EmergingNetworking board - Help with an ASA5510 configuration
d*****s
Posts: 173
1
The T1 provider gave me 5 IPs: 50.20.38.106-50.20.38.110
The ASA 5510's Ethernet0/0 is bound to 50.20.38.110; 0/1 connects to the internal network.
I want to reach the internal web server 192.168.1.110 from outside via 50.20.38.106.
I configured static NAT following the Cisco document, but it still cannot be reached. Where is the problem? Thanks!
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_objects.html#wp1119793
The ASA version is 8.3.
My config is attached:
ASA Version 8.3(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password b4RZzua6LpNOeJCF encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 50.20.38.110 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.1.1.1 255.255.0.0
management-only
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 66.180.96.12
domain-name default.domain.invalid
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network myWebServ
host 192.168.1.100
object network 192.168.1.105
host 192.168.1.105
object network 192.168.1.2
host 192.168.1.2
object network 192.168.1.242
host 192.168.1.242
object network 192.168.1.3
host 192.168.1.3
object network 192.168.1.4
host 192.168.1.4
object network 192.168.1.5
host 192.168.1.5
object network 192.168.1.6
host 192.168.1.6
object network 192.168.1.7
host 192.168.1.7
object network 192.168.1.8
host 192.168.1.8
object network 192.168.1.9
host 192.168.1.9
object-group network WebServer
network-object object 192.168.1.105
network-object object 192.168.1.110
network-object object 192.168.1.2
network-object object 192.168.1.3
network-object object 192.168.1.4
network-object object 192.168.1.5
network-object object 192.168.1.6
network-object object 192.168.1.7
network-object object 192.168.1.8
network-object object 192.168.1.9
access-list test_splitTunnelAcl standard permit any
access-list 100 extended permit ip any any
access-list 100 extended permit tcp host 50.20.38.106 object 192.168.1.100 eq www
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool topshand 192.168.1.110-192.168.1.122 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (any,outside) dynamic interface
object network myWebServ
nat (inside,outside) static 50.20.38.106
route outside 0.0.0.0 0.0.0.0 50.20.38.105 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
(rest omitted)
j*a
Posts: 14423
2
What about the access-group?
The ACL should permit that .106.

[d*****s wrote:]
: The T1 provider gave me 5 IPs: 50.20.38.106-50.20.38.110
: The ASA 5510's Ethernet0/0 is bound to 50.20.38.110; 0/1 connects to the internal network.
: I want to reach the internal web server 192.168.1.110 from outside via 50.20.38.106.
: I configured static NAT following the Cisco document, but it still cannot be reached. Where is the problem? Thanks!
: http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_objects.html#wp1119793
: The ASA version is 8.3.
: My config is attached:
: ASA Version 8.3(1)
: !
: hostname ciscoasa

d*****s
Posts: 173
3
Could you help me write a config? I'm a beginner and don't really understand this; I can only copy by example.

[j*a wrote:]
: What about the access-group?
: The ACL should permit that .106.

a***n
Posts: 262
4
I did not see the static NAT.
Apply access-group 100 in outside,
then try to use the packet-tracer utility.

[d*****s wrote:]
: The T1 provider gave me 5 IPs: 50.20.38.106-50.20.38.110
: The ASA 5510's Ethernet0/0 is bound to 50.20.38.110; 0/1 connects to the internal network.
: I want to reach the internal web server 192.168.1.110 from outside via 50.20.38.106.
: I configured static NAT following the Cisco document, but it still cannot be reached. Where is the problem? Thanks!
: http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_objects.html#wp1119793
: The ASA version is 8.3.
: My config is attached:
: ASA Version 8.3(1)
: !
: hostname ciscoasa

l*********r
Posts: 215
5
Try: access-group 100 in interface outside
l*********r
Posts: 215
6
Next try: packet-tracer input outside tcp 50.20.38.106 1024 192.168.1.100 www
and look at the Action: under Result:
l*********r
Posts: 215
7
Also, remove this line with no:
no access-list 100 extended permit ip any any
d*****s
Posts: 173
8

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
I added access-group 100 in interface outside
and then no access-list 100 extended permit ip any any.
Still cannot access it.

[l*********r wrote:]
: Next try: packet-tracer input outside tcp 50.20.38.106 1024 192.168.1.100 www
: and look at the Action: under Result:
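An added worked example, not the poster's config and not Cisco code: a small Python model of the checks the replies in this thread walk through for the first post and for the packet-tracer result above. Since ASA 8.3, interface ACLs are matched against the real (untranslated) address, so the model un-NATs the destination first and only then evaluates the ACL bound to the ingress interface. It parses the object / nat / access-list / access-group lines from a constructed excerpt modelled on the posted config (keeping 192.168.1.100 from the posted myWebServ object), flags an ACL that is never bound with access-group and object names the ACL references but never defines, then evaluates the same inbound flow packet-tracer was given: the posted ACL yields acl-drop, and an ACL written against the server's real address permits it. The outside client 203.0.113.5 is a constructed sample address.

```python
"""Added example: ASA 8.3-style config lint and inbound-flow check (a model, not Cisco code)."""
from dataclasses import dataclass, field

PORT_NAMES = {"www": 80, "http": 80, "https": 443}

# Constructed excerpt modelled on the posted config: real server 192.168.1.100,
# mapped to 50.20.38.106 by object NAT; the access-list line is the posted one.
ORIGINAL_CFG = """\
object network myWebServ
 host 192.168.1.100
object network myWebServ
 nat (inside,outside) static 50.20.38.106
access-list 100 extended permit tcp host 50.20.38.106 object 192.168.1.100 eq www
"""

# Post 8's situation: the same ACL, now bound inbound on the outside interface.
BOUND_ORIGINAL_CFG = ORIGINAL_CFG + "access-group 100 in interface outside\n"

# The 8.3 form: any outside source, destination written as the real address (via the
# object that carries the NAT), and the ACL bound inbound on outside.
FIXED_CFG = """\
object network myWebServ
 host 192.168.1.100
object network myWebServ
 nat (inside,outside) static 50.20.38.106
access-list 100 extended permit tcp any object myWebServ eq www
access-group 100 in interface outside
"""


@dataclass
class Config:
    objects: dict = field(default_factory=dict)        # object name -> real IP
    static_nat: dict = field(default_factory=dict)     # object name -> mapped IP
    acls: dict = field(default_factory=dict)           # ACL name -> list of ACEs
    access_groups: dict = field(default_factory=dict)  # ACL name -> interface it is bound to


def _addr(t, i):
    """Consume one address spec (any | host X | object NAME) starting at t[i]."""
    if t[i] == "any":
        return ("any", None), i + 1
    if t[i] in ("host", "object"):
        return (t[i], t[i + 1]), i + 2
    raise ValueError(f"unsupported address spec: {t[i]}")


def parse_config(text):
    """Parse only the object / nat / access-list / access-group lines this model needs."""
    cfg, current = Config(), None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["object", "network"]:
            current = t[2]
            cfg.objects.setdefault(current, None)
        elif t[0] == "host" and current:
            cfg.objects[current] = t[1]
        elif t[0] == "nat" and current and "static" in t:
            cfg.static_nat[current] = t[t.index("static") + 1]
        elif t[0] == "access-list" and t[2] == "extended":
            src, i = _addr(t, 5)
            dst, i = _addr(t, i)
            port = None
            if i < len(t) and t[i] == "eq":
                port = int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAMES[t[i + 1]]
            cfg.acls.setdefault(t[1], []).append((t[3], t[4], src, dst, port))
        elif t[0] == "access-group":
            cfg.access_groups[t[1]] = t[t.index("interface") + 1]
    return cfg


def lint(cfg):
    """Static checks for the two mistakes the replies point at."""
    findings = []
    for name, aces in cfg.acls.items():
        if name not in cfg.access_groups:
            findings.append(f"access-list {name} is never bound with access-group")
        for _, _, src, dst, _ in aces:
            for kind, val in (src, dst):
                if kind == "object" and val not in cfg.objects:
                    findings.append(f"access-list {name} references undefined object {val}")
    return findings


def _matches(spec, ip, cfg):
    kind, val = spec
    return kind == "any" or (kind == "host" and ip == val) or (kind == "object" and cfg.objects.get(val) == ip)


def evaluate_inbound(cfg, ingress, src_ip, dst_ip, proto, port):
    """8.3+ order: un-NAT the destination, then match the ingress ACL on real addresses."""
    real_dst = next((cfg.objects[n] for n, m in cfg.static_nat.items() if m == dst_ip), dst_ip)
    acl = next((n for n, itf in cfg.access_groups.items() if itf == ingress), None)
    if acl is None:
        # Lower- to higher-security traffic with no inbound ACL is dropped by the implicit rule.
        return {"action": "drop", "real_dst": real_dst, "reason": f"implicit deny: no access-group on {ingress}"}
    for action, p, src, dst, prt in cfg.acls[acl]:
        if p == proto and _matches(src, src_ip, cfg) and _matches(dst, real_dst, cfg) and prt in (None, port):
            return {"action": action, "real_dst": real_dst, "reason": f"matched ACE in access-list {acl}"}
    return {"action": "drop", "real_dst": real_dst,
            "reason": f"acl-drop: no ACE in access-list {acl} matched {src_ip} -> {real_dst}:{port}"}


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_CFG), ("bound original", BOUND_ORIGINAL_CFG), ("fixed", FIXED_CFG)):
        cfg = parse_config(text)
        print(label, "lint:", lint(cfg) or "clean")
        print(label, "flow:", evaluate_inbound(cfg, "outside", "203.0.113.5", "50.20.38.106", "tcp", 80))
```

Running it shows the three states in order: the posted excerpt is never bound and names an object that does not exist; binding it reproduces the acl-drop from the packet-tracer output, because the ACE's source is the mapped .106 address rather than the outside client and its destination object is undefined; the 8.3-style ACE permits the flow with the destination un-NATed to 192.168.1.100. The model covers only host/any/object address specs and a single static object NAT, which is all the thread's scenario needs.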

s*****g
Posts: 1055
9
For testing purposes, keep "access-list 100 extended permit ip any any" and
try packet tracer again. Your packet tracer should look like this:
packet-tracer input outside tcp 1024 50.20.38.106 www
a***n
Posts: 262
10
Usually for testing purposes, I always have
logging enable
logging timestamp
logging buffered debugging
Then you can use show log to see the log information.


[s*****g wrote:]
: For testing purposes, keep "access-list 100 extended permit ip any any" and
: try packet tracer again. Your packet tracer should look like this:
: packet-tracer input outside tcp 1024 50.20.38.106 www
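A constructed follow-up to the logging suggestion above (an added example, not code from this thread or from Cisco): with logging buffered debugging on, show log holds one 106023 line per packet an access-group denied, naming the ACL, the ingress interface and, on 8.3, the real destination address. The parser below pulls those fields out and counts denies per ACL and destination, so the one rule doing the dropping stands out among the other messages. The sample lines are constructed in the shape of ASA 106023 and 302013 messages, not output from the poster's device, and the client addresses are documentation-range placeholders.

```python
"""Added example: summarise access-group denies from ASA 'show log' output (constructed sample)."""
import re
from collections import Counter

# Constructed sample lines shaped like ASA syslog messages; 'logging timestamp' supplies the
# leading date/time. Two web-server denies, one permitted connection, one unrelated DNS deny.
SAMPLE_LOG = """\
Jun 10 2011 10:11:12: %ASA-4-106023: Deny tcp src outside:203.0.113.5/51234 dst inside:192.168.1.100/80 by access-group "100" [0x0, 0x0]
Jun 10 2011 10:11:13: %ASA-4-106023: Deny tcp src outside:203.0.113.5/51235 dst inside:192.168.1.100/80 by access-group "100" [0x0, 0x0]
Jun 10 2011 10:11:20: %ASA-6-302013: Built inbound TCP connection 12 for outside:198.51.100.7/4000 (198.51.100.7/4000) to inside:192.168.1.100/80 (50.20.38.106/80)
Jun 10 2011 10:11:30: %ASA-4-106023: Deny udp src outside:198.51.100.9/53 dst inside:192.168.1.2/53 by access-group "100" [0x0, 0x0]
"""

# Fields of a 106023 message: protocol, source interface:ip/port, destination interface:ip/port, ACL name.
DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) '
    r'src (?P<sif>[^:\s]+):(?P<sip>[^/\s]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[^:\s]+):(?P<dip>[^/\s]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_denies(text):
    """Return one dict per 106023 line; lines with other message IDs are skipped."""
    denies = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            denies.append(m.groupdict())
    return denies


def summarise(denies):
    """Count denies per (ACL, ingress interface, protocol, real destination ip/port)."""
    return Counter((d["acl"], d["sif"], d["proto"], f'{d["dip"]}/{d["dport"]}') for d in denies)


if __name__ == "__main__":
    for key, n in summarise(parse_denies(SAMPLE_LOG)).most_common():
        acl, sif, proto, dst = key
        print(f"{n:4d}  access-group {acl} on {sif}  {proto} -> {dst}")
```

On the sample the web-server flow tops the list as two denies of tcp to 192.168.1.100/80 by access-group 100 on outside, which is the same verdict packet-tracer gives, now with the real client address attached; the 302013 line is ignored because it is a built connection, not a deny.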

a***n
Posts: 262
11
static (inside, outside) 54.x.y.106 192.168.1.100 netmask 255.255.255.255
A static NAT entry is needed. I copied this from an FWSM; it should be the same on the ASA.
show nat ?

[d*****s wrote:]
:
: Result:
: input-interface: outside
: input-status: up
: input-line-status: up
: output-interface: inside
: output-status: up
: output-line-status: up
: Action: drop
: Drop-reason: (acl-drop) Flow is denied by configured rule

a***n
Posts: 262
12
http://www.cisco.com/en/US/products/ps6120/products_configurati

[a***n wrote:]
: static (inside, outside) 54.x.y.106 192.168.1.100 netmask 255.255.255.255
: A static NAT entry is needed. I copied this from an FWSM; it should be the same on the ASA.
: show nat ?

s*****g
Posts: 1055
13
That was old style configuration of static NAT, the new style SUCKS.

[a***n wrote:]
: static (inside, outside) 54.x.y.106 192.168.1.100 netmask 255.255.255.255
: A static NAT entry is needed. I copied this from an FWSM; it should be the same on the ASA.
: show nat ?
