asa 5512 端口映射问题

! Device identity, privileged-mode password and per-session PAT settings.
hostname ciscoasa
! NOTE(review): `encrypted` marks a stored password hash, not cleartext. The
! hash is published with this listing, so treat the enable password as exposed
! and rotate it on the real device.
enable password UBMuSr2NjOdZ6AiU encrypted
! The eight rules below turn per-session PAT off for all TCP flows and for
! UDP flows to the domain (DNS) port, across every IPv4/IPv6 combination.
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
! Login password (used for remote logins when no AAA method applies).
! NOTE(review): this hash looks like the widely documented factory-default
! value - confirm, and set a unique password if so.
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
! Internet-facing interface, security-level 0. The first two octets of the
! address are masked in this listing; the mask is a /29.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address *.*.188.101 255.255.255.248 
!
! LAN-facing interface, security-level 100, 192.168.10.0/24.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 
!
! Named `outside1` at security-level 0 but has no IP address configured.
interface Ethernet0/2
 nameif outside1
 security-level 0
 no ip address
!
! Unused port, administratively shut down.
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
! Dedicated management port (`management-only`), 192.168.100.0/24.
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.100.1 255.255.255.0 
!
! Boot image and FTP client mode.
boot system disk0:/asa915-k8.bin
ftp mode passive
! Network objects referenced by the NAT rules further down.
object network inside-net
 subnet 10.10.0.0 255.255.0.0
object network 192.168.110.0
 subnet 192.168.110.0 255.255.255.0
object network inside-net1
 subnet 192.168.10.0 255.255.255.0
! NOTE(review): three objects define the same host 10.10.90.2, while the
! static NAT rules and ACL `out` in this listing refer to 10.10.90.11.
! Confirm which address the published server really has.
object network 10.10.90.2
 host 10.10.90.2
object network 10.10.90.2-01
 host 10.10.90.2
object network 10.10.90.2-02
 host 10.10.90.2
! The object-groups below have no members in this listing.
object-group network 10.10.20.0
object-group network 10.10.30.0
object-group network 10.10.40.0
object-group network 10.10.50.0
object-group network 10.10.60.0
object-group network 10.10.70.0
object-group network 10.10.80.0
object-group network 10.10.90.0
object-group network 10.10.100.0
object-group network 192.168.0.0
! ACL `out` is bound inbound on the outside interface by the
! `access-group out in interface outside` line further down.
! NOTE(review): `permit ip any4 any4` matches all IPv4 traffic, so the
! host/port entries after it never decide anything and this ACL does no IPv4
! filtering of inbound traffic. If only the published ports are meant to be
! reachable, review that entry and the blanket ICMP permit.
access-list out extended permit icmp any any 
access-list out extended permit ip any4 any4 
! Same source/destination subnets as ACL `nonat` below.
access-list out extended permit ip 10.10.0.0 255.255.0.0 192.168.110.0 255.255.255.0 
! Per-port permits towards inside host 10.10.90.11. On this software train
! (boot image asa915) interface ACLs match the real address and real port,
! i.e. the values on the inside of the static NAT rules (8000 and 3001).
access-list out extended permit tcp any host 10.10.90.11 eq 8001 
access-list out extended permit tcp any host 10.10.90.11 eq 3001 
access-list out extended permit tcp any host 10.10.90.11 eq 3000 
access-list out extended permit tcp any host 10.10.90.11 eq 8000 
access-list out extended permit tcp any host 10.10.90.11 eq 3002 
! `nonat` is the match ACL of crypto map `zhongxin`: it selects the traffic
! that is sent through the site-to-site tunnel.
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 192.168.110.0 255.255.255.0 
! ACL `inside` is bound inbound on the inside interface. Its first entry
! already permits all IPv4, so the two entries after it are redundant.
access-list inside extended permit ip any4 any4 
access-list inside extended permit icmp any4 any4 
access-list inside extended permit ip 10.10.40.0 255.255.255.0 any4 
! Terminal paging, per-interface MTU and miscellaneous global settings.
pager lines 24
mtu outside 1500
mtu inside 1500
mtu outside1 1500
mtu management 1500
! Rate limit for ICMP unreachable messages.
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
! Manual (twice) NAT: leaves inside-net untranslated when the destination is
! 192.168.110.0/24, the remote subnet selected for the tunnel by ACL `nonat`.
nat (inside,outside) source static inside-net inside-net destination static 192.168.110.0 192.168.110.0 no-proxy-arp route-lookup
!
! Dynamic PAT: both inside ranges are hidden behind the outside interface
! address.
object network inside-net
 nat (inside,outside) dynamic interface
object network inside-net1
 nat (inside,outside) dynamic interface
! Static port forwards on the outside interface address. The syntax is
! `service tcp <real-port> <mapped-port>`, so outside TCP 8001 reaches the
! server on 8000 and outside TCP 3002 reaches it on 3001.
