cisco防火墙问题，

yhy7786

两台unix设备不同网段，中间有一台cisco防火墙，两台设备可相互ping通。当防火墙上设置策略为只开放部分端口时，如5510到5519，5510、5514能通，但是5512、5513等其它端口都不通。但是如果将策略改为两个ip地址间所有端口都放开，则所有端口就都正常了。
此问题如何解决？如何定位？以下为策略配置：
access-list out-in extended permit tcp host 134.32.32.93 any eq ftp
access-list out-in extended permit tcp host 134.32.32.94 any eq ftp
access-list out-in extended permit tcp host 134.32.32.95 any eq ftp
access-list out-in extended permit tcp host 134.32.32.95 any eq 5510
access-list out-in extended permit tcp host 134.32.32.95 any eq 5511
access-list out-in extended permit tcp host 134.32.32.95 any eq 5512
access-list out-in extended permit tcp host 134.32.32.95 any eq 5513
access-list out-in extended permit tcp host 134.32.32.95 any eq 5514
access-list out-in extended permit tcp host 134.32.32.95 any eq 5515
access-list out-in extended permit tcp host 134.32.32.95 any eq 5516
access-list out-in extended permit tcp host 134.32.32.95 any eq 5517
access-list out-in extended permit tcp host 134.32.32.95 any eq 5518
access-list out-in extended permit tcp host 134.32.32.95 any eq 5519
access-list out-in extended permit tcp host 134.32.32.95 any eq 5520
access-list out-in extended permit tcp host 134.32.32.93 any range 5510 5519
access-list out-in extended permit tcp host 134.32.32.94 any range 5510 5519

hjp0021

但是如果将策略改为两个ip地址间所有端口都放开，则所有端口就都正常了。

从这点来说应该就是ACL的问题。

开房了对端的port，本端的开放了吗？
如果要写的话ACL应该写两个吧，两端端口各一个。

yhy7786

具体现象是这样的，cisco防火墙内外分别做客户端和服务端，使用固定ip和固定端口连接，内网为134.32.32.95，端口5510到5519；外网为134.33.201.90，端口为10003。当防火墙针对134.32.32.95只放开5510到5519端口时，5510端口可以与134.33.201网段的设备建立正常连接，5512、5513等端口无法与134.33.201.90的10003端口建立连接。134.33.201.90的10003端口作为服务端，已经有其它设备正常连接了。如果将策略改为针对134.32.32.95放开全部端口，则可以与134.33.201.90的10003端口建立正常连接。配置如下：
access-list out-in extended permit tcp host 134.32.32.93 any eq ftp
access-list out-in extended permit tcp host 134.32.32.94 any eq ftp
access-list out-in extended permit tcp host 134.32.32.95 any eq ftp
access-list out-in extended permit tcp host 134.32.32.93 any range 5550 5559
access-list out-in extended permit tcp host 134.32.32.94 any range 5550 5559
access-list out-in extended permit tcp host 134.32.32.95 any eq 5550
access-list out-in extended permit tcp host 134.32.32.95 any eq 5551
access-list out-in extended permit tcp host 134.32.32.95 any eq 5552
access-list out-in extended permit tcp host 134.32.32.95 any eq 5553
access-list out-in extended permit tcp host 134.32.32.95 any eq 5554
access-list out-in extended permit tcp host 134.32.32.95 any eq 5555
access-list out-in extended permit tcp host 134.32.32.95 any eq 5556
access-list out-in extended permit tcp host 134.32.32.95 any eq 5557
access-list out-in extended permit tcp host 134.32.32.95 any eq 5558
access-list out-in extended permit tcp host 134.32.32.95 any eq 5559
access-list out-in extended permit tcp host 134.32.32.95 any eq 5510
access-list out-in extended permit tcp host 134.32.32.95 any eq 5511
access-list out-in extended permit tcp host 134.32.32.95 any eq 5512
access-list out-in extended permit tcp host 134.32.32.95 any eq 5513
access-list out-in extended permit tcp host 134.32.32.95 any eq 5514
access-list out-in extended permit tcp host 134.32.32.95 any eq 5515
access-list out-in extended permit tcp host 134.32.32.95 any eq 5516
access-list out-in extended permit tcp host 134.32.32.95 any eq 5517
access-list out-in extended permit tcp host 134.32.32.95 any eq 5518
access-list out-in extended permit tcp host 134.32.32.95 any eq 5519
access-list out-in extended permit tcp host 134.32.32.95 any eq 5520
access-list out-in extended permit tcp host 134.32.32.95 any eq 50010
access-list out-in extended permit tcp host 134.32.32.95 any eq 50011
access-list out-in extended permit tcp host 134.32.32.95 any eq 50012
access-list out-in extended permit tcp host 134.32.32.95 any eq 50013
access-list out-in extended permit tcp host 134.32.32.95 any eq 50014
access-list out-in extended permit tcp host 134.32.32.95 any eq 50015
access-list out-in extended permit tcp host 134.32.32.95 any eq 50016
access-list out-in extended permit tcp host 134.32.32.95 any eq 50017
access-list out-in extended permit tcp host 134.32.32.95 any eq 50018
access-list out-in extended permit tcp host 134.32.32.95 any eq 50019
access-list out-in extended permit tcp host 134.32.32.95 any eq 50020
access-list out-in extended permit tcp host 134.32.32.96 any eq 1099
access-list out-in extended permit tcp host 134.32.32.96 any eq 1199
access-list out-in extended permit tcp host 134.32.32.96 any eq telnet
access-list out-in extended permit tcp host 134.32.32.96 any eq ftp
access-list out-in extended permit tcp host 134.32.32.96 any eq 8080
access-list out-in extended permit tcp host 134.32.32.93 any range 5510 5519
access-list out-in extended permit tcp host 134.32.32.94 any range 5510 5519

cnadl

原帖由 yhy7786 于 2008-9-25 16:16 发表
具体现象是这样的，cisco防火墙内外分别做客户端和服务端，使用固定ip和固定端口连接，内网为134.32.32.95，端口5510到5519；外网为134.33.201.90，端口为10003。当防火墙针对134.32.32.95只放开5510到5519端口 ...

sh run | i access-group

sh access-list

hjp0021

那这一例来说，我的ACL思路是这样的，如果134.32.32.95是源地址的话，那么目的就是134.33.201.90，并允许访问目的端口10003。
反之134.33.201.90是源的话，目的就是134.32.32.95，允许访问目的端口5510－5519。
最后将它用在正确的端口，正确的in（或OUT）方向。

个人觉得您的ACL写得有些乱。

ssffzz1

你帖全部配置看看。

0ZXCVBNM0

我赞成5楼的意见

client（134.32.32.95）---（inside）cisco（outside）---server（134.33.201.90）

根据楼主的表述，你的需求是内网client利用5510到5519端口去访问外网server的10003端口
要求源ip的特定端口访问目的ip的特定端口

那么按照这样的思路，访问列表应该是

access-list 101 permit tcp host 134.32.32.95 range 5510 5519 host 134.33.201.90 eq 10003

我不明白你这样的访问列表是什么意思
access-list out-in extended permit tcp host 134.32.32.95 any eq 5510
这么写的话，岂不是成了允许主机134.32.32.95访问任何地址的tcp5510端口？
似乎不大对啊

另外：我对extended这个参数不是很理解，我在防火墙上打不了这个参数，但是按照字面意思，应该也没什么关系

yuanyuan025

学习啦