Hi everyone.
I have configured my 5520 V7. So far I am facing a problem, so I hope someone here can help me solve it.
What is not working right now, and what I would like help with, is:
- The inside zone does not communicate with the dmz; it cannot even ping it.
- Outside or internet users cannot reach my dmz servers by IP (172.16.16.80 eq www and 172.16.16.25 eq smtp).
- There is no internet access in the dmz zone.
So below is my sh run, so you can get a better idea of my configuration.
Could anyone take a careful look at my sh run configuration and try to find out why my inside users cannot ping my dmz? Why can't outside or internet users reach my dmz? Why do I have no internet in the DMZ? And how do I get a successful ping from the inside zone to the dmz?
ciscoasa(config)# sh run
: Saved
:
ASA Version 7.0(8)
!
hostname ciscoasa
domain-name xxxxxxxxxxx
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxx encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 description Link to Gateway
 nameif outside
 security-level 0
 ip address 41.223.xx.xx 255.255.255.255
!
interface GigabitEthernet0/1
 description Link to Local Lan
 nameif inside
 security-level 100
 ip address 10.1.4.1 255.255.252.0
!
interface GigabitEthernet0/2
 description Link to dmz
 nameif dmz
 security-level 50
 ip address 172.16.16.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list outside_in extended permit tcp any host 41.223.xx.xx eq smtp
access-list outside_in extended permit tcp any host 41.223.xx.xx eq www
access-list dmz_int extended permit tcp host 172.16.16.25 any eq smtp
access-list dmz_int extended permit tcp host 172.16.16.80 any eq www
access-list outside_int extended permit tcp any host 41.223.xx.xx eq smtp
access-list outside_int extended permit icmp any any
access-list INSIDE extended permit ip 10.1.4.0 255.255.252.0 any
access-list OUT-TO-DMZ extended permit icmp any any log
access-list OUT-TO-DMZ extended deny ip any any
access-list inside extended permit tcp any any eq pop3
access-list inside extended permit tcp any any eq smtp
access-list inside extended permit tcp any any eq ssh
access-list inside extended permit tcp any any eq https
access-list inside extended permit udp any any eq domain
access-list inside extended permit tcp any any eq domain
access-list inside extended permit tcp any any eq www
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
access-list dmz extended permit ip any any
access-list dmz extended permit icmp any any
access-list DMZ_IN extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list cap extended permit ip 172.16.16.0 255.255.255.0 10.1.4.0 255.255.252.0
access-list cap extended permit ip 10.1.4.0 255.255.252.0 172.16.16.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 10.1.4.0 255.255.252.0
static (inside,dmz) 10.1.4.0 10.1.4.0 netmask 255.255.252.0
static (dmz,outside) 41.223.xx.xx 172.16.16.25 netmask 255.255.255.255
static (dmz,outside) 41.223.xx.xx 172.16.16.80 netmask 255.255.255.255
access-group dmz_int in interface dmz
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 41.223.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username tchipa password JUU.kVt2Und.Vd23 encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 10.1.4.x 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.1.4.x 255.255.255.255 inside
ssh timeout 10
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
Cryptochecksum:48ba8cf4e31f2940e44293256d84ce38
: end
I would really appreciate any help, because I am desperate, and I thank you in advance for your time and cooperation.
BD
static (dmz,outside) 41.223.156.106 172.16.16.25 netmask 255.255.255.255
static (dmz,outside) 41.223.156.107 172.16.16.80 netmask 255.255.255.255
This is very, very bad: you never NAT traffic from a lower-security interface to a higher-security interface.
You should do it like this:
static (outside,dmz) 172.16.16.25 41.223.156.106 netmask 255.255.255.255
static (outside,dmz) 172.16.16.80 41.223.156.107 netmask 255.255.255.255
Apart from that, none of the ACLs apply to anything, except dmz_int and inside.
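A quick way to confirm that last point on any ASA 7.x running config, as an added example that is not part of the thread: a small Python check that parses a constructed, abbreviated excerpt of the question's "sh run" and reports ACLs that are defined but never bound with access-group, and named interfaces that have no inbound ACL at all. Interface names, ACL names and addresses come from the question; the helper functions are this example's own.

```python
# Constructed excerpt of the question's "sh run" (interfaces, ACLs and
# access-groups only; addresses masked as in the thread), not the full dump.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
access-list outside_in extended permit tcp any host 41.223.xx.xx eq smtp
access-list dmz_int extended permit tcp host 172.16.16.25 any eq smtp
access-list inside extended permit ip any any
access-list OUT-TO-DMZ extended deny ip any any
access-group dmz_int in interface dmz
access-group inside in interface inside
"""


def parse_config(text):
    """Collect nameif/security-level pairs, ACL names and access-group bindings."""
    levels, acls, bound = {}, set(), {}
    nameif = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level ") and nameif:
            levels[nameif] = int(line.split()[1])
        elif line.startswith("access-list "):
            acls.add(line.split()[1])
        elif line.startswith("access-group "):
            parts = line.split()  # access-group NAME in interface IFC
            bound[parts[4]] = parts[1]
    return {"levels": levels, "acls": acls, "bound": bound}


def unapplied_acls(cfg):
    """ACLs that are defined but never bound with access-group: they filter nothing."""
    return sorted(cfg["acls"] - set(cfg["bound"].values()))


def unfiltered_interfaces(cfg):
    """Named interfaces with no inbound ACL. On a low-security interface such as
    outside this means the default policy drops every inbound connection, so the
    permits written in outside_in never take effect."""
    return sorted(i for i in cfg["levels"] if i not in cfg["bound"])
```

Running it on the full config from the question flags outside_in, outside_int, INSIDE, OUT-TO-DMZ, dmz, DMZ_IN, 101 and cap as unbound, and outside as the interface with no inbound ACL.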