Xin chào ! Nếu đây là lần đầu tiên bạn đến với diễn đàn, xin vui lòng danh ra một phút bấm vào đây để đăng kí và tham gia thảo luận cùng VnPro.

Announcement

Collapse
No announcement yet.

Không thể truy cập được Web server đặt ở vùng DMZ từ Internet

Collapse
X
Collapse
 
  • Page of 1
  • Filter
  • Time
  • Show
Clear All
new posts
Previous template Next
  • #1

    Không thể truy cập được Web server đặt ở vùng DMZ từ Internet

    Mình hiện có 1 con ASA 5520 đã cấu hình các dịch vụ, chạy rất ổn. Giờ mình đặt 1 Web server ở vùng DMZ để public cái website. Đã cấu hình NAT, access-list... nhưng hiện giờ chỉ có thể truy cập đến website này ở mạng trong, còn ở ngoài Internet thì không thể truy cập được (mình đã tạo Virtual server trên router TP-LINK TL-WR741ND để Public Web server rồi).
    Đây là nội dung cấu hình của con ASA của mình :
    Code:
    ciscoasa# sh run
: Saved
ASA Version 8.0(4)
hostname ciscoasa
enable password .hQOPZWCbWEjkXvF encrypted
passwd 2KFQnbNIdI.2KWOU encrypted
names
!
interface GigabitEthernet0/0
duplex full
nameif LAN
security-level 100
ip address 10.20.140.1 255.255.255.224
ospf cost 10
!
interface GigabitEthernet0/1
nameif INTERNET
security-level 0
ip address 192.168.1.2 255.255.255.0
ospf cost 10
!
interface GigabitEthernet0/2
nameif Trungtam
security-level 50
ip address 10.20.16.140 255.255.255.0
ospf cost 10
!
interface GigabitEthernet0/3
nameif Megawan
security-level 60
ip address 10.20.141.2 255.255.255.248
ospf cost 10
!
interface Management0/0
nameif DMZ
security-level 40
ip address 10.10.10.1 255.255.255.0
ospf cost 10
!
boot system disk0:/asa804-k8.bin
boot config disk0:/flash
no ftp mode passive
clock timezone ICT 7
access-list INTERNET_access_out extended permit tcp any any eq www
access-list INTERNET_access_out extended permit tcp any any eq domain
access-list INTERNET_access_out extended permit udp any any eq domain
access-list INTERNET_access_out extended permit tcp any any range ftp-data ftp
access-list INTERNET_access_out extended permit tcp any any eq ftp-data
access-list INTERNET_access_out extended permit tcp any any eq https
access-list INTERNET_access_out extended permit tcp any any eq pop3
access-list INTERNET_access_out extended permit tcp any any eq smtp
access-list INTERNET_access_out extended permit tcp any any eq 8080
access-list INTERNET_access_out extended permit udp any any eq isakmp
access-list INTERNET_access_out extended permit udp any any eq 4500
access-list Trungtam_access_out extended permit tcp any any
access-list Trungtam_access_out extended permit udp any any
access-list Trungtam_access_in extended permit tcp any any eq domain
access-list Trungtam_access_in extended permit udp any any eq domain
access-list Trungtam_access_in extended permit tcp any any eq https
access-list Trungtam_access_in extended permit tcp any any eq www
access-list Trungtam_access_in extended permit tcp any any eq ldap
access-list INTERNET_access_in extended permit tcp any host 192.168.1.5 eq www
access-list split-tunnel standard permit 10.20.140.0 255.255.252.0
access-list Megawan_access_in extended permit tcp any any eq domain
access-list Megawan_access_in extended permit udp any any eq domain
access-list Megawan_access_in extended permit tcp any any eq www
access-list Megawan_access_in extended permit tcp any any eq https
access-list Megawan_access_in extended permit tcp any any eq pop3
access-list Megawan_access_in extended permit tcp any any eq smtp
access-list Megawan_access_in extended permit tcp any any eq 3389
access-list Megawan_access_in extended permit tcp any any eq 8080
access-list Megawan_access_out extended permit tcp any any
access-list Megawan_access_out extended permit udp any any
access-list nonat remark Use for SlipTunnel
access-list nonat extended permit ip 10.20.140.0 255.255.252.0 192.168.10.0 255.255.255.0
access-list nonat remark Use for SlipTunnel
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 10.20.140.0 255
.255.252.0
access-list Trungtam_access_in_1 extended permit tcp any any eq domain
access-list Trungtam_access_in_1 extended permit tcp any any eq www
access-list Trungtam_access_in_1 extended permit tcp any any eq https
access-list Trungtam_access_in_1 extended permit tcp any any eq ftp
access-list Trungtam_access_in_1 extended permit tcp any any eq ftp-data
access-list Trungtam_access_in_1 extended permit tcp any any eq telnet
access-list Trungtam_access_in_1 extended permit udp any any eq domain
access-list Trungtam_access_in_1 extended permit tcp any any eq ldap
