Good day. Please help. I can't get traffic to pass from outside to inside.
ASA Version 7.2(1)
!
hostname ciscoasa
domain-name xxx.ru
enable password J3QefryiQ9zlWmPY encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address x.x.12.162 255.255.255.248
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.2.1.254 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
nameif dmz
security-level 50
no ip address
!
interface GigabitEthernet0/3
shutdown
nameif backup
security-level 0
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk1:/asa721-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name xxx.ru
object-group network local-net
network-object 10.2.3.0 255.255.255.0
network-object 10.2.6.0 255.255.255.0
network-object 10.2.7.0 255.255.255.0
network-object 10.2.12.0 255.255.255.0
object-group service web tcp
port-object eq aol
port-object eq www
port-object eq https
port-object eq ftp
access-list ins extended permit tcp object-group local-net any object-group web
access-list ins extended permit tcp host 10.2.1.100 any eq smtp
access-list out extended permit tcp any object-group local-net object-group web
access-list out extended permit tcp any host 10.2.1.100 eq smtp
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu backup 1500
no failover
asdm image disk1:/ASDM521.BIN
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 x.x.12.163 netmask 255.255.255.255
global (outside) 2 x.x.12.164 netmask 255.255.255.255
global (outside) 3 x.x.12.165 netmask 255.255.255.255
nat (inside) 3 10.2.3.0 255.255.255.0
nat (inside) 3 10.2.6.0 255.255.255.0
nat (inside) 3 10.2.7.0 255.255.255.0
nat (inside) 3 10.2.12.0 255.255.255.0
static (inside,outside) tcp x.x.12.164 smtp 10.2.1.100 smtp netmask 255.255.255.255
access-group out in interface outside
access-group ins in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.12.161 1
route inside 198.168.4.0 255.255.255.0 192.168.1.1 1
route inside 10.2.12.0 255.255.255.0 10.2.1.1 1
route inside 10.2.6.0 255.255.255.0 10.2.1.1 1
route inside 10.2.3.0 255.255.255.0 10.2.1.1 1
route inside 10.2.7.0 255.255.255.0 10.2.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username user password mbO2jYs13AXlIAGa encrypted privilege 15
username ciscoasa password nFYoTYjH1qQYUU1g encrypted privilege 15
aaa authentication enable console LOCAL
aaa authorization command LOCAL
http server enable
http 10.2.7.202 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.2.7.202 255.255.255.255 inside
telnet 10.2.7.225 255.255.255.255 inside
telnet timeout 30
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:64d2f478fae45adca9a236b63f5fb5da
: end
packet-tracer input outside tcp 12.12.12.12 http 10.2.7.202 http
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.2.7.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group out in interface outside
access-list out extended permit tcp any object-group local-net object-group web
object-group network local-net
network-object 10.2.3.0 255.255.255.0
network-object 10.2.6.0 255.255.255.0
network-object 10.2.7.0 255.255.255.0
network-object 10.2.12.0 255.255.255.0
object-group service web tcp
port-object eq aol
port-object eq www
port-object eq https
port-object eq ftp
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 3 10.2.7.0 255.255.255.0
nat-control
match ip inside 10.2.7.0 255.255.255.0 outside any
dynamic translation to pool 3 (x.x.12.165)
translate_hits = 25937, untranslate_hits = 0
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
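As an added example (not part of the original post), a small Python parser for the packet-tracer output shown above: it splits the trace into phases, finds the phase whose Result is DROP, and reports that phase's Config lines. The point is that the summary's Drop-reason ("acl-drop") is generic on ASA 7.x, while the phase that actually failed here is Phase 5 (NAT, rpf-check). The trace embedded in the script is the post's own output, trimmed to phases 1, 3, 5 and the summary; the hint text attached to NAT/rpf-check is a general reading of that phase on nat-control ASAs and is an assumption of this example, not something the post states.

```python
"""Parse Cisco ASA packet-tracer output and point at the phase that dropped the flow.

Added example; not code from the original post. SAMPLE_TRACE is the post's own
trace, trimmed to phases 1, 3, 5 and the final summary block.
"""
import re
from typing import Optional

SAMPLE_TRACE = """\
packet-tracer input outside tcp 12.12.12.12 http 10.2.7.202 http
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group out in interface outside
access-list out extended permit tcp any object-group local-net object-group web
Additional Information:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 3 10.2.7.0 255.255.255.0
nat-control
match ip inside 10.2.7.0 255.255.255.0 outside any
dynamic translation to pool 3 (x.x.12.165)
translate_hits = 25937, untranslate_hits = 0
Additional Information:
Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
FIELD_RE = re.compile(r"^(Type|Subtype|Result|Config|Additional Information):\s*(.*)$")

# Readings of (Type, Subtype) pairs for a DROP phase. General ASA nat-control
# behaviour as understood by the author of this example; the post itself does
# not state this interpretation.
HINTS = {
    ("NAT", "rpf-check"): ("destination is covered only by a dynamic nat/global rule; "
                           "with nat-control an outside-initiated flow needs a static "
                           "(or identity) translation for that host"),
    ("ACCESS-LIST", "log"): "the interface ACL denied the flow; check the access-group "
                            "applied to the input interface",
}


def parse_packet_tracer(text: str) -> dict:
    """Return {'phases': [...], 'summary': {...}} from raw packet-tracer output."""
    phases, summary = [], {}
    current = None          # phase dict being filled
    section = None          # 'config' or 'info' while inside that sub-block
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
            continue
        if line == "Result:":               # bare 'Result:' opens the final summary block
            in_summary, current, section = True, None, None
            continue
        if in_summary:                      # 'key: value' lines up to Drop-reason
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
            continue
        if current is None:                 # echoed command line before Phase 1
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key == "Config":
                section = "config"
            elif key == "Additional Information":
                section = "info"
            else:
                current[key.lower()] = value
                section = None
            continue
        if section:                         # free-form lines under Config / Additional Information
            current[section].append(line)
    return {"phases": phases, "summary": summary}


def diagnose(parsed: dict) -> Optional[dict]:
    """First phase with Result: DROP, with its Config lines and a hint; None if allowed."""
    for ph in parsed["phases"]:
        if ph["result"] == "DROP":
            hint = HINTS.get((ph["type"], ph["subtype"]), "see the Config lines of this phase")
            return {"phase": ph["phase"], "type": ph["type"], "subtype": ph["subtype"],
                    "config": list(ph["config"]), "hint": hint}
    return None


if __name__ == "__main__":
    parsed = parse_packet_tracer(SAMPLE_TRACE)
    s = parsed["summary"]
    print("summary:", s.get("Action"), "-", s.get("Drop-reason"))
    verdict = diagnose(parsed)
    if verdict:
        print(f"dropped in phase {verdict['phase']} "
              f"({verdict['type']}/{verdict['subtype']}): {verdict['hint']}")
        for c in verdict["config"]:
            print("   ", c)
```

Run it on a saved trace (`python trace.py < show.txt` after swapping SAMPLE_TRACE for `sys.stdin.read()`) to get the failing phase and its matching config lines without reading the whole trace by hand; the generic `acl-drop` reason in the summary is what usually sends people to the access-lists when the problem is elsewhere.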