forum.opennet.ru

Составление сообщения

Исходное сообщение

"pix515e Проблема с доступом в DMZ"
Отправлено sam1, 22-Май-07 09:12

Доброе время суток уважаемые ГУРУ!
Настраиваю в первые PIX через ASDM 5.0
Подскажите в чем трабла?
Есть Cisco2651 и Cisco PIX515е.

Нет доступа к DMZ из инета
С локалки всё ок (инет, дмз.......)
Может я, что-то не доделал?
Спасибо.

PIX Version 7.0(4)
!
hostname xxxxxxxx
domain-name xxxxxxxxxx
enable password xxxxxxxxxxxxxxxxxxxxxxx
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 10.10.10.1 255.0.0.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.251 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 50
ip address 217.20.94.110 255.255.255.240
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
passwd xxxxxxxxxxxxxxxxxxxxxxxxxxx
ftp mode passive
clock timezone YEKST 5
clock summer-time YEKDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns name-server 212.96.192.1
dns name-server 212.96.195.1
object-group service www_smtp_pop3_ftp tcp
port-object eq www
port-object eq ftp-data
port-object eq pop3
port-object eq ftp
port-object eq smtp
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any any object-group www_smtp_pop3_ftp
access-list dmz_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
monitor-interface outside
monitor-interface inside
monitor-interface dmz
asdm image flash:/asdm
asdm location 217.20.94.100 255.255.255.254 dmz
no asdm history enable
arp timeout 14400
global (outside) 10 interface
global (inside) 10 interface
global (dmz) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 10.10.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username xxxxx password xxxxxxxxxxxxxx encrypted privilege 15
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
smtp-server 210.20.94.100
Cryptochecksum:dcbe9408b131ea8f8d695b3e72b2b8f9
: end

Cisco2651#show running-config
Building configuration...
Current configuration : 3628 bytes
!
! Last configuration change at 10:48:04 Russia Mon May 21 2007 by admin
! NVRAM config last updated at 10:47:15 Russia Mon May 21 2007 by admin
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco2651
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxx
!
username xxxxxxx privilege 15 secret xxxxxxxxxxxxxxxxxxxxx
memory-size iomem 15
clock timezone Russia 5
clock summer-time Russia date Mar 30 2003 2:00 Oct 26 2003 3:00
no network-clock-participate slot 1
no network-clock-participate wic 0
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
aaa session-id common
ip subnet-zero
no ip source-route
ip cef
ip tcp synwait-time 10
!
!
!
no ip bootp server
ip name-server 212.96.192.1
ip name-server 212.96.195.1
no ftp-server write-enable
!
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description $ETH-LAN$$FW_OUTSIDE$
ip address 62.105.17.102 255.255.255.252
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
description $ETH-LAN$$FW_INSIDE$
ip address 10.10.10.2 255.0.0.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
speed auto
half-duplex
no mop enabled
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip http server
ip http access-class 3
!
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.10.10.0 0.0.0.3
access-list 3 remark Auto generated by SDM Management Access feature
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 10.10.10.0 0.0.0.255
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.2 eq telnet
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.2 eq 22
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.2 eq www
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.2 eq cmd
access-list 100 deny tcp any host 10.10.10.2 eq telnet
access-list 100 deny tcp any host 10.10.10.2 eq 22
access-list 100 deny tcp any host 10.10.10.2 eq www
access-list 100 deny tcp any host 10.10.10.2 eq 443
access-list 100 deny tcp any host 10.10.10.2 eq cmd
access-list 100 deny udp any host 10.10.10.2 eq snmp
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
no cdp run
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
^C
!
line con 0
login authentication local_authen
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 101 in
password 7 xxxxxxxxxxxxxxxxxxxx
authorization exec local_author
login authentication local_authen
transport input telnet
!
scheduler allocate 4000 1000
scheduler interval 500
!
!
end

