大家好。
我已经配置了我的 aa 5520 v7。到目前为止,我的连接出现了问题,因此我希望这里有人可以帮助我解决这个问题。
- wright 现在内部网络可以访问互联网
现在什么不起作用并且我现在想要得到帮助的是:
区域内部无法与 dmz 通信,甚至无法通过 ping 通信
外部或互联网用户无法通过 IP(172.16.16.80 eq www 和 172.16.16.25 eq smtp)访问我的 dmz 服务器
4:dmz 区域没有 Internet。
下面是我的 sh 运行,以便您可以更好地理解我的配置。
所以,有人能仔细看看我的 sh run 配置,并弄清楚为什么我的内部用户甚至无法通过 ping 访问我的 dmz 吗?为什么外部或互联网用户无法访问我的 dmz?为什么我在 dmz 上没有互联网?我如何允许从内部区域成功 ping 到 dmz?
ciscoasa(config)# sh run
: Saved
:
ASA Version 7.0(8)
!
hostname ciscoasa
domain-name xxxxxxxxxxx
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxx encrypted
names
dns-guard
!
interface GigabitEthernet0/0
description Link to Gateway
nameif outside
security-level 0
ip address 41.223.xx.xx 255.255.255.255
!
interface GigabitEthernet0/1
description Link to Local Lan
nameif inside
security-level 100
ip address 10.1.4.1 255.255.252.0
!
interface GigabitEthernet0/2
description Link to dmz
nameif dmz
security-level 50
ip address 172.16.16.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list outside_in extended permit tcp any host 41.223.xx.xx eq smtp
access-list outside_in extended permit tcp any host 41.223.xx.xx eq www
access-list dmz_int extended permit tcp host 172.16.16.25 any eq smtp
access-list dmz_int extended permit tcp host 172.16.16.80 any eq www
access-list outside_int extended permit tcp any host 41.223.xx.xx eq smtp
access-list outside_int extended permit icmp any any
access-list INSIDE extended permit ip 10.1.4.0 255.255.252.0 any
access-list OUT-TO-DMZ extended permit icmp any any log
access-list OUT-TO-DMZ extended deny ip any any
access-list inside extended permit tcp any any eq pop3
access-list inside extended permit tcp any any eq smtp
access-list inside extended permit tcp any any eq ssh
access-list inside extended permit tcp any any eq https
access-list inside extended permit udp any any eq domain
access-list inside extended permit tcp any any eq domain
access-list inside extended permit tcp any any eq www
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
access-list dmz extended permit ip any any
access-list dmz extended permit icmp any any
access-list DMZ_IN extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list cap extended permit ip 172.16.16.0 255.255.255.0 10.1.4.0 255.255.252.0
access-list cap extended permit ip 10.1.4.0 255.255.252.0 172.16.16.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 10.1.4.0 255.255.252.0
static (inside,dmz) 10.1.4.0 10.1.4.0 netmask 255.255.252.0
static (dmz,outside) 41.223.xx.xx 172.16.16.25 netmask 255.255.255.255
static (dmz,outside) 41.223.xx.xx 172.16.16.80 netmask 255.255.255.255
access-group dmz_int in interface dmz
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 41.223.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username tchipa password JUU.kVt2Und.Vd23 encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 10.1.4.x 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.1.4.x 255.255.255.255 inside
ssh timeout 10
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
Cryptochecksum:48ba8cf4e31f2940e44293256d84ce38
: end
我真的很感激您的任何帮助,因为我有点绝望,同时我提前感谢大家的时间和合作。
屋宇署
答案1
static (dmz,outside) 41.223.156.106 172.16.16.25 netmask 255.255.255.255
static (dmz,outside) 41.223.156.107 172.16.16.80 netmask 255.255.255.255
这非常非常糟糕 - 你绝不将流量从低安全接口 NAT 到高安全接口。
您应该反过来做:
static (outside,dmz) 172.16.16.25 41.223.156.106 netmask 255.255.255.255
static (outside,dmz) 172.16.16.80 41.223.156.107 netmask 255.255.255.255
除此之外,除了 dmz_int 和内部 ACL 之外,其他 ACL 均不适用。