access-list POLICY extended permit tcp any host 192.168.1.5 eq www
access-list ACCESS_DMZ extended permit ip 10.20.140.0 255.255.252.0 host 10.10.10.5
pager lines 24
logging asdm informational
mtu LAN 1500
mtu INTERNET 1500
mtu Trungtam 1500
mtu Megawan 1500
mtu DMZ 1500
ip local pool vpnpool 192.168.10.1-192.168.10.30 mask 255.255.255.224
ip audit attack action alarm drop
no failover
icmp unreachable rate-limit 10 burst-size 5
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (LAN) 1 interface
global (INTERNET) 1 interface
nat (LAN) 0 access-list ACCESS_DMZ
nat (LAN) 1 10.20.140.0 255.255.252.0
nat (DMZ) 1 10.10.10.0 255.255.255.0
static (DMZ,INTERNET) tcp 192.168.1.5 www 10.10.10.5 www netmask 255.255.255.255
static (LAN,Trungtam) 10.20.140.0 10.20.140.0 netmask 255.255.252.0
static (LAN,Megawan) 10.20.140.0 10.20.140.0 netmask 255.255.252.0
access-group POLICY in interface INTERNET
access-group INTERNET_access_out out interface INTERNET
access-group Trungtam_access_in_1 in interface Trungtam
access-group Trungtam_access_out out interface Trungtam
access-group Megawan_access_in in interface Megawan
access-group Megawan_access_out out interface Megawan
route INTERNET 0.0.0.0 0.0.0.0 192.168.1.1 1
route Trungtam 10.20.0.0 255.255.0.0 10.20.16.54 1
route LAN 10.20.140.0 255.255.252.0 10.20.140.5 1
route Megawan 10.20.142.0 255.255.255.0 10.20.141.1 1
route Megawan 10.20.143.0 255.255.255.0 10.20.141.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa local authentication attempts max-fail 16
http server enable
http 10.20.140.0 255.255.252.0 LAN
sysopt noproxyarp LAN
sysopt noproxyarp INTERNET
sysopt noproxyarp Trungtam
sysopt noproxyarp Megawan
sysopt noproxyarp DMZ
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map INTERNET_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map INTERNET_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map LAN_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map LAN_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map LAN_map 65535 set security-association lifetime seconds 28800
crypto map LAN_map 65535 set security-association lifetime kilobytes 4608000
crypto map INTERNET_map 65535 set security-association lifetime seconds 28800
crypto map INTERNET_map 65535 set security-association lifetime kilobytes 4608000
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 10.20.140.0 255.255.252.0 LAN
telnet timeout 5
ssh timeout 5
console timeout 0
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server LAN 10.20.140.10 \TFTPRoot
webvpn
enable INTERNET
svc image disk0:/anyconnect-win-2.3.2016-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy sslvpn internal
group-policy sslvpn attributes
dns-server value 10.20.140.11 10.20.140.13
vpn-tunnel-protocol l2tp-ipsec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value q4.tphcm.egov.vn
address-pools value VpnPool
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc ask none default svc
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol l2tp-ipsec
group-policy vpngroup internal
group-policy vpngroup attributes
dns-server value 10.20.140.11 10.20.140.13
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value abc.vn
username uservpn password XCzoAZkRET0tLOg9 encrypted
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group sslvpn type remote-access
tunnel-group sslvpn general-attributes
address-pool vpnpool
default-group-policy sslvpn
tunnel-group sslvpn webvpn-attributes
group-alias SSLVPNClient enable
tunnel-group vpngroup type remote-access
tunnel-group vpngroup general-attributes
address-pool vpnpool
default-group-policy vpngroup
tunnel-group vpngroup ipsec-attributes
pre-shared-key *
!
class-map class_default
match any
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
inspect icmp
inspect esmtp
inspect http
class class-default
set connection decrement-ttl
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:573ead4b759bc6f5c3bf47733681e913
: end
    Mong mọi người tìm ra nguyên nhân và hướng giải quyết giúp mình.
    Trân trọng cảm ơn..
    Last edited by nhannt4; 29-06-2011, 11:38 AM.
    Tags: None
  • #2
    Bạn nào giúp mình vấn đề này với.
    Up.

    Comment

    • #3
      Up lên để có ai xem và giúp mình.
      Xin lỗi vì spam.

      Comment

      • #4
        upload cái mô hình lên được hok ban
        Lâm Văn Tú
        Email :         cntt08520610@gmail.com
        Viet Professionals Co. Ltd. (VnPro)
        149/1D Ung Văn Khiêm P25 Q.Bình thạnh TPHCM
        Tel: (08) 35124257 (5 lines)
        Fax (08) 35124314
        Tập tành bước đi....


