0d418
access-list ot line 3 extended permit tcp host 192.168.12.150 any eq imap4 (hitcnt=30) 0x38ec6d09
access-list ot line 3 extended permit tcp host 192.168.12.150 any eq pop2 (hitcnt=0) 0x471f3af8
access-list ot line 3 extended permit tcp host 192.168.12.150 any eq pop3 (hitcnt=0) 0x6fc038ab
access-list ot line 3 extended permit tcp host 192.168.12.150 any eq smtp (hitcnt=0) 0xe72f0d44
access-list ot line 3 extended permit tcp host 192.168.12.150 any eq 995 (hitcnt=0) 0xb9eb7f20
access-list ot line 3 extended permit tcp host 192.168.12.150 any eq 994 (hitcnt=0) 0x59b36a05
access-list ot line 3 extended permit tcp host 192.168.12.150 any eq 465 (hitcnt=1) 0x00d577f7
access-list ot line 3 extended permit tcp host 192.168.12.150 any eq 993 (hitcnt=6) 0x934b9153

在原帖中查看解决方案

ilay · ‎07-15-2022

这个貌似只能通过在inside in方向或者outside out方向挂一个acl来限制部分流量

1首先是特殊应用

>permit 192.168.15.100/32 any

>permit 192.168.15.0/24 --> 192.168.4.0/24

>permit 192.168.15.20 any //openvpn看着没啥问题，不过加acl之后需要提前放行

2其次是做有限制的策略

>permit 192.168.15.0/24 any eq service_mail

>deny 192.168.15.0/24 any

>permit ip any any <--//如果有类似的其他受限网段，ACE需要插在permit any any 前面

3. 192.168.15.0/24访问mail服务需要额外做一个PAT，我看只有两条静态的nat，需要添加一条才行

object network network_local

nat (inside3,outside0) dynamic interface

!

332953358 · ‎07-17-2022

谢谢您的回复，但是我按照你的方法好像不太行，不知道是不是我弄错了。如果有详细的条目列出来就好了。

ilay · ‎07-17-2022

不太行是什么情况？

你做了哪些配置，如何测试的，测试情况如何？acl中的ACE可以慢慢加，一个一个的来处理。如果有不好使的地方，把你做的改动和相关的配置带出来再分析。

332953358 · ‎07-17-2022

比如，内网络访问邮件的问题，我是这样配的：

object-group service service_mail tcp
port-object eq imap4
port-object eq pop2
port-object eq pop3
port-object eq smtp
port-object eq 995
port-object eq 994

access-list test extended permit tcp 192.168.15.0 255.255.255.0 any object-group service_mail

object network network_local

nat (inside3,outside0) dynamic interface

access-group test out interface outside0

我这个配置无效。内网同样无法收发邮件，去掉 access-group test 就可以收发，但是这样内网就能访问全部网络了（这是不被允许的）。我还没明白你说的ACL优先级怎么配

ilay · ‎07-18-2022

acl这么写是ok的，处理思路没啥问题。有可能是你邮件的端口没有写全，我用网易的邮箱+Foxmail客户端（网易的邮箱大师登录自家的邮箱貌似不是用的imap或者pop3）做测试，是可以正常收发邮件的。

object-group service service_mail tcp
port-object eq imap4
port-object eq pop2
port-object eq pop3
port-object eq smtp
port-object eq 995
port-object eq 994
port-object eq 465
port-object eq 993

//因为使用SSL所以单独又单独加了所需的tcp 465和tcp993

ACL:

access-list ot extended permit udp any any eq domain //测试时dns用的是外部的dns，所以需要把dns解析的流量先放行出去
access-list ot extended permit ip host 192.168.12.10 any // 一台例外主机
access-list ot extended permit tcp host 192.168.12.150 any object-group service_mail

!

access-group ot out interface outside

! //再加上nat的配置，就完事儿了

你测试不成功有肯能是dns没放行，邮件相关的端口没有完全放行。可以用一台客户端抓一下包，看看访问的端口都有哪些，可以做一些补充。

ACL优先级，这个说法不是太准确，ACL中是按照从上到下匹配的，添加ACE条目的时候需要保证新加的规则不受其他策略的影响，这就需要对插入的ACE的位置有所调整。show access-list ACL-NAME的时候可以看到对应ACL的num号码(输出如下)，在特定位置添加ACE的时候只需要加上line num即可：例如 access-list ot line 1 extended permit tcp any any eq www,执行之后该条策略会放在整个acl的第一行，也就做到了最先匹配

#sh access-list ot
access-list ot; 10 elements; name hash: 0xf6c3bbdf
access-list ot line 1 extended permit udp any any eq domain (hitcnt=549) 0xe331a148
access-list ot line 2 extended permit ip host 192.168.12.10 any (hitcnt=730) 0x7397610c
access-list ot line 3 extended permit tcp host 192.168.12.150 any object-group service_mail (hitcnt=37) 0x7da0d418
access-list ot line 3 extended permit tcp host 192.168.12.150 any eq imap4 (hitcnt=30) 0x38ec6d09
access-list ot line 3 extended permit tcp host 192.168.12.150 any eq pop2 (hitcnt=0) 0x471f3af8
access-list ot line 3 extended permit tcp host 192.168.12.150 any eq pop3 (hitcnt=0) 0x6fc038ab
access-list ot line 3 extended permit tcp host 192.168.12.150 any eq smtp (hitcnt=0) 0xe72f0d44
access-list ot line 3 extended permit tcp host 192.168.12.150 any eq 995 (hitcnt=0) 0xb9eb7f20
access-list ot line 3 extended permit tcp host 192.168.12.150 any eq 994 (hitcnt=0) 0x59b36a05
access-list ot line 3 extended permit tcp host 192.168.12.150 any eq 465 (hitcnt=1) 0x00d577f7
access-list ot line 3 extended permit tcp host 192.168.12.150 any eq 993 (hitcnt=6) 0x934b9153

YilinChen · ‎07-19-2022

楼主还可以通过Packet-input 命令模拟源IP/端口到目标IP/端口的访问，并且根据返回检测结果来排障。

1570668154 · ‎07-25-2022

object network openvpn_host
nat (inside3,outside0) static line_1 //服务器发布//

outside接口放行的流量是openvpn_host，好像你没放吧