
Проброс портов Cisco ASA 5505





Доброго времени суток, друзья! После успешной настройки ASA 5520 в главном офисе решили перетащить малые офисы на более слабые межсетевые экраны. Опыт в настройке NAT и пробросе портов имеется. Хотел подменить стандартный порт RDP на 32057, но ничего не получается. Делал это командами:

! Attempt 1 (reported as NOT working): publish RDP on the Outside interface
! address, mapped port TCP 32057 -> real port TCP 3389 on the inside host.
object network RDP
! NOTE(review): here the object points at 192.168.0.11, while the running
! config posted below has the same object at 192.168.0.12 (the Radmin host).
! A network object holds a single address, so re-entering "host" replaces the
! previous one. Confirm which machine actually listens on 3389 first.
host 192.168.0.11
! Static PAT on the interface IP: real 3389 <-> mapped 32057.
nat (Inside,Outside) static interface service tcp 3389 32057
ex
! Port group referenced by the inbound ACL below.
object-group service RDP_PORTS tcp
port-object eq 3389
! NOTE(review): from 8.3 on, inbound ACLs are matched against the real
! (pre-NAT) destination port, so "eq 3389" is presumably all this rule needs
! and the 32057 entry is never hit. Harmless, but it means the ACL is unlikely
! to be what blocks the redirected port — verify with packet-tracer.
port-object eq 32057
ex
! Inbound rule: any Internet source -> object RDP (real address), real ports.
access-list outside_acl line 3 extended permit tcp any object RDP object-group RDP_PORTS 
access-group outside_acl in interface Outside

А с NAT «порт в порт» всё работает:

! Attempt 2 (reported as working): port-to-port static PAT (3389 -> 3389),
! i.e. the standard RDP port exposed on the Outside address.
object network RDP
! NOTE(review): the host also differs from attempt 1 (192.168.0.12 here,
! 192.168.0.11 there). Two things changed between the attempts, so the host,
! not the port mapping, may be the real difference.
host 192.168.0.12
nat (Inside,Outside) static interface service tcp 3389 3389
ex
! "eq3389" is missing a space ("eq 3389"); the ASA would reject it as typed,
! so this is presumably a transcription slip in the post. The running config
! below carries this rule via the RDP_PORTS group instead.
access-list outside_acl line 2 extended permit tcp any object RDP eq3389
access-group outside_acl in interface Outside

Ребята, помогайте, не хочу светить в инет стандартный порт. Конфиг моей сиськи:

