Здравствуйте всем!
Имеется девайс, на нем хочу сделать ДМЗ.
От прова имеется диапазон адресов (32).
Хочу сделать статический НАТ, т.е. снаружи его достану по его публичному адресу, и пакеты, которые идут с него, тоже НАТятся на публичный.
Перед АСА только роутер прова. Проблема: на роутер прова пинги идут, дальше — ни-ни.
Я вот думаю может он мне НАТ из ДМЗ не делает?
Что я сделал неправильно?
Помогите, пожалуйста.
Конфиг:
! Cisco ASA configuration excerpt as posted; lines starting with "!" are
! comments the ASA ignores on input, so they are not part of the running config.
! The "description" lines below are real interface/object statements, not comments.
hostname icpasa
domain-name ххххххх.sk
names
! Interface settings
! Outside: xxx.xxx.xxx.254 with a /26 mask (64 addresses). The post says the
! provider assigned 32 addresses - NOTE(review): confirm with the provider
! which block is actually routed to this link; the static global addresses
! below (.194 .. .240) all have to fall inside it.
interface ethernet0/0
nameif outside
security-level 0
ip address xxx.xxx.xxx.254 255.255.255.192
! DMZ: a "vlan" is set directly on the physical interface (unlike the
! sub-interfaces on ethernet0/2.x) and no ip address is shown, yet the
! static (dmz,outside) lines below translate 10.10.1.x hosts.
! NOTE(review): confirm a 10.10.1.0/24 address is configured here or was
! left out of the excerpt; without it the DMZ hosts are not reachable.
interface ethernet0/1
nameif dmz
vlan 40
security-level 50
! Parent interface for the tagged inside VLANs; carries a nameif but no address.
interface ethernet0/2
nameif ins
security-level 100
! Don't set an IP address here because VLAN sub-interfaces are used
interface ethernet0/2.100
nameif inside
description Inside VLAN
vlan 10
security-level 100
ip address 10.10.2.254 255.255.255.0
interface ethernet0/2.200
nameif vpn
description Inside VPN VLAN
vlan 20
security-level 75
! ip address from freeradius ?? - NOTE(review): no address is configured on
! this interface; presumably it needs a static address like the other VLANs
! (RADIUS would hand addresses to VPN clients, not to the interface) - confirm.
! Customer VLAN: no security-level is shown. NOTE(review): if it is left at
! the default (0) it is at the same level as outside, and traffic between
! same-level interfaces is not forwarded unless explicitly permitted - confirm.
interface ethernet0/2.300
nameif zakaznici
description Externe zakaznici Internetu VLAN
vlan 30
ip address 10.10.5.1 255.255.255.0
! Routing
! Default route to the provider router; pings reach it, so the outside
! interface and its ARP neighbour are working.
route outside 0 0 xxx.xxx.xxx.193
! NAT configuration
! static (real_ifc,mapped_ifc) mapped_ip real_ip ... tcp <max_conns> <embryonic_limit>;
! 0 = no limit. Each line is a one-to-one translation in both directions.
! NOTE(review): if replies from beyond the provider router never come back,
! one thing to confirm with the provider is that the whole .192/26 block is
! routed towards this link; the ASA answers ARP for the mapped addresses
! on the outside interface by default (proxy ARP), so nothing more is needed here.
static (inside,outside) xxx.xxx.xxx.194 10.10.2.194 netmask 255.255.255.255 tcp 0 300
static (inside,outside) xxx.xxx.xxx.202 10.10.2.202 netmask 255.255.255.255 tcp 0 1000
static (inside,outside) xxx.xxx.xxx.217 10.10.2.217 netmask 255.255.255.255 tcp 0 100
static (inside,outside) xxx.xxx.xxx.195 10.10.2.195 netmask 255.255.255.255 tcp 0 100
static (dmz,outside) xxx.xxx.xxx.196 10.10.1.196 netmask 255.255.255.255 tcp 0 1000
static (dmz,outside) xxx.xxx.xxx.204 10.10.1.204 netmask 255.255.255.255 tcp 0 1000
static (dmz,outside) xxx.xxx.xxx.201 10.10.1.201 netmask 255.255.255.255 tcp 0 100
static (dmz,outside) xxx.xxx.xxx.205 10.10.1.205 netmask 255.255.255.255 tcp 0 100
static (dmz,outside) xxx.xxx.xxx.208 10.10.1.208 netmask 255.255.255.255 tcp 0 100
static (dmz,outside) xxx.xxx.xxx.207 10.10.1.207 netmask 255.255.255.255 tcp 0 100
static (dmz,outside) xxx.xxx.xxx.211 10.10.1.211 netmask 255.255.255.255 tcp 0 100
static (dmz,outside) xxx.xxx.xxx.240 10.10.1.240 netmask 255.255.255.255 tcp 0 100
static (dmz,outside) xxx.xxx.xxx.216 10.10.1.216 netmask 255.255.255.255 tcp 0 100
static (dmz,outside) xxx.xxx.xxx.223 10.10.1.223 netmask 255.255.255.255 tcp 0 100
! NOTE(review): OUTSIDE_IN below permits traffic to xxx.xxx.xxx.200 and
! xxx.xxx.xxx.233, but no static exists for either address in this excerpt,
! so those permits have nothing to translate to.
