Cisco ASA5505 – Can't ping DMZ from Inside interface

I know just enough Cisco CLI to be dangerous. Here's the situation: I have an ASA5505 with DMZ (10.10.10.X) and Inside (192.168.0.X) VLANs. I'm running a pair of servers on an external IP block (1.2.3.X),

From inside, I can't talk to my DMZ machines. I can talk to the external address, which is then correctly translated to the internal server (is this what's called a hairpin?), but I want to be able to talk to the DMZ addresses directly.

What am I missing here? Thanks in advance to anyone willing to offer input!

ciscoasa(config-if)# show running-config
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name mycompanydomain.com
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.2.3.201 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 switchport access vlan 3
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport access vlan 3
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
 name-server 208.67.222.222
 name-server 208.67.220.220
 domain-name mycompanydomain.com
access-list out_dmz extended permit icmp any any echo
access-list out_dmz extended permit icmp any any echo-reply
access-list out_dmz extended permit icmp any any time-exceeded
access-list out_dmz extended permit icmp any any unreachable
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 3389
access-list out_dmz extended permit tcp any host 1.2.3.201 eq https
access-list out_dmz extended permit tcp any host 1.2.3.201 eq gopher
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 5500
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40000
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40001
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40002
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40003
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40004
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40005
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40006
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40007
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40008
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40009
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40010
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 5901
access-list out_dmz extended permit tcp any host 1.2.3.202 eq https
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 2222
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 2223
access-list out_dmz extended permit tcp any host 1.2.3.203 eq https
access-list out_dmz extended permit tcp any host 1.2.3.203 eq ssh
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40011
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40012
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40013
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40014
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40015
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40016
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40017
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40018
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40019
access-list out_dmz extended permit tcp any host 1.2.3.201 eq 40020
access-list out_dmz extended permit tcp any host 1.2.3.202 eq ssh
access-list icmp-dmz extended permit icmp any any
access-list icmp-dmz extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 10.10.10.0 255.255.255.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp interface 3389 10.10.10.201 3389 netmask 255.255.255.255
static (dmz,outside) tcp interface https 10.10.10.201 https netmask 255.255.255.255
static (dmz,outside) tcp interface gopher 10.10.10.201 gopher netmask 255.255.255.255
static (dmz,outside) tcp interface 5500 10.10.10.201 5500 netmask 255.255.255.255
static (dmz,outside) tcp interface 40000 10.10.10.201 40000 netmask 255.255.255.255
static (dmz,outside) tcp interface 40001 10.10.10.201 40001 netmask 255.255.255.255
static (dmz,outside) tcp interface 40002 10.10.10.201 40002 netmask 255.255.255.255
static (dmz,outside) tcp interface 40003 10.10.10.201 40003 netmask 255.255.255.255
static (dmz,outside) tcp interface 40004 10.10.10.201 40004 netmask 255.255.255.255
static (dmz,outside) tcp interface 40005 10.10.10.201 40005 netmask 255.255.255.255
static (dmz,outside) tcp interface 40006 10.10.10.201 40006 netmask 255.255.255.255
static (dmz,outside) tcp interface 40007 10.10.10.201 40007 netmask 255.255.255.255
static (dmz,outside) tcp interface 40008 10.10.10.201 40008 netmask 255.255.255.255
static (dmz,outside) tcp interface 40009 10.10.10.201 40009 netmask 255.255.255.255
static (dmz,outside) tcp interface 40010 10.10.10.201 40010 netmask 255.255.255.255
static (dmz,outside) tcp interface 5901 10.10.10.201 5901 netmask 255.255.255.255
static (dmz,outside) tcp interface 2222 10.10.10.201 2222 netmask 255.255.255.255
static (dmz,outside) tcp interface 2223 10.10.10.201 2223 netmask 255.255.255.255
static (dmz,outside) tcp interface 40011 10.10.10.201 40011 netmask 255.255.255.255
static (dmz,outside) tcp interface 40012 10.10.10.201 40012 netmask 255.255.255.255
static (dmz,outside) tcp interface 40013 10.10.10.201 40013 netmask 255.255.255.255
static (dmz,outside) tcp interface 40014 10.10.10.201 40014 netmask 255.255.255.255
static (dmz,outside) tcp interface 40015 10.10.10.201 40015 netmask 255.255.255.255
static (dmz,outside) tcp interface 40016 10.10.10.201 40016 netmask 255.255.255.255
static (dmz,outside) tcp interface 40017 10.10.10.201 40017 netmask 255.255.255.255
static (dmz,outside) tcp interface 40018 10.10.10.201 40018 netmask 255.255.255.255
static (dmz,outside) tcp interface 40019 10.10.10.201 40019 netmask 255.255.255.255
static (dmz,outside) tcp interface 40020 10.10.10.201 40020 netmask 255.255.255.255
static (dmz,outside) tcp 1.2.3.202 https 10.10.10.202 https netmask 255.255.255.255
static (dmz,outside) tcp 1.2.3.202 ssh 10.10.10.202 ssh netmask 255.255.255.255
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (dmz,inside) 1.2.3.201 10.10.10.201 netmask 255.255.255.255
access-group out_dmz in interface outside
access-group icmp-dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 1.2.3.206 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp dmz
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 dmz
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd lease 360000
dhcpd auto_config outside
dhcpd option 3 ip 10.10.10.1
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd option 3 ip 192.168.1.1 interface inside
dhcpd enable inside
!
dhcpd address 10.10.10.20-10.10.10.33 dmz
dhcpd option 3 ip 10.10.10.1 interface dmz
dhcpd enable dmz
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b0bf092f094c827c22cebbce653bc3e6
: end
ciscoasa(config-if)#

(I know this is over a year old, but hopefully it will be useful to someone else)

I think you have an ASA 5505 with the Base license. The Base license only allows 2 full VLANs; the third must be restricted with the command "no forward interface VlanX", which is why you can't remove it.

From the Cisco help:

With the Base license, you can only configure a third VLAN if you use this command to limit it.

For example, you have one VLAN assigned to the outside for Internet access, one VLAN assigned to an inside business network, and a third VLAN assigned to your home network. The home network does not need to access the business network, so you can use this option on the home VLAN; the business network can access the home network, but the home network cannot access the business network.

If you already have two VLAN interfaces configured with a nameif command, be sure to configure this setting before the nameif command on the third interface; the ASA does not allow three fully functioning VLAN interfaces with the Base license on the ASA 5505.

A couple of problems.

  1. By default, ICMP is blocked on ASA interfaces.
  2. You cannot talk from a lower security level interface to a higher security level interface.

Although this is for the Cisco PIX, this link should still be useful to you.

If you configure "same-security-traffic permit inter-interface" and NAT is enabled on the interfaces, you must use NAT between interfaces at the same security level. Add the following to your configuration:

access-list nat_inside_dmz extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nat_dmz_inside extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nat_inside_dmz
nat (dmz) 0 access-list nat_dmz_inside
same-security-traffic permit inter-interface
no static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
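As an added worked check (not part of either answer above), the following session shows how to confirm the Base-license restriction described in the first answer and then verify the NAT exemption proposed in the second, using the ASA's own packet-tracer to see at which phase an inside-to-DMZ echo request is dropped. It assumes the posted 7.2(4) running-config (pre-8.3 NAT syntax), an inside host at 192.168.1.10 (assumed; not in the original), and the DMZ server 10.10.10.201 from the config. The `inspect icmp` step is an added suggestion, not something either answer recommends.

```cisco
! 1. Confirm the license tier that forces "no forward interface" on the third VLAN
ciscoasa# show version | include license
! On a Base-licensed 5505 this prints: This platform has a Base license.

! 2. Confirm which VLAN carries the restriction. "no forward interface Vlan1"
!    only stops dmz from INITIATING traffic to inside; inside-initiated flows
!    and their stateful return traffic are not affected by it.
ciscoasa# show running-config interface Vlan3

! 3. Trace an ICMP echo (type 8, code 0) from the assumed inside host to the
!    DMZ server and read the Phase: NAT entries and the final Action/Drop-reason.
ciscoasa# packet-tracer input inside icmp 192.168.1.10 8 0 10.10.10.201 detailed

! 4. Apply the NAT exemption from the second answer. "nat 0 access-list" is
!    bidirectional, so the inside-side statement alone covers both directions;
!    the identity static it replaces is removed to avoid overlapping translations.
ciscoasa# configure terminal
ciscoasa(config)# access-list nat_inside_dmz extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
ciscoasa(config)# nat (inside) 0 access-list nat_inside_dmz
ciscoasa(config)# no static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

! 5. (Added suggestion) Track echo/echo-reply statefully so that replies from the
!    DMZ no longer depend on the permissive "icmp-dmz" ACL (permit ip any any).
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect icmp
ciscoasa(config-pmap-c)# end

! 6. Clear stale translations, re-run the trace, and confirm the new xlate/connection
ciscoasa# clear xlate
ciscoasa# packet-tracer input inside icmp 192.168.1.10 8 0 10.10.10.201
ciscoasa# show xlate | include 10.10.10.201
ciscoasa# show conn | include 10.10.10.201
```

Read the first packet-tracer output before changing anything: the phase that reports the drop tells you whether the problem is the ACL, the NAT lookup, or routing, and the second run after step 4 should show the same packet reaching "Action: allow". Note also that the question text refers to the inside network as 192.168.0.X while the posted running-config uses 192.168.1.0/24; the access-list above follows the config, so adjust it if the real inside subnet differs.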