Can't RDP from inside to DMZ

  • I'm running an ASA 5505 with Security Plus
  • I have internet access from both the inside and dmz VLANs
  • I can Remote Desktop from inside to another machine on inside
  • I can ping machines on the internet and machines on inside
  • I'm using ASDM to configure the router.

How can I Remote Desktop to my DMZ?

Here is my configuration and packet trace:

    Result of the command: "sh run"

    : Saved
    :
    ASA Version 8.2(5)
    !
    hostname evo-fw-ext
    enable password *password* encrypted
    passwd *password* encrypted
    names
    name 10.10.1.200 buildserver
    name 192.168.1.2 evo-fw-int
    name 10.10.1.100 webserver
    name *myip* outside-buildserver
    name *myip* outside-webserver
    name 192.168.1.10 appserver
    name 192.168.1.250 vpn-host-1
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
     switchport access vlan 5
    !
    interface Ethernet0/7
     switchport access vlan 5
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 209.94.254.250 255.255.255.248
    !
    interface Vlan5
     nameif dmz
     security-level 50
     ip address 10.10.1.1 255.255.255.0
    !
    ftp mode passive
    object-group service DM_INLINE_TCP_1 tcp
     port-object eq www
     port-object eq https
    object-group service DM_INLINE_TCP_2 tcp
     port-object eq www
     port-object eq https
    access-list inside_nat0_outbound extended permit ip any 192.168.1.248 255.255.255.248
    access-list outside_access_in extended permit tcp any host outside-webserver object-group DM_INLINE_TCP_1
    access-list outside_access_in extended permit tcp any host outside-buildserver object-group DM_INLINE_TCP_2
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    ip local pool VPN1 vpn-host-1-192.168.1.255 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (dmz) 1 0.0.0.0 0.0.0.0
    static (dmz,outside) tcp outside-webserver www webserver www netmask 255.255.255.255
    static (dmz,outside) tcp outside-buildserver www buildserver www netmask 255.255.255.255
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 *gateway* 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address 192.168.1.5-192.168.1.254 inside
    dhcpd dns 8.8.8.8 8.8.4.4 interface inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     anyconnect-essentials
    group-policy colo internal
    group-policy colo attributes
     dns-server value 8.8.8.8 8.8.4.4
     vpn-tunnel-protocol IPSec
    username un password pw encrypted privilege 0
    username un attributes
     vpn-group-policy colo
    tunnel-group colo type remote-access
    tunnel-group colo general-attributes
     address-pool VPN1
     default-group-policy colo
    tunnel-group colo ipsec-attributes
     pre-shared-key *****
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:*checksum*
    : end

Packet trace

Result of the command: "packet-tracer input tcp 192.168.1.5 12345 10.10.1.100 3389 xml"

    <Phase>
      <id>1</id>
      <type>ROUTE-LOOKUP</type>
      <subtype>input</subtype>
      <result>ALLOW</result>
      <config>
      </config>
      <extra>
        in 10.10.1.0 255.255.255.0 dmz
      </extra>
    </Phase>
    <Phase>
      <id>2</id>
      <type>IP-OPTIONS</type>
      <subtype></subtype>
      <result>ALLOW</result>
      <config>
      </config>
      <extra>
      </extra>
    </Phase>
    <Phase>
      <id>3</id>
      <type>NAT</type>
      <subtype></subtype>
      <result>DROP</result>
      <config>
        nat (inside) 1 0.0.0.0 0.0.0.0
        match ip inside any dmz any
        dynamic translation to pool 1 (No matching global)
        translate_hits = 15, untranslate_hits = 0
      </config>
      <extra>
      </extra>
    </Phase>
    <result>
      <input-interface>inside</input-interface>
      <input-status>up</input-status>
      <input-line-status>up</input-line-status>
      <output-interface>dmz</output-interface>
      <output-status>up</output-status>
      <output-line-status>up</output-line-status>
      <action>drop</action>
      <drop-reason>(acl-drop) Flow is denied by configured rule</drop-reason>
    </result>

Your traffic from 192.168.1.5 on inside traversing to the dmz IP 10.10.1.100 has no global NAT. nat (inside) 1 0.0.0.0 0.0.0.0 creates that expectation.

Add the following to your inside_nat0_outbound ACL to allow the 192.168.1.0/24 hosts to reach the 10.10.1.0/24 hosts without needing NAT.

    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0

(Your inside_nat0_outbound ACL has me scratching my head a bit; why anyone would want hosts 192.168.1.248 – 192.168.254 to egress to the internet w/o NAT is a bit strange...)
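To see why the packet-tracer drops at the NAT phase and why the nat 0 exemption fixes it, here is an added example (not from the thread, and not ASA code) that models the relevant ASA 8.2 NAT-control order on the poster's config: the nat 0 exemption ACL is consulted first, then a matching dynamic nat statement requires a global on the egress interface. It goes beyond the answer by also modelling the other known fix, a global (dmz) 1 interface statement, which is my note rather than something the answerer proposed.

```python
from copy import deepcopy
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")

# Constructed model of the poster's ASA 8.2 NAT config: the nat 0 exemption ACL and
# dynamic nat statements keyed by ingress interface, global pools keyed by (egress, id).
PAGE_CFG = {
    "nat0": {"inside": [(ANY, ip_network("192.168.1.248/29"))]},  # inside_nat0_outbound
    "nat": {"inside": [(1, ANY)], "dmz": [(1, ANY)]},             # nat (inside|dmz) 1 0.0.0.0 0.0.0.0
    "global": {("outside", 1)},                                   # global (outside) 1 interface
}
# Connected routes from the three interface addresses plus the default route.
ROUTES = [(ip_network("192.168.1.0/24"), "inside"),
          (ip_network("10.10.1.0/24"), "dmz"), (ANY, "outside")]

def egress_interface(dst):
    """Longest-prefix route lookup (packet-tracer phase ROUTE-LOOKUP)."""
    return max((r for r in ROUTES if ip_address(dst) in r[0]),
               key=lambda r: r[0].prefixlen)[1]

def nat_decision(cfg, in_if, src, out_if, dst):
    """ASA 8.2 order: nat 0 exemption wins first; a dynamic nat match then needs a global."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net in cfg["nat0"].get(in_if, []):
        if s in src_net and d in dst_net:
            return "ALLOW", "nat 0 exemption, no translation"
    for nat_id, src_net in cfg["nat"].get(in_if, []):
        if s in src_net:
            if (out_if, nat_id) in cfg["global"]:
                return "ALLOW", f"dynamic PAT via global ({out_if}) {nat_id}"
            return "DROP", f"nat ({in_if}) {nat_id}: No matching global on {out_if}"
    return "ALLOW", "no nat statement matched"

def trace(cfg, in_if, src, dst):
    """Reduced packet-tracer: returns (action, reason, egress interface)."""
    out_if = egress_interface(dst)
    return (*nat_decision(cfg, in_if, src, out_if, dst), out_if)

def with_nat0_exemption(cfg):
    """The answer's fix: add 192.168.1.0/24 -> 10.10.1.0/24 to inside_nat0_outbound."""
    fixed = deepcopy(cfg)
    fixed["nat0"]["inside"].append((ip_network("192.168.1.0/24"), ip_network("10.10.1.0/24")))
    return fixed

def with_dmz_global(cfg):
    """Alternative not in the thread: global (dmz) 1 interface, PATs inside hosts to 10.10.1.1."""
    fixed = deepcopy(cfg)
    fixed["global"].add(("dmz", 1))
    return fixed
```

With the nat 0 exemption the DMZ server sees the real 192.168.1.5 source, which keeps its logs and host firewall rules meaningful; the global (dmz) alternative hides every inside host behind 10.10.1.1.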