Student question:
There is an antivirus server on the inside network. I want the servers in the DMZ (web servers) to be managed by that antivirus server as well: install the antivirus client on them and have them pull updates from the inside antivirus server.
I'm not sure whether this is a reasonable approach. If it is, please look over my configuration below: with this configuration the DMZ servers still cannot ping the inside network.
I'd be grateful for help with the DMZ-to-inside access problem.
PS: the ACLs on outside, inside and dmz contain no deny entries.
dmz security level 50, inside security level 100. I specifically added acl_dmz to permit low -> high:
access-list acl_dmz permit ip host xxxxx host xxxxx
Relevant configuration:
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 123.127.6.x 255.255.255.240
ip address inside 192.168.102.y 255.255.255.0
ip address dmz 192.168.101.z 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 123.127.6.x1 (broadcast address)
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 172.31.16.0 255.255.255.0 0 0
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 123.127.6.x2 (public address of DMZ server 1) 192.168.101.y1 netmask 255.255.255.255 0 0
static (dmz,outside) 123.127.6.x3 (public address of DMZ server 2) 192.168.101.y2 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.101.4 (the DMZ-side address I intend to map the inside antivirus server to) 192.168.52.z (the inside antivirus server's IP) netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
access-group acl_inside in interface inside
access-group acl_dmz in interface dmz
Jieying (捷盈) instructor and student reply:
What do you mean by "the DMZ can't ping the inside network"? You can only ever ping the IP 192.168.101.4; you will never be able to ping the real IP of an inside machine.
access-list acl_dmz permit ip host xxxxx host xxxxx
What IPs do these xxx stand for?
Try changing it to the following.
access-list acl_dmz permit ip any host 192.168.101.4
That way every DMZ machine can reach the IP 192.168.101.4, and the PIX forwards packets destined for that IP to the antivirus server's inside address.
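To make the reply's point concrete, here is an added example (not from the thread or from Cisco) that models the two checks a DMZ-to-inside packet has to pass on this PIX: the acl_dmz entry and the static (inside,dmz) translation. It assumes a DMZ host 192.168.101.20 and uses 192.168.52.10 as a stand-in for the thread's 192.168.52.z; the "original" ACL is an assumed reading of the asker's 'host xxxxx host xxxxx'.

```python
import ipaddress

# Constructed model of the thread's PIX setup (not the PIX's own logic).
# A packet from the lower-security dmz toward inside must (1) be permitted
# by acl_dmz and (2) match a static (inside,dmz) translation; without a
# static, the real inside address is simply not reachable from the dmz.
VIRUS_SERVER_REAL = "192.168.52.10"     # stand-in for 192.168.52.z (assumption)
VIRUS_SERVER_MAPPED = "192.168.101.4"   # from: static (inside,dmz) 192.168.101.4 192.168.52.z
STATICS_INSIDE_DMZ = {VIRUS_SERVER_MAPPED: VIRUS_SERVER_REAL}  # dmz-side mapped -> inside real


def _match(spec, ip):
    """spec is 'any' or an IP / prefix string; a bare IP is treated as a /32."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def acl_permits(acl, src, dst):
    """acl is a list of (src_spec, dst_spec) permit entries, first match wins."""
    return any(_match(s, src) and _match(d, dst) for s, d in acl)


def dmz_to_inside(acl, src, dst):
    """Return (outcome, real_inside_destination_or_None) for a dmz -> inside packet."""
    if not acl_permits(acl, src, dst):
        return ("denied by acl_dmz", None)
    real = STATICS_INSIDE_DMZ.get(dst)
    if real is None:
        # Low -> high with no static for this destination: nothing to translate to,
        # which is why pinging the real inside IP can never work from the dmz.
        return ("no translation (inside host not exposed to dmz)", None)
    return ("forwarded", real)


# Assumed reading of the asker's 'host xxxxx host xxxxx': dmz host -> real inside IP.
ACL_ORIGINAL_GUESS = [("192.168.101.20", VIRUS_SERVER_REAL)]
# The reply's suggestion: access-list acl_dmz permit ip any host 192.168.101.4
ACL_SUGGESTED = [("any", VIRUS_SERVER_MAPPED)]

if __name__ == "__main__":
    dmz_host = "192.168.101.20"
    for label, acl in (("original (assumed)", ACL_ORIGINAL_GUESS), ("suggested", ACL_SUGGESTED)):
        for dst in (VIRUS_SERVER_REAL, VIRUS_SERVER_MAPPED):
            print(f"{label:20} {dmz_host} -> {dst}: {dmz_to_inside(acl, dmz_host, dst)}")
```

Even with a fully open "permit ip any any" on the dmz, the real address 192.168.52.z stays unreachable; only the mapped 192.168.101.4 is translated and forwarded.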