! NOTE(review): no `host` line for objects 10.10.90.11 / 10.10.90.11-02
! appears in this listing; the object section defines 10.10.90.2,
! 10.10.90.2-01 and 10.10.90.2-02 instead. Check which real host these rules
! translate - a mismatch here would explain a port mapping that does not work.
object network 10.10.90.11
 nat (inside,outside) static interface service tcp 8000 8001 
object network 10.10.90.11-02
 nat (inside,outside) static interface service tcp 3001 3002 
! Bind the ACLs to inbound traffic on each interface.
access-group out in interface outside
access-group inside in interface inside
! Default route via the outside interface.
! NOTE(review): with the /29 mask on Ethernet0/0, host .101 and next hop .113
! fall in different /29 blocks if the masked octets are identical. The
! addresses were probably altered for posting - verify on the device.
route outside 0.0.0.0 0.0.0.0 *.*.188.113 1 
! Inside subnets 10.10.20.0/24 through 10.10.100.0/24 are reached through
! the next hop 192.168.10.2 on the inside network.
route inside 10.10.20.0 255.255.255.0 192.168.10.2 1 
route inside 10.10.30.0 255.255.255.0 192.168.10.2 1 
route inside 10.10.40.0 255.255.255.0 192.168.10.2 1 
route inside 10.10.50.0 255.255.255.0 192.168.10.2 1 
route inside 10.10.60.0 255.255.255.0 192.168.10.2 1 
route inside 10.10.70.0 255.255.255.0 192.168.10.2 1 
route inside 10.10.80.0 255.255.255.0 192.168.10.2 1 
route inside 10.10.90.0 255.255.255.0 192.168.10.2 1 
route inside 10.10.100.0 255.255.255.0 192.168.10.2 1 
! NOTE(review): next hop 172.1.1.1 is not on any interface subnet shown in
! this listing - confirm this route is intentional.
route inside 172.168.20.0 255.255.255.0 172.1.1.1 1 
! The remote VPN subnet is routed out of the outside interface.
route outside 192.168.110.0 255.255.255.0 *.*.188.113 1 
! Idle timers for translations and connections (h:mm:ss).
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
! SSH logins are checked against the local user database.
! NOTE(review): no `ssh <network> <mask> <interface>` permit line appears in
! this listing, while Telnet is enabled further down - confirm which
! management protocol is actually in use.
aaa authentication ssh console LOCAL 
! Community-string SNMP with manager 10.10.20.102 on the inside network; the
! community value is masked in this listing.
snmp-server host inside 10.10.20.102 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps syslog
! Site-to-site IPsec over IKEv1: transform set `vpn`, crypto map `zhongxin`
! bound to the outside interface, interesting traffic taken from ACL `nonat`.
! NOTE(review): 3DES, MD5 and DH group 2 are legacy choices. Moving to AES
! with a SHA-2 hash and a stronger DH group needs the same change on the
! peer, so coordinate both ends before editing.
crypto ipsec ikev1 transform-set vpn esp-3des esp-md5-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto map zhongxin 10 match address nonat
crypto map zhongxin 10 set peer *.*.57.242 
crypto map zhongxin 10 set ikev1 transform-set vpn
crypto map zhongxin interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
! IKEv1 phase 1 proposal: pre-shared key, 3DES, MD5, DH group 2, 24 h lifetime.
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
! Telnet management is allowed from any address reachable via the inside
! interface.
! NOTE(review): Telnet carries credentials in cleartext and no
! `aaa authentication telnet console` line is visible, so logins presumably
! fall back to the `passwd` login password - confirm. Prefer SSH restricted
! to the management hosts.
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
! A value of 0 disables the idle timeout on the serial console.
console timeout 0
! NOTE(review): account named `test` - remove it if it is a leftover.
vpdn username test password ***** store-local
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
! Local user database. The hashes are published with this listing, so treat
! these passwords as exposed and rotate them on the real device.
username xinma2$ password 1e9gh.L.XaMzYLwr encrypted
username admin password 2oQYYbTOhyNUXKB4 encrypted
! LAN-to-LAN tunnel group holding the IKEv1 pre-shared key (masked).
! NOTE(review): the tunnel-group name ends in .57.244 while the crypto map
! peer ends in .57.242. For a LAN-to-LAN tunnel the group is normally named
! after the peer address - verify, this may be a typo from masking.
tunnel-group *.*.57.244 type ipsec-l2l
tunnel-group *.*.57.244 ipsec-attributes
 ikev1 pre-shared-key *****
!
! Traffic class used by the global inspection policy below.
class-map inspection_default
 match default-inspection-traffic
!
!
! DNS inspection parameters: message-length limits (auto for clients, 512
! bytes otherwise).
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
! Application inspections applied to the inspection_default class.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
! Attach global_policy globally.
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
! Checksum and end marker that close the configuration listing.
Cryptochecksum:ce9e55fed38a72f49f631c90b9f36b37
: end
http://bbs.51cto.com/thread-1099521-1-1.html