Wisard
Junior Member

Hi all, honest guard! I'm asking the collective mind for help, because I can no longer see it myself, and the internets haven't helped me much with their advice either (I dug around, and what I googled didn't help). There is a config in which ping and LDAP work from a host in the DMZ to a host on the internal network:

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
names
name 10.1.0.53 Exchange
name 192.168.1.3 ExchangeDMZ
name 192.168.1.2 Relay
name 10.1.0.50 DC
!
interface Ethernet0/0
 speed 100
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.252.0
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address Х.Х.Х.Х 255.255.255.248
!
interface Ethernet0/2
 speed 100
 nameif dmz
 security-level 99
 ip address 192.168.1.20 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.16.0.1 255.255.255.0
 management-only
!
passwd hDeOycCEFnED4dQT encrypted
ftp mode passive
clock timezone Mos 3
clock summer-time Mos recurring last Sun Mar 2:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name ngt-m.ru
object-group network banks
 network-object host 212.154.181.74
 network-object host 194.84.85.103
 network-object host 194.84.85.102
 network-object host 213.247.231.5
 network-object host 64.12.24.190
 network-object host 195.245.76.126
 network-object host 81.176.69.62
 network-object host 213.208.182.154
 network-object host 213.208.182.155
 network-object host 213.208.182.156
 network-object host 10.21.132.104
 network-object host 195.38.22.165
object-group network bank-clients
 network-object host 10.1.1.3
 network-object host 10.1.1.11
 network-object host 10.1.1.8
 network-object host 10.1.1.14
 network-object host 10.1.1.10
 network-object host 10.1.1.20
 network-object host 10.1.1.4
object-group service banks-ports tcp
 port-object eq ftp
 port-object eq 1024
 port-object eq 1400
 port-object eq aol
 port-object eq 1026
 port-object eq 7050
 port-object eq 2221
 port-object eq ftp-data
access-list IN extended permit ip host 10.1.0.52 any
access-list IN extended permit tcp 10.1.0.0 255.255.252.0 any eq aol
access-list IN extended permit icmp any any
access-list IN extended permit tcp object-group bank-clients object-group banks object-group banks-ports
access-list IN extended permit tcp 10.1.0.0 255.255.252.0 any eq https
access-list IN extended permit tcp host Relay host Exchange eq smtp
access-list IN extended permit tcp host Relay host Exchange eq 26
access-list IN extended permit tcp host Exchange host Relay eq smtp
access-list IN extended permit tcp host Exchange host Relay eq 26
access-list IN extended permit udp 10.1.0.0 255.255.252.0 any eq isakmp
access-list IN extended permit udp 10.1.0.0 255.255.252.0 any eq 10000
access-list IN extended permit tcp 10.1.0.0 255.255.252.0 any eq 10000
access-list IN extended permit tcp 10.1.0.0 255.255.252.0 any eq www
access-list IN extended permit udp 10.1.0.0 255.255.252.0 any eq domain
access-list IN extended permit tcp 10.1.0.0 255.255.252.0 any eq domain
access-list IN extended permit tcp host Relay host 10.1.0.99 eq 3389
access-list IN extended permit tcp host DC any
access-list IN extended permit ip 10.1.244.0 255.255.255.0 any
access-list IN extended permit ip 10.1.243.0 255.255.255.0 any
access-list IN extended permit tcp 10.1.0.0 255.255.252.0 any eq 7777
access-list IN extended permit tcp 10.1.0.0 255.255.252.0 any eq 2106
access-list IN extended permit tcp 10.1.0.0 255.255.252.0 any eq 2107
access-list IN extended permit tcp 10.1.0.0 255.255.252.0 any eq 1777
access-list IN extended permit udp 10.1.0.0 255.255.252.0 any eq 1777
access-list IN extended permit udp 10.1.0.0 255.255.252.0 any eq 7777
access-list IN extended permit udp 10.1.0.0 255.255.252.0 any eq 2106
access-list IN extended permit udp 10.1.0.0 255.255.252.0 any eq 2107
access-list IN extended permit ip 10.1.0.0 255.255.252.0 any
access-list DMZ extended permit tcp any any eq 26
access-list DMZ extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list DMZ extended permit tcp host Relay any eq https
