CISCO ASA5505在只有一个公网地址的情况下,做内部服务器端口映射供外网访问!!


      之前在网上找了很多资料,也没能解决。怎么没人说要做映射呢?今天半天时间终于搞定了。端口映射要做双向的,也就是做了内网到外部的映射后,反过来还得做外部到内部的映射。
以下是ASA 5505的配置资料,希望对大家有用:
ciscoasa# sh run
ciscoasa# sh running-config
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
// NOTE(review): "2KFQnbNIdI.2KYOU" is the well-known ASA default hash that corresponds to an empty password;
// both the enable and the login password below appear to be unset — set real ones before this unit faces the outside.
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0   //inside (LAN) interface address
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.0.222 255.255.255.0   //outside (WAN) interface address; the single address every static below publishes on (it is RFC1918, so presumably translated again upstream by 192.168.0.1 — confirm)
!
interface Ethernet0/0
 switchport access vlan 2                //put physical port Ethernet0/0 into VLAN 2, i.e. the outside interface
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive

// ACL 101: inbound on outside. Each line opens one TCP port on the outside interface address from ANY source.
// NOTE(review): RDP (3389), FTP, SMTP and POP3 are reachable from every source address; restrict the source
// where the service allows it, and document which services listen on the non-standard ports 254, 12333 and 8781.
access-list 101 extended permit tcp any host 192.168.0.222  eq www   //ports opened from the outside
access-list 101 extended permit tcp any host 192.168.0.222  eq ftp
access-list 101 extended permit tcp any host 192.168.0.222  eq smtp
access-list 101 extended permit tcp any host 192.168.0.222  eq pop3
access-list 101 extended permit tcp any host 192.168.0.222  eq 254
access-list 101 extended permit tcp any host 192.168.0.222  eq 3389
access-list 101 extended permit tcp any host 192.168.0.222  eq 12333
access-list 101 extended permit tcp any host 192.168.0.222  eq 8781
access-list 101 extended permit icmp any any    //permit all ICMP from outside (no icmp-type restriction)

// ACL 1: inbound on inside. "permit ip any any" already covers ICMP, so the second line is redundant; there is no egress filtering.
access-list 1 extended permit ip any any
access-list 1 extended permit icmp any any
pager lines 24
logging asdm informational   //only the ASDM log buffer is configured; no "logging host" line appears in this listing, so ACL hits/denies are not kept off-box
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control   //with nat-control, inside hosts need a NAT/static rule to pass traffic outbound
global (outside) 1 interface   //PAT pool 1 = outside interface address; no "nat (inside) 1 ..." line is visible in this listing — TODO confirm it was not omitted from the paste
// Static PAT: outside-interface:<port> -> 192.168.1.17:<port>, one entry per published port (matching ACL 101 above).
static (inside,outside) tcp interface www 192.168.1.17 www netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.17 ftp netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.17 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.1.17 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 254 192.168.1.17 254 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.17 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 8781 192.168.1.17 8781 netmask 255.255.255.255
static (inside,outside) tcp interface 12333 192.168.1.17 12333 netmask 255.255.255.255
//above: inside-to-outside mappings (static PAT on the outside interface address)
// NOTE(review): on ASA 8.2 a static (inside,outside) entry is already bidirectional. The (outside,inside) entries
// below translate outside host 192.168.1.17 to inside address 192.168.0.222 — confirm they are actually required.
static (outside,inside) tcp 192.168.1.17 www 192.168.0.222 www netmask 255.255.255.255
static (outside,inside) tcp 192.168.1.17 ftp 192.168.0.222 ftp netmask 255.255.255.255
static (outside,inside) tcp 192.168.1.17 smtp 192.168.0.222 smtp netmask 255.255.255.255
static (outside,inside) tcp 192.168.1.17 pop3 192.168.0.222 pop3 netmask 255.255.255.255
static (outside,inside) tcp 192.168.1.17 3389 192.168.0.222 3389 netmask 255.255.255.255
static (outside,inside) tcp 192.168.1.17 8781 192.168.0.222 8781 netmask 255.255.255.255
static (outside,inside) tcp 192.168.1.17 254 192.168.0.222 254 netmask 255.255.255.255
static (outside,inside) tcp 192.168.1.17 12333 192.168.0.222 12333 netmask 255.255.255.255
//above: outside-to-inside mappings
access-group 101 in interface outside   //apply ACL 101 inbound on the outside interface
access-group 1 in interface inside   //apply ACL 1 (permit everything) inbound on the inside interface
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1    //default route toward the upstream gateway 192.168.0.1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable   //ASDM/HTTPS management
http 192.168.1.0 255.255.255.0 inside   //management allowed only from the inside subnet
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5   //no "telnet <host>" or "ssh <host>" lines appear in this listing, so remote CLI access looks disabled — confirm
ssh timeout 5
console timeout 0   //console sessions never time out
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside   //DHCP pool handed out on the inside interface
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
web   //"web" is not a complete command on its own; looks like a paste artifact — verify against the device
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp   //FTP inspection opens the passive data channel for the published ftp port
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:55c46ca0a2333529ea9bec3162feb8d0
: end
ciscoasa#
