PIX 515 static mapping problem

Author: Cisco Training   Source: from the web   Posted: 09-11-29

Student question:

Network topology: internet---pix----routeA---routeB--webserver
I need to map the webserver to the public address 210.xxx.xxx.225,
but after configuring it, the mapping does not work.
Below is part of the PIX configuration; could everyone take a look and tell me what the problem is?
PIX Version 7.2(1)
!
hostname xxx-idc-fw02
enable password wwYwMtZqfCxvZ3xc encrypted
names
name 210.xxx.xxx.225 file.ecc.com.cn
name 172.16.1.216 bej-cc-serve03
!
interface Ethernet0
speed 100
duplex full
nameif outside
security-level 0
ip address 210.xxx.xxx.220 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.0.243.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
passwd shhTBGZAEknTJdS6 encrypted
ftp mode passive
dns server-group DefaultDNS

same-security-traffic permit intra-interface
object-group icmp-type ping
icmp-object echo
icmp-object echo-reply

access-list out-in extended permit icmp any any object-group ping
access-list out-in extended permit icmp any any
access-list out-in extended permit tcp any host file.ecc.com.cn eq www
access-list out-in extended permit tcp any host 210.xxx.xxx.222
access-list in-out extended permit icmp any any object-group ping
access-list in-out extended permit ip object-group office-net any
access-list nonat extended permit ip 172.16.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 172.18.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 10.0.2.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging trap debugging

mtu outside 1500
mtu inside 1500
ip local pool vpnpool 192.168.10.1-192.168.10.254
ip verify reverse-path interface outside
ip verify reverse-path interface inside
no failover
no asdm history enable
arp timeout 14400
global (outside) 1 210.xxx.xxx.224
nat (inside) 0 access-list nonat
nat (inside) 1 172.16.1.0 255.255.255.0
static (inside,outside) tcp file.ecc.com.cn www bej-cc-serve03 www netmask 255.255.255.255

access-group out-in in interface outside
access-group in-out in interface inside
route outside 0.0.0.0 0.0.0.0 210.xxx.xxx.1 1
route inside 10.0.0.0 255.255.255.0 10.0.243.2 1
route inside 10.0.2.0 255.255.255.0 10.0.243.2 1
route inside 172.16.16.0 255.255.255.0 10.0.243.2 1
route inside 172.16.0.0 255.255.0.0 10.0.243.2 1
route inside 172.17.0.0 255.255.0.0 10.0.243.2 1
route inside 172.16.1.0 255.255.255.0 10.0.243.2 1
!
router ospf 1
network 10.0.243.0 255.255.255.0 area 10.0.243.0
area 10.0.243.0 nssa default-information-originate
log-adj-changes
!
timeout xlate 3:00:00
timeout conn 0:05:00 half-closed 0:05:00 udp 0:01:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute

telnet timeout 5
ssh 172.16.0.0 255.255.0.0 inside
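As an added check, not part of the original thread, the following Python script cross-references the three pieces of the poster's config that a static mapping depends on: the `static (inside,outside)`, the ACL bound to the outside interface, and the inside routes toward the real server. SAMPLE_CONFIG is a constructed excerpt of the posted config (the public address is kept as the literal placeholder the post shows and is only string-matched), and `check_static_nat` is a hypothetical helper name.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 7.2 config quoted in the post. The public
# address stays the literal placeholder the post uses; it is only string-matched.
SAMPLE_CONFIG = """
name 210.xxx.xxx.225 file.ecc.com.cn
name 172.16.1.216 bej-cc-serve03
access-list out-in extended permit tcp any host file.ecc.com.cn eq www
static (inside,outside) tcp file.ecc.com.cn www bej-cc-serve03 www netmask 255.255.255.255
access-group out-in in interface outside
route inside 172.16.0.0 255.255.0.0 10.0.243.2 1
route inside 172.16.1.0 255.255.255.0 10.0.243.2 1
"""
ACL_RE = re.compile(r"access-list (\S+) extended permit tcp any host (\S+) eq (\S+)")

def check_static_nat(config):
    """Cross-check the first tcp static (inside,outside) against the ACL bound to
    outside and the inside routes; 'issues' is empty when the pieces agree."""
    names, permits, outside_acls, routes, static = {}, [], set(), [], None
    for line in config.split("\n"):
        w = line.split() or [""]
        if w[0] == "name":
            names[w[2]] = w[1]                       # alias -> address
        elif w[0] == "route" and w[1] == "inside":
            routes.append((ipaddress.ip_network(f"{w[2]}/{w[3]}"), w[4]))
        elif w[0] == "access-group" and w[-1] == "outside":
            outside_acls.add(w[1])
        elif w[:3] == ["static", "(inside,outside)", "tcp"] and static is None:
            static = {"mapped": w[3], "port": w[4], "real": w[5]}
        elif m := ACL_RE.match(line):
            permits.append(m.groups())
    if static is None:
        return {"issues": ["no tcp static (inside,outside) found"]}
    issues, port = [], static["port"]
    mapped = names.get(static["mapped"], static["mapped"])
    real = names.get(static["real"], static["real"])
    # Pre-8.3 PIX/ASA ACLs match the *mapped* address: the outside permit must name it.
    acl_ok = any(a in outside_acls and names.get(h, h) == mapped and p == port
                 for a, h, p in permits)
    if not acl_ok:
        issues.append(f"no outside ACL permits tcp {mapped} eq {port}")
    # Longest-prefix inside route for the real server (also what uRPF on inside needs).
    hits = [r for r in routes if ipaddress.ip_address(real) in r[0]]
    best = max(hits, key=lambda r: r[0].prefixlen, default=None)
    if best is None:
        issues.append(f"no inside route covers {real}")
    return {"mapped": mapped, "real": real, "port": port, "acl_ok": acl_ok,
            "route": f"{best[0]} via {best[1]}" if best else None, "issues": issues}
```

On the posted excerpt the report comes back clean, which is consistent with the answer below: the PIX side of the mapping is self-consistent, so the remaining suspects are the devices and paths between the PIX and the web server.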
 
 
Answer from the Jieying instructors and students:

It is most likely that the network conditions do not allow the mapping to be done directly.