ASA 5520, I can't communicate with the DMZ

So I have some serious problems here.

My internal PCs can't communicate with the DMZ to reach the www and mail servers. I'm kind of new to this game, so I don't really know what to say... please help.

Below is my ASA sh run

ASA Version 7.0(8)
!
hostname ASA2
domain-name parlamento.ao
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd mTKIgScrUQsYFO0h encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 description "Link-To-GW-Router"
 nameif outside
 security-level 0
 ip address 41.223.156.109 255.255.255.248
!
interface GigabitEthernet0/1
 description Link To Local Lan
 nameif inside
 security-level 100
 ip address 10.1.4.1 255.255.252.0
!
interface GigabitEthernet0/2
 description "Link-To-DMZ"
 nameif dmz
 security-level 50
 ip address 172.16.16.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list INSIDE extended permit ip 10.1.4.0 255.255.252.0 any
access-list OUT-TO-DMZ extended permit tcp any host 41.223.156.107 eq smtp
access-list OUT-TO-DMZ extended permit tcp any host 41.223.156.106 eq www
access-list OUT-TO-DMZ extended permit icmp any any log
access-list OUT-TO-DMZ extended deny ip any any
access-list inside extended permit tcp any any eq pop3
access-list inside extended permit tcp any any eq smtp
access-list inside extended permit tcp any any eq ssh
access-list inside extended permit tcp any any eq telnet
access-list inside extended permit tcp any any eq https
access-list inside extended permit udp any any eq domain
access-list inside extended permit tcp any any eq domain
access-list inside extended permit tcp any any eq www
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
access-list dmz extended permit ip any any
access-list dmz extended permit icmp any any
access-list DMZ_IN extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list cap extended permit ip 172.16.16.0 255.255.255.0 10.1.4.0 255.255.252.0
access-list cap extended permit ip 10.1.4.0 255.255.252.0 172.16.16.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.1.4.0 255.255.252.0
static (dmz,outside) tcp 41.223.156.106 www 172.16.16.80 www netmask 255.255.255.255
static (dmz,outside) tcp 41.223.156.107 smtp 172.16.16.25 smtp netmask 255.255.255.255
static (inside,dmz) 10.1.0.0 10.1.16.0 netmask 255.255.252.0
access-group OUT-TO-DMZ in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 41.223.156.108 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
Cryptochecksum:30d296dea4f5ffc1dd4560e075d47076
: end

Jorge Decimo

Why do you have this line?

static (inside,dmz) 10.1.0.0 10.1.16.0 netmask 255.255.252.0

It doesn't seem to make sense in your configuration; try removing it.

Also, by default an interface with a higher security level can access lower-level ones, and since the ASA is stateful the traffic will be allowed back. So you can remove the line "access-group dmz in interface dmz".

Unless you want it to, you should also tell the ASA not to NAT the traffic between the DMZ and the inside.

  access-list dmz_nat remark NAT exemption between the dmz and inside networks
  access-list dmz_nat extended permit ip 172.16.16.0 255.255.255.0 10.1.4.0 255.255.252.0
  nat (dmz) 0 access-list dmz_nat
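Putting the answer together as one change set, as an added example that is not part of the thread: the `static (inside,dmz)` removal and the NAT exemption, followed by the checks to confirm it took effect. The addresses are taken from the posted sh run; everything else (the order of steps, the verification commands) is my assumption about how to apply the advice on a 7.0(8) box. One caveat the thread does not spell out: the `static (dmz,outside)` entries only translate between those two interfaces, so inside hosts have to reach the servers by their DMZ addresses (172.16.16.80 and 172.16.16.25), not by the public 41.223.156.x ones.

```cisco
! Added example, not the original poster's or Jorge's config.
! Assumes inside = 10.1.4.0/22 and dmz = 172.16.16.0/24 as in the posted sh run.

! 1. Drop the static that presents inside 10.1.16.0/22 as 10.1.0.0/22 on the dmz.
!    The inside LAN is 10.1.4.0/22, so this rule matches none of the hosts
!    that are trying to reach the DMZ.
no static (inside,dmz) 10.1.0.0 10.1.16.0 netmask 255.255.252.0

! 2. Exempt inside <-> dmz traffic from NAT. NAT exemption (nat 0 with an
!    access-list) is bidirectional and is evaluated before the dynamic
!    nat (inside) 1 rule, so one rule on the dmz side covers both directions.
!    Use the network addresses (.0), not the interface addresses (.1).
access-list dmz_nat remark NAT exemption between dmz and inside
access-list dmz_nat extended permit ip 172.16.16.0 255.255.255.0 10.1.4.0 255.255.252.0
nat (dmz) 0 access-list dmz_nat

! 3. Translations already in the xlate table survive NAT changes until they
!    time out (xlate timeout is 3:00:00 above), so flush them. This drops
!    existing connections, so do it in a maintenance window.
clear xlate

! 4. Verify from an inside host against 172.16.16.80 (www) and 172.16.16.25
!    (smtp), then confirm on the ASA that the exemption is being hit and that
!    no dynamic translation was built for the inside-to-dmz flow.
show access-list dmz_nat
show xlate
show conn
```

If `show access-list dmz_nat` shows no hit count after a test connection, the flow is not matching the exemption, so re-check the source and destination networks in the ACL before looking anywhere else; if the connection appears in `show conn` but fails anyway, the problem is on the DMZ host side (service not listening, or host firewall), not on the ASA.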