When you need to set up quite a few servers but do not have enough public IP addresses, port-forwarding is a good solution. You need only one or a few public IPs; by specifying a port number/service on the device, client requests can be directed to servers that use private IPs on the inside.
For example, I want to run both an HTTP and an SSH server but have only one public IP. Whichever server the public IP is assigned to, the other service becomes unreachable. Of course, I could put the public IP on a single server and enable both the HTTP and SSH services there, but that raises the risk considerably.
[topology]
[image]
On the NAT inside there is a server running both HTTP and SSH services. With the configuration above, the client can access both.
However, if R1 in the topology is replaced with an ASA firewall, the situation is somewhat different.
[topology]
Pay close attention to the configuration highlighted in red in the topology: even though the NAT is fully configured, a rule still has to be created to permit the traffic. More importantly, writing access-list WAN extend permit icmp any4 host 209.165.1.1 is wrong!
It has to be changed to access-list WAN extend permit icmp any4 host 192.168.1.1 (this only allows the server to ping out to the Internet, of course).
Don't forget that the server has HTTP and SSH enabled, so the ASA also needs the following:
access-list WAN extend permit tcp any4 host 192.168.1.1 eq 80
access-list WAN extend permit tcp any4 host 192.168.1.1 eq 22
You have probably noticed a major difference in how a Cisco router and a Cisco ASA firewall process NAT:
Cisco router: ACL first, then NAT
Cisco ASA firewall: NAT first, then ACL
Watch out, don't get bitten by ASA firewall port-forwarding!
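Because the ASA un-NATs before it evaluates the interface ACL, an ACE on the outside ACL that names the mapped (public) address never matches and the traffic is silently dropped. The following added example (not from the original post) is a small configuration check written for this pitfall: it reads an ASA 8.3+ style config, pairs each object-NAT static translation with its real address, and flags ACEs on the inbound ACL of the mapped interface whose destination is the mapped address, suggesting the real-address form. The config fragment and the object name SERVER are constructed to match the post's topology.

```python
import re

# Constructed ASA 8.3+ config fragment modelled on the post's topology
# (server 192.168.1.1 mapped to 209.165.1.1). The icmp ACE carries the
# mistake the post describes: it names the mapped address.
ASA_CONFIG = """\
object network SERVER
 host 192.168.1.1
 nat (inside,outside) static 209.165.1.1
access-list WAN extended permit icmp any4 host 209.165.1.1
access-list WAN extended permit tcp any4 host 192.168.1.1 eq 80
access-list WAN extended permit tcp any4 host 192.168.1.1 eq 22
access-group WAN in interface outside
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
OBJ_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^\s+host (\S+)$")
NAT_RE = re.compile(r"^\s+nat \((\S+),(\S+)\) static " + IPV4)
# 'extend' is accepted as the CLI abbreviation of 'extended'
ACE_RE = re.compile(r"^access-list (\S+) extend(?:ed)? permit \S+ \S+ host " + IPV4)
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def static_translations(config):
    """Map each mapped (public) address to (real address, mapped interface)."""
    out, real = {}, None
    for line in config.splitlines():
        if OBJ_RE.match(line):
            real = None                      # new object: forget previous host
        elif m := HOST_RE.match(line):
            real = m.group(1)
        elif (m := NAT_RE.match(line)) and real:
            out[m.group(3)] = (real, m.group(2))
    return out


def find_mapped_ip_aces(config):
    """Return (offending ACE, suggested ACE) pairs for ACEs that name a mapped
    address on the ACL applied inbound to that translation's mapped interface."""
    xlates = static_translations(config)
    acl_ifc = {m.group(1): m.group(2) for l in config.splitlines() if (m := GROUP_RE.match(l))}
    findings = []
    for line in config.splitlines():
        m = ACE_RE.match(line)
        if m and m.group(2) in xlates and acl_ifc.get(m.group(1)) == xlates[m.group(2)][1]:
            real = xlates[m.group(2)][0]
            findings.append((line.strip(), line.strip().replace(m.group(2), real)))
    return findings


if __name__ == "__main__":
    for bad, fixed in find_mapped_ip_aces(ASA_CONFIG):
        print(f"mapped-address ACE: {bad}\n  use instead:      {fixed}")
```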

Some feedback for you: I found my way here through the rankings on the PTT search engine, following the content everyone recommended. Otherwise, every time I see a pile of blog articles I have no idea which ones are worth the time to read. Thank you for this thoughtful, well-written post. In return, here is a useful topic-ranking site where you can look up highly ranked articles related to your blog's content; it should help with blog writing too. Looking forward to more good articles from you ^^ https://searchptt.cc/
Thank you very much for your suggestion and support! :)