! Running config of the ASA 5505 branch firewall. Secrets, public addresses,
! the ISP DNS server and the admin account are masked (XXXXXX / X.X.X.X).
ASA Version 9.2(1)
!
hostname ciscoasa
! Both secrets are redacted in the post; "encrypted" means a hash is stored.
enable password XXXXXX encrypted
passwd XXXXXX encrypted
names
!
! 5505 ports are switchports: Ethernet0/0 carries VLAN 20 (Outside),
! Ethernet0/1 carries VLAN 10 (Inside); Ethernet0/2-0/7 have no explicit config.
interface Ethernet0/0
 switchport access vlan 20
!
interface Ethernet0/1
 switchport access vlan 10
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
! Inside: 192.168.0.0/24, highest trust level.
interface Vlan10
 nameif Inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
! Outside (Internet side), lowest trust level; its public address is masked.
! Every "static interface" NAT further down publishes services on this IP.
interface Vlan20
 nameif Outside
 security-level 0
 ip address X.X.X.X Y.Y.Y.Y
!
boot system disk0:/asa921-k8.bin
ftp mode passive
! The ASA's own DNS resolution goes out Outside; it is needed for the
! "fqdn" object (NTP_SERVER) defined below.
dns domain-lookup Outside
dns server-group DefaultDNS
 name-server X.X.X.X
! Network and service objects. Several are not referenced anywhere in the
! rest of this config (obj_any, dmz-subnet, DMZ255-subnet, 192.168.3.12 and
! the three service objects) — apparently leftovers from earlier attempts.
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Inside-subnet
 subnet 192.168.0.0 255.255.255.0
object network Yealink1
 host 192.168.0.100
object network Yealink2
 host 192.168.0.101
object network NTP_SERVER
 fqdn v4 ru.pool.ntp.org
! Radmin and RDP are the same host (192.168.0.12); each gets its own static
! PAT in the NAT section below.
object network Radmin
 host 192.168.0.12
object network RDP
 host 192.168.0.12
object network dmz-subnet
 subnet 192.168.3.0 255.255.255.0
! NOTE(review): unused service objects. Two of them match on *source* port
! 3389, which inbound RDP never has (clients use ephemeral source ports);
! if they are ever reused in an ACL they would need "destination eq".
object service RDP-Service
 service tcp source eq 3389
object service rdp32057
 service tcp destination eq 32057
object service rdp3389
 service tcp source eq 3389
! Empty object (no host/subnet line) — unusable as written.
object network 192.168.3.12
! Duplicate of dmz-subnet (same prefix).
object network DMZ255-subnet
 subnet 192.168.3.0 255.255.255.0
object-group network Phone
 network-object object Yealink1
 network-object object Yealink2
! Used by outside_acl for the inbound RDP rule. NOTE(review): on 8.3+ the ACL
! is matched against the real (pre-NAT) port, so the 3389 entry is presumably
! the only one that ever matches; 32057 here is dead weight.
object-group service RDP_PORTS tcp
 port-object eq 3389
 port-object eq 32057
! HTTP/HTTPS, referenced only by the unbound DMZ_access_in list.
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
! Outbound policy from the LAN (bound to Inside below): an explicit per-port
! allow-list rather than "permit ip any any".
access-list inside_acl extended permit udp object-group Phone object NTP_SERVER eq ntp
access-list inside_acl extended permit tcp 192.168.0.0 255.255.255.0 any eq 9443
access-list inside_acl extended permit tcp 192.168.0.0 255.255.255.0 any eq www
access-list inside_acl extended permit tcp 192.168.0.0 255.255.255.0 any eq https
access-list inside_acl extended permit tcp 192.168.0.0 255.255.255.0 any eq 4443
access-list inside_acl extended permit tcp 192.168.0.0 255.255.255.0 any eq 10000
access-list inside_acl extended permit udp 192.168.0.0 255.255.255.0 any eq 4443
access-list inside_acl extended permit udp 192.168.0.0 255.255.255.0 any eq 10000
access-list inside_acl extended permit udp 192.168.0.0 255.255.255.0 any eq 55777
access-list inside_acl extended permit tcp 192.168.0.0 255.255.255.0 any eq 4899
access-list inside_acl extended permit tcp 192.168.0.0 255.255.255.0 any eq 1024
access-list inside_acl extended permit icmp 192.168.0.0 255.255.255.0 any
access-list inside_acl extended permit tcp 192.168.0.0 255.255.255.0 any eq 465
access-list inside_acl extended permit tcp 192.168.0.0 255.255.255.0 any eq 993
access-list inside_acl extended permit tcp 192.168.0.0 255.255.255.0 any eq imap4
access-list inside_acl extended permit tcp 192.168.0.0 255.255.255.0 any eq smtp
! Only the masked server is allowed for DNS from the LAN.
access-list inside_acl extended permit udp 192.168.0.0 255.255.255.0 host X.X.X.X eq domain
! Any high port to 81.88.86.0/24 and 81.88.88.0/24 — purpose not stated in
! the post (presumably the telephony provider, given the Yealink phones).
access-list inside_acl extended permit udp 192.168.0.0 255.255.255.0 81.88.86.0 255.255.255.0 range 1024 65535
access-list inside_acl extended permit tcp 192.168.0.0 255.255.255.0 81.88.86.0 255.255.255.0 range 1024 65535
access-list inside_acl extended permit udp 192.168.0.0 255.255.255.0 81.88.88.0 255.255.255.0 range 1024 65535
