Добрый день, есть ipsec туннель между двумя железками 5520 и 5510 (не суть какими). Все работает , локальные сети с одной и другой стороны видят друг друга. Задача занатить порт 3389 с реального ип адреса одной циски в локальную сеть другой. Как это сделать? что-то ничего в голову не идет
По идее должно работать:
static (inside,outside) tcp interface 3389 10.2.2.27 3389 netmask 255.255.255.255
но не работает и понятно почему 10.2.2.27 на другом конце туннеля, но как тогда задать правило ната? не могу понять.
Код:
:
ASA Version 8.2(5)59
!
hostname gor
domain-name intern
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address *.*.*.27 255.255.255.128
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.28.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.4.30 255.255.255.0
management-only
!
boot system disk0:/asa825-59-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup management
dns server-group DefaultDNS
name-server 192.168.4.250
domain-name intern
access-list 100 extended permit ip 172.28.1.0 255.255.255.0 172.17.2.0 255.255.255.252
access-list 100 extended permit ip 172.28.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list 100 extended permit ip 172.28.1.0 255.255.255.0 172.16.0.0 255.240.0.0
access-list nonat extended permit ip 172.28.1.0 255.255.255.0 172.17.2.0 255.255.255.252
access-list nonat extended permit ip 172.28.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list nonat extended permit ip 172.28.1.0 255.255.255.0 172.16.0.0 255.240.0.0
access-list outside-in extended permit tcp any any eq www
access-list outside-in extended permit tcp any any eq https
access-list outside-in extended permit tcp any any eq 3389
access-list outside-in extended permit tcp any any eq ssh
access-list outside-in extended permit tcp any any eq 9915
access-list outside-in extended permit tcp any any eq telnet
access-list outside-in extended permit tcp any any eq 2222
access-list outside-in extended permit icmp any any
access-list outside-in extended permit tcp any any eq 1158
access-list outside-in extended permit tcp any any eq sqlnet
access-list outside-in extended permit tcp any any eq 2484
access-list dmz-acl extended permit ip 172.17.2.0 255.255.255.252 any
access-list dmz-acl extended permit tcp any any eq 3389
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group dmz-acl in interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*. 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer *.*.*.*.94
crypto map outside_map 20 set transform-set myset
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate c95fbc4b
308201dd 30820146 a0030201 020204c9 5fbc4b30 0d06092a 864886f7 0d010104
05003033 3111300f 06035504 03130863 6973636f 61736131 1e301c06 092a8648
86f70d01 0902160f 63697363 6f617361 2e696e74 65726e30 1e170d31 30303430
37313033 3434395a 170d3230 30343034 31303334 34395a30 33311130 0f060355
04031308 63697363 6f617361 311e301c 06092a86 4886f70d 01090216 0f636973
636f6173 612e696e 7465726e 30819f30 0d06092a 864886f7 0d010101 05000381
8d003081 89028181 00dc8a8a a30ca2ab 7396bc9e 48b17a2c 03ee0967 9b2aa53a
a45a916e 830c63f9 47897921 f5307835 8529c443 255d9759 220dc894 ea188cee
06e92a80 1e584879 506f67b2 7bfc7cda 90e29b3f 7e653bd1 a23c541d 3d9b2051
71531aea 848589d8 e1286789 7911a941 d8306f3f 49b84811 fbc2250f f1e19efd
e612e2b6 7cf6568b 09020301 0001300d 06092a86 4886f70d 01010405 00038181
00694af5 ef142762 6fe39d77 c6115cc9 3139945c 310ac573 892612c8 bc3f164e
86895a5e 521828b2 2b4ffcf0 b7cf8dfd 850f28f7 299e4820 bb1439f0 637357c5
8bf9ae71 014fb699 1e941d46 0f29b8ce ba067449 5a7aadd9 d9823011 82b91d89
99324d32 6032c81a 17232061 5daf7f4a b92d1c7f 5443732f 1c556ac7 658e3c26
a3
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group *.*.*.94 type ipsec-l2l
tunnel-group *.*.*.94 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:af115b131e6d693c31e05b7bf336d8c6
: end