Исходное сообщение
"pix515e Проблема с доступом в DMZ" Отправлено sam1, 22-Май-07 09:12
Доброе время суток уважаемые ГУРУ! Настраиваю в первые PIX через ASDM 5.0 Подскажите в чем трабла? Есть Cisco2651 и Cisco PIX515е. Нет доступа к DMZ из инета С локалки всё ок (инет, дмз.......) Может я, что-то не доделал? Спасибо. PIX Version 7.0(4) ! hostname xxxxxxxx domain-name xxxxxxxxxx enable password xxxxxxxxxxxxxxxxxxxxxxx names ! interface Ethernet0 nameif outside security-level 0 ip address 10.10.10.1 255.0.0.0 ! interface Ethernet1 nameif inside security-level 100 ip address 192.168.1.251 255.255.255.0 ! interface Ethernet2 nameif dmz security-level 50 ip address 217.20.94.110 255.255.255.240 ! interface Ethernet3 shutdown no nameif no security-level no ip address ! interface Ethernet4 shutdown no nameif no security-level no ip address ! interface Ethernet5 shutdown no nameif no security-level no ip address ! passwd xxxxxxxxxxxxxxxxxxxxxxxxxxx ftp mode passive clock timezone YEKST 5 clock summer-time YEKDT recurring last Sun Mar 2:00 last Sun Oct 3:00 dns domain-lookup outside dns name-server 212.96.192.1 dns name-server 212.96.195.1 object-group service www_smtp_pop3_ftp tcp port-object eq www port-object eq ftp-data port-object eq pop3 port-object eq ftp port-object eq smtp access-list outside_access_in extended permit icmp any any access-list outside_access_in extended permit tcp any any object-group www_smtp_pop3_ftp access-list dmz_access_in extended permit icmp any any pager lines 24 logging enable logging asdm informational mtu outside 1500 mtu inside 1500 mtu dmz 1500 no failover monitor-interface outside monitor-interface inside monitor-interface dmz asdm image flash:/asdm asdm location 217.20.94.100 255.255.255.254 dmz no asdm history enable arp timeout 14400 global (outside) 10 interface global (inside) 10 interface global (dmz) 10 interface nat (inside) 10 0.0.0.0 0.0.0.0 access-group outside_access_in in interface outside access-group dmz_access_in in interface dmz route outside 0.0.0.0 0.0.0.0 10.10.10.2 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute username xxxxx password xxxxxxxxxxxxxx encrypted privilege 15 aaa authentication telnet console LOCAL http server enable http 192.168.1.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart telnet 192.168.1.0 255.255.255.0 inside telnet timeout 5 ssh 192.168.1.0 255.255.255.0 inside ssh timeout 5 console timeout 0 ! class-map inspection_default match default-inspection-traffic ! ! policy-map global_policy class inspection_default inspect dns maximum-length 512 inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp ! service-policy global_policy global smtp-server 210.20.94.100 Cryptochecksum:dcbe9408b131ea8f8d695b3e72b2b8f9 : end Cisco2651#show running-config Building configuration... Current configuration : 3628 bytes ! ! Last configuration change at 10:48:04 Russia Mon May 21 2007 by admin ! NVRAM config last updated at 10:47:15 Russia Mon May 21 2007 by admin ! version 12.3 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service sequence-numbers ! hostname Cisco2651 ! boot-start-marker boot-end-marker ! security authentication failure rate 3 log security passwords min-length 6 logging buffered 51200 debugging logging console critical enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx enable password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxx ! username xxxxxxx privilege 15 secret xxxxxxxxxxxxxxxxxxxxx memory-size iomem 15 clock timezone Russia 5 clock summer-time Russia date Mar 30 2003 2:00 Oct 26 2003 3:00 no network-clock-participate slot 1 no network-clock-participate wic 0 aaa new-model ! ! aaa authentication login local_authen local aaa authorization exec local_author local aaa session-id common ip subnet-zero no ip source-route ip cef ip tcp synwait-time 10 ! ! ! no ip bootp server ip name-server 212.96.192.1 ip name-server 212.96.195.1 no ftp-server write-enable ! ! ! ! interface Null0 no ip unreachables ! interface FastEthernet0/0 description $ETH-LAN$$FW_OUTSIDE$ ip address 62.105.17.102 255.255.255.252 ip verify unicast reverse-path no ip redirects no ip unreachables no ip proxy-arp ip nat outside ip route-cache flow duplex auto speed auto no mop enabled ! interface FastEthernet0/1 description $ETH-LAN$$FW_INSIDE$ ip address 10.10.10.2 255.0.0.0 ip access-group 100 in no ip redirects no ip unreachables no ip proxy-arp ip nat inside ip route-cache flow speed auto half-duplex no mop enabled ! ip classless ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 ip http server ip http access-class 3 ! logging trap debugging access-list 1 remark SDM_ACL Category=2 access-list 1 permit 10.0.0.0 0.255.255.255 access-list 2 remark SDM_ACL Category=2 access-list 2 permit 10.10.10.0 0.0.0.3 access-list 3 remark Auto generated by SDM Management Access feature access-list 3 remark SDM_ACL Category=1 access-list 3 permit 10.10.10.0 0.0.0.255 access-list 100 remark Auto generated by SDM Management Access feature access-list 100 remark SDM_ACL Category=1 access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.2 eq telnet access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.2 eq 22 access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.2 eq www access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.2 eq cmd access-list 100 deny tcp any host 10.10.10.2 eq telnet access-list 100 deny tcp any host 10.10.10.2 eq 22 access-list 100 deny tcp any host 10.10.10.2 eq www access-list 100 deny tcp any host 10.10.10.2 eq 443 access-list 100 deny tcp any host 10.10.10.2 eq cmd access-list 100 deny udp any host 10.10.10.2 eq snmp access-list 100 permit ip any any access-list 101 remark Auto generated by SDM Management Access feature access-list 101 remark SDM_ACL Category=1 access-list 101 permit ip 10.10.10.0 0.0.0.255 any no cdp run banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user! ^C ! line con 0 login authentication local_authen transport output telnet line aux 0 login authentication local_authen transport output telnet line vty 0 4 access-class 101 in password 7 xxxxxxxxxxxxxxxxxxxx authorization exec local_author login authentication local_authen transport input telnet ! scheduler allocate 4000 1000 scheduler interval 500 ! ! end

Ваше сообщение

Имя*:

EMail:

Для отправки новых сообщений в текущей нити на email укажите знак ! перед адресом, например, !user@host.ru (!! - не показывать email).
Более тонкая настройка отправки ответов производится в профиле зарегистрированного участника форума.

Заголовок*:

Сообщение*:

При общении не допускается: неуважительное отношение к собеседнику, хамство, унизительное обращение, ненормативная лексика, переход на личности, агрессивное поведение, обесценивание собеседника, провоцирование флейма голословными и заведомо ложными заявлениями. Не отвечайте на сообщения, явно нарушающие правила - удаляются не только сами нарушения, но и все ответы на них. Лог модерирования.

На сайте действует частичное премодерирование - после публикации некоторые сообщения от анонимов могут автоматически скрываться ботом. После проверки модератором ошибочно скрытые сообщения раскрываются. Для ускорения раскрытия можно воспользоваться ссылкой "Сообщить модератору", указав в качестве причины обращения "скрыто по ошибке".

Партнёры:

Хостинг:

Закладки на сайте
Проследить за страницей

Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру