Cisco ASA5505 8.2: multiple external IPs to multiple internal IPs

Trying to set up an ASA5505. It is half working, but there are problems with accessing services from outside.

ASA5505 base license, version 8.2. (Plus the upgrade to unlimited inside hosts.)

Warning: I am a Cisco noob.

10.10.39.X is a placeholder for privacy. (Edit: made it less confusing.)

I came up with this configuration and am testing it tonight.

    ASA Version 8.2(1)
    !
    hostname <removed>
    domain-name <removed>
    enable password <removed> encrypted
    passwd <removed> encrypted
    names
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 172.21.36.1 255.255.252.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 10.10.39.10 255.255.255.248
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    dns server-group DefaultDNS
     domain-name <removed>
    access-list outside_inbound extended permit tcp any host 10.10.39.10 eq pptp
    access-list outside_inbound extended permit tcp any host 10.10.39.11 eq https
    access-list outside_inbound extended permit tcp any host 10.10.39.11 eq 993
    access-list outside_inbound extended permit tcp any host 10.10.39.11 eq smtp
    access-list outside_inbound extended permit tcp any host 10.10.39.11 eq 1001
    access-list outside_inbound extended permit tcp any host 10.10.39.11 eq 465
    access-list outside_inbound extended permit tcp any host 10.10.39.11 eq domain
    access-list outside_inbound extended permit udp any eq domain host 10.10.39.11 eq domain
    access-list outside_inbound extended permit tcp any host 10.10.39.12 eq www
    access-list outside_inbound extended permit tcp any host 10.10.39.12 eq https
    access-list outside_inbound extended permit tcp any host 10.10.39.13 eq www
    access-list outside_inbound extended permit tcp any host 10.10.39.13 eq https
    access-list outside_inbound extended permit icmp any any echo-reply
    access-list outside_inbound extended permit icmp any any source-quench
    access-list outside_inbound extended permit icmp any any unreachable
    access-list outside_inbound extended permit icmp any any time-exceeded
    access-list outside_inbound extended permit icmp any any traceroute
    access-list outside_inbound extended permit icmp any any echo
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 2 10.10.39.11-10.10.39.14 netmask 255.255.255.248
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface pptp 172.21.37.20 pptp netmask 255.255.255.255
    static (inside,outside) 10.10.39.11 172.21.37.14 netmask 255.255.255.255
    static (inside,outside) 10.10.39.12 172.21.37.24 netmask 255.255.255.255
    static (inside,outside) 10.10.39.13 172.21.37.17 netmask 255.255.255.255
    access-group outside_inbound in interface outside
    route outside 0.0.0.0 0.0.0.0 10.10.39.9 1
    route inside 192.168.15.0 255.255.255.0 172.21.36.52 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 172.21.36.0 255.255.252.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 172.21.36.0 255.255.252.0 inside
    telnet timeout 60
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect pptp
      inspect ipsec-pass-thru
      inspect http
    !
    service-policy global_policy global
    prompt hostname context

The servers with static translations have no outside network access at all. For example, they cannot ping google.com. The mail server cannot do domain POP from our ISP's Barracuda spam filter, etc.

So after reading a few things, I removed the static maps for 10.10.39.11, 12 and 13 and replaced those three statics with the following. (Edit: corrected the IPs in this table.)

    static (inside,outside) tcp 10.10.39.11 https 172.21.37.14 https netmask 255.255.255.255
    static (inside,outside) tcp 10.10.39.11 993 172.21.37.14 993 netmask 255.255.255.255
    static (inside,outside) tcp 10.10.39.11 smtp 172.21.37.14 smtp netmask 255.255.255.255
    static (inside,outside) tcp 10.10.39.11 1001 172.21.37.14 1001 netmask 255.255.255.255
    static (inside,outside) tcp 10.10.39.11 465 172.21.37.14 465 netmask 255.255.255.255
    static (inside,outside) tcp 10.10.39.11 domain 172.21.37.14 domain netmask 255.255.255.255
    static (inside,outside) tcp 10.10.39.12 www 172.21.37.24 www netmask 255.255.255.255
    static (inside,outside) tcp 10.10.39.12 https 172.21.37.24 https netmask 255.255.255.255
    static (inside,outside) tcp 10.10.39.13 www 172.21.37.17 www netmask 255.255.255.255
    static (inside,outside) tcp 10.10.39.13 https 172.21.37.17 https netmask 255.255.255.255

Now the servers (e.g. 172.21.37.14) can ping the outside world again. Mail started flowing (domain POP succeeded) and so on. But I admit I forgot to check whether webmail works from outside.

But the web servers at 172.21.37.17 and 172.21.37.24 still do not respond to the outside world. I can, however, PPTP VPN to 10.10.39.10 (the interface), which is the outside interface IP address. It is statically mapped to 172.21.37.20.

So I think something must be wrong with the NAT somewhere? 10.10.39.11 through 10.10.39.14 do not respond.

Can anyone look at the configuration and let me know what I am doing wrong? Is there something I missed? Probably something obvious, but... please help! Thanks.
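As an added cross-check (not from the question or the answer), a small parser for the `access-list` and `static` lines of an ASA 8.2 config: it reports inbound permits whose destination host and port have no static translation behind them, because such a permit lets the packet through the ACL but the ASA has nothing to translate it to. The embedded config is a constructed subset of the rules posted above, and `OUTSIDE_IF_IP` is assumed to be the outside interface address that the `interface` keyword in a static refers to.

```python
import re

# Constructed subset of the ACL and static lines from the question (not the full config).
CONFIG = """
access-list outside_inbound extended permit tcp any host 10.10.39.10 eq pptp
access-list outside_inbound extended permit tcp any host 10.10.39.11 eq https
access-list outside_inbound extended permit tcp any host 10.10.39.11 eq smtp
access-list outside_inbound extended permit udp any eq domain host 10.10.39.11 eq domain
access-list outside_inbound extended permit tcp any host 10.10.39.12 eq www
access-list outside_inbound extended permit tcp any host 10.10.39.13 eq https
static (inside,outside) tcp interface pptp 172.21.37.20 pptp netmask 255.255.255.255
static (inside,outside) tcp 10.10.39.11 https 172.21.37.14 https netmask 255.255.255.255
static (inside,outside) tcp 10.10.39.11 smtp 172.21.37.14 smtp netmask 255.255.255.255
static (inside,outside) tcp 10.10.39.12 www 172.21.37.24 www netmask 255.255.255.255
static (inside,outside) 10.10.39.13 172.21.37.17 netmask 255.255.255.255
"""
OUTSIDE_IF_IP = "10.10.39.10"  # assumed: the 'interface' keyword in a static means this address

# Only tcp/udp permits to a single host are checked; icmp and 'any' destinations are skipped.
ACL_RE = re.compile(r"access-list \S+ extended permit (tcp|udp) any(?: eq \S+)? host (\S+) eq (\S+)$")
PORT_STATIC_RE = re.compile(r"static \(inside,outside\) (tcp|udp) (\S+) (\S+) (\S+) \S+ netmask")
HOST_STATIC_RE = re.compile(r"static \(inside,outside\) (\d+\.\d+\.\d+\.\d+) (\S+) netmask")

def parse_statics(config):
    """Return (port_statics, host_statics): port forwards keyed by (proto, outside ip, port),
    and one-to-one host statics keyed by outside ip; values are the inside host."""
    port_statics, host_statics = {}, {}
    for line in config.splitlines():
        m = PORT_STATIC_RE.match(line.strip())
        if m:
            proto, out_ip, out_port, in_ip = m.groups()
            if out_ip == "interface":
                out_ip = OUTSIDE_IF_IP
            port_statics[(proto, out_ip, out_port)] = in_ip
            continue
        m = HOST_STATIC_RE.match(line.strip())
        if m:
            host_statics[m.group(1)] = m.group(2)
    return port_statics, host_statics

def untranslated_permits(config):
    """Inbound permits with no static behind them: the ACL allows the packet, but no
    translation exists for that outside host/port, so the service stays unreachable."""
    port_statics, host_statics = parse_statics(config)
    missing = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            proto, dst, port = m.groups()
            if dst not in host_statics and (proto, dst, port) not in port_statics:
                missing.append((proto, dst, port))
    return missing
```

Run against the real config by replacing `CONFIG` with the output of `show running-config`; every tuple returned is a permit that cannot deliver traffic until a matching static is added or the ACL entry is removed.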

(Your example IP address scheme is confusing... don't do that!)

Walk through setting up basic PAT rules with the Cisco ASDM GUI wizard. I would also suggest moving to the ASA 8.3 or 8.4 software (and the corresponding ASDM) that may have been included in the package. I think it makes setting up static NAT entries easier, since it can be done host by host in a single dialog.