I have a Cisco ASA 5515X with two WAN connections and one LAN connection.
As far as I understand, I have configured the firewall to allow SMTP traffic through the WAN2 interface, but not through the WAN1 interface.
However, I cannot send e-mail because the public IP does not match the reverse DNS record. That record points to WAN2's public address, but the e-mail is tagged with WAN1's IP address. What is going on?
How can I force outgoing e-mail to be sent through WAN2?
Incidentally, you will notice in the configuration file that the WAN interfaces have private IPs. This is because there is an ADSL router between these interfaces and the public network.
This is my current CLI configuration:
config t
config factory-default
interface Management 0/0
ip address 192.168.0.1 255.255.255.0
interface GigabitEthernet 0/0
ip address 192.168.10.36 255.255.255.0
security-level 0
nameif Telefonica1
no shutdown
interface GigabitEthernet 0/1
ip address 192.168.203.1 255.255.255.0
security-level 100
nameif LAN
no shutdown
interface GigabitEthernet 0/2
ip address 192.168.20.36 255.255.255.0
security-level 0
nameif Telefonica2
no shutdown
interface GigabitEthernet 0/3
ip address 192.168.100.1 255.255.255.0
security-level 100
nameif EUS
no shutdown
route Telefonica1 0.0.0.0 0.0.0.0 192.168.10.1 1
route Telefonica2 0.0.0.0 0.0.0.0 192.168.20.1 2
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (LAN,Telefonica1) dynamic interface
!nat (LAN,Telefonica2) dynamic interface
object network obj_eus
subnet 0.0.0.0 0.0.0.0
nat (EUS,Telefonica1) dynamic interface
policy-map global_policy
class inspection_default
inspect icmp
exit
exit
http server enable
http 192.168.203.0 255.255.255.0 LAN
http server enable
http 192.168.100.0 255.255.255.0 EUS
icmp permit any Telefonica1
icmp permit any Telefonica2
wr mem
! ZURBANO SERVICES
object network owaserver
host 192.168.203.11
nat (LAN,Telefonica2) static interface service tcp 443 443
object network RDPEUS
host 192.168.100.10
nat (EUS,Telefonica2) static interface service tcp 3387 3387
object network RDPMEXHUB1
host 192.168.100.11
nat (EUS,Telefonica2) static interface service tcp 3386 3386
object network RDPMEXHUB2
host 192.168.100.12
nat (EUS,Telefonica2) static interface service tcp 3385 3385
object network RDPMEXHUBOLD
host 192.168.203.11
nat (LAN,Telefonica2) static interface service tcp 3391 3391
object network exchange
host 192.168.203.11
nat (LAN,Telefonica2) static interface service tcp 25 25
object network TBOCAM
host 192.168.203.18
nat (LAN,Telefonica2) static interface service tcp 8081 8081
access-list OutsideToInside permit tcp any host 192.168.203.11 eq 443
access-list OutsideToInside permit tcp any host 192.168.203.18 eq 8081
access-list OutsideToInside permit tcp any host 192.168.100.10 eq 3387
access-list OutsideToInside permit tcp any host 192.168.100.11 eq 3386
access-list OutsideToInside permit tcp any host 192.168.100.12 eq 3385
access-list OutsideToInside permit tcp any host 192.168.203.11 eq 3391
access-list OutsideToInside permit tcp any host 192.168.203.11 eq 25
access-group OutsideToInside in interface Telefonica2
access-list AMZN_ACCESS_IN extended permit ip host 54.239.63.155 host 2.139.188.36
access-list AMZN_ACCESS_IN extended permit ip host 54.239.63.154 host 2.139.188.36
access-list acl-amzn-fra extended permit ip any 192.168.1.0 255.255.255.0
access-list amzn-fra-filter extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list amzn-fra-filter extended deny ip any any
group-policy filter-fra internal
group-policy filter-fra attributes
vpn-filter value amzn-fra-filter
tunnel-group 54.239.63.154 general-attributes
default-group-policy filter-fra
exit
tunnel-group 54.239.63.155 general-attributes
default-group-policy filter-fra
exit
object network obj-amzn-fra
subnet 192.168.1.0 255.255.255.0
nat (EUS,Telefonica1) 2 source static obj_any obj_any destination static obj-amzn-fra obj-amzn-fra
wr mem
Thanks
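To see why outbound mail from 192.168.203.11 leaves via Telefonica1, the following added script (not the poster's configuration or Cisco code) models the ASA auto-NAT section ordering (static rules before dynamic, fewer real addresses first, egress taken from the rule's mapped interface) against the posted object rules. The `exchange-out` object is a hypothetical addition used only to show how a host-specific dynamic rule would outrank `obj_any`; the model ignores manual NAT and route-lookup variants.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class AutoNat:
    """One 'object network' with an auto NAT statement."""
    name: str
    real: ipaddress.IPv4Network      # host/subnet under the object
    src_if: str                      # real interface, e.g. LAN
    dst_if: str                      # mapped interface, e.g. Telefonica2
    static: bool
    port: Optional[int] = None       # 'service tcp N N' only matches real port N

def section2_order(rules):
    # ASA auto-NAT ordering (assumed model): static first, then dynamic;
    # within each group, objects with fewer real IPs are tried first.
    return sorted(rules, key=lambda r: (not r.static, r.real.num_addresses, r.name))

def pick_rule(rules, src_if, src_ip, src_port):
    ip = ipaddress.ip_address(src_ip)
    for r in section2_order(rules):
        if r.src_if == src_if and ip in r.real and (r.port is None or r.port == src_port):
            return r
    return None

def egress(rules, src_if, src_ip, src_port):
    """Return (matching object name, egress interface) for a new outbound flow."""
    r = pick_rule(rules, src_if, src_ip, src_port)
    return (r.name, r.dst_if) if r else (None, None)

# Rules copied from the posted configuration (LAN side only)
POSTED = [
    AutoNat("obj_any", ipaddress.ip_network("0.0.0.0/0"), "LAN", "Telefonica1", static=False),
    AutoNat("exchange", ipaddress.ip_network("192.168.203.11/32"), "LAN", "Telefonica2", static=True, port=25),
    AutoNat("owaserver", ipaddress.ip_network("192.168.203.11/32"), "LAN", "Telefonica2", static=True, port=443),
]

# Hypothetical object, not in the post: dynamic PAT for the mail host only
EXCHANGE_OUT = AutoNat("exchange-out", ipaddress.ip_network("192.168.203.11/32"), "LAN", "Telefonica2", static=False)

if __name__ == "__main__":
    # An SMTP client connection uses an ephemeral source port, so the
    # 'service tcp 25 25' static rule does not match and obj_any wins.
    print(egress(POSTED, "LAN", "192.168.203.11", 50123))
    print(egress(POSTED + [EXCHANGE_OUT], "LAN", "192.168.203.11", 50123))
```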