PIX 515 firewall: help needed!

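Posted on 2005-12-07 19:31
My firewall has two interfaces, inside and outside. What I want to achieve is for external hosts to be able to access port 80 on two internal web servers with the IPs 172.20.100.3 and 172.20.100.100. I have already set up address mappings for .3 and .100 and configured an ACL, but access still fails. What could be causing this?

Below is the configuration file: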
#######################################       
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname firewall
domain-name fstvdy.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.20.100.100 Webserver2
name 172.20.100.3 Webserver1
name 172.20.100.19 pixHost
access-list outside_access_in permit icmp any host 10.10.10.7
access-list outside_access_in permit icmp any host 10.10.10.9
access-list outside_access_in permit tcp any host 10.10.10.7 eq www
access-list outside_access_in permit tcp any host 10.10.10.9 eq www
access-list outside_access_in permit icmp any host 10.10.10.8
access-list outside_access_in permit tcp any host 10.10.10.8 eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.10.10.254 255.0.0.0
ip address inside 172.20.100.254 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location pixHost 255.255.255.255 inside
pdm location Webserver1 255.255.255.255 inside
pdm location Webserver2 255.255.255.255 inside
pdm location 172.20.100.0 255.255.255.0 inside
pdm location 10.0.0.0 255.0.0.0 outside
pdm history enable
arp timeout 14400
static (inside,outside) 10.10.10.7 Webserver1 netmask 255.255.255.255 0 0
static (inside,outside) 10.10.10.9 Webserver2 netmask 255.255.255.255 0 0
static (inside,outside) 10.10.10.8 pixHost netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http pixHost 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:26be5f06ef6d93a679b7efd4d1a13e15
: end
[OK]


#######################################       

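In total I mapped 3 ports. 172.20.100.19 (10.10.10.8) can both be pinged by hosts on the external network and ping hosts on the external network, but 172.20.100.3 (10.10.10.7) and 172.20.100.100 (10.10.10.9) cannot. On the internal network they can all ping each other, and 172.20.100.19 can access port 80 on 172.20.100.3.
Any advice from the experts would be appreciated!
Many thanks!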

Posted on 2005-12-08 18:22
Check whether there is an IP conflict.

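Posted on 2005-12-09 10:22
The problem has been solved: the servers' gateway had not been configured as the PIX 515's inside interface. After configuring the gateway, everything works normally.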
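
An added example, not part of the original thread or written by any of its posters: a small Python check over an excerpt of the posted configuration that confirms each static mapping has a matching inbound permit for tcp/www and that the translated host uses the PIX inside address as its gateway, the fault named in the last reply. The `audit` function and the `HOST_GATEWAYS` inventory are hypothetical, and the gateway values in it are constructed.

```python
import re

# Constructed excerpt: only the lines of the posted PIX 6.3 configuration the check needs.
PIX_CONFIG = """\
name 172.20.100.100 Webserver2
name 172.20.100.3 Webserver1
name 172.20.100.19 pixHost
access-list outside_access_in permit tcp any host 10.10.10.7 eq www
access-list outside_access_in permit tcp any host 10.10.10.9 eq www
access-list outside_access_in permit tcp any host 10.10.10.8 eq www
ip address inside 172.20.100.254 255.255.0.0
static (inside,outside) 10.10.10.7 Webserver1 netmask 255.255.255.255 0 0
static (inside,outside) 10.10.10.9 Webserver2 netmask 255.255.255.255 0 0
static (inside,outside) 10.10.10.8 pixHost netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

# Hypothetical inventory of each host's default gateway (values constructed, not on the page);
# None stands for "no gateway set", the state the thread ended up diagnosing.
HOST_GATEWAYS = {"172.20.100.3": None, "172.20.100.100": None,
                 "172.20.100.19": "172.20.100.254"}

def audit(config, gateways):
    """Return {mapped_ip: [problems]} for every inside->outside static."""
    # "name <ip> <alias>" lines let statics refer to hosts by alias.
    names = {alias: ip for ip, alias in re.findall(r"^name (\S+) (\S+)$", config, re.M)}
    inside_ip = re.search(r"^ip address inside (\S+)", config, re.M).group(1)
    # Only the ACL actually bound inbound on the outside interface counts.
    bound = re.search(r"^access-group (\S+) in interface outside$", config, re.M)
    acl = bound.group(1) if bound else None
    permitted = set(re.findall(
        rf"^access-list {re.escape(acl)} permit tcp any host (\S+) eq www$",
        config, re.M)) if acl else set()
    report = {}
    for mapped, real in re.findall(
            r"^static \(inside,outside\) (\S+) (\S+) netmask", config, re.M):
        real_ip = names.get(real, real)
        problems = []
        if mapped not in permitted:
            problems.append("no inbound permit for tcp/www")
        # Replies from the server must route back through the PIX inside interface.
        if gateways.get(real_ip) != inside_ip:
            problems.append(f"host gateway is not {inside_ip}")
        report[mapped] = problems
    return report
```

With the constructed inventory, the firewall-side rules pass for all three mappings and only the two web servers are flagged, for the missing return path.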