access-list inside_acl extended permit tcp 192.168.0.0 255.255.255.0 81.88.88.0 255.255.255.0 range 1024 65535
! Outbound RDP from the LAN to anywhere — unrelated to the inbound publication.
access-list inside_acl extended permit tcp 192.168.0.0 255.255.255.0 any eq 3389
access-list inside_acl extended permit tcp 192.168.0.0 255.255.255.0 any eq 5649
! Inbound policy on Outside: only Radmin (4899) and RDP on 192.168.0.12 are
! reachable from the Internet, both matched on the real address/port (the
! 8.3+ convention, hence "object Radmin"/"object RDP" rather than the public IP).
! NOTE(review): source is "any" for both. Moving 3389 to 32057 only cuts
! scanner noise; restricting the source, or reaching the host over the VPN
! this box is licensed for, is what actually reduces exposure.
access-list outside_acl extended permit tcp any object Radmin eq 4899
access-list outside_acl extended permit tcp any object RDP object-group RDP_PORTS
! DMZ_access_in is never bound with access-group (only inside_acl and
! outside_acl are), and no interface carries 192.168.3.0/24 here — dead rules.
access-list DMZ_access_in extended permit tcp 192.168.3.0 255.255.255.0 any object-group DM_INLINE_TCP_1
access-list DMZ_access_in extended permit udp 192.168.3.0 255.255.255.0 host X.X.X.X eq domain
pager lines 24
! Logging goes only to ASDM (no "logging host"/"logging trap"), so nothing
! about inbound RDP/Radmin attempts ever leaves the box. A syslog target is
! the first thing to add when publishing services to the Internet.
logging enable
logging asdm informational
mtu Inside 1500
mtu Outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
! Object (auto) NAT. The ASA orders these itself — static entries before
! dynamic — regardless of where they appear in the config.
! Dynamic PAT of the whole LAN behind the Outside interface IP.
object network Inside-subnet
 nat (Inside,Outside) dynamic interface
! Port-to-port static PAT: Outside IP:4899 -> 192.168.0.12:4899.
object network Radmin
 nat (Inside,Outside) static interface service tcp 4899 4899
! Port-redirecting static PAT: Outside IP:32057 -> 192.168.0.12:3389 (the
! variant reported as not working). The syntax is the normal 8.3+ form
! "service <proto> <real-port> <mapped-port>", so the NAT line itself looks right.
! NOTE(review): to find where it fails, run
!   packet-tracer input Outside tcp <SRC-IP> 1025 <OUTSIDE-IP> 32057
! (placeholders in angle brackets) — it reports which phase (NAT, ACL, route)
! drops the packet; "show nat detail" and "show xlate" show whether this
! translation exists and is being hit. If the ASA passes it, the answer is
! on the host (RDP listener / host firewall), not here.
object network RDP
 nat (Inside,Outside) static interface service tcp 3389 32057
! Bind the ACLs: inside_acl filters LAN->Internet, outside_acl Internet->LAN.
access-group inside_acl in interface Inside
access-group outside_acl in interface Outside
! Default route via the ISP gateway (masked).
route Outside 0.0.0.0 0.0.0.0 X.X.X.X 1
! Connection/translation idle timers; these look like the platform defaults.
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
! Management logins (SSH, serial, ASDM/HTTP) authenticate against the local
! user database — the single privilege-15 account defined further down.
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
! ASDM/HTTPS management is reachable only from 192.168.0.11 on Inside.
http server enable
http 192.168.0.11 255.255.255.255 Inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
! No "telnet <host> <mask> <if>" lines exist, so telnet is effectively off;
! only its idle timeout is set.
telnet timeout 5
ssh stricthostkeycheck
! SSH allowed from one masked source on each side; the Outside entry is
! Internet-facing management, so the key-exchange choice below matters.
ssh X.X.X.X Y.Y.Y.Y Inside
ssh X.X.X.X Y.Y.Y.Y Outside
ssh timeout 5
ssh version 2
! NOTE(review): dh-group1-sha1 is the 1024-bit DH group. This release also
! accepts "ssh key-exchange group dh-group14-sha1", the stronger option.
ssh key-exchange group dh-group1-sha1
! 0 = the serial console session never times out.
console timeout 0

dhcpd auto_config Outside
!
! Basic threat detection plus per-ACE hit statistics; the latter is what
! "show threat-detection statistics access-list" reports.
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
! AnyConnect Essentials is enabled under webvpn, but no tunnel-group or
! other remote-access VPN configuration appears anywhere in this config.
webvpn
 anyconnect-essentials
! The only local account (privilege 15); name and hash are masked.
username X.X.X.X password X.X.X.X encrypted privilege 15
!
! Application inspection policy; this looks like the stock global_policy
! that ships in the factory config (RDP is not an inspected protocol, so
! none of this affects the port redirection).
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
! Config hash (masked) and end-of-config marker from "show run".
Cryptochecksum:XXXXXXXXXXXXXX
: end