What we have:
1) ASA 5512-X running 9.1; the two interfaces of interest are inside_old_local (192.168.0.35) and outside (193.211.40.x)
2) a web server at 192.168.0.8 listening on port 80
What we want:
Forward port 8081 on the ASA's external interface (193.211.40.x) to the web server on the internal network (192.168.0.

What we know:
1) Trimmed config:
```
ASA Version 9.1(2)
!
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
!
interface GigabitEthernet0/0
description global_network
nameif outside
security-level 0
ip address 193.211.40.x 255.255.255.x
!
interface GigabitEthernet0/5
description old_local_net
nameif inside_old_local
security-level 100
ip address 192.168.0.35 255.255.254.0
!
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
clock timezone BDT 6
dns server-group DefaultDNS
same-security-traffic permit inter-interface
object network old_localnet_erc
subnet 192.168.0.0 255.255.254.0
description old_localnet_erc
object network megaplan
host 192.168.0.8
object service 80
service tcp destination eq www
object service 8081
service tcp destination eq 8081
object network outside
host 193.211.40.x
object network test1
host 192.168.0.8
! (all the DM_INLINE_SERVICE objects exist; they were just cut out of this listing)
object-group service DM_INLINE_SERVICE_6
service-object icmp
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_14
service-object icmp
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_9
service-object ip
service-object icmp
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_10
service-object ip
service-object icmp
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_15
service-object icmp
service-object icmp echo-reply
access-list outside_access_in extended permit tcp any host 192.168.0.8 eq www
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_14 any any
access-list inside_old_local_access_out extended permit object-group DM_INLINE_SERVICE_10 any any
access-list inside_old_local_access_in extended permit object-group DM_INLINE_SERVICE_9 any any
access-list outside_access_out extended permit object-group DM_INLINE_SERVICE_6 any any
access-list Megaplan extended permit object-group DM_INLINE_SERVICE_2 any any
access-list Megaplan extended permit ip any any
access-list OUTSIDE extended permit tcp any object test1 eq www
access-list OUTSIDE extended permit object-group DM_INLINE_SERVICE_15 any any
access-list OUTSIDE extended permit tcp any object test1 eq 2323
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside_old_local 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside_old_local,outside) source dynamic old_localnet_erc interface
nat (inside_old_local,outside) source static outside megaplan service 8081 80
object network test1
nat (inside_old_local,outside) static interface service tcp 2323 2323
access-group OUTSIDE in interface outside
access-group outside_access_out out interface outside
access-group inside_old_local_access_in in interface inside_old_local
access-group inside_old_local_access_out out interface inside_old_local
route outside 0.0.0.0 0.0.0.0 193.211.40.x2 1
timeout xlate 3:00:00
timeout pat-xlate 0:05:00
timeout conn 3:00:00 half-closed 3:00:00 udp 3:00:00 icmp 1:00:00
timeout sunrpc 3:00:00 h323 3:00:00 h225 3:00:00 mgcp 3:00:00 mgcp-pat 3:00:00
timeout sip 3:00:00 sip_media 3:00:00 sip-invite 0:30:00 sip-disconnect 0:10:00
timeout sip-provisional-media 0:30:00 uauth 3:00:00 absolute
timeout tcp-proxy-reassembly 3:00:00
timeout floating-conn 3:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 194.33.191.69 source outside prefer
webvpn
anyconnect-essentials
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
: end
```
2) packet-tracer output:
```
nameASA# packet-tracer input outside tcp 2.2.2.2 34 193.211.40.x $
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 193.211.40.x 255.255.255.255 identity
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff9827b250, priority=1, domain=nat-per-session, deny=true
hits=8586917, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff9f8433b0, priority=0, domain=permit, deny=true
hits=1386570, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
```
All the articles (here are a couple of recent Russian ones I used: http://cisco-ru.livejournal.com/348122.html and http://www.go-to-easyit.com/2013/07/cisco-asa-3.html) say that for NAT to work properly (and a port forward is, after all, implemented with NAT) the ACL has to reference the internal address + the external port; the diagram in ASDM shows the same thing.
So, gentlemen, I need your help or advice on where to dig; the mistake is surely a dumb one, but it gets in the way a lot. If it's not too much trouble, please look at the NAT too, whether it's right or not; there are two of them in the config (the one with port 2323 is a test).
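Added example, not part of the original post: the port forward the post describes (outside:8081 to 192.168.0.8:80) written out on ASA 9.1 in the two forms the platform supports, object NAT (the same shape the post already uses for the 2323 test object) and twice NAT. The `megaplan` object, interface names and addresses are the post's own; the `svc_` service-object names, the line number `1`, and the packet-tracer source address and source port are my assumptions. Two syntax facts the example relies on: in both NAT forms the real (inside) object and real port are written first and the mapped object and port second, and on 8.3 and later the interface ACL is evaluated against the real (untranslated) destination, so it permits the inside host on port 80, not 8081. Use variant A or variant B, not both, for the same host.

```cisco
! ---- Variant A: object NAT (auto NAT), attached to the inside host object ----
! service tcp <real_port> <mapped_port>; "interface" = the outside interface address.
object network megaplan
 host 192.168.0.8
 nat (inside_old_local,outside) static interface service tcp 80 8081
!
! ---- Variant B: twice NAT (manual NAT), same result with named service objects ----
! "source static <real_obj> <mapped_obj> service <real_svc> <mapped_svc>".
! Line position 1 puts it ahead of the existing dynamic PAT rule for old_localnet_erc
! (assumed placement; the static rule should be matched before the dynamic one).
object service svc_http_80
 service tcp destination eq www
object service svc_http_8081
 service tcp destination eq 8081
nat (inside_old_local,outside) 1 source static megaplan interface service svc_http_80 svc_http_8081
!
! ---- Interface ACL: real address and real port, because the packet is un-NATed
! before the ACL is checked. The post's ACL "OUTSIDE" is already bound inbound on outside.
access-list OUTSIDE extended permit tcp any object megaplan eq www
access-group OUTSIDE in interface outside
!
! ---- Verification (assumed test source 2.2.2.2:34567; destination is the mapped port 8081).
! A working forward shows a "Type: UN-NAT" phase before "Type: ACCESS-LIST" in the
! packet-tracer output and ends in "Action: allow"; the post's trace has no UN-NAT phase,
! the route lookup returns "identity" (the ASA's own address), and the implicit deny fires.
packet-tracer input outside tcp 2.2.2.2 34567 193.211.40.x 8081
show nat detail
show xlate
```

After applying one of the variants, `show nat detail` should list the static rule with a translate_hits/untranslate_hits counter; a connection from outside that arrives at port 8081 increments untranslate_hits, and `show xlate` then shows the 192.168.0.8/80 to interface/8081 PAT entry.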