! Protocol inspection
! Divert traffic to CSC
! Default check
class-map inspection_default
match default-inspection-traffic
policy-map asa_global_fw_policy
class inspection_default
inspect dns maximum-length 512
inspect http
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy asa_global_fw_policy global
! Trusted inside hosts (currently only the DNS host); not referenced by any ACE below.
object-group network INSIDE_TRUSTED_HOSTS
description
network-object host 10.10.2.194
! Black list
object-group network OUTSIDE_BAD_GUYS
description Zoznam blokovanych IP
network-object 192.168.0.0 255.255.255.0
! ICMP group
object-group icmp-type ICMP_ALLOWED
description Povolene pingi
icmp-object echo
icmp-object echo-reply
! DNS public services
object-group service INSIDE_DNS_PUBLIC udp
description DNS public ports
port-object eq domain
! BASTION host warning
! Not referenced by any ACE in this excerpt.
object-group service INSIDE_BASTION tcp
description BASTION ssh pristup
port-object eq 22
! EPI public tcp services
object-group service DMZ_EPI_PUBLIC tcp
description EPI public access
port-object eq www
port-object eq 443
! ADS tcp services
object-group service DMZ_ADS_PUBLIC tcp
description ADS server access
port-object eq 21
port-object eq 80
port-object eq 443
! ADS udp services
! Only used by the commented-out UDP ACE in OUTSIDE_IN.
object-group service DMZ_ADS_PUBLIC_UDP udp
description ADS server access CS
port-object eq 1200
port-object range 2500 2600
port-object range 27010 27030
! Juven services
object-group service DMZ_JUVEN_TCP tcp
description EPI public access
port-object eq www
port-object eq 21
port-object range 60000 60100
!
! Campaign10 services
object-group service DMZ_CAMP_PUBLIC tcp
description Campaign public access
port-object eq 80
! Campaign10 admin access
object-group service DMZ_CAMP_ADMIN tcp
description Campaign public access
port-object eq 82
! OVSR public access
! Exposes a 1024-5000 port range in addition to 80/21 (presumably FTP passive
! data ports - confirm the range is really required).
object-group service DMZ_OVSR_PUBLIC tcp
description OVSR public access
port-object eq 80
port-object eq 21
port-object range 1024 5000
! OVSR admin access
! Not referenced by any ACE in this excerpt.
object-group service DMZ_OVSR_ADMIN tcp
description OVSR public access
port-object eq 3389
port-object range 137 139
! Maxo SP public access
! Not referenced by any ACE in this excerpt.
object-group service DMZ_ICPSP_ADMIN tcp
description ICPSP public access
port-object eq 80
! DOM4NET public access
object-group service DMZ_DOM4NET_GIBON tcp
description DOM4NET access for GIBON
port-object eq 1352
!!!!!!!!!!!!!
! OUTSIDE INBOUND ACL
!!!!!!!!!!!!!
! Black list blocking
access-list OUTSIDE_IN extended deny ip object-group OUTSIDE_BAD_GUYS any
! IPSec access
! TCP/10000 to the firewall's own outside address - presumably IPsec over TCP
! for the VPN client; confirm, since this is to-the-box rather than through traffic.
access-list OUTSIDE_IN extended permit tcp any host xxx.xxx.xxx.254 eq 10000
! DNS access list
access-list OUTSIDE_IN extended permit udp any host xxx.xxx.xxx.194 object-group INSIDE_DNS_PUBLIC
access-list OUTSIDE_IN extended permit tcp host 195.146.132.59 host xxx.xxx.xxx.194 eq domain
! EPI access list
! Management ports (1344, 3389) and NTP are restricted to a single source host.
access-list OUTSIDE_IN extended permit tcp any host xxx.xxx.xxx.196 object-group DMZ_EPI_PUBLIC
access-list OUTSIDE_IN extended permit tcp host ууу.ууу.ууу.46 host xxx.xxx.xxx.196 eq 1344
access-list OUTSIDE_IN extended permit tcp host ууу.ууу.ууу.46 host xxx.xxx.xxx.196 eq 3389
access-list OUTSIDE_IN extended permit udp host ууу.ууу.ууу.46 host xxx.xxx.xxx.196 eq 123
! ADS access list
access-list OUTSIDE_IN extended permit tcp any host xxx.xxx.xxx.204 object-group DMZ_ADS_PUBLIC
! access-list OUTSIDE_IN extended permit udp any host xxx.xxx.xxx.204 object-group DMZ_ADS_PUBLIC_UDP
! MAIL access list
access-list OUTSIDE_IN extended permit tcp any host xxx.xxx.xxx.201 eq smtp
access-list OUTSIDE_IN extended permit tcp any host xxx.xxx.xxx.201 eq pop3
! Juven access list
access-list OUTSIDE_IN extended permit tcp any host xxx.xxx.xxx.205 object-group DMZ_JUVEN_TCP
! OVSR access list
! NOTE(review): xxx.xxx.xxx.233 has no static translation above.
