Internal PCs cannot reach the DMZ where my WWW and e-mail servers sit

Before I post, I would like to thank Shane Madden... for pushing me to keep digging and find a solution.

Today I am running an ASA 5520, version 7, on my network.

My problem is this: everything works, but the biggest issue is the following. PCs in the inside zone cannot reach my DMZ servers (the www and e-mail servers), which means inside PCs cannot browse the www server and cannot even ping the servers from an inside IP address, for example 172.16.16.80 for www and 172.16.16.25 for the mail server.

Could someone please help me find what is really wrong in the sh run below, and whether I also have some misconfiguration in it.

ASA Version 7.0(8)
!
hostname ASA2
domain-name xxxxxx
enable password xxxxxx
passwd 
names
dns-guard
!
interface GigabitEthernet0/0
 description "Link-To-GW-Router"
 nameif outside
 security-level 0
 ip address 41.223.156.109 255.255.255.248
!
interface GigabitEthernet0/1
 description Link To Local Lan
 nameif inside
 security-level 100
 ip address 10.1.4.1 255.255.252.0
!
interface GigabitEthernet0/2
 description "Link-To-DMZ"
 nameif dmz
 security-level 50
 ip address 172.16.16.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list INSIDE extended permit ip 10.1.4.0 255.255.252.0 any
access-list OUT-TO-DMZ extended permit tcp any host 41.223.156.107 eq smtp
access-list OUT-TO-DMZ extended permit tcp any host 41.223.156.106 eq www
access-list OUT-TO-DMZ extended permit icmp any any log
access-list OUT-TO-DMZ extended deny ip any any
access-list inside extended permit tcp any any eq pop3
access-list inside extended permit tcp any any eq smtp
access-list inside extended permit tcp any any eq ssh
access-list inside extended permit tcp any any eq telnet
access-list inside extended permit tcp any any eq https
access-list inside extended permit udp any any eq domain
access-list inside extended permit tcp any any eq domain
access-list inside extended permit tcp any any eq www
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
access-list dmz extended permit ip any any
access-list dmz extended permit icmp any any
access-list DMZ_IN extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list cap extended permit ip 172.16.16.0 255.255.255.0 10.1.4.0 255.255.252.0
access-list cap extended permit ip 10.1.4.0 255.255.252.0 172.16.16.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.1.4.0 255.255.252.0
static (inside,dmz) 10.1.0.0 10.1.16.0 netmask 255.255.252.0
access-group OUT-TO-DMZ in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 41.223.156.108 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
Cryptochecksum:30d296dea4f5ffc1dd4560e075d47076
: end

On the other hand, I should admit to you all that I am still new to the ASA world and have a lot to learn.
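The sh run above is long enough that the NAT and ACL lines are easy to misread by eye. The following script is an added example, not code from the original post or from Cisco: it parses the interface, access-list, access-group, static, nat and global lines of a pre-8.3 ASA configuration and answers the two questions a reader would otherwise check by hand for the inside-to-DMZ flow. First, does the ACL bound inbound on an interface permit a given flow (first match, implicit deny at the end)? Second, does each static refer to real addresses that actually live on its real-side interface, and does each nat id have a matching global on every other interface? The embedded configuration is a subset of the question's own lines, copied as posted; the function names, the port-name table and the toy evaluator's simplifications (ICMP type words and port ranges ignored, `nat 0 access-list` not handled, no security-level default modelled) are this example's assumptions.

```python
"""Consistency checks over a pre-8.3 ASA 'show run' (added example, not the
poster's or Cisco's code). Handles only the syntax forms seen in the
question: extended ACLs with any/host/net-mask addresses and 'eq PORT',
access-group ... in interface, static (real,mapped) MAPPED REAL netmask M,
nat (IF) ID NET MASK and global (IF) ID .... Function names are assumptions."""
import ipaddress

# Constructed sample: the relevant lines of the question's sh run, copied as posted.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 41.223.156.109 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 ip address 10.1.4.1 255.255.252.0
!
interface GigabitEthernet0/2
 nameif dmz
 ip address 172.16.16.1 255.255.255.0
!
access-list OUT-TO-DMZ extended permit tcp any host 41.223.156.107 eq smtp
access-list OUT-TO-DMZ extended deny ip any any
access-list inside extended permit tcp any any eq www
access-list inside extended permit ip any any
access-list dmz extended permit ip any any
global (outside) 1 interface
nat (inside) 1 10.1.4.0 255.255.252.0
static (inside,dmz) 10.1.0.0 10.1.16.0 netmask 255.255.252.0
access-group OUT-TO-DMZ in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
"""

# Port names the ASA prints in place of numbers (subset; assumption of this example).
PORTS = {"www": 80, "smtp": 25, "pop3": 110, "ssh": 22, "telnet": 23, "https": 443, "domain": 53}


def _addr(tokens):
    """Consume one ACL address spec from the token list: 'any' | 'host A' | 'A MASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0))
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def parse(text):
    """Return a dict of interfaces, ACLs, access-groups, statics, nats and globals."""
    cfg = {"ifaces": {}, "acls": {}, "groups": {}, "statics": [], "nats": [], "globals": {}}
    cur = None  # nameif of the interface block being read
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "interface":
            cur = None
        elif tok[0] == "nameif":
            cur = tok[1]
        elif tok[:2] == ["ip", "address"] and cur:  # 'no ip address' does not match
            cfg["ifaces"][cur] = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
        elif tok[0] == "access-list" and tok[2] == "extended":
            name, action, proto, rest = tok[1], tok[3], tok[4], tok[5:]
            src = _addr(rest)
            dst = _addr(rest)
            port = PORTS[rest[1]] if rest[:1] == ["eq"] else None  # ICMP type words ignored
            cfg["acls"].setdefault(name, []).append((action, proto, src, dst, port))
        elif tok[0] == "access-group":  # access-group NAME in interface IF
            cfg["groups"][tok[4]] = tok[1]
        elif tok[0] == "static":  # static (real_if,mapped_if) MAPPED REAL netmask MASK
            real_if, mapped_if = tok[1].strip("()").split(",")
            mapped = ipaddress.ip_network(f"{tok[2]}/{tok[5]}", strict=False)
            real = ipaddress.ip_network(f"{tok[3]}/{tok[5]}", strict=False)
            cfg["statics"].append((real_if, mapped_if, real, mapped))
        elif tok[0] == "nat":  # nat (IF) ID NET MASK
            net = ipaddress.ip_network(f"{tok[3]}/{tok[4]}", strict=False)
            cfg["nats"].append((tok[1].strip("()"), tok[2], net))
        elif tok[0] == "global":  # global (IF) ID ...
            cfg["globals"].setdefault(tok[2], set()).add(tok[1].strip("()"))
    return cfg


def acl_permits(cfg, ingress, proto, src, dst, dport=None):
    """First-match evaluation of the ACL bound inbound on `ingress`.
    Returns None when no ACL is bound there (the security-level default
    then applies on a real ASA, which this toy does not model)."""
    name = cfg["groups"].get(ingress)
    if name is None:
        return None
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet, port in cfg["acls"].get(name, []):
        if p in ("ip", proto) and s in snet and d in dnet and (port is None or port == dport):
            return action == "permit"
    return False  # implicit deny at the end of every ACL


def static_mismatches(cfg):
    """Statics whose REAL addresses are not within the real-side interface's subnet."""
    return [(real_if, mapped_if, str(real), str(cfg["ifaces"].get(real_if)))
            for real_if, mapped_if, real, _mapped in cfg["statics"]
            if real_if not in cfg["ifaces"] or not real.subnet_of(cfg["ifaces"][real_if])]


def nat_without_global(cfg):
    """(nat interface, id, egress) triples where egress has no global for that nat id."""
    return [(nat_if, nat_id, egress)
            for nat_if, nat_id, _net in cfg["nats"]
            for egress in cfg["ifaces"]
            if egress != nat_if and egress not in cfg["globals"].get(nat_id, set())]
```

Run against the posted lines, the ACL checks come back permitted for inside-to-DMZ HTTP and ICMP, so the access-lists are not what blocks the flow; `static_mismatches` reports that the real side of `static (inside,dmz)` is 10.1.16.0/22 while the inside interface is 10.1.4.0/22, and `nat_without_global` reports that nat id 1 on inside has a global on outside only. Those are facts of the configuration as posted; whether they are the cause is for the poster to confirm on the box, for example with `show xlate` and the `cap` capture already defined in the sh run.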

Answer 1

It looks to me like a routing problem: you have no route sending traffic from the DMZ to the LAN interface, and no route sending traffic from the LAN to the DMZ interface.

Something like:

route inside 172.16.16.0 255.255.255.0 172.16.16.1 1
route dmz 10.1.4.0 255.255.252.0 10.1.4.1 1