        Comment

        • #5
          Originally posted by lamvantu View Post
          upload cái mô hình lên được hok ban
          Cám ơn bạn. Đây là cái mô hình kết nối của con ASA 5520 ở đơn vị mình.
          Click image for larger version Name: mohinhmang.jpg Views: 1 Size: 49.0 KB ID: 205592

          Comment

          • #6
            Nếu bạn đã dùng modem linksys thì mình nghĩ bạn nên nat trên modem đó. Trên modem bạn tạo thêm route về dải ip 10.10.10.0/24, làm thế này đỡ phải nat 2 lần.
            Last edited by Gunz; 10-07-2011, 12:46 PM.

            Comment

            • #7
              Trên modem linksys bạn có telnet được cổng 80 của 192.168.1.5 ko?

              Comment

              • #8
                Originally posted by Gunz View Post
                Trên modem linksys bạn có telnet được cổng 80 của 192.168.1.5 ko?
                Sao mà telnet được khi mình chưa khai báo telnet hả bạn? Tại Modem (hoặc mình gắn 1 cái switch có các máy client tại mạng 192.168.1.0/24 đều ko thể truy cập đến vùng DMZ. Về lý thuyết thì mình thấy lệnh NAT là đúng. Mà ko biết sao lại ko thể truy cập đến vùng DMZ (trước kia khi mình tạo NAT lần đầu là truy cập được, mà ko hiểu sao sau này truy cập lại ko được) thật đau đầu.

                Comment

                • #9
                  Minh lai co truong hop nguoc lai khong truy cap duoc vao webserver trong Lan nhung ngoai internet co the truy cap duoc,minh co gui kem cau hinh cac ban xem giup nhe:
                  ASA5510 cua minh la 8.3 nat hoi khac mot chut

                  ASA Version 8.3(1)
                  !
                  hostname
                  enable password hNoJA51JsYfVzHT6 encrypted
                  passwd hNoJA51JsYfVzHT6 encrypted
                  names
                  !
                  interface Ethernet0/0
                  nameif outside
                  security-level 0
                  ip address 113.160.18.226 255.255.255.0
                  !
                  interface Ethernet0/1
                  nameif inside
                  security-level 100
                  ip address 192.168.1.200 255.255.255.0
                  !
                  interface Ethernet0/2
                  shutdown
                  no nameif
                  no security-level
                  no ip address
                  !
                  interface Ethernet0/3
                  shutdown
                  no nameif
                  no security-level
                  no ip address
                  !
                  interface Management0/0
                  nameif management
                  security-level 100
                  no ip address
                  management-only
                  !
                  ftp mode passive
                  object network obj_any
                  subnet 0.0.0.0 0.0.0.0
                  object network remote
                  host 192.168.1.199
                  object network https
                  host 192.168.1.199
                  object network http
                  host 192.168.1.199
                  object network smtp
                  host 192.168.1.199
                  object network pop3
                  host 192.168.1.199
                  object network imap
                  host 192.168.1.199
                  object network 81
                  host 192.168.1.197
                  object network 82
                  host 192.168.1.197
                  object-group service FTP tcp
                  description FTP TID
                  port-object eq 81
                  port-object eq 82
                  access-list internet_access_in extended permit icmp any any
                  access-list lan_access_in extended permit icmp any any
                  access-list 100 extended permit icmp any any echo-reply
                  access-list Internal_access_in extended permit ip 192.168.1.0 255.255.255.0 any
                  access-list Internal_access_in extended permit tcp any interface inside object-g
                  roup FTP
                  access-list External_access_in extended permit icmp any any echo-reply
                  access-list External_access_in extended permit icmp any interface outside time-e
                  xceeded
                  access-list External_access_in extended permit ip any 192.168.1.0 255.255.255.0
                  access-list External_access_in extended permit tcp any interface outside eq http
                  s
                  access-list External_access_in extended permit tcp any interface outside eq www
                  access-list External_access_in extended permit tcp any interface outside eq imap
                  4
                  access-list External_access_in extended permit tcp any interface outside eq smtp