access-list OUTSIDE_IN extended permit tcp any host xxx.xxx.xxx.207 object-group DMZ_OVSR_PUBLIC
access-list OUTSIDE_IN extended permit tcp any host xxx.xxx.xxx.211 object-group DMZ_OVSR_PUBLIC
access-list OUTSIDE_IN extended permit tcp any host xxx.xxx.xxx.216 object-group DMZ_OVSR_PUBLIC
access-list OUTSIDE_IN extended permit tcp any host xxx.xxx.xxx.233 object-group DMZ_OVSR_PUBLIC
access-list OUTSIDE_IN extended permit tcp any host xxx.xxx.xxx.240 object-group DMZ_OVSR_PUBLIC
! DOM4NET access for replication from GIBON
! NOTE(review): xxx.xxx.xxx.195 is a static for an inside host (10.10.2.195),
! not a DMZ host, although the object-group is named DMZ_*.
access-list OUTSIDE_IN extended permit tcp host 62.168.70.27 host xxx.xxx.xxx.195 object-group DMZ_DOM4NET_GIBON
! Campaign access list
! NOTE(review): xxx.xxx.xxx.200 has no static translation above.
access-list OUTSIDE_IN extended permit tcp any host xxx.xxx.xxx.200 object-group DMZ_CAMP_PUBLIC
access-list OUTSIDE_IN extended permit tcp any host xxx.xxx.xxx.200 object-group DMZ_CAMP_ADMIN
! Allow pings
! Echo and echo-reply to the whole public /26, which also lets replies to
! outbound pings from the DMZ/inside back in (no "inspect icmp" is configured).
access-list OUTSIDE_IN extended permit icmp any xxx.xxx.xxx.192 255.255.255.192 object-group ICMP_ALLOWED
!!!!!!!
!OUTSIDE OUTBOUND ACL
!!!!!!!
! For now allow everything
access-list OUTSIDE_OUT extended permit ip any any
!!!!!!!
!DMZ INBOUND ACL
!!!!!!!
! Communication with the internal network
! Only 10.10.2.0/24 is denied here. NOTE(review): the "any" permits below
! also reach 10.10.5.0/24 (zakaznici) and any other internal VLAN on the
! listed ports; consider denying all internal ranges before those permits.
access-list DMZ_IN extended permit tcp host 10.10.1.200 host 204.146.80.26 eq 1433
access-list DMZ_IN extended deny ip 10.10.1.0 255.255.255.0 204.146.80.0 255.255.255.0
access-list DMZ_IN extended deny ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
! Communication with the outside world
access-list DMZ_IN extended permit tcp 10.10.1.0 255.255.255.0 any eq 22
access-list DMZ_IN extended permit tcp 10.10.1.0 255.255.255.0 any eq 80
access-list DMZ_IN extended permit tcp 10.10.1.0 255.255.255.0 any eq 443
access-list DMZ_IN extended permit tcp 10.10.1.0 255.255.255.0 any eq 21
access-list DMZ_IN extended permit tcp 10.10.1.0 255.255.255.0 any eq 25
access-list DMZ_IN extended permit tcp 10.10.1.0 255.255.255.0 any eq 110
access-list DMZ_IN extended permit icmp 10.10.1.0 255.255.255.0 any
!!!!!!!
!DMZ OUTBOUND ACL
!!!!!!!
! The "permit ip any any" makes the following icmp ACE unreachable (shadowed).
access-list DMZ_OUT extended permit ip any any
access-list DMZ_OUT extended permit icmp any 10.10.1.0 255.255.255.0 object-group ICMP_ALLOWED
!!!!!!!
!INSIDE INBOUND ACL - note: from our network's point of view this is OUTBOUND
!!!!!!!
! Unrestricted outbound from the inside VLAN.
access-list INSIDE_IN extended permit ip 10.10.2.0 255.255.255.0 any
access-list INSIDE_IN extended permit icmp any any object-group ICMP_ALLOWED
!!!!!!!
!INSIDE OUTBOUND ACL - note: from our network's point of view this is INBOUND
!!!!!!!
access-list INSIDE_OUT extended permit ip any any
! ACL bindings; the vpn and zakaznici interfaces have no ACL applied here.
access-group INSIDE_IN in interface inside
access-group INSIDE_OUT out interface inside
access-group DMZ_IN in interface dmz
access-group DMZ_OUT out interface dmz
access-group OUTSIDE_IN in interface outside
access-group OUTSIDE_OUT out interface outside