
Completing the NAT mapping on a PIX525

2007-12-20 14:16
Originally posted 2007-12-19 14:56:22. Tags: PIX525, NAT, mapping, networking

Copyright notice: original work; reproduction is permitted, but when reproducing you must indicate the original source, the author information and this notice in hyperlink form. Otherwise legal action will be pursued. http://strugglu.blog.51cto.com/241957/55835

Today I am posting the configuration so everyone can help take a look: could the packet-loss problem be related to the rule configuration? After NAT was configured, the Internet is reachable, but pinging external addresses from a PC fails completely (although it does not affect web access)! For a while I could not browse web pages and could not ping out either, which made me think there was an error in the NAT setup, but it later turned out my machine had no DNS address configured, which is why I could not browse; after adding the local DNS it was fine. The ping failure, however, is still unsolved. I tested download speed over FTP: the rate through PIX525 + 3750 is almost identical to a direct connection, so I conclude there is no "serious packet loss problem".

pixfirewall(config)# sh run
: Saved
:
PIX Version 8.0(2)
!
hostname pixfirewall
domain-name xxxbank.com
enable password PJlHc0RVFW2RrQAM encrypted
names
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.8.92 255.255.255.0
!
interface Ethernet1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0
nameif dmz1
security-level 50
ip address 10.10.11.1 255.255.255.0
!
interface GigabitEthernet1
nameif dmz2
security-level 50
no ip address
!
passwd usNpRs8WOPDxIVKn encrypted
boot system flash:/pix802.bin
ftp mode passive
clock timezone CST 8
dns server-group DefaultDNS
domain-name chinabank.com
access-list ADtrans_splitTunnelAcl standard permit any
access-list outside_access_in extended permit tcp any host 60.195.251.38 eq www
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 60.195.251.38 eq https
access-list outside_access_in extended permit tcp any host 60.195.251.25 eq www
access-list outside_access_in extended permit tcp any host 60.195.251.25 eq https
access-list outside_access_in extended permit tcp any host 60.195.251.26 eq 5901
access-list outside_access_in extended permit tcp any host 60.195.251.29 eq 5901
access-list outside_access_in extended permit tcp any host 60.195.251.29 eq www
access-list outside_access_in extended permit tcp any host 60.195.251.15 eq ssh
access-list outside_access_in extended permit tcp any host 60.195.251.15 eq https
access-list outside_access_in extended permit tcp any host 60.195.251.15 eq www
access-list outside_access_in extended permit tcp any host 60.195.251.25 eq 9102
access-list outside_access_in extended permit tcp any host 60.195.251.14 eq https
access-list outside_access_in extended permit tcp any host 60.195.251.14 eq ssh
access-list outside_access_in extended permit tcp any host 60.195.251.25 eq 9103
access-list outside_access_in extended permit tcp any host 60.195.251.26 eq 9106
access-list outside_access_in extended permit tcp any host 60.195.251.25 eq 9107
access-list outside_access_in extended permit tcp host 219.142.173.116 host 60.195.251.26 eq 9000
access-list outside_access_in extended permit tcp any host 60.195.251.19 eq https
access-list outside_access_in extended permit tcp any host 60.195.251.19 eq 5901
access-list outside_access_in extended permit tcp any host 60.195.251.19 eq www
access-list outside_access_in extended permit tcp any host 60.195.251.19 eq 16111
access-list outside_access_in extended permit tcp any host 60.195.251.19 eq 16112
access-list outside_access_in extended permit tcp any host 60.195.251.19 eq 9000
access-list outside_access_in extended permit tcp any host 60.195.251.34 eq https
access-list outside_access_in extended permit tcp any host 60.195.251.34 eq www
access-list outside_access_in extended permit tcp any host 60.195.251.21 eq www
access-list outside_access_in extended permit tcp any host 60.195.251.21 eq pop3
access-list outside_access_in extended permit tcp any host 60.195.251.23 eq www
access-list outside_access_in extended permit tcp any host 60.195.251.23 eq https
access-list outside_access_in extended permit tcp any host 60.195.251.23 eq 9000
access-list outside_access_in extended permit tcp any host 60.195.251.24 eq www
access-list outside_access_in extended permit tcp any host 60.195.251.24 eq https
access-list outside_access_in extended permit tcp any host 60.195.251.30 eq www
access-list outside_access_in extended permit tcp any host 60.195.251.30 eq https
access-list outside_access_in extended permit tcp any host 60.195.251.31 eq https
access-list outside_access_in extended permit tcp any host 60.195.251.32 eq www
access-list outside_access_in extended permit tcp any host 60.195.251.32 eq https
access-list outside_access_in extended permit tcp any host 60.195.251.33 eq 16338
access-list outside_access_in extended permit tcp any host 60.195.251.38 eq ssh
access-list outside_access_in extended permit tcp any host 60.195.251.29 eq 1194
access-list outside_access_in extended permit tcp host 219.142.173.116 host 60.195.251.23 eq 8000
access-list outside_access_in extended permit tcp host 219.142.173.116 host 60.195.251.33 eq https
access-list outside_access_in extended permit tcp any host 60.195.251.37 eq www
access-list outside_access_in extended permit tcp host 219.142.173.116 host 60.195.251.20 eq ssh
access-list outside_access_in extended permit tcp any host 60.195.251.13 eq www
access-list outside_access_in extended permit tcp any host 60.195.251.13 eq https
access-list outside_access_in extended permit tcp any host 60.195.251.13 eq 20000
access-list outside_access_in extended permit tcp any host 60.195.251.26 eq 9102
access-list outside_access_in extended permit tcp any host 60.195.251.37 eq https
access-list outside_access_in extended permit udp any host 60.195.251.10 eq domain
access-list outside_access_in extended permit tcp any host 60.195.251.10 eq domain
access-list outside_access_in extended permit tcp any host 60.195.251.11 eq www
access-list outside_access_in extended permit tcp any host 60.195.251.11 eq https
access-list outside_access_in extended permit tcp any host 60.195.251.12 eq https
access-list outside_access_in extended permit tcp any host 60.195.251.12 eq www
access-list outside_access_in extended permit tcp any host 60.195.251.10 eq 8080
access-list outside_access_in extended permit tcp any host 60.195.251.10 eq 8079
access-list outside_access_in extended permit tcp any host 60.195.251.10 eq 7079
access-list outside_access_in extended permit tcp any host 60.195.251.10 eq 7080
access-list outside_access_in extended permit tcp any host 60.195.251.10 eq www
access-list outside_access_in extended permit tcp any host 60.195.251.10 eq https
access-list outside_access_in extended permit tcp any host 60.195.251.21 eq smtp
access-list outside_access_in extended permit tcp any host 60.195.251.16 eq www
access-list outside_access_in extended permit tcp any host 60.195.251.16 eq smtp
access-list outside_access_in extended permit tcp any host 60.195.251.16 eq pop3
access-list outside_access_in extended permit tcp any host 60.195.251.26 eq 9101
access-list outside_access_in extended permit tcp any host 60.195.251.25 eq 9105
access-list outside_access_in extended permit tcp host 219.142.173.112 host 60.195.251.26 eq 9000
access-list outside_access_in extended permit tcp host 219.142.173.113 host 60.195.251.26 eq 9000
access-list outside_access_in extended permit tcp host 220.231.5.2 host 60.195.251.26 eq 9000
access-list outside_access_in extended permit tcp host 220.231.5.2 host 60.195.251.23 eq 8000
access-list outside_access_in extended permit tcp host 220.231.5.2 host 60.195.251.33 eq https
access-list outside_access_in extended permit tcp host 220.231.5.2 host 60.195.251.20 eq ssh
access-list Chinabank extended permit ip 10.10.8.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list Chinabank extended permit ip 10.10.9.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging timestamp
logging buffered notifications
logging trap notifications
logging asdm warnings
logging facility 22
mtu outside 1500
mtu dmz1 1500
mtu dmz2 1500
ip audit name INFO info action alarm drop
ip audit name ATTACK attack action alarm drop reset
ip audit signature 2004 disable
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-521.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface //use the outside interface address for PAT
nat (dmz1) 0 access-list Chinabank
nat (dmz1) 2 10.10.8.14 255.255.255.255
nat (dmz1) 1 10.10.8.0 255.255.255.0
nat (dmz1) 1 10.10.11.0 255.255.255.0 //translate addresses in this subnet
route outside 0.0.0.0 0.0.0.0 192.168.8.254 1 //default route
timeout xlate 1:00:00
timeout conn 0:30:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.8.200 255.255.255.255 dmz1
snmp-server host dmz1 10.10.8.200 poll community Microcisco
no snmp-server location
snmp-server contact Microcisco
snmp-server community Microcisco
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set *** esp-3des esp-md5-hmac
crypto map aaa 30 match address Chinabank
crypto map aaa 30 set peer 220.bb.b.2
crypto map aaa 30 set transform-set ***
crypto map aaa 30 set security-association lifetime seconds 7200
crypto isakmp identity address
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 7200
no crypto isakmp nat-traversal
telnet 10.10.0.0 255.255.0.0 dmz1
telnet timeout 5
ssh 10.10.0.0 255.255.0.0 dmz1
ssh 10.10.8.200 255.255.255.255 dmz1
ssh timeout 20
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect rtsp
inspect rsh
inspect skinny
inspect sqlnet
inspect ftp
inspect h323 h225
inspect tftp
inspect xdmcp
inspect netbios
inspect sunrpc
inspect h323 ras
inspect dns migrated_dns_map_1
!
service-policy global_policy global
ntp server 137.189.11.181
username ciscocisco password txHKylaC1k.z8b/4 encrypted
tunnel-group 220.bb.b.2 type ipsec-l2l
tunnel-group 220.bb.b.2 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:b69116e40344208a286bb6a024cd53e0
: end

From the PC, pinging the PIX's dmz1 interface (10.10.11.1) works, but pinging any external address, any domain name, or the company's 192.168.x.x network fails. I could not find any statement above that blocks ICMP either. It should not be a rule issue; today I wiped the entire configuration with clear config all and tried again, and the problem was still there...

At lunch I asked our PIX expert :) and he had it sorted in under two minutes. It turns out the PIX does not allow ICMP packets in by default. Adding an ACL to let them in fixed it:

access-list 100 permit ip any any
access-group 100 in interface outside

This article comes from the blog "不奋斗,无颜以对江东父老!" on the 51CTO.COM technical blogs; please keep this source: http://strugglu.blog.51cto.com/241957/55835
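What follows is a tightened fragment of the running-config above, added here as an example; it is not part of the original post or of the expert's fix, and it keeps the pre-8.3 nat/global syntax of PIX 8.0(2). Four things visible in the posted config explain the symptoms and the cost of the permit ip any any fix. First, nat (dmz1) 2 10.10.8.14 has no matching global (outside) 2, so that host has no translation group and its traffic is dropped. Second, ICMP is not in global_policy; an outbound echo therefore creates an xlate but no connection entry, and the echo-reply is treated as new inbound traffic that hits the outside interface's implicit deny, which is exactly what access-list 100 was added to get around. inspect icmp makes the reply part of the existing connection, so no inbound permit is needed at all. Third, outside_access_in is defined with dozens of per-host rules but is never bound with access-group, while the blanket access-list 100 bound inbound permits every protocol and port to any address that has a translation. Fourth, crypto map aaa and ISAKMP policy 30 are configured but never activated on an interface, so the 192.168.x.x network over the tunnel cannot work regardless of ICMP. The only assumption is the 3750's address on the dmz1 segment (10.10.11.2), which the post never states; it is needed because the config references 10.10.8.0/24 and 10.10.9.0/24 in NAT, VPN-exemption and management statements but carries only a default route toward outside.

```cisco
! Added example (not from the original post): tightened fragment of the
! PIX 8.0(2) running-config above. ASSUMPTION: 10.10.11.2 is the 3750's
! address on the dmz1 segment; the post never states it.
!
! --- NAT: each "nat <id>" needs a "global (outside) <id>" ---
! The post has "nat (dmz1) 2 10.10.8.14" but no pool 2, so 10.10.8.14 gets
! "no translation group found" and is dropped. Pair it with a global.
global (outside) 1 interface
global (outside) 2 interface
nat (dmz1) 0 access-list Chinabank
nat (dmz1) 2 10.10.8.14 255.255.255.255
nat (dmz1) 1 10.10.8.0 255.255.255.0
nat (dmz1) 1 10.10.11.0 255.255.255.0
!
! --- Routing: NAT, the VPN exemption list and the http/ssh management
! statements all refer to 10.10.8.0/24 and 10.10.9.0/24, but the only route
! in the post is the default toward outside. Point them at the switch
! behind dmz1 (next hop is the assumption above).
route dmz1 10.10.8.0 255.255.255.0 10.10.11.2 1
route dmz1 10.10.9.0 255.255.255.0 10.10.11.2 1
route outside 0.0.0.0 0.0.0.0 192.168.8.254 1
!
! --- ICMP: make it stateful instead of opening the outside interface ---
! The post's fix (permits every protocol and port inbound to anything that
! has a translation, and is the only ACL actually bound to an interface):
!   access-list 100 permit ip any any
!   access-group 100 in interface outside
! With inspect icmp, the echo-reply to an outbound ping is matched to the
! existing connection and bypasses the inbound ACL; inspect icmp error does
! the same for unreachable/time-exceeded messages tied to that connection.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! --- Inbound ACL: bind the per-host list the post defines but never applies.
! Its "permit icmp any any" also lets anyone ping or probe every published
! host; narrow it to the types a NATed client might still receive.
no access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-group outside_access_in in interface outside
no access-list 100 permit ip any any
!
! --- VPN: crypto map "aaa" and ISAKMP policy 30 exist but are never
! activated, so the 192.168.x.x network over the tunnel cannot come up.
crypto map aaa interface outside
crypto isakmp enable outside
!
! --- Management: ssh is already allowed from 10.10.0.0/16; drop cleartext telnet.
no telnet 10.10.0.0 255.255.0.0 dmz1
```

After applying this in configuration mode, show xlate and show conn should show an icmp entry while a ping from a dmz1 host is running, show access-list outside_access_in should show hit counts on the per-host lines instead of on a catch-all, and packet-tracer input dmz1 icmp 10.10.8.200 8 0 <outside host> reports the exact phase (route lookup, NAT, ACL) that drops a ping if one still fails. Separately, the pasted show run exposes the SNMP community string, the NTP and VPN peer addresses and the encrypted enable/passwd hashes; a practitioner would scrub those before posting and rotate the community and passwords afterwards.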