access-list DMZ extended permit tcp any any eq smtp
access-list DMZ extended permit tcp host Exchange host Relay eq 26
access-list DMZ extended permit icmp any any
access-list DMZ extended permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list DMZ extended permit tcp host Exchange host Relay eq smtp
access-list DMZ extended permit tcp host Relay host Exchange eq smtp
access-list DMZ extended permit tcp host Relay any
access-list OUT extended permit icmp any any
access-list OUT extended permit tcp any any eq smtp
access-list OUT extended permit tcp any any eq https
access-list VPNnat extended permit ip 10.1.0.0 255.255.252.0 10.1.243.0 255.255.255.0
access-list VPNnat extended permit ip 10.1.0.0 255.255.252.0 10.1.244.0 255.255.255.0
access-list VPNnat extended permit ip 10.1.0.0 255.255.252.0 10.1.4.0 255.255.252.0
access-list VPNnat extended permit ip 10.1.0.0 255.255.252.0 10.1.5.0 255.255.255.0
access-list VPNnat extended permit ip host DC host Relay
access-list VPNacl extended permit ip 10.1.0.0 255.255.252.0 10.1.243.0 255.255.255.0
access-list 100 extended permit ip 10.1.0.0 255.255.252.0 10.1.4.0 255.255.252.0
access-list 100 extended permit ip 10.1.0.0 255.255.252.0 10.1.5.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu management 1500
ip local pool vpnpool 10.1.243.1-10.1.243.50
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list VPNnat
nat (inside) 1 10.1.0.0 255.255.252.0
nat (dmz) 1 192.168.1.0 255.255.255.0
static (inside,dmz) tcp ExchangeDMZ smtp Exchange smtp netmask 255.255.255.255
static (inside,outside) tcp interface https Exchange https netmask 255.255.255.255
static (dmz,outside) tcp interface smtp Relay smtp netmask 255.255.255.255
static (dmz,inside) tcp Relay smtp Relay 26 netmask 255.255.255.255
access-group IN in interface inside
access-group OUT in interface outside
access-group DMZ in interface dmz
route outside 0.0.0.0 0.0.0.0 93.191.17.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:02:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy ооо internal
group-policy ооо attributes
 dns-server value 10.1.0.50
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNacl
username ххх password ххх.qXbY encrypted
username ххх attributes
 vpn-simultaneous-logins 10
 vpn-tunnel-protocol IPSec
http server enable
http 10.1.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec transform-set VPN2SP esp-3des esp-sha-hmac
crypto map outside_map 3 match address 100
crypto map outside_map 3 set peer 89.222.215.188
crypto map outside_map 3 set transform-set VPN2SP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
tunnel-group vpnngt type ipsec-ra
tunnel-group vpnngt general-attributes
 address-pool vpnpool
 default-group-policy vpnngt
tunnel-group vpnngt ipsec-attributes
 pre-shared-key *
tunnel-group 89.222.215.188 type ipsec-l2l
tunnel-group 89.222.215.188 ipsec-attributes
 pre-shared-key *
telnet 10.1.1.0 255.255.255.0 inside
telnet 10.1.0.0 255.255.255.0 inside
telnet timeout 60
ssh 10.1.0.0 255.255.252.0 inside
ssh timeout 60
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect http
  inspect h323 h225
  inspect h323 ras
  inspect esmtp
!
service-policy global_policy global
smtp-server 10.1.0.53
prompt hostname context
Cryptochecksum:586fb61b7174400d8a1b5a8f2daa4b86
: end

Junk aside, everything here is fine. ATTENTION, THE QUESTION! What is wrong with the config BELOW, since in a completely similar office I cannot reach LDAP on the internal network? The log says "No translation group found for tcp src .." The non-working config:

ASA Version 7.0(7)
!
names
name 192.168.1.2 Relay
name 192.168.1.3 ExchangeDMZ
name 10.1.4.53 Exchange
name 10.1.4.56 Proxy
dns-guard
!
interface Ethernet0/0
 nameif INSIDE
 security-level 100
 ip address 10.1.4.1 255.255.252.0
!
interface Ethernet0/1
 nameif OUTSIDE
 security-level 0
 ip address Х.Х.Х.Х 255.255.255.248
!
interface Ethernet0/2
 nameif DMZ
 security-level 99
 ip address 192.168.1.20 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.16.0.1 255.255.0.0
 management-only
!
