How can I configure my network to allow two-way traffic between the two networks?

Here is my current setup (it may need reworking):

  • 2 LAN networks – 192.168.41.0, 192.168.21.0
  • 2 public IPs (assigned by MAC address – not a subnet allocated to us): 24.53.xx, and the other is 192.34.xx
  • NETGEAR router
  • Linksys router
  • ASA 5505 with the Base license

I'll do my best to describe the network as it currently stands. I'll improve it later when I have better access to tools. I've included my ASA running configuration:

  • Cable modem -> switch
  • Switch -> NETGEAR router and ASA 5505
  • The NETGEAR router hosts the 192.168.41.0 network and is assigned one of the public IPs
  • The ASA 5505 hosts the 192.168.21.0 network and is assigned the other public IP
  • I connected a switch behind each network (behind the router and behind the ASA) – so 3 switches in total
  • While trying to join the two networks, I added a Linksys router to the switch behind the 21.0 network and assigned that router an address on the 21.0 network (192.168.21.254).
  • I then ran a cable to the Linksys router's internet port and assigned it a WAN IP address on the 41.0 network (192.168.41.2).
  • On the 41.0 router (the Netgear) I added a route to the 21.0 network via the 41.2 address.
  • On the ASA on the 21.0 network, I added a route to the 41.0 network via the 21.254 address. I also added a few ACL lines to allow the traffic, as well as the same-security intra-interface setting.

Previously, I was able to get one-way traffic (21.0 could reach 41.0, but not the other way round). I assume it is related to a problem in my topology logic or my NAT logic. Currently, I can ping the 41.0 network from the 21.0 network, but trying to use other ports (e.g. telnet to the SMTP server on port 25) fails. I hope that with your help we can start from where I am here and begin troubleshooting.

ASA configuration

    : Saved
    :
    ASA Version 8.2(1)
    !
    hostname lilprecious
    domain-name mydomain.local
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd lVYsshR/yoydoM2/ encrypted
    no names
    name 192.168.21.10 precious_private
    name 192.168.21.1 asa_private
    name 192.34.x.56 precious_public
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.21.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 192.34.x.56 255.255.252.0
    !
    interface Ethernet0/0
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
     switchport access vlan 2
    !
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
     domain-name mydomain.local
    dns server-group PRECIOUS
     name-server 192.168.21.10
     domain-name mydomain.local
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group service exchange_server
     service-object icmp
     service-object tcp-udp eq www
     service-object tcp eq 587
     service-object tcp eq https
     service-object tcp eq smtp
    object-group service temp
     service-object tcp-udp eq 64092
    object-group service temp2
     service-object tcp-udp eq 59867
    access-list CASVPN_splitTunnelAcl standard permit 192.168.21.0 255.255.255.0
    access-list CASVPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
    access-list CASVPN_splitTunnelAcl standard permit 192.168.41.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.21.0 255.255.255.0 192.168.20.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.20.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.41.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.41.0 255.255.255.0 192.168.21.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.21.0 255.255.255.0 192.168.41.0 255.255.255.0
    access-list ping extended permit icmp any any echo-reply
    access-list ping extended permit tcp any host 192.34.x.56 eq www
    access-list ping extended permit object-group exchange_server any host 192.34.x.56
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpn_clients 192.168.20.100-192.168.20.199 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any outside
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface smtp 192.168.21.10 smtp netmask 255.255.255.255
    static (inside,outside) tcp interface www 192.168.21.10 www netmask 255.255.255.255
    static (inside,outside) tcp interface https 192.168.21.10 https netmask 255.255.255.255
    static (inside,outside) tcp interface 587 192.168.21.10 587 netmask 255.255.255.255
    access-group ping in interface outside
    route outside 0.0.0.0 0.0.0.0 192.34.xx.1 1
    route inside 192.168.41.0 255.255.255.0 192.168.21.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server Precious protocol ldap
    aaa-server Precious (inside) host 192.168.21.10
     timeout 5
     ldap-base-dn DC=mydomain,DC=local
     ldap-scope subtree
     ldap-login-password *
     ldap-login-dn CN=aduser,CN=Users,DC=mydomain,DC=local
     server-type auto-detect
    http server enable
    http 192.168.21.0 255.255.255.0 inside
    http 192.168.20.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 5
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 10
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet 192.168.21.0 255.255.255.0 inside
    telnet 192.168.20.0 255.255.255.0 inside
    telnet timeout 20
    ssh timeout 20
    console timeout 0
    management-access inside
    dhcpd auto_config outside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy CASVPN internal
    group-policy CASVPN attributes
     wins-server value 192.168.21.10
     dns-server value 192.168.21.10
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value CASVPN_splitTunnelAcl
     default-domain value mydomain.local
    tunnel-group CASVPN type remote-access
    tunnel-group CASVPN general-attributes
     address-pool vpn_clients
     authentication-server-group Precious
     default-group-policy CASVPN
    tunnel-group CASVPN ipsec-attributes
     pre-shared-key *
    !
    !
    prompt hostname context
    Cryptochecksum:3b181b87399ae99bb504d3cd42adc880
    : end

It looks like you have an asymmetric routing problem, as in Example B here: https://supportforums.cisco.com/docs/DOC-14491

Also, adding a third interface on the Base license may not help you, because the ASA 5505 needs a separate license for a DMZ or third VLAN. This is from Cisco:

Maximum Active VLAN Interfaces by License. In routed mode, you can configure the following VLANs depending on your license:

  • Base License – 3 active VLANs. The third VLAN can only be configured to initiate traffic to one other VLAN.
  • Security Plus License – 20 active VLANs.

In transparent firewall mode, you can configure the following VLANs depending on your license:

  • Base License – 2 active VLANs in 1 bridge group.
  • Security Plus License – 3 active VLANs: 2 active VLANs in 1 bridge group, and 1 active VLAN for the failover link.

Solutions:

  1. Get a managed network switch that can do static routing, and route the traffic through it;
  2. Get the Security Plus license for the ASA, connect the 192.168.41.0 network to a third VLAN, and then send all traffic through the ASA. However, the ASA 5505 has 100 Mb interfaces, so if you need to move a lot of data, solution 1 with a managed switch looks better.
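To illustrate the asymmetric-routing diagnosis above, here is a toy Python model of a stateful firewall's connection table, added as an example and not taken from the question or either answer. It assumes that replies from the 41.0 network reach the 21.0 host through the Linksys without transiting the ASA, and the two host addresses are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    proto: str        # "icmp" or "tcp"
    flags: str = ""   # TCP flags as seen by the firewall: "S", "SA" or "A"


@dataclass
class StatefulFirewall:
    """Toy model of a stateful firewall: a TCP segment is only forwarded when
    every earlier step of the handshake has transited the firewall, whereas
    ICMP echo/echo-reply are matched by the ACL and need no handshake state."""
    conns: dict = field(default_factory=dict)

    def inspect(self, pkt: Packet) -> str:
        if pkt.proto == "icmp":
            return "pass"
        key = (pkt.proto,) + tuple(sorted((pkt.src, pkt.dst)))
        state = self.conns.get(key)
        if pkt.flags == "S" and state is None:
            self.conns[key] = "SYN_SEEN"
            return "pass"
        if pkt.flags == "SA" and state == "SYN_SEEN":
            self.conns[key] = "ESTABLISHED"
            return "pass"
        if pkt.flags == "A" and state == "ESTABLISHED":
            return "pass"
        return "drop"   # out-of-state segment: the firewall never saw the SYN-ACK


def run_flow(packets_seen_by_firewall):
    """Run a list of packets through a fresh firewall; return each verdict."""
    fw = StatefulFirewall()
    return [fw.inspect(p) for p in packets_seen_by_firewall]


CLIENT, SERVER = "192.168.21.50", "192.168.41.50"   # constructed hosts on each LAN

# Symmetric path: the firewall sees every packet of the handshake in both directions.
SYMMETRIC = [Packet(CLIENT, SERVER, "tcp", "S"),
             Packet(SERVER, CLIENT, "tcp", "SA"),
             Packet(CLIENT, SERVER, "tcp", "A")]
# Asymmetric path (assumed here): the SYN-ACK comes back through the Linksys straight
# onto the 21.0 LAN, so the firewall sees only the client's SYN and then its ACK.
ASYMMETRIC = [Packet(CLIENT, SERVER, "tcp", "S"),
              Packet(CLIENT, SERVER, "tcp", "A")]
PING = [Packet(CLIENT, SERVER, "icmp"), Packet(SERVER, CLIENT, "icmp")]

if __name__ == "__main__":
    for name, flow in (("symmetric", SYMMETRIC), ("asymmetric", ASYMMETRIC), ("ping", PING)):
        print(name, run_flow(flow))
```

The ping flow passes in both cases, while the TCP flow is dropped at the client's ACK as soon as the SYN-ACK bypasses the firewall, which matches the symptom of ping working but port 25 failing.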

You could try adding a third VLAN interface on Eth 0/6. Use it as 192.168.41.2, then allow the traffic on the Cisco. Then on the Netgear, add a static route for 192.168.21.x/24 using the 192.168.41.2 interface you set up on the Cisco. You will also need a static route on the Cisco back to 192.168.41.x/24 using the new VLAN interface as the gateway.