Inside computers cannot reach the WWW and e-mail servers in my DMZ

Before I post this, I want to thank Shane Madden for pushing me to dig deeper and find a solution.

Today I have an ASA 5520 running version 7 on my network.

My problem is this: everything works, but the biggest issue is the following. Computers in the Inside zone cannot reach my DMZ servers (the www and e-mail servers), which means inside computers cannot browse the www server and cannot even ping the www and mail servers (172.16.16.25) from inside IP addresses (such as 172.16.16.80).

Could someone please help me figure out what is wrong in my config below; I may also have made some messy configuration mistakes.

    ASA Version 7.0(8)
    !
    hostname ASA2
    domain-name xxxxxx
    enable password xxxxxx
    passwd
    names
    dns-guard
    !
    interface GigabitEthernet0/0
     description "Link-To-GW-Router"
     nameif outside
     security-level 0
     ip address 41.223.156.109 255.255.255.248
    !
    interface GigabitEthernet0/1
     description Link To Local Lan
     nameif inside
     security-level 100
     ip address 10.1.4.1 255.255.252.0
    !
    interface GigabitEthernet0/2
     description "Link-To-DMZ"
     nameif dmz
     security-level 50
     ip address 172.16.16.1 255.255.255.0
    !
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     shutdown
     no nameif
     no security-level
     no ip address
    !
    ftp mode passive
    access-list INSIDE extended permit ip 10.1.4.0 255.255.252.0 any
    access-list OUT-TO-DMZ extended permit tcp any host 41.223.156.107 eq smtp
    access-list OUT-TO-DMZ extended permit tcp any host 41.223.156.106 eq www
    access-list OUT-TO-DMZ extended permit icmp any any log
    access-list OUT-TO-DMZ extended deny ip any any
    access-list inside extended permit tcp any any eq pop3
    access-list inside extended permit tcp any any eq smtp
    access-list inside extended permit tcp any any eq ssh
    access-list inside extended permit tcp any any eq telnet
    access-list inside extended permit tcp any any eq https
    access-list inside extended permit udp any any eq domain
    access-list inside extended permit tcp any any eq domain
    access-list inside extended permit tcp any any eq www
    access-list inside extended permit ip any any
    access-list inside extended permit icmp any any
    access-list dmz extended permit ip any any
    access-list dmz extended permit icmp any any
    access-list DMZ_IN extended permit icmp any any echo
    access-list 101 extended permit icmp any any echo-reply
    access-list 101 extended permit icmp any any source-quench
    access-list 101 extended permit icmp any any unreachable
    access-list 101 extended permit icmp any any time-exceeded
    access-list cap extended permit ip 172.16.16.0 255.255.255.0 10.1.4.0 255.255.252.0
    access-list cap extended permit ip 10.1.4.0 255.255.252.0 172.16.16.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    no failover
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 10.1.4.0 255.255.252.0
    static (inside,dmz) 10.1.0.0 10.1.16.0 netmask 255.255.252.0
    access-group OUT-TO-DMZ in interface outside
    access-group inside in interface inside
    access-group dmz in interface dmz
    route outside 0.0.0.0 0.0.0.0 41.223.156.108 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map global_policy
     class inspection_default
      inspect dns maximum-length 512
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
    !
    service-policy global_policy global
    Cryptochecksum:30d296dea4f5ffc1dd4560e075d47076
    : end

On the other hand, I should admit to you that I am fairly new to ASA and have a lot to learn.

It looks to me like a routing problem: you don't have a route sending traffic from the DMZ to your LAN interface, nor a route sending traffic from your LAN to your DMZ interface.

Something like:

    route inside 172.16.16.0 255.255.255.0 172.16.16.1 1
    route dmz 10.1.4.0 255.255.252.0 10.1.4.1 1
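As an added aid that is not part of the question or the answer above, the Python script below rebuilds the routing table the ASA derives from the interface and route lines of the posted config (a constructed excerpt) and does a longest-prefix lookup for a DMZ host, an inside host and an Internet address. It assumes, as the ASA does, that every named interface with an address contributes a connected route for its own subnet.

```python
import ipaddress
import re

# Constructed excerpt of the interface and route lines from the posted config.
ASA_CONFIG = """
interface GigabitEthernet0/0
 nameif outside
 ip address 41.223.156.109 255.255.255.248
interface GigabitEthernet0/1
 nameif inside
 ip address 10.1.4.1 255.255.252.0
interface GigabitEthernet0/2
 nameif dmz
 ip address 172.16.16.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 41.223.156.108 1
"""


def build_routing_table(config):
    """Return (network, interface, next_hop, metric) entries: a connected
    route per named interface plus every static 'route' line as written."""
    table, nameif = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None                       # new interface block starts
        elif (m := re.match(r"nameif (\S+)$", line)):
            nameif = m[1]
        elif (m := re.match(r"ip address (\S+) (\S+)", line)) and nameif:
            net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            table.append((net, nameif, "connected", 0))
        elif (m := re.match(r"route (\S+) (\S+) (\S+) (\S+) (\d+)", line)):
            net = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            table.append((net, m[1], m[4], int(m[5])))
    return table


def lookup(table, dst):
    """Longest-prefix match (lowest metric on a tie); None when no route."""
    dst = ipaddress.ip_address(dst)
    candidates = [e for e in table if dst in e[0]]
    if not candidates:
        return None
    return min(candidates, key=lambda e: (-e[0].prefixlen, e[3]))


if __name__ == "__main__":
    rt = build_routing_table(ASA_CONFIG)
    for host in ("172.16.16.25", "10.1.4.50", "8.8.8.8"):
        print(host, "->", lookup(rt, host))
```

Both 172.16.16.25 and 10.1.4.50 resolve to connected routes on dmz and inside respectively, so this lookup is a quick way to confirm which interface a packet would leave before moving on to check NAT and the access-lists on that path.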