passwd iRoRTstHM4j7ihQZ encrypted
ftp mode passive
object-group network banks
 network-object host 194.84.85.102
 network-object host 194.84.85.103
 network-object host 195.161.113.85
 network-object host 81.177.14.202
 network-object host 195.38.22.165
object-group network bank-clients
 network-object host 10.1.5.13
 network-object host 10.1.5.16
 network-object host 10.1.4.44
object-group service bank-ports tcp
 port-object eq ftp
 port-object eq 1024
 port-object eq 1400
 port-object eq pop3
 port-object eq smtp
object-group network PchSrv
 network-object host 10.1.0.50
 network-object host 10.1.0.52
 network-object host 10.1.0.46
 network-object host 10.1.0.53
 network-object host 10.1.1.19
object-group network SpSrv
 network-object host Exchange
 network-object host 10.1.4.52
 network-object host 10.1.4.46
 network-object host 10.1.4.55
access-list IN extended permit tcp host Relay host Exchange eq 26
access-list IN extended permit tcp host Exchange host Relay eq smtp
access-list IN extended permit tcp host Relay host Exchange eq smtp
access-list IN extended permit icmp any any
access-list IN extended permit tcp 10.1.4.0 255.255.252.0 any eq domain
access-list IN extended permit udp 10.1.4.0 255.255.252.0 any eq domain
access-list IN extended permit tcp object-group bank-clients object-group banks object-group bank-ports
access-list IN extended permit ip 10.1.244.0 255.255.255.0 10.1.4.0 255.255.252.0
access-list IN extended permit tcp 10.1.4.0 255.255.252.0 any eq aol
access-list IN extended permit tcp 10.1.4.0 255.255.252.0 any eq https
access-list IN extended permit tcp 10.1.4.0 255.255.252.0 any eq 10000
access-list IN extended permit tcp 10.1.4.0 255.255.252.0 host Relay
access-list IN extended permit tcp 10.1.4.0 255.255.252.0 any eq ftp
access-list IN extended permit ip object-group SpSrv object-group PchSrv
access-list IN extended permit ip object-group SpSrv any
access-list IN extended permit tcp host 10.1.5.4 any
access-list IN extended permit ip host 10.1.5.4 any
access-list IN extended permit udp host 10.1.5.4 any
access-list IN extended permit udp 10.1.4.0 255.255.252.0 any eq ntp
access-list IN extended permit tcp host Proxy any
access-list IN extended permit ip host Proxy any
access-list IN extended permit udp host Proxy any
access-list IN extended permit ip 10.1.4.0 255.255.252.0 object-group PchSrv
access-list IN extended permit udp 10.1.4.0 255.255.252.0 any eq isakmp
access-list IN extended permit udp 10.1.4.0 255.255.252.0 any eq 10000
access-list IN extended permit tcp 10.1.4.0 255.255.252.0 any eq 7777
access-list IN extended permit udp 10.1.4.0 255.255.252.0 any eq 7777
access-list IN extended permit tcp 10.1.4.0 255.255.252.0 any eq 1777
access-list IN extended permit udp 10.1.4.0 255.255.252.0 any eq 1777
access-list IN extended permit tcp 10.1.4.0 255.255.252.0 any eq 2107
access-list IN extended permit udp 10.1.4.0 255.255.252.0 any eq 2107
access-list IN extended permit tcp 10.1.4.0 255.255.252.0 any eq 2106
access-list IN extended permit udp 10.1.4.0 255.255.252.0 any eq 2106
access-list IN extended permit udp 10.1.4.0 255.255.252.0 any eq 389
access-list IN extended permit tcp 10.1.4.0 255.255.252.0 any eq ldap
access-list IN extended permit ip 10.1.4.0 255.255.252.0 any
access-list IN extended permit tcp host 10.1.4.52 any
access-list OUT extended permit icmp any any
access-list OUT extended permit tcp any any eq smtp
access-list OUT extended permit tcp any any eq https
access-list OUT extended permit tcp any any eq imap4
access-list OUT extended permit tcp any any eq 993
access-list DMZ extended permit icmp any any
access-list DMZ extended permit tcp any any eq 26
access-list DMZ extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list DMZ extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list DMZ extended permit tcp host Relay any eq https
