Configuring a PIX to allow SMTP between the DMZ and the internal network

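I have a web server (193.170.4.2) in my DMZ that needs to communicate over SMTP with our internal Exchange server (10.77.51.87). I used access-list acl-dmz permit tcp host 193.170.4.2 host 10.77.51.87 eq smtp, but it did not work.

Is it because of the deny ip lines in acl-outbound or the nat ACL? If not, can anyone see what might be causing this? My configuration is as follows: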

    PIX_6.3(5)_515# access-group acl-inbound in interface outside
    access-group acl-outbound in interface inside
    access-group acl-dmz in interface dmz1
    PIX_6.3(5)_515#
    PIX_6.3(5)_515# sh access-list acl-outbound | in deny
    access-list acl-outbound line 86 deny ip 10.0.0.0 255.0.0.0 193.170.4.0 255.255.255.0 (hitcnt=1209)
    access-list acl-outbound line 90 deny ip any any (hitcnt=1014022)
    PIX_6.3(5)_515#
    PIX_6.3(5)_515#
    PIX_6.3(5)_515# sh access-list acl-dmz
    access-list acl-dmz; 2 elements
    access-list acl-dmz line 1 permit udp host 193.170.4.2 host 198.6.1.4 eq domain (hitcnt=5625)
    access-list acl-dmz line 2 permit ip host 193.170.4.2 any (hitcnt=1089)
    PIX_6.3(5)_515#
    PIX_6.3(5)_515#
    PIX_6.3(5)_515# sh nat
    nat (inside) 0 access-list nonat
    nat (inside) 1 10.77.51.80 255.255.255.255 0 0
    nat (inside) 1 10.77.51.81 255.255.255.255 0 0
    nat (inside) 1 10.77.51.87 255.255.255.255 0 0
    nat (inside) 2 10.76.0.0 255.255.0.0 0 0
    PIX_6.3(5)_515#
    PIX_6.3(5)_515# sh run | in static
    static (inside,outside) tcp 195.99.136.85 smtp 10.77.51.87 smtp netmask 255.255.255.255 0 0
    static (inside,outside) 195.99.136.81 10.77.51.58 netmask 255.255.255.255 0 0
    static (inside,outside) 195.99.136.84 10.77.51.38 netmask 255.255.255.255 0 0
    static (dmz1,outside) 212.140.175.173 193.170.4.2 netmask 255.255.255.255 0 0
    static (dmz1,inside) 212.140.175.173 193.170.4.2 netmask 255.255.255.255 0 0
    static (inside,dmz1) 10.76.0.0 10.76.0.0 netmask 255.255.0.0 0 0
    PIX_6.3(5)_515#
    PIX_6.3(5)_515#
    PIX_6.3(5)_515# sh run | in global
    global (outside) 1 195.99.136.85
    global (outside) 2 interface
    PIX_6.3(5)_515#
    PIX_6.3(5)_515#

I think the DENY is your problem.

Try:

    access-list acl-dmz line 3 permit tcp host 193.170.4.2 host 10.77.51.87 eq smtp
    access-list acl-outbound line 88 permit tcp host 10.77.51.87 host 193.170.4.2
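
A PIX access list is evaluated top-down and stops at the first matching entry, so the position given with `line` decides whether a new permit takes effect. The Python below is an added example, not part of the original posts: it runs a first-match check over only the entries visible in the output above (the `| in deny` filter hides the rest of acl-outbound, which is assumed not to match these flows), and the function names `parse`, `insert` and `first_match` are hypothetical.

```python
import ipaddress

PORTS = {"smtp": 25, "domain": 53}  # only the port names that appear on this page

# Entries copied from the 'sh access-list' output above (acl-outbound shows deny lines only).
ACL_DMZ = [
    "access-list acl-dmz line 1 permit udp host 193.170.4.2 host 198.6.1.4 eq domain (hitcnt=5625)",
    "access-list acl-dmz line 2 permit ip host 193.170.4.2 any (hitcnt=1089)",
]
ACL_OUTBOUND = [
    "access-list acl-outbound line 86 deny ip 10.0.0.0 255.0.0.0 193.170.4.0 255.255.255.0 (hitcnt=1209)",
    "access-list acl-outbound line 90 deny ip any any (hitcnt=1014022)",
]

def _addr(tok):
    """Consume one address spec from the token list: any | host A | NET MASK."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tok.pop(0)}")

def parse(line):
    """Parse 'access-list NAME line N ACTION PROTO SRC DST [eq PORT]'."""
    tok = line.split("(hitcnt")[0].split()
    entry = {"line": int(tok[3]), "action": tok[4], "proto": tok[5]}
    rest = tok[6:]
    entry["src"], entry["dst"] = _addr(rest), _addr(rest)
    entry["port"] = (PORTS.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return entry

def insert(entries, line):
    """Insert at 'line N': existing entries at N and below move down by one."""
    new = parse(line)
    return [dict(e, line=e["line"] + (e["line"] >= new["line"])) for e in entries] + [new]

def first_match(entries, proto, src, dst, dport=None):
    """Return (line, action) of the first entry matching the flow; implicit deny if none."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in sorted(entries, key=lambda e: e["line"]):
        if (e["proto"] in ("ip", proto) and s in e["src"] and d in e["dst"]
                and e["port"] in (None, dport)):
            return e["line"], e["action"]
    return None, "deny"

if __name__ == "__main__":
    dmz = [parse(l) for l in ACL_DMZ]
    out = [parse(l) for l in ACL_OUTBOUND]
    print("acl-dmz:", first_match(dmz, "tcp", "193.170.4.2", "10.77.51.87", 25))
    permit = "access-list acl-outbound line {} permit tcp host 10.77.51.87 host 193.170.4.2"
    for n in (88, 86):
        print(n, first_match(insert(out, permit.format(n)), "tcp", "10.77.51.87", "193.170.4.2", 25))
```

Running it shows which line each flow hits: SMTP from 193.170.4.2 to 10.77.51.87 against acl-dmz, and traffic from 10.77.51.87 to 193.170.4.2 against acl-outbound with the permit placed at line 88 and at line 86.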