[Help] A question about PIX?

There are two web servers in the PIX's DMZ: 172.16.1.1 is external-facing and 172.16.1.150 is internal-facing. Internal staff can view Internet pages by accessing 172.16.1.1 and view internal pages by accessing 172.16.1.150. A branch office is connected to the internal network over a leased line. The branch subnet can ping the 172.16.1.* subnet, and branch staff can reach 172.16.1.1 over the web, but cannot reach 172.16.1.150 over the web, even though they can FTP to 172.16.1.150. I don't know what the reason is. Could everyone point out what the problem in the configuration is?

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 ca security60
enable password 7Mi3RT/6zXBwJoCz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname bwincfpix1
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
logging on
logging timestamp
no logging console
no logging monitor
no logging buffered
logging trap emergencies
logging facility 20
logging queue 512
logging host inside 192.168.1.98
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu ca 1500
ip address outside 61.43.23.189 255.255.255.240
ip address inside 192.168.2.129 255.255.255.128
ip address dmz 172.16.1.254 255.255.255.0
ip address ca 172.16.3.254 255.255.255.0
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
failover ip address ca 0.0.0.0
arp timeout 14400
global (outside) 1 61.43.23.177 netmask 255.255.255.240
global (dmz) 1 172.16.1.200 netmask 255.255.255.0
global (ca) 1 172.16.3.200 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
nat (ca) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 61.43.23.178 172.16.1.1 netmask 255.255.255.255 0 0
static (dmz,outside) 61.43.23.179 172.16.1.2 netmask 255.255.255.255 0 0
static (dmz,outside) 61.43.23.181 172.16.1.4 netmask 255.255.255.255 0 0
static (dmz,outside) 61.43.23.182 172.16.1.5 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.1.140 192.168.3.140 netmask 255.255.255.255 0 0
static (dmz,outside) 61.43.23.180 172.16.1.3 netmask 255.255.255.255 0 0
static (dmz,outside) 61.43.23.184 172.16.1.150 netmask 255.255.255.255 0 0
static (dmz,outside) 61.43.23.183 172.16.1.6 netmask 255.255.255.255 0 0
conduit permit tcp host 61.43.23.178 eq www any
conduit permit tcp host 61.43.23.179 eq ftp any
conduit permit tcp host 61.43.23.179 eq ftp-data any
conduit permit icmp host 61.43.23.178 any echo
conduit permit icmp host 61.43.23.178 any echo-reply
conduit permit icmp host 61.43.23.179 any echo
conduit permit icmp host 61.43.23.179 any echo-reply
conduit permit tcp host 61.43.23.181 eq domain any
conduit permit udp host 61.43.23.182 eq domain any
conduit permit tcp host 61.43.23.182 eq domain any
conduit permit udp host 61.43.23.181 eq domain any
conduit permit tcp host 61.43.23.181 eq 1433 any
conduit permit tcp host 61.43.23.180 eq smtp any
conduit permit tcp host 61.43.23.180 eq www any
conduit permit tcp host 61.43.23.178 eq ftp any
conduit permit tcp host 61.43.23.184 eq ftp any
conduit permit tcp host 61.43.23.184 eq ftp-data any
conduit permit tcp host 61.43.23.183 eq smtp any
conduit permit tcp host 172.16.1.140 eq 1352 host 172.16.1.6
conduit permit tcp host 172.16.1.140 eq 1352 host 172.16.1.3
conduit permit icmp any any
outbound 10 permit 192.168.1.5 255.255.255.255 0 tcp
outbound 10 permit 192.168.3.140 255.255.255.255 0 tcp
outbound 10 permit 192.168.1.4 255.255.255.255 0 tcp
outbound 10 permit 192.168.1.16 255.255.255.255 0 tcp
outbound 10 permit 192.168.1.50 255.255.255.255 0 tcp
outbound 10 permit 192.168.1.17 255.255.255.255 0 tcp
outbound 20 deny 0.0.0.0 0.0.0.0 80 tcp
outbound 20 except 172.16.1.1 255.255.255.255 80 tcp
outbound 20 except 172.16.1.3 255.255.255.255 25 tcp
outbound 20 except 172.16.1.1 255.255.255.255 0 tcp
outbound 20 except 172.16.1.160 255.255.255.255 0 tcp
outbound 20 except 172.16.1.6 255.255.255.255 80 tcp
outbound 20 except 172.16.1.150 255.255.255.255 0 tcp
outbound 20 except 172.16.1.2 255.255.255.255 0 tcp
outbound 20 except 172.16.1.140 255.255.255.255 0 tcp
outbound 20 except 172.16.1.3 255.255.255.255 80 tcp
outbound 20 deny 0.0.0.0 0.0.0.0 0 tcp
apply (inside) 20 outgoing_src
apply (inside) 10 outgoing_src
no rip outside passive
no rip outside default
rip inside passive
no rip inside default
no rip dmz passive
no rip dmz default
no rip ca passive
no rip ca default
route outside 0.0.0.0 0.0.0.0 61.43.23.190 1
route inside 10.10.0.0 255.255.0.0 192.168.2.254 1
route inside 192.168.0.0 255.255.0.0 192.168.2.254 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS  protocol tacacs
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public

Your configuration problem may be here:

outbound 10 permit 192.168.1.5 255.255.255.255 0 tcp
outbound 10 permit 192.168.3.140 255.255.255.255 0 tcp
outbound 10 permit 192.168.1.4 255.255.255.255 0 tcp
outbound 10 permit 192.168.1.16 255.255.255.255 0 tcp
outbound 10 permit 192.168.1.50 255.255.255.255 0 tcp
outbound 10 permit 192.168.1.17 255.255.255.255 0 tcp
outbound 20 deny 0.0.0.0 0.0.0.0 80 tcp

But I'm not clear about your internal network addressing. Could you provide a diagram that marks the internal and external network addresses?

Hope this helps.

conduit permit tcp host 61.43.23.184 eq www any

access-list
conduit: the problem lies in these two.
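The second and third replies both point at the conduit list. As an added example (not code from the original thread), this Python script maps the static (dmz,outside) translations in the posted config back to the conduit entries and lists which services each DMZ host exposes on the outside interface; the embedded config excerpt is constructed from the lines quoted above.

```python
# Added example (not from the original post): map the PIX "static (dmz,outside)"
# translations back to their "conduit" entries and list, per DMZ host, which
# services are reachable from the outside interface.
import re
from collections import defaultdict

# Constructed excerpt of the configuration quoted in the question.
SAMPLE_CONFIG = """\
static (dmz,outside) 61.43.23.178 172.16.1.1 netmask 255.255.255.255 0 0
static (dmz,outside) 61.43.23.179 172.16.1.2 netmask 255.255.255.255 0 0
static (dmz,outside) 61.43.23.184 172.16.1.150 netmask 255.255.255.255 0 0
conduit permit tcp host 61.43.23.178 eq www any
conduit permit tcp host 61.43.23.179 eq ftp any
conduit permit tcp host 61.43.23.179 eq ftp-data any
conduit permit tcp host 61.43.23.178 eq ftp any
conduit permit tcp host 61.43.23.184 eq ftp any
conduit permit tcp host 61.43.23.184 eq ftp-data any
conduit permit icmp any any
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask")
CONDUIT_RE = re.compile(r"^conduit permit (tcp|udp) host (\S+) eq (\S+) (\S+)")

def parse_statics(config):
    """Return {public_ip: dmz_ip} for every static (dmz,outside) line."""
    statics = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m and (m.group(1), m.group(2)) == ("dmz", "outside"):
            statics[m.group(3)] = m.group(4)
    return statics

def exposed_services(config):
    """Return {dmz_ip: sorted 'proto/service' list} reachable from outside."""
    statics = parse_statics(config)
    exposed = defaultdict(set)
    for line in config.splitlines():
        m = CONDUIT_RE.match(line)
        if not m:
            continue  # icmp and non-host conduits are not port exposures
        proto, public_ip, service, _src = m.groups()
        dmz_ip = statics.get(public_ip)
        if dmz_ip:  # a conduit with no matching static exposes nothing
            exposed[dmz_ip].add(f"{proto}/{service}")
    return {ip: sorted(s) for ip, s in exposed.items()}

def web_exposed(config, dmz_ip):
    """True when tcp/www is reachable from outside for this DMZ host."""
    return "tcp/www" in exposed_services(config).get(dmz_ip, [])
```

Running it against the excerpt shows 172.16.1.150 (public 61.43.23.184) exposing only ftp and ftp-data, which is the gap the reply above fills with a www conduit.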
