我无法从本地内部 PC ping 到我的 DMZ 区域

我无法从本地内部 PC ping 到我的 DMZ 区域

大家好。

有人能帮我解决以下问题吗?我的网络上配置了 Cisco Asa 5520。

我无法从本地内部网络 PC ping 到我的 DMZ 接口。因此,ping DMZ 的唯一方法是直接从 Cisco ASA 防火墙,在那里我可以 ping 到所有 3 个接口,即内部、外部和 DMZ,,,,

但内部网络中的任何 PC 都无法访问 DMZ。

有谁可以帮忙吗?

我提前感谢大家

下面是我的 Cisco ASA 5520 防火墙演示运行;

ASA-FW# sh run
: Saved
:
ASA Version 7.0(8)
!
hostname ASA-FW
enable password      encrypted
passwd                encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 description "Link-To-GW-Router"
 nameif outside
 security-level 0
 ip address 41.223.156.109 255.255.255.248
!
interface GigabitEthernet0/1
 description "Link-To-Local-LAN"
 nameif inside
 security-level 100
 ip address 10.1.4.1 255.255.252.0
!
interface GigabitEthernet0/2
 description "Link-To-DMZ"
 nameif dmz
 security-level 50
 ip address 172.16.16.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description "Local-Management-Interface"
 no nameif
 no security-level
 ip address 192.168.192.1 255.255.255.0
!
ftp mode passive
access-list OUT-TO-DMZ extended permit tcp any host 41.223.156.107 eq smtp
access-list OUT-TO-DMZ extended permit tcp any host 41.223.156.106 eq www
access-list OUT-TO-DMZ extended permit icmp any any log
access-list OUT-TO-DMZ extended deny ip any any
access-list inside extended permit tcp any any eq pop3
access-list inside extended permit tcp any any eq smtp
access-list inside extended permit tcp any any eq ssh
access-list inside extended permit tcp any any eq telnet
access-list inside extended permit tcp any any eq https
access-list inside extended permit udp any any eq domain
access-list inside extended permit tcp any any eq domain
access-list inside extended permit tcp any any eq www
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
access-list dmz extended permit ip any any
access-list dmz extended permit icmp any any
access-list cap extended permit ip 10.1.4.0 255.255.252.0 172.16.16.0 255.255.25
5.0
access-list cap extended permit ip 172.16.16.0 255.255.255.0 10.1.4.0 255.255.25
2.0
no pager
logging enable
logging buffer-size 5000
logging monitor warnings
logging trap warnings
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp 41.223.156.106 www 172.16.16.80 www netmask 255.255.255
.255
static (dmz,outside) tcp 41.223.156.107 smtp 172.16.16.25 smtp netmask 255.255.2
55.255
static (inside,dmz) 10.1.0.0 10.1.16.0 netmask 255.255.252.0
access-group OUT-TO-DMZ in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 41.223.156.108 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.1.4.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
!
!
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:
: end
ASA-FW#

请帮忙。

大丹泽尔

答案1

编辑:我的回答如下可能对于运行 7.0 之前版本的 ASA 或 PIX 操作系统的用户来说很有用,但对于发帖者来说可能没用。

在 7.0 及更高版本中,nat-control下面描述的功能已被禁用(请参阅http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml)。


您没有用于nat (dmz) ...DMZ 网络的。默认情况下,如果流量未跨越网络,ASA 将不会在网络之间传递流量nat(即使是nat (interface) 0为了防止发生 NAT)。

添加一些命令(假设您希望从 DMZ 到 Internet 的出站流量经过 NAT,并且希望从内部到 DMZ 的流量不经过 NAT):

access-list inside_nat0_outbound 10.1.4.0 255.255.252.0 172.16.16.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (dmz) 1 0.0.0.0 0.0.0.0

这会导致来自 DMZ 的出站流量被 NAT,并绕过从 LAN 子网到 DMZ 子网的流量的 NAT。

相关内容