                  access-list External_access_in extended permit tcp any interface outside eq pop3

                  access-list outside_access_in extended permit tcp any eq 3389 host 192.168.1.199
                  eq 3389
                  access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 host 192.168.1.19
                  7
                  pager lines 24
                  logging enable
                  logging asdm informational
                  mtu outside 1500
                  mtu inside 1500
                  mtu management 1500
                  icmp unreachable rate-limit 1 burst-size 1
                  icmp permit any outside
                  icmp permit any inside
                  icmp permit any management
                  asdm image disk0:/asdm-631.bin
                  no asdm history enable
                  arp timeout 14400
                  !
                  object network obj_any
                  nat (inside,outside) dynamic interface
                  object network remote
                  nat (inside,outside) static interface service tcp 3389 3389
                  object network https
                  nat (inside,outside) static interface service tcp https https
                  object network http
                  nat (inside,outside) static interface service tcp www www
                  object network smtp
                  nat (inside,outside) static interface service tcp smtp smtp
                  object network pop3
                  nat (inside,outside) static interface service tcp pop3 pop3
                  object network imap
                  nat (inside,outside) static interface service tcp imap4 imap4
                  object network 81
                  nat (inside,outside) static interface service tcp 81 81
                  object network 82
                  nat (inside,outside) static interface service tcp 82 82
                  access-group External_access_in in interface outside
                  access-group Internal_access_in in interface inside
                  route outside 0.0.0.0 0.0.0.0 192.168.1.200 1
                  timeout xlate 3:00:00
                  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
                  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
                  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
                  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
                  timeout tcp-proxy-reassembly 0:01:00
                  dynamic-access-policy-record DfltAccessPolicy
                  http server enable
                  http 192.168.1.0 255.255.255.0 management
                  http 192.168.1.0 255.255.255.0 inside
                  no snmp-server location
                  no snmp-server contact
                  snmp-server enable traps snmp authentication linkup linkdown coldstart
                  crypto ipsec security-association lifetime seconds 28800
                  crypto ipsec security-association lifetime kilobytes 4608000
                  telnet 0.0.0.0 0.0.0.0 outside
                  telnet 192.168.1.0 255.255.255.0 inside
                  telnet timeout 5
                  ssh timeout 5
                  console timeout 0
                  dhcpd dns 203.162.0.181
                  !
                  threat-detection basic-threat
                  threat-detection statistics access-list
                  no threat-detection statistics tcp-intercept
                  webvpn
                  username tidadmin password z.LOsU12wSFTyd4m encrypted privilege 15
                  !
                  class-map inspection_default
                  match default-inspection-traffic
                  !
                  !
                  policy-map type inspect dns preset_dns_map
                  parameters
                  message-length maximum client auto
                  message-length maximum 512
                  policy-map global_policy
                  class inspection_default
                  inspect dns preset_dns_map
                  inspect ftp
                  inspect h323 h225
                  inspect h323 ras
                  inspect rsh
                  inspect rtsp
                  inspect esmtp
                  inspect sqlnet
                  inspect skinny
                  inspect sunrpc
                  inspect xdmcp
                  inspect sip
                  inspect netbios
                  inspect tftp
                  inspect ip-options
                  !
                  service-policy global_policy global
                  prompt hostname context
                  Cryptochecksum:8927290d902f19986679f00fad6930a0
                  : end

                  Comment

                  • #10
                    Bookmark cái này thấy hay hay. Anh em nào có lab ASA cơ bản đến nâng cao cho em xin với heng!

                    Comment

                    • #11
                      Khi thực hiện NAT bên con router gateway thì nhớ deny cái mạng cho telnet hay truy cập vô web-server nhé anh.
                      Lâm Văn Tú
                      Email :                       cntt08520610@gmail.com
                      Viet Professionals Co. Ltd. (VnPro)
                      149/1D Ung Văn Khiêm P25 Q.Bình thạnh TPHCM
                      Tel: (08) 35124257 (5 lines)
                      Fax (08) 35124314
                      Tập tành bước đi....


                      Comment

                      • #12
                        ko ai giup minh a???

                        Comment

                        • #13
                          Hi ban Nhannt4.

                          Trên modem Tplink,bạn Nat ip public của web server về ip 192.168.1.5 nhé.
                          access-list INTERNET_access_in extended permit tcp any host 192.168.1.5 eq www --> đúng rồi.
                          static (DMZ,INTERNET) tcp 192.168.1.5 www 10.10.10.5 www netmask 255.255.255.255 --> đúng rồi.
                          access-group INTERNET_access_in in interface INTERNET --> thêm vào cái này nữa.

                          Tks.
                          Hugo

                          Comment

                          • #14
                            Ban Phungpq thu cai nay thu nhe:

                            object network net_dmz
                            range 192.168.0.1 192.168.0.254
                            nat (inside,dmz) source static net_dmz net_dmz

                            Tks.
                            Hugo

                            Comment

                            • #15
                              Minh lon,tuong webserver cua ban phungpq nam o dmz chu,
                              Xem file cau hinh,chi co inside interface va outside interface,tu outside co the truy cap den webserve duoc,
                              Con hosts trong inside tat nhien phai access den webserver duoc chu?
                              Hugo

                              Comment

                              Previous template Next
                              Working...
                              X