Cisco ASA 5550 防火墙的各内部接口之间相互不能访问,配置如下,请各位指教。
inter5550-1# show ip address
System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 inside 192.168.51.249 255.255.255.0 CONFIG
GigabitEthernet0/2 hlrinside 172.16.10.248 255.255.255.0 CONFIG
GigabitEthernet0/3 hlroutside 10.16.10.1 255.255.255.0 CONFIG
Management0/0 management 192.168.1.1 255.255.255.0 CONFIG
GigabitEthernet1/0 msceinside 172.17.20.248 255.255.255.0 CONFIG
GigabitEthernet1/1 msceoutside 10.17.20.1 255.255.255.0 CONFIG
GigabitEthernet1/2 bossinside 172.30.1.253 255.255.255.0 manual
Current IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 inside 192.168.51.249 255.255.255.0 CONFIG
GigabitEthernet0/1 outside 210.5.238.130 255.255.255.240 CONFIG
GigabitEthernet0/2 hlrinside 172.16.10.248 255.255.255.0 CONFIG
GigabitEthernet0/3 hlroutside 10.16.10.1 255.255.255.0 CONFIG
Management0/0 management 192.168.1.1 255.255.255.0 CONFIG
GigabitEthernet1/0 msceinside 172.17.20.248 255.255.255.0 CONFIG
GigabitEthernet1/1 msceoutside 10.17.20.1 255.255.255.0 CONFIG
GigabitEthernet1/2 bossinside 172.30.1.253 255.255.255.0 manual
inter5550-1# show run
inter5550-1# show running-config
: Saved
:
! Running configuration of an ASA 5550 (7.2(4)) with eight named interfaces: one
! Internet-facing "outside", a management port, and three pairs of inside/outside
! segments (inside, hlr, msce, boss). Reviewer comments are prefixed "!" and
! describe only what the lines below show.
ASA Version 7.2(4)
!
hostname inter5550-1
domain-name default.domain.invalid
! NOTE(review): the public address is masked further down, but these two password
! hashes and the ommserver hash near the end are published verbatim. Treat them as
! disclosed and rotate them before this configuration is shared again.
enable password gsOM4N1QSZhrQN6x encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
speed 100
nameif inside
security-level 100
ip address 192.168.51.249 255.255.255.0
!
interface GigabitEthernet0/1
speed 100
nameif outside
! security-level 100 puts the Internet-facing interface at the same trust level as
! inside, hlrinside, msceinside and bossinside. Together with
! "same-security-traffic permit inter-interface" below, the security-level model no
! longer separates outside from any inside segment; only the ACLs (all of which are
! permit ip any any) stand between them. The two other *outside interfaces
! (hlroutside, msceoutside) use level 0.
security-level 100
ip address *.*.*.* 255.255.255.240
!
interface GigabitEthernet0/2
speed 100
nameif hlrinside
security-level 100
ip address 172.16.10.248 255.255.255.0
!
interface GigabitEthernet0/3
speed 100
nameif hlroutside
security-level 0
ip address 10.16.10.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
interface GigabitEthernet1/0
speed 100
nameif msceinside
security-level 100
ip address 172.17.20.248 255.255.255.0
!
interface GigabitEthernet1/1
speed 100
nameif msceoutside
security-level 0
ip address 10.17.20.1 255.255.255.0
!
interface GigabitEthernet1/2
nameif bossinside
security-level 100
ip address 172.30.1.253 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
! inter-interface: traffic may flow between interfaces that share a security level
! (here every level-100 interface, outside included). intra-interface: traffic may
! re-enter the same interface it arrived on (hairpinning).
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
! NOTE(review): the failing test quoted after this config, "ping inside
! 172.16.10.248", sources from the inside interface toward the address of a
! different interface (hlrinside). As far as I recall an ASA does not answer ICMP
! aimed at a far-side interface address through the device, so that test does not
! show whether hosts behind inside and hlrinside can reach each other — confirm by
! pinging host-to-host across the two segments.
!
! Every access-list bound by an access-group below contains "permit ip any any", so
! the tcp/udp/icmp/esp entries are redundant and no interface filters anything. The
! per-interface names only mark where a tighter policy could later be inserted.
access-list inside_acl extended permit ip any any
access-list inside_acl extended permit tcp any any
access-list inside_acl extended permit udp any any
access-list inside_acl extended permit icmp any any
access-list outside_acl extended permit icmp any any
access-list outside_acl extended permit esp any any
access-list outside_acl extended permit ip any any
access-list outside_acl extended permit tcp any any
access-list outside_acl extended permit udp any any
access-list hlrinside_acl extended permit ip any any
access-list hlrinside_acl extended permit tcp any any
access-list hlrinside_acl extended permit udp any any
access-list hlrinside_acl extended permit icmp any any
access-list hlroutside_acl extended permit icmp any any
access-list hlroutside_acl extended permit esp any any
access-list hlroutside_acl extended permit ip any any
access-list hlroutside_acl extended permit tcp any any
access-list hlroutside_acl extended permit udp any any
access-list msceinside_acl extended permit ip any any
access-list msceinside_acl extended permit tcp any any
access-list msceinside_acl extended permit udp any any
access-list msceinside_acl extended permit icmp any any
access-list msceinside_acl extended permit tcp any any eq ftp
access-list msceoutside_acl extended permit icmp any any
access-list msceoutside_acl extended permit esp any any
access-list msceoutside_acl extended permit ip any any
access-list msceoutside_acl extended permit tcp any any
access-list msceoutside_acl extended permit udp any any
access-list msceoutside_acl extended permit tcp any any eq ftp
! "boosoutside" (sic) is defined but no access-group references it, and bossinside
! has no ACL applied at all. Presumably a typo for "bossoutside" — confirm intent.
