Cannot access a web server placed in the DMZ from the Internet


  • Cannot access a web server placed in the DMZ from the Internet

    I have an ASA 5520 with its services configured and running very stably. Now I have placed a web server in the DMZ to publish a website. I have configured NAT, access-lists and so on, but at the moment the website can only be reached from the internal network; from the Internet it cannot be reached (I have already created a Virtual Server on the TP-LINK TL-WR741ND router to publish the web server).
    Here is the configuration of my ASA:
    Code:
    ciscoasa# sh run
    : Saved
    ASA Version 8.0(4)
    hostname ciscoasa
    enable password .hQOPZWCbWEjkXvF encrypted
    passwd 2KFQnbNIdI.2KWOU encrypted
    names
    !
    interface GigabitEthernet0/0
    duplex full
    nameif LAN
    security-level 100
    ip address 10.20.140.1 255.255.255.224
    ospf cost 10
    !
    interface GigabitEthernet0/1
    nameif INTERNET
    security-level 0
    ip address 192.168.1.2 255.255.255.0
    ospf cost 10
    !
    interface GigabitEthernet0/2
    nameif Trungtam
    security-level 50
    ip address 10.20.16.140 255.255.255.0
    ospf cost 10
    !
    interface GigabitEthernet0/3
    nameif Megawan
    security-level 60
    ip address 10.20.141.2 255.255.255.248
    ospf cost 10
    !
    interface Management0/0
    nameif DMZ
    security-level 40
    ip address 10.10.10.1 255.255.255.0
    ospf cost 10
    !
    boot system disk0:/asa804-k8.bin
    boot config disk0:/flash
    no ftp mode passive
    clock timezone ICT 7
    access-list INTERNET_access_out extended permit tcp any any eq www
    access-list INTERNET_access_out extended permit tcp any any eq domain
    access-list INTERNET_access_out extended permit udp any any eq domain
    access-list INTERNET_access_out extended permit tcp any any range ftp-data ftp
    access-list INTERNET_access_out extended permit tcp any any eq ftp-data
    access-list INTERNET_access_out extended permit tcp any any eq https
    access-list INTERNET_access_out extended permit tcp any any eq pop3
    access-list INTERNET_access_out extended permit tcp any any eq smtp
    access-list INTERNET_access_out extended permit tcp any any eq 8080
    access-list INTERNET_access_out extended permit udp any any eq isakmp
    access-list INTERNET_access_out extended permit udp any any eq 4500
    access-list Trungtam_access_out extended permit tcp any any
    access-list Trungtam_access_out extended permit udp any any
    access-list Trungtam_access_in extended permit tcp any any eq domain
    access-list Trungtam_access_in extended permit udp any any eq domain
    access-list Trungtam_access_in extended permit tcp any any eq https
    access-list Trungtam_access_in extended permit tcp any any eq www
    access-list Trungtam_access_in extended permit tcp any any eq ldap
    access-list INTERNET_access_in extended permit tcp any host 192.168.1.5 eq www
    access-list split-tunnel standard permit 10.20.140.0 255.255.252.0
    access-list Megawan_access_in extended permit tcp any any eq domain
    access-list Megawan_access_in extended permit udp any any eq domain
    access-list Megawan_access_in extended permit tcp any any eq www
    access-list Megawan_access_in extended permit tcp any any eq https
    access-list Megawan_access_in extended permit tcp any any eq pop3
    access-list Megawan_access_in extended permit tcp any any eq smtp
    access-list Megawan_access_in extended permit tcp any any eq 3389
    access-list Megawan_access_in extended permit tcp any any eq 8080
    access-list Megawan_access_out extended permit tcp any any
    access-list Megawan_access_out extended permit udp any any
    access-list nonat remark Use for SlipTunnel
    access-list nonat extended permit ip 10.20.140.0 255.255.252.0 192.168.10.0 255.255.255.0
    access-list nonat remark Use for SlipTunnel
    access-list nonat extended permit ip 192.168.10.0 255.255.255.0 10.20.140.0 255.255.252.0
    access-list Trungtam_access_in_1 extended permit tcp any any eq domain
    access-list Trungtam_access_in_1 extended permit tcp any any eq www
    access-list Trungtam_access_in_1 extended permit tcp any any eq https
    access-list Trungtam_access_in_1 extended permit tcp any any eq ftp
    access-list Trungtam_access_in_1 extended permit tcp any any eq ftp-data
    access-list Trungtam_access_in_1 extended permit tcp any any eq telnet
    access-list Trungtam_access_in_1 extended permit udp any any eq domain
    access-list Trungtam_access_in_1 extended permit tcp any any eq ldap
    access-list POLICY extended permit tcp any host 192.168.1.5 eq www
    access-list ACCESS_DMZ extended permit ip 10.20.140.0 255.255.252.0 host 10.10.10.5
    pager lines 24
    logging asdm informational
    mtu LAN 1500
    mtu INTERNET 1500
    mtu Trungtam 1500
    mtu Megawan 1500
    mtu DMZ 1500
    ip local pool vpnpool 192.168.10.1-192.168.10.30 mask 255.255.255.224
    ip audit attack action alarm drop
    no failover
    icmp unreachable rate-limit 10 burst-size 5
    asdm image disk0:/asdm-641.bin
    no asdm history enable
    arp timeout 14400
    global (LAN) 1 interface
    global (INTERNET) 1 interface
    nat (LAN) 0 access-list ACCESS_DMZ
    nat (LAN) 1 10.20.140.0 255.255.252.0
    nat (DMZ) 1 10.10.10.0 255.255.255.0
    static (DMZ,INTERNET) tcp 192.168.1.5 www 10.10.10.5 www netmask 255.255.255.255
    static (LAN,Trungtam) 10.20.140.0 10.20.140.0 netmask 255.255.252.0
    static (LAN,Megawan) 10.20.140.0 10.20.140.0 netmask 255.255.252.0
    access-group POLICY in interface INTERNET
    access-group INTERNET_access_out out interface INTERNET
    access-group Trungtam_access_in_1 in interface Trungtam
    access-group Trungtam_access_out out interface Trungtam
    access-group Megawan_access_in in interface Megawan
    access-group Megawan_access_out out interface Megawan
    route INTERNET 0.0.0.0 0.0.0.0 192.168.1.1 1
    route Trungtam 10.20.0.0 255.255.0.0 10.20.16.54 1
    route LAN 10.20.140.0 255.255.252.0 10.20.140.5 1
    route Megawan 10.20.142.0 255.255.255.0 10.20.141.1 1
    route Megawan 10.20.143.0 255.255.255.0 10.20.141.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    aaa local authentication attempts max-fail 16
    http server enable
    http 10.20.140.0 255.255.252.0 LAN
    sysopt noproxyarp LAN
    sysopt noproxyarp INTERNET
    sysopt noproxyarp Trungtam
    sysopt noproxyarp Megawan
    sysopt noproxyarp DMZ
    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map INTERNET_dyn_map 20 set security-association lifetime seconds 28800
    crypto dynamic-map INTERNET_dyn_map 20 set security-association lifetime kilobytes 4608000
    crypto dynamic-map LAN_dyn_map 20 set security-association lifetime seconds 28800
    crypto dynamic-map LAN_dyn_map 20 set security-association lifetime kilobytes 4608000
    crypto map LAN_map 65535 set security-association lifetime seconds 28800
    crypto map LAN_map 65535 set security-association lifetime kilobytes 4608000
    crypto map INTERNET_map 65535 set security-association lifetime seconds 28800
    crypto map INTERNET_map 65535 set security-association lifetime kilobytes 4608000
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    no crypto isakmp nat-traversal
    telnet 10.20.140.0 255.255.252.0 LAN
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    no threat-detection basic-threat
    no threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    tftp-server LAN 10.20.140.10 \TFTPRoot
    webvpn
    enable INTERNET
    svc image disk0:/anyconnect-win-2.3.2016-k9.pkg 1
    svc enable
    tunnel-group-list enable
    group-policy sslvpn internal
    group-policy sslvpn attributes
    dns-server value 10.20.140.11 10.20.140.13
    vpn-tunnel-protocol l2tp-ipsec svc
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split-tunnel
    default-domain value q4.tphcm.egov.vn
    address-pools value VpnPool
    webvpn
    svc keep-installer installed
    svc rekey time 30
    svc rekey method ssl
    svc ask none default svc
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol l2tp-ipsec
    group-policy vpngroup internal
    group-policy vpngroup attributes
    dns-server value 10.20.140.11 10.20.140.13
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split-tunnel
    default-domain value abc.vn
    username uservpn password XCzoAZkRET0tLOg9 encrypted
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *
    tunnel-group sslvpn type remote-access
    tunnel-group sslvpn general-attributes
    address-pool vpnpool
    default-group-policy sslvpn
    tunnel-group sslvpn webvpn-attributes
    group-alias SSLVPNClient enable
    tunnel-group vpngroup type remote-access
    tunnel-group vpngroup general-attributes
    address-pool vpnpool
    default-group-policy vpngroup
    tunnel-group vpngroup ipsec-attributes
    pre-shared-key *
    !
    class-map class_default
    match any
    class-map inspection_default
    match default-inspection-traffic
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect pptp
    inspect icmp
    inspect esmtp
    inspect http
    class class-default
    set connection decrement-ttl
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:573ead4b759bc6f5c3bf47733681e913
    : end
    I hope someone can find the cause and suggest a way to fix it.
    Many thanks.
    Last edited by nhannt4; 29-06-2011, 11:38 AM.

  • #2
    Can anyone help me with this?
    Bump.

    • #3
      Bumping so that someone sees this and helps me.
      Sorry for the spam.

      • #4
        Can you upload the network diagram?
        Lâm Văn Tú
        Email :
        cntt08520610@gmail.com
        Viet Professionals Co. Ltd. (VnPro)
        149/1D Ung Văn Khiêm P25 Q.Bình thạnh TPHCM
        Tel: (08) 35124257 (5 lines)
        Fax (08) 35124314
        Just learning to walk....


        • #5
          Originally posted by lamvantu:
          Can you upload the network diagram?
          Thank you. Here is the connection diagram of the ASA 5520 at my organisation.
          [Image: mohinhmang.jpg (network topology diagram)]

          • #6
            If you are already using a Linksys modem, I think you should do the NAT on that modem. On the modem add a route to the 10.10.10.0/24 range; that way you avoid NATing twice.
            Last edited by Gunz; 10-07-2011, 12:46 PM.

            • #7
              On the Linksys modem, can you telnet to port 80 of 192.168.1.5?

              • #8
                Originally posted by Gunz:
                On the Linksys modem, can you telnet to port 80 of 192.168.1.5?
                How could I telnet when I haven't configured telnet? At the modem (or if I attach a switch with client machines on the 192.168.1.0/24 network), nothing can reach the DMZ. In theory the NAT command looks correct to me. I don't know why the DMZ can't be reached (the first time I created the NAT it was reachable, but for some reason later on it wasn't any more). A real headache.

                • #9
                  I have the opposite case: the web server cannot be reached from the LAN, but from the Internet it can. I'm attaching my configuration, please take a look:
                  My ASA 5510 runs 8.3, where NAT is a bit different.

                  ASA Version 8.3(1)
                  !
                  hostname
                  enable password hNoJA51JsYfVzHT6 encrypted
                  passwd hNoJA51JsYfVzHT6 encrypted
                  names
                  !
                  interface Ethernet0/0
                  nameif outside
                  security-level 0
                  ip address 113.160.18.226 255.255.255.0
                  !
                  interface Ethernet0/1
                  nameif inside
                  security-level 100
                  ip address 192.168.1.200 255.255.255.0
                  !
                  interface Ethernet0/2
                  shutdown
                  no nameif
                  no security-level
                  no ip address
                  !
                  interface Ethernet0/3
                  shutdown
                  no nameif
                  no security-level
                  no ip address
                  !
                  interface Management0/0
                  nameif management
                  security-level 100
                  no ip address
                  management-only
                  !
                  ftp mode passive
                  object network obj_any
                  subnet 0.0.0.0 0.0.0.0
                  object network remote
                  host 192.168.1.199
                  object network https
                  host 192.168.1.199
                  object network http
                  host 192.168.1.199
                  object network smtp
                  host 192.168.1.199
                  object network pop3
                  host 192.168.1.199
                  object network imap
                  host 192.168.1.199
                  object network 81
                  host 192.168.1.197
                  object network 82
                  host 192.168.1.197
                  object-group service FTP tcp
                  description FTP TID
                  port-object eq 81
                  port-object eq 82
                  access-list internet_access_in extended permit icmp any any
                  access-list lan_access_in extended permit icmp any any
                  access-list 100 extended permit icmp any any echo-reply
                  access-list Internal_access_in extended permit ip 192.168.1.0 255.255.255.0 any
                  access-list Internal_access_in extended permit tcp any interface inside object-group FTP
                  access-list External_access_in extended permit icmp any any echo-reply
                  access-list External_access_in extended permit icmp any interface outside time-exceeded
                  access-list External_access_in extended permit ip any 192.168.1.0 255.255.255.0
                  access-list External_access_in extended permit tcp any interface outside eq https
                  access-list External_access_in extended permit tcp any interface outside eq www
                  access-list External_access_in extended permit tcp any interface outside eq imap4
                  access-list External_access_in extended permit tcp any interface outside eq smtp
                  access-list External_access_in extended permit tcp any interface outside eq pop3
                  access-list outside_access_in extended permit tcp any eq 3389 host 192.168.1.199 eq 3389
                  access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 host 192.168.1.197
                  pager lines 24
                  logging enable
                  logging asdm informational
                  mtu outside 1500
                  mtu inside 1500
                  mtu management 1500
                  icmp unreachable rate-limit 1 burst-size 1
                  icmp permit any outside
                  icmp permit any inside
                  icmp permit any management
                  asdm image disk0:/asdm-631.bin
                  no asdm history enable
                  arp timeout 14400
                  !
                  object network obj_any
                  nat (inside,outside) dynamic interface
                  object network remote
                  nat (inside,outside) static interface service tcp 3389 3389
                  object network https
                  nat (inside,outside) static interface service tcp https https
                  object network http
                  nat (inside,outside) static interface service tcp www www
                  object network smtp
                  nat (inside,outside) static interface service tcp smtp smtp
                  object network pop3
                  nat (inside,outside) static interface service tcp pop3 pop3
                  object network imap
                  nat (inside,outside) static interface service tcp imap4 imap4
                  object network 81
                  nat (inside,outside) static interface service tcp 81 81
                  object network 82
                  nat (inside,outside) static interface service tcp 82 82
                  access-group External_access_in in interface outside
                  access-group Internal_access_in in interface inside
                  route outside 0.0.0.0 0.0.0.0 192.168.1.200 1
                  timeout xlate 3:00:00
                  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
                  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
                  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
                  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
                  timeout tcp-proxy-reassembly 0:01:00
                  dynamic-access-policy-record DfltAccessPolicy
                  http server enable
                  http 192.168.1.0 255.255.255.0 management
                  http 192.168.1.0 255.255.255.0 inside
                  no snmp-server location
                  no snmp-server contact
                  snmp-server enable traps snmp authentication linkup linkdown coldstart
                  crypto ipsec security-association lifetime seconds 28800
                  crypto ipsec security-association lifetime kilobytes 4608000
                  telnet 0.0.0.0 0.0.0.0 outside
                  telnet 192.168.1.0 255.255.255.0 inside
                  telnet timeout 5
                  ssh timeout 5
                  console timeout 0
                  dhcpd dns 203.162.0.181
                  !
                  threat-detection basic-threat
                  threat-detection statistics access-list
                  no threat-detection statistics tcp-intercept
                  webvpn
                  username tidadmin password z.LOsU12wSFTyd4m encrypted privilege 15
                  !
                  class-map inspection_default
                  match default-inspection-traffic
                  !
                  !
                  policy-map type inspect dns preset_dns_map
                  parameters
                  message-length maximum client auto
                  message-length maximum 512
                  policy-map global_policy
                  class inspection_default
                  inspect dns preset_dns_map
                  inspect ftp
                  inspect h323 h225
                  inspect h323 ras
                  inspect rsh
                  inspect rtsp
                  inspect esmtp
                  inspect sqlnet
                  inspect skinny
                  inspect sunrpc
                  inspect xdmcp
                  inspect sip
                  inspect netbios
                  inspect tftp
                  inspect ip-options
                  !
                  service-policy global_policy global
                  prompt hostname context
                  Cryptochecksum:8927290d902f19986679f00fad6930a0
                  : end

                  • #10
                    Bookmarking this, it looks interesting. Does anyone have ASA labs from basic to advanced they could share?

                    • #11
                      When you do the NAT on the gateway router, remember to deny the network for telnet or for access into the web server.

                      • #12
                        Is nobody going to help me?

                        • #13
                          Hi nhannt4.

                          On the TP-Link modem, NAT the public IP of the web server to 192.168.1.5.
                          access-list INTERNET_access_in extended permit tcp any host 192.168.1.5 eq www --> correct.
                          static (DMZ,INTERNET) tcp 192.168.1.5 www 10.10.10.5 www netmask 255.255.255.255 --> correct.
                          access-group INTERNET_access_in in interface INTERNET --> add this as well.

                          Thanks.
                          Hugo

                          • #14
                            phungpq, try this:

                            object network net_dmz
                            range 192.168.0.1 192.168.0.254
                            nat (inside,dmz) source static net_dmz net_dmz

                            Thanks.
                            Hugo

                            • #15
                              My mistake, I thought phungpq's web server was in the DMZ.
                              Looking at the config file there are only an inside interface and an outside interface, and from outside the web server can be reached,
                              so hosts on the inside should of course be able to reach the web server, shouldn't they?
                              Hugo

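
As an added example that is not part of the original thread (and not Cisco's or the forum's code), the Python script below does mechanically what posts #13 and #14 do by eye: for each TCP service published by a `static` port forward (8.0) or an object NAT rule (8.3), it parses the `show run` text, finds the access-lists whose first matching entry permits the mapped address and port, and reports which of those lists is actually bound inbound on the mapped interface with `access-group ... in`. It understands only the syntax used in the two posted configs and treats the `interface` keyword as a literal rather than resolving it to the interface address. Run over the constructed excerpts embedded in it (lifted from the two configs above), it reports for the 8.0(4) box that POLICY, the list bound inbound on INTERNET, already permits tcp any to 192.168.1.5 www, that INTERNET_access_in permits the same flow but is not bound anywhere, and that INTERNET_access_out matches but is only applied outbound; for the 8.3(1) box it reports External_access_in permitting www to the outside interface and bound there.

```python
import ipaddress
# Added example, not code from this thread or from Cisco. It parses only the "show
# run" subset the two posted configs use: pre-8.3 "static (real,mapped) tcp ..."
# port forwards, 8.3 object NAT ("object network"/"host"/"nat ... static ... service
# tcp"), extended ACLs with any/host/interface/net+mask destinations and an
# optional "eq PORT", and "access-group X in interface IF".
PORT_NAMES = {"www": "80", "http": "80", "https": "443", "smtp": "25",
              "pop3": "110", "imap4": "143", "domain": "53"}

def _port(tok):
    return PORT_NAMES.get(tok, tok)           # so 'www' and '80' compare equal

def _addr(t, i):                               # one ACL address spec at t[i]
    if t[i] == "any":
        return ("any",), i + 1
    if t[i] in ("host", "interface"):
        return (t[i], t[i + 1]), i + 2
    return ("net", t[i], t[i + 1]), i + 2      # network followed by mask

def _eq(t, i):                                 # optional 'eq PORT' at t[i]
    return (_port(t[i + 1]), i + 2) if i < len(t) and t[i] == "eq" else (None, i)

def parse(config):
    acls, inbound, obj_host, published, cur_obj = {}, {}, {}, [], None
    for t in map(str.split, config.splitlines()):
        if not t:
            continue
        if t[0] == "access-list" and t[2] == "extended":
            _, i = _addr(t, 5)                     # source address
            _, i = _eq(t, i)                       # optional source port
            dst, i = _addr(t, i)
            dport, _ = _eq(t, i)
            acls.setdefault(t[1], []).append((t[3], t[4], dst, dport))
        elif t[0] == "access-group" and t[2] == "in":
            inbound[t[4]] = t[1]                   # interface -> inbound ACL
        elif t[0] == "static" and t[2] == "tcp":   # pre-8.3: static (R,M) tcp MIP MP RIP RP
            published.append(dict(mapped_if=t[1].strip("()").split(",")[1], mapped=t[3],
                                  mport=_port(t[4]), real=t[5], rport=_port(t[6])))
        elif t[:2] == ["object", "network"]:
            cur_obj = t[2]
        elif t[0] == "host" and cur_obj:
            obj_host[cur_obj] = t[1]
        elif t[0] == "nat" and t[2] == "static" and "service" in t:
            # 8.3: nat (R,M) static MAPPED service tcp RP MP; MAPPED may be "interface"
            published.append(dict(mapped_if=t[1].strip("()").split(",")[1], mapped=t[3],
                                  real=obj_host.get(cur_obj), rport=_port(t[6]),
                                  mport=_port(t[7])))
    return acls, inbound, published

def _dst_matches(dst, svc):
    if dst[0] == "any":
        return True
    if dst[0] == "interface":                      # ACE written against the interface
        return svc["mapped"] == "interface" and dst[1] == svc["mapped_if"]
    if dst[0] == "host":
        return dst[1] == svc["mapped"]
    if svc["mapped"] == "interface":               # interface address not resolved here
        return False
    return ipaddress.ip_address(svc["mapped"]) in ipaddress.ip_network(
        f"{dst[1]}/{dst[2]}", strict=False)

def check(config):
    # Per published TCP service: ACLs whose first matching ACE permits it, and
    # which of those is bound inbound on the mapped interface (empty = unreachable).
    acls, inbound, published = parse(config)
    report = []
    for svc in published:
        permits = []
        for name, aces in acls.items():
            for action, proto, dst, dport in aces:
                if (proto in ("tcp", "ip") and _dst_matches(dst, svc)
                        and dport in (None, svc["mport"])):
                    if action == "permit":
                        permits.append(name)
                    break                          # first matching ACE decides
        report.append({"service": f'{svc["mapped"]}:{svc["mport"]} on '
                                  f'{svc["mapped_if"]} -> {svc["real"]}:{svc["rport"]}',
                       "permitted_by": permits,
                       "bound": [n for n in permits if inbound.get(svc["mapped_if"]) == n]})
    return report

# Constructed excerpts of the two configs posted in this thread.
ASA80 = """\
access-list INTERNET_access_out extended permit tcp any any eq www
access-list INTERNET_access_in extended permit tcp any host 192.168.1.5 eq www
access-list POLICY extended permit tcp any host 192.168.1.5 eq www
static (DMZ,INTERNET) tcp 192.168.1.5 www 10.10.10.5 www netmask 255.255.255.255
access-group POLICY in interface INTERNET
access-group INTERNET_access_out out interface INTERNET
"""
ASA83 = """\
object network http
 host 192.168.1.199
access-list External_access_in extended permit ip any 192.168.1.0 255.255.255.0
access-list External_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any eq 3389 host 192.168.1.199 eq 3389
object network http
 nat (inside,outside) static interface service tcp www www
access-group External_access_in in interface outside
"""
```

Feed `check()` the full running config rather than the excerpts to see every published service at once. An empty `bound` list is exactly the situation post #13 warns about: the static and the access-list are both right, but no `access-group ... in` applies the list on the outside interface, so the firewall drops the inbound SYN before NAT ever matters.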