ASA5516, version: Version 9.8(2)
The ASA firewall is the egress device; it has only a single public address, which is used for PAT.
When I configure a port mapping for an internal server, it reports the following:
PVSZ-FW(config-network-object)# nat (inside,outside) static isp service tcp 80 80
ERROR: Address 202.100.100.6 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded
Thank you.
The configuration is as follows:
PVSZ-FW(config)# show run
: Saved
:
: Serial Number: JAD24020KY1
: Hardware: ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
:
ASA Version 9.8(2)
!
hostname PVSZ-FW
domain-name cbt.com
enable password $sha512$5000$Fk1JnccNsuAkCBo0jWYwOQ==$1jf0+tgn1akW9Gsv3LbJGg== pbkdf2
names
ip local pool ezvpn 10.10.100.100-10.10.100.200 mask 255.255.255.0
!
interface GigabitEthernet1/1
description link-to-ISP
nameif outside
security-level 0
ip address 202.100.100.6 255.255.255.252
!
interface GigabitEthernet1/2
description link-to-Sangfor
nameif inside
security-level 100
ip address 10.10.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name cbt.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network PAT
subnet 0.0.0.0 0.0.0.0
object network vpnnet
subnet 10.10.100.0 255.255.255.0
object network vpn
subnet 10.10.30.0 255.255.255.0
object network vpn40
subnet 10.10.40.0 255.255.255.0
object network vpn-1
subnet 10.10.1.0 255.255.255.0
object network server
host 10.10.30.10
object service www-80
service tcp source eq www
object network isp
host 202.100.100.6
object-group network SZ
network-object 10.10.30.0 255.255.255.0
network-object 10.10.40.0 255.255.255.0
object-group network BJ
network-object 10.10.50.0 255.255.255.0
network-object 10.10.60.0 255.255.255.0
access-list out extended permit icmp any any
access-list out extended permit ip 10.10.100.0 255.255.255.0 any
access-list out extended permit tcp any interface outside eq www
access-list out extended permit tcp any host 10.10.30.10 eq www
access-list out extended permit tcp any host 202.100.100.6 eq www
access-list split extended permit ip 10.10.30.0 255.255.255.0 any
access-list split extended permit ip 10.10.40.0 255.255.255.0 any
access-list SZ-BJ extended permit ip object-group SZ object-group BJ
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static server interface service www-80 www-80
nat (inside,outside) source static SZ SZ destination static BJ BJ no-proxy-arp route-lookup
nat (inside,outside) source static SZ SZ destination static vpnnet vpnnet
!
object network PAT
nat (inside,outside) dynamic interface
access-group out in interface outside
route outside 0.0.0.0 0.0.0.0 202.100.100.5 1
route inside 10.10.10.0 255.255.255.0 10.10.1.2 1
route inside 10.10.20.0 255.255.255.0 10.10.1.2 1
route inside 10.10.30.0 255.255.255.0 10.10.1.2 1
route inside 10.10.40.0 255.255.255.0 10.10.1.2 1
route inside 192.168.111.0 255.255.255.0 10.10.1.2 1
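The error above comes from mapping the server to a host object (isp) whose address is the outside interface's own IP; ASA object NAT expects the "interface" keyword for that case rather than a separate host object. The following is an added example, not part of the post or any Cisco tooling: a small Python lint that parses a constructed excerpt of the config shown above (only the interface, object and NAT lines needed) and flags exactly this kind of overlap before the rule is pushed to a box.

```python
import re

# Constructed excerpt of the running-config shown in the post; only the lines
# the check needs are kept (interfaces, host objects, the failing NAT rule).
ASA_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 ip address 202.100.100.6 255.255.255.252
interface GigabitEthernet1/2
 nameif inside
 ip address 10.10.1.1 255.255.255.0
object network isp
 host 202.100.100.6
object network server
 host 10.10.30.10
 nat (inside,outside) static isp service tcp 80 80
"""

NAT_RE = re.compile(r"\s+nat \((\S+),(\S+)\) static (\S+)")

def parse_interfaces(cfg):
    """Return {nameif: ip} for every interface block in the config."""
    ifaces, nameif = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            nameif = None
        elif m := re.match(r"\s+nameif (\S+)", line):
            nameif = m.group(1)
        elif (m := re.match(r"\s+ip address (\S+) \S+", line)) and nameif:
            ifaces[nameif] = m.group(1)
    return ifaces

def parse_host_objects(cfg):
    """Return {object name: ip} for 'object network' objects defined with 'host'."""
    objs, name = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"object network (\S+)", line):
            name = m.group(1)
        elif (m := re.match(r"\s+host (\S+)", line)) and name:
            objs[name] = m.group(1)
        elif not line.startswith(" "):
            name = None
    return objs

def find_interface_overlaps(cfg):
    """Flag object NAT rules whose mapped host object equals the mapped-side
    interface address. The ASA rejects these ('overlaps with ... interface
    address'); the 'interface' keyword is the accepted way to map to that IP."""
    ifaces, hosts = parse_interfaces(cfg), parse_host_objects(cfg)
    overlaps, real = [], None
    for line in cfg.splitlines():
        if m := re.match(r"object network (\S+)", line):
            real = m.group(1)
        elif m := NAT_RE.match(line):
            mapped_if, mapped = m.group(2), m.group(3)
            if mapped == "interface":
                continue  # legal: translate to the interface's own address
            ip = hosts.get(mapped)
            if ip and ip == ifaces.get(mapped_if):
                overlaps.append((real, mapped, ip, mapped_if))
    return overlaps

if __name__ == "__main__":
    for real, mapped, ip, iface in find_interface_overlaps(ASA_CONFIG):
        print(f"object {real}: mapped object {mapped} ({ip}) is the {iface} interface IP")
```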