ASA 5512 port mapping problem

Source: Internet  Published by: 杭州网络  Editor: 程序博客网  Time: 2024/06/05 20:48
hostname ciscoasa
enable password UBMuSr2NjOdZ6AiU encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address *.*.188.101 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
 nameif outside1
 security-level 0
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
boot system disk0:/asa915-k8.bin
ftp mode passive
object network inside-net
 subnet 10.10.0.0 255.255.0.0
object network 192.168.110.0
 subnet 192.168.110.0 255.255.255.0
object network inside-net1
 subnet 192.168.10.0 255.255.255.0
object network 10.10.90.2
 host 10.10.90.2
object network 10.10.90.2-01
 host 10.10.90.2
object network 10.10.90.2-02
 host 10.10.90.2
object-group network 10.10.20.0
object-group network 10.10.30.0
object-group network 10.10.40.0
object-group network 10.10.50.0
object-group network 10.10.60.0
object-group network 10.10.70.0
object-group network 10.10.80.0
object-group network 10.10.90.0
object-group network 10.10.100.0
object-group network 192.168.0.0
access-list out extended permit icmp any any
access-list out extended permit ip any4 any4
access-list out extended permit ip 10.10.0.0 255.255.0.0 192.168.110.0 255.255.255.0
access-list out extended permit tcp any host 10.10.90.11 eq 8001
access-list out extended permit tcp any host 10.10.90.11 eq 3001
access-list out extended permit tcp any host 10.10.90.11 eq 3000
access-list out extended permit tcp any host 10.10.90.11 eq 8000
access-list out extended permit tcp any host 10.10.90.11 eq 3002
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 192.168.110.0 255.255.255.0
access-list inside extended permit ip any4 any4
access-list inside extended permit icmp any4 any4
access-list inside extended permit ip 10.10.40.0 255.255.255.0 any4
pager lines 24
mtu outside 1500
mtu inside 1500
mtu outside1 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static inside-net inside-net destination static 192.168.110.0 192.168.110.0 no-proxy-arp route-lookup
!
object network inside-net
 nat (inside,outside) dynamic interface
object network inside-net1
 nat (inside,outside) dynamic interface
object network 10.10.90.11
 nat (inside,outside) static interface service tcp 8000 8001
object network 10.10.90.11-02
 nat (inside,outside) static interface service tcp 3001 3002
access-group out in interface outside
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 *.*.188.113 1
route inside 10.10.20.0 255.255.255.0 192.168.10.2 1
route inside 10.10.30.0 255.255.255.0 192.168.10.2 1
route inside 10.10.40.0 255.255.255.0 192.168.10.2 1
route inside 10.10.50.0 255.255.255.0 192.168.10.2 1
route inside 10.10.60.0 255.255.255.0 192.168.10.2 1
route inside 10.10.70.0 255.255.255.0 192.168.10.2 1
route inside 10.10.80.0 255.255.255.0 192.168.10.2 1
route inside 10.10.90.0 255.255.255.0 192.168.10.2 1
route inside 10.10.100.0 255.255.255.0 192.168.10.2 1
route inside 172.168.20.0 255.255.255.0 172.1.1.1 1
route outside 192.168.110.0 255.255.255.0 *.*.188.113 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
snmp-server host inside 10.10.20.102 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps syslog
crypto ipsec ikev1 transform-set vpn esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map zhongxin 10 match address nonat
crypto map zhongxin 10 set peer *.*.57.242
crypto map zhongxin 10 set ikev1 transform-set vpn
crypto map zhongxin interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
console timeout 0
vpdn username test password ***** store-local
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username xinma2$ password 1e9gh.L.XaMzYLwr encrypted
username admin password 2oQYYbTOhyNUXKB4 encrypted
tunnel-group *.*.57.244 type ipsec-l2l
tunnel-group *.*.57.244 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ce9e55fed38a72f49f631c90b9f36b37
: end
http://bbs.51cto.com/thread-1099521-1-1.html