I. Lab topology:
ASA(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list nameout; 1 elements; name hash: 0xb3be6588
access-list nameout line 1 extended permit tcp host 202.100.1.1 host 10.1.2.3 eq telnet (hitcnt=1) 0x96543a58 // the ACL was matched; the hit count is 1
ASA(config)# show xlate // no NAT translation entries yet
0 in use, 3 most used
R3#show users // R1 manages R3 remotely using its real address
Line User Host(s) Idle Location
3. Use static NAT to translate the DMZ address to the outside address: 202.101.1.101
ASA(config)# object network dmzquyu
ASA(config-network-object)# host 10.1.2.3
ASA(config-network-object)# nat (dmz,outside) static 202.100.1.101
Verification:
ASA# show xlate
1 in use, 3 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from dmz:10.1.2.3 to outside:202.100.1.101
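flags s idle 0:00:31 timeout 0:00:00 // this xlate slot is permanent, so it has no timeout
Problem encountered: R1 could not Telnet to R3's translated address, 202.100.1.101. In GNS3, right-clicking and reloading both R3 and R1 fixed that, but ping still fails.
R1#ping 10.1.2.10 // in the instructor's demo this ping succeeds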
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#telnet 202.100.1.101
Trying 202.100.1.101 ... Open
User Access Verification
Username: cc
Password:
R3>
4. After removing R1's default route:
R1(config)#no ip route 0.0.0.0 0.0.0.0 202.100.1.10
Verification:
R1#telnet 202.100.1.101
Trying 202.100.1.101 ... Open
User Access Verification
Username: cc
Password:
R3> // Success: even without a default route, R1 can still reach R3 remotely.
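The ACL at the top permits Telnet to the real address 10.1.2.3, while R1 actually connects to the mapped address 202.100.1.101 from step 3. The following added example (not part of the original post) correlates the two so a reviewer can list which DMZ services are reachable from outside and under which address. The function names, the running-config style sample and the `CLEARTEXT` set are assumptions made for illustration.

```python
import re

# Constructed sample input, built from the values shown on this page.
SAMPLE_ACL = ("access-list nameout line 1 extended permit tcp "
              "host 202.100.1.1 host 10.1.2.3 eq telnet (hitcnt=1) 0x96543a58\n")
SAMPLE_CONFIG = """\
object network dmzquyu
 host 10.1.2.3
object network dmzquyu
 nat (dmz,outside) static 202.100.1.101
"""
CLEARTEXT = {"telnet", "ftp", "www"}  # assumption: services flagged as unencrypted

ACL_RE = re.compile(
    r"access-list (\S+) line \d+ extended permit (\w+) host (\S+) host (\S+) eq (\S+)")

def static_nat_map(config):
    """Return {real_ip: (real_if, mapped_if, mapped_ip)} for host objects with static NAT."""
    hosts, nats, name = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"object network (\S+)", line):
            name = m.group(1)
        elif name and (m := re.match(r"host (\S+)", line)):
            hosts[name] = m.group(1)
        elif name and (m := re.match(r"nat \(([^,]+),([^)]+)\) static (\S+)", line)):
            nats[name] = m.groups()
    # Join on the object name: definition and NAT may sit in separate blocks.
    return {hosts[n]: nats[n] for n in nats if n in hosts}

def exposed_services(acl_text, config):
    """List permitted host-to-host flows whose destination has a static NAT."""
    nat = static_nat_map(config)
    findings = []
    for acl, proto, src, dst, port in ACL_RE.findall(acl_text):
        if dst in nat:
            _real_if, mapped_if, mapped_ip = nat[dst]
            findings.append({"acl": acl, "source": src, "real": dst,
                             "reachable_as": mapped_ip, "interface": mapped_if,
                             "service": f"{proto}/{port}",
                             "cleartext": port in CLEARTEXT})
    return findings

if __name__ == "__main__":
    for finding in exposed_services(SAMPLE_ACL, SAMPLE_CONFIG):
        print(finding)
```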
Original article: http://blog.51cto.com/13856092/2138605