下面是配置。端口重定向正常,但访问列表中允许的端口范围和其他端口未打开:
object network TEST_PUBLIC_IP
host 10.10.10.10
object-group service PROD_101 tcp
port-object eq 8443
port-object eq 922
port-object eq ssh
port-object eq https
port-object range 8000 8200
object network TEST_PRIVATE_IP
host 1.1.1.1.
nat (PRODUCTION,OUTSIDE) static TEST_PUBLIC_IP service tcp 8085 www
access-list Outside_IN extended permit tcp any object TEST_PRIVATE_IP object-group PROD_101
access-group Outside_IN in interface outside
使用 ASA 代码 8.3+,您需要在入站外部访问列表中指定真实 IP 地址和真实端口。根据您提供的配置,如果您添加:
object-group service PROD_101 tcp
port-object eq www
它应该可以解决您的问题。
编辑:其他端口的工作配置
object service TCP-SOURCE-22
service tcp source eq 22
nat (PRODUCTION,OUTSIDE) source static TEST_PRIVATE_IP TEST_PUBLIC_IP service TCP-SOURCE-22 TCP-SOURCE-22
object service TCP-SOURCE-8000_8200
service tcp source range 8000 8200
nat (PRODUCTION,OUTSIDE) source static TEST_PRIVATE_IP TEST_PUBLIC_IP service TCP-SOURCE-8000_8200 TCP-SOURCE-8000_8200