access-list boosoutside extended permit ip any any
access-list boosoutside extended permit tcp any any
access-list boosoutside extended permit udp any any
access-list boosoutside extended permit icmp any any
! nonat exempts only the pairs between bossinside (172.30.1.0/24) and the inside,
! msce and hlr segments. inside<->hlrinside, inside<->msceinside and
! hlrinside<->msceinside are not listed. NOTE(review): with nat-control enabled
! below and dynamic NAT (nat ... 1) present on inside, traffic on those unlisted
! pairs may be dropped for lack of a translation — verify with packet-tracer or the
! drop logs before changing policy.
access-list nonat extended permit ip 192.168.51.0 255.255.255.0 172.30.1.0 255.255.255.0
access-list nonat extended permit ip 172.30.1.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list nonat extended permit ip 172.17.20.0 255.255.255.0 172.30.1.0 255.255.255.0
access-list nonat extended permit ip 172.30.1.0 255.255.255.0 172.17.20.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.30.1.0 255.255.255.0
access-list nonat extended permit ip 172.30.1.0 255.255.255.0 172.16.10.0 255.255.255.0
pager lines 24
! Only the ASDM log target is configured here; nothing forwards events off-box, so
! connection denies/drops on this device are not retained anywhere durable.
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu hlrinside 1500
mtu hlroutside 1500
mtu management 1500
mtu msceinside 1500
mtu msceoutside 1500
mtu bossinside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
! ICMP to the firewall itself is accepted from any source on inside and on the
! Internet-facing outside interface; the remaining interfaces carry no icmp rule.
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
! nat-control: packets crossing the device must match a NAT rule (see the nonat
! note above for the pairs that have none).
nat-control
global (outside) 1 210.5.*.*
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.51.224 255.255.255.248
nat (inside) 1 10.1.0.0 255.255.128.0
nat (hlrinside) 0 access-list nonat
nat (msceinside) 0 access-list nonat
! bossinside has no nat statement of its own; its exemptions are only reached via
! the nonat entries on the peer interfaces above.
static (hlrinside,hlroutside) 10.16.10.129 172.16.10.129 netmask 255.255.255.255
static (hlrinside,hlroutside) 10.16.10.134 172.16.10.134 netmask 255.255.255.255
static (hlrinside,hlroutside) 10.16.10.150 172.16.10.150 netmask 255.255.255.255
static (hlrinside,hlroutside) 10.16.10.215 172.16.10.215 netmask 255.255.255.255
static (hlrinside,hlroutside) 10.16.10.217 172.16.10.217 netmask 255.255.255.255
static (hlrinside,hlroutside) 10.16.10.177 172.16.10.177 netmask 255.255.255.255
static (hlrinside,hlroutside) 10.16.10.171 172.16.10.171 netmask 255.255.255.255
static (hlrinside,hlroutside) 10.16.10.172 172.16.10.172 netmask 255.255.255.255
static (msceinside,msceoutside) 10.17.20.129 172.17.20.129 netmask 255.255.255.255
! Every other static keeps the host octet; this one maps .149 <-> .249 — confirm
! that is intended rather than a typo.
static (msceinside,msceoutside) 10.17.20.149 172.17.20.249 netmask 255.255.255.255
static (msceinside,msceoutside) 10.17.20.171 172.17.20.171 netmask 255.255.255.255
static (msceinside,msceoutside) 10.17.20.177 172.17.20.177 netmask 255.255.255.255
access-group inside_acl in interface inside
access-group outside_acl in interface outside
access-group hlrinside_acl in interface hlrinside
access-group hlroutside_acl in interface hlroutside
access-group msceinside_acl in interface msceinside
access-group msceoutside_acl in interface msceoutside
route inside 10.1.0.0 255.255.128.0 192.168.51.11 1
route outside 0.0.0.0 0.0.0.0 210.5.238.129 1
! The next hop 172.16.31.1 is not in hlrinside's connected subnet 172.16.10.0/24,
! so this route likely cannot be used — check the intended gateway.
route hlrinside 172.29.1.0 255.255.255.0 172.16.31.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
! ASDM/HTTPS access is limited to the management network — the pattern telnet
! below should follow.
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! Cleartext telnet management is open to any source on inside AND on the
! Internet-facing outside interface, while ssh is only given a timeout (no "ssh"
! permit lines are present). Restrict management to the specific admin hosts and
! move it to SSH.
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
! Local account whose hash is published with this post (see the note at the top).
username ommserver password 0DhPfWYXWOLCLLew encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:9d5c8a897d2ad588cde2b106928aa4ce
: end
在防火墙上可以单独 PING 通任意接口的地址,但是从防火墙的一个接口去 PING 另一个接口就不通,为什么?我已经配置了相同安全级别接口之间允许互访的策略。
inter5550-1# ping 172.16.10.248
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.248, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
inter5550-1# ping 192.168.51.249
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.51.249, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
inter5550-1# ping in
inter5550-1# ping inside 172.16.10.248
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.248, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
inter5550-1#