Detailed explanation of the problem where, after NAT, internal services cannot be reached from the intranet via the external IP (original)
I have read everyone's posts and my situation seems similar to this, but I am already using a DMZ and it still doesn't work. I posted about this before but nobody answered; please help me take another look, thanks.
The web server behind the PIX firewall can be reached from the outside, but not from the inside. Strange.
I have been working on this for a long time and my head is spinning; please help me look at the configuration, thanks.
The network is as shown in the topology diagram: accessing the website from the outside is fine, and internal machines can get onto the Internet fine, but internal machines cannot reach the website, not even by entering the server's IP address directly. It's really strange.
Below is the PIX configuration. The router has no special settings; it is only the device that connects outward, and apart from its IP settings it only has the static route ip route 0.0.0.0 0.0.0.0 10.255.64.125.
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security10
hostname Firewall
domain-name Pix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
no fixup protocol skinny 2000
no names
name 192.168.0.6 inside
name 192.168.1.1 DMZ
name 221.13.19.114 outside
access-list 101 permit icmp any any
access-list 101 permit ip any any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 221.13.19.114 255.255.255.240
ip address inside 192.168.0.6 255.255.255.0
ip address DMZ 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.1 255.255.255.255 inside
pdm location 192.168.1.2 255.255.255.255 DMZ
pdm location 192.168.0.6 255.255.255.255 inside
pdm location 221.13.19.114 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 1 221.13.19.119-221.13.19.126 netmask 255.255.255.240
global (outside) 1 221.13.19.117 netmask 255.255.255.240
global (DMZ) 1 192.168.1.4-192.168.1.24 netmask 255.255.255.0
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (DMZ) 1 192.168.1.0 255.255.255.0 0 0
static (DMZ,outside) 221.13.19.118 192.168.1.2 netmask 255.255.255.255 0 0
access-group 101 in interface DMZ
conduit permit tcp host 221.13.19.118 eq www any
conduit permit icmp host 221.13.19.118 any
conduit permit tcp host 221.13.19.118 eq pop3 any
conduit permit tcp host 221.13.19.118 eq smtp any
conduit permit tcp host 221.13.19.118 eq ftp any
conduit permit tcp host 221.13.19.118 eq 2005 any
conduit permit tcp host 221.13.19.118 eq 3000 any
conduit permit tcp host 221.13.19.118 eq 3389 any
conduit permit icmp 221.13.19.112 255.255.255.240 any
conduit permit tcp 192.168.0.0 255.255.255.0 range 6891 6900 any
conduit permit udp 192.168.0.0 255.255.255.0 range 5004 65535 any
route outside 0.0.0.0 0.0.0.0 221.13.19.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.0.1 255.255.255.255 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 10.220.52.16 255.255.255.240 outside
telnet 10.0.0.0 255.0.0.0 outside
telnet 192.168.0.0 255.255.255.0 inside
telnet 10.220.52.17 255.255.255.255 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet 10.220.52.17 255.255.255.255 DMZ
telnet timeout 5
ssh timeout 5
terminal width 80
I have gone over it several times and considered many possibilities, but it still doesn't work. Could one of the experts please take a look at the configuration and tell me where the problem is? Thank you.
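A small model of how a three-interface PIX 6.x decides whether a `static` applies to a packet, added here as an illustration and not the poster's or Cisco's code. It assumes that a `static (real_if,mapped_if)` entry is only consulted for packets arriving on `mapped_if`; the interfaces, addresses and the posted static come from the configuration above, while the second static toward the inside interface is a constructed candidate shown for comparison.

```python
"""Model of PIX 6.x destination translation by interface pair (illustration)."""
import ipaddress

# Connected networks from the `ip address` lines of the posted configuration.
INTERFACES = {
    "outside": ipaddress.ip_network("221.13.19.112/28"),
    "inside": ipaddress.ip_network("192.168.0.0/24"),
    "DMZ": ipaddress.ip_network("192.168.1.0/24"),
}

# (real_if, mapped_if, mapped_ip, real_ip), in the order `static (real,mapped)` uses.
POSTED_STATICS = [("DMZ", "outside", "221.13.19.118", "192.168.1.2")]
# Constructed candidate: publish the same public address toward the inside interface.
WITH_INSIDE_STATIC = POSTED_STATICS + [("DMZ", "inside", "221.13.19.118", "192.168.1.2")]


def egress_interface(dst):
    """Route lookup: a connected network wins, otherwise the default route outside."""
    addr = ipaddress.ip_address(dst)
    for name, net in INTERFACES.items():
        if addr in net:
            return name
    return "outside"  # `route outside 0.0.0.0 0.0.0.0 221.13.19.113 1`


def translate(ingress, dst, statics):
    """Return (egress_if, translated_dst) for a packet entering on `ingress` for `dst`.

    A static is only matched when the packet arrives on its mapped interface; an
    inside host sending to the public address therefore never hits a static that
    is bound to the outside interface, and the packet is simply routed outside.
    """
    for real_if, mapped_if, mapped_ip, real_ip in statics:
        if mapped_if == ingress and mapped_ip == dst:
            return real_if, real_ip
    return egress_interface(dst), dst


if __name__ == "__main__":
    print(translate("outside", "221.13.19.118", POSTED_STATICS))     # ('DMZ', '192.168.1.2')
    print(translate("inside", "221.13.19.118", POSTED_STATICS))      # ('outside', '221.13.19.118')
    print(translate("inside", "221.13.19.118", WITH_INSIDE_STATIC))  # ('DMZ', '192.168.1.2')
```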