大家好,在此先谢谢大家的帮助。我在让思科防火墙 (asa 5505) 在区域之间 ping 时遇到了一些问题。内部区域无法与外部区域 ping 通,反之亦然。但我可以让内部区域与 DMZ 进行 ping,外部区域可以与 DMZ 进行 ping。但不知出于什么原因,我无法让内部和外部互相接受 ping。这一切都是使用 CLI/控制台完成的,如果答案不涉及使用 ASDM(由于某些原因我不能使用 ASDM),我将不胜感激。我尝试了大量谷歌搜索,但没有一个解决方案对我有用或涉及使用 ASDM。
我认为是 NAT(到目前为止,这不完全是我的强项,从来都不是)。但是,我已经包含了大部分启动/运行配置。一些信息被省略了(即主机名和密码)。
!
ASA Version 7.2(4)
interface Ethernet0/0
description inside network
nameif inside
security-level 100
ip address 10.27.6.2 255.255.255.252
!
interface Ethernet0/1
description DMZ network
nameif DMZ
security-level 50
ip address 10.65.4.1 255.255.255.0
!
interface Ethernet0/2
description outside network
nameif outside
security-level 0
ip address 209.65.5.2 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list outside extended permit tcp any any eq smtp
access-list outside extended permit udp any any eq domain
access-list outside extended permit tcp any any eq www
access-list outside extended permit icmp any any
access-list DMZ extended permit tcp any any eq smtp
access-list DMZ extended permit tcp any any eq 50636
access-list DMZ extended permit tcp any any eq domain
access-list DMZ extended permit tcp any any eq www
access-list DMZ extended permit udp any any eq domain
access-list DMZ extended permit icmp any any
pager lines 24
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (DMZ) 1 10.65.4.10-10.65.4.30
global (DMZ) 1 10.65.4.31
global (outside) 1 interface
nat (inside) 1 10.25.0.0 255.255.0.0
static (inside,DMZ) 10.25.0.0 10.25.0.0 netmask 255.255.0.0
static (outside,DMZ) 10.65.4.2 209.65.5.3 netmask 255.255.255.255
static (outside,DMZ) 10.65.4.3 209.65.5.4 netmask 255.255.255.255
access-group DMZ in interface DMZ
access-group outside in interface outside
route inside 10.25.0.0 255.255.0.0 10.27.6.1 1
route outside 0.0.0.0 0.0.0.0 209.65.5.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map icmp-class
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:bfa954ee3900016b01cca15cfcf36eec
: end
上面的文本块中,关于外部和 DMZ 的静态 NAT 的行static (outside,DMZ) 10.65.4.X 209.65.5.X最初是这样static (DMZ,outside) 209.65.5.X 10.65.4.X的,但是我读到将较高安全级别映射到较低安全级别是一种不好的做法,所以我更改了它。我还尝试切换 ACL 以允许所有内容通过进行测试,代替ip any any我实际想要通过的内容,但仍然没有结果。感谢您审阅这一大段文字并提供任何建议,非常感谢。