Доброго времени суток!
Действующая схема сети в данный момент такая:LAN -------> 192.168.10.254-ASA-xxx.xxx.xxx.114 -------> INET
Надо сделать следующую:
LAN -------> 192.168.10.254-|ASA|-xxx.xxx.xxx.114| -------> INET
DMZ -------> 192.168.0.1----|---|-xxx.xxx.xxx.115|
Смысл в том, чтобы посадить "железку" для видеоконференции (Tanberg E20) на отдельный внешний ip (провайдер выделил подсеть на 6 адресов).
В данный момент сделал проброс с ххх.ххх.ххх.115 на внутренний ip 192.168.10.31, звонок есть (в обе стороны), но не соединяется.
Хочу попробовать перенести железку из локальной сети (LAN) в отдельную (DMZ).
Или может быть кто-нибудь сталкивался с подобной проблемой и решил ее?
Конфиг АСЫ:
ASA Version 8.2(1)
!
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address ххх.ххх.ххх.114 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone MSK/MSD 3
clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network ELKABANK-NETS
network-object 192.168.10.0 255.255.255.0
object-group network ELKABANK-VPDN-NETS
network-object 192.168.11.0 255.255.255.0
access-list NONAT extended permit ip object-group ELKABANK-NETS object-group ELKABANK-VPDN-NETS
access-list NAT-LIST extended permit ip object-group ELKABANK-NETS any
access-list NAT-LIST extended permit icmp object-group ELKABANK-NETS any
access-list NAT-LIST extended permit gre object-group ELKABANK-NETS any
access-list VC extended permit ip any host ххх.ххх.ххх.115
access-list VC extended permit icmp any host ххх.ххх.ххх.115
access-list VC extended permit tcp any host ххх.ххх.ххх.115
access-list VC extended permit udp any host ххх.ххх.ххх.115
access-list VC extended permit gre any host ххх.ххх.ххх.115
access-list VC extended permit gre host 192.168.10.31 any
access-list VC extended permit ip host 192.168.10.31 any
access-list VC extended permit icmp host 192.168.10.31 any
access-list VC extended permit tcp host 192.168.10.31 any
access-list VC extended permit udp host 192.168.10.31 any
pager lines 24
logging enable
logging timestamp
logging buffer-size 16384
logging buffered warnings
logging history critical
mtu inside 1500
mtu outside 1500
ip local pool vpdn-pool 192.168.11.2-192.168.11.16
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 ххх.ххх.ххх.115
nat (inside) 0 access-list NONAT
nat (inside) 1 access-list NAT-LIST
nat (inside) 2 access-list VC
static (inside,outside) ххх.ххх.ххх.115 192.168.10.31 netmask 255.255.255.255
access-group VC in interface outside
route outside 0.0.0.0 0.0.0.0 ххх.ххх.ххх.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set elk-vpdn-trans esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map vpdn-map 10 set transform-set elk-vpdn-trans
crypto map vpdn 10 ipsec-isakmp dynamic vpdn-map
crypto map vpdn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 192.168.10.0 255.255.255.0 inside
telnet 192.168.11.0 255.255.255.0 inside
telnet 194.9.38.0 255.255.254.0 outside
telnet 192.168.11.0 255.255.255.0 outside
telnet timeout 60
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.11.0 255.255.255.0 inside
ssh 194.9.38.0 255.255.254.0 outside
ssh 192.168.11.0 255.255.255.0 outside
ssh timeout 60
console timeout 60
dhcpd dns 195.5.128.130 195.5.128.137
!
dhcpd address 192.168.10.1-192.168.10.239 inside
dhcpd lease 1048575 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 194.9.39.111
ntp server 194.9.38.111
group-policy VPDN internal
group-policy VPDN attributes
vpn-idle-timeout 60
vpn-session-timeout none
vpn-tunnel-protocol IPSec
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value NONAT
tunnel-group ELK-VPN type remote-access
tunnel-group ELK-VPN general-attributes
address-pool vpdn-pool
default-group-policy VPDN
tunnel-group ELK-VPN ipsec-attributes
pre-shared-key *
!
class-map inspection
!
!
policy-map dmz
class inspection
inspect sip
inspect h323 h225
inspect h323 ras
inspect icmp
inspect http
!
prompt hostname context
: end
Понятно, что надо настроить VlanХ (dmz)
один из портов Eth0/x switchport access Vlan2
а вот что дальше?
Версия для распечатки
Cisco ASA 5505 и видеоконференция Tandberg, 
timmer, 29-Ноя-10, 15:11 [смотреть все]
