28%20%E7%9A%84%E6%97%A7%20PIX%20515e%EF%BC%9A%E6%97%A0%E6%B3%95%E9%80%9A%E8%BF%87%E5%A4%96%E9%83%A8%E6%8E%A5%E5%8F%A3%E4%B8%8A%E7%9A%84%20DHCP%20%E8%AE%BF%E9%97%AE%E4%BA%92%E8%81%94%E7%BD%91.png)
好吧,我承认。我可能忽略了一些简单的事情。能帮点忙吗?
我有一台较旧的 PIX 515e,正在尝试运行它。外部接口连接到电缆调制解调器并配置为 DHCP。此接口从 ISP 分配一个 IP,因此这部分似乎可以正常工作。我的理解是,使用该命令应该会自动为 ISP 网关设置静态路由。如果是这样的话。从控制台,我还可以 ping ISP 网关和我尝试的任何其他站点 (yahoo.com)。
内部接口设置了静态地址 10.0.1.10,这将返回来自内部客户端的 ping。内部网络上的 DHCP 由 2012R2 机器处理,此服务以及 DNS 也在运行(测试 PIX 时的 DNS 转发除外)
但是,客户端无法访问互联网。没有 ping 回复等。我认为这是路由问题或 NAT/PAT 问题。我对 Cisco 配置的这个方面一窍不通,需要一些帮助。下面是我当前正在运行的配置。我尝试了网上找到的一些配置指南,但似乎都不起作用。有人能帮我解决这个问题吗?
谢谢!Michael
: Saved
:
PIX Version 8.0(4)28
!
hostname GripPix
domain-name Grip.com
enable password ... encrypted
passwd ... encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.0.1.10 255.255.0.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name Grip.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended deny ip any any log
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 10.0.0.0 netmask 255.255.0.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.0.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection-default
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:9cceeff3166fd745e3569853ea5c178c
: end
asdm image flash:/asdm-613.bin
no asdm history enable
答案1
事实证明我做了一件蠢事。客户端实际上能够访问互联网,但我不知道,因为我实际上并没有尝试浏览等。我只是打开了一个 cmd 窗口并运行“ping www.yahoo.com -t”
我的假设是,一旦我收到 ping 回复,网关就可以正常工作。我忽略了允许 ICMP 流量通过 NAT 防火墙。因此,即使我的客户端实际上可以浏览等,我也没有收到 ping 回复,所以我假设我没有通过。一旦我启用 ICMP 流量,一切就都正常了。我对此感到有点不好意思,但我想活到老学到老。