access-list DMZ extended permit tcp any any eq smtp
access-list DMZ extended permit tcp host Exchange host Relay eq 26
access-list DMZ extended permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list DMZ extended permit tcp host Exchange host Relay eq smtp
access-list DMZ extended permit tcp host Relay host ExchangeDMZ eq smtp
access-list DMZ extended permit tcp host Relay any
access-list DMZ extended permit tcp 192.168.1.0 255.255.255.0 any eq ldap
access-list DMZ extended permit tcp host Relay host Exchange eq smtp
access-list VPNnat extended permit ip 10.1.4.0 255.255.252.0 10.1.244.0 255.255.255.0
access-list VPNnat extended permit ip 10.1.4.0 255.255.252.0 10.1.0.0 255.255.252.0
access-list VPNnat extended permit ip 10.1.5.0 255.255.255.0 10.1.0.0 255.255.252.0
access-list 100 extended permit ip 10.1.4.0 255.255.252.0 10.1.0.0 255.255.252.0
access-list 100 extended permit ip 10.1.5.0 255.255.255.0 10.1.0.0 255.255.252.0
access-list VPNacl extended permit ip 10.1.4.0 255.255.252.0 10.1.244.0 255.255.255.0
pager lines 24
logging asdm informational
mtu INSIDE 1500
mtu OUTSIDE 1500
mtu DMZ 1500
mtu management 1500
ip local pool VPNpool 10.1.244.1-10.1.244.50 mask 255.255.255.0
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
global (DMZ) 1 interface
nat (INSIDE) 0 access-list VPNnat
nat (INSIDE) 1 10.1.4.0 255.255.252.0
nat (INSIDE) 1 10.1.0.0 255.255.0.0
nat (DMZ) 1 192.168.1.0 255.255.255.0
static (INSIDE,OUTSIDE) tcp interface 3389 10.1.4.50 3389 netmask 255.255.255.255
static (INSIDE,DMZ) tcp ExchangeDMZ smtp Exchange smtp netmask 255.255.255.255
static (DMZ,OUTSIDE) tcp interface smtp Relay smtp netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp interface https Exchange https netmask 255.255.255.255
static (DMZ,INSIDE) tcp Relay smtp Relay 26 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp interface imap4 Exchange imap4 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp interface 993 Exchange 993 netmask 255.255.255.255
access-group IN in interface INSIDE
access-group OUT in interface OUTSIDE
access-group DMZ in interface DMZ
route OUTSIDE 0.0.0.0 0.0.0.0 89.222.215.190 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy ооо internal
group-policy ооо attributes
 dns-server value 10.1.4.52
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNacl
 webvpn
username ххх password ххх.qXbY encrypted
username ххх attributes
 vpn-simultaneous-logins 10
 vpn-tunnel-protocol IPSec webvpn
http server enable
http 10.1.4.0 255.255.252.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPNtoFilials esp-3des esp-md5-hmac
crypto ipsec transform-set VPNtoOffice esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set VPN2ZNAM esp-3des esp-sha-hmac
crypto dynamic-map vpn-client 6 set transform-set VPNtoOffice
crypto map map2 3 match address 100
crypto map map2 3 set peer 93.191.17.162
crypto map map2 3 set transform-set VPN2ZNAM
crypto map map2 65535 ipsec-isakmp dynamic vpn-client
crypto map map2 interface OUTSIDE
isakmp identity address
isakmp enable OUTSIDE
isakmp policy 4 authentication pre-share
isakmp policy 4 encryption 3des
isakmp policy 4 hash sha
isakmp policy 4 group 2
isakmp policy 4 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp ipsec-over-tcp port 10000
tunnel-group 93.191.17.162 type ipsec-l2l
tunnel-group 93.191.17.162 ipsec-attributes
 pre-shared-key *
tunnel-group vpnmechanicus type ipsec-ra
tunnel-group vpnmechanicus general-attributes
 address-pool VPNpool
 default-group-policy vpnmechanicus
tunnel-group vpnmechanicus ipsec-attributes
 pre-shared-key *
telnet timeout 60
ssh 10.1.4.0 255.255.252.0 INSIDE
ssh 93.191.17.160 255.255.255.248 OUTSIDE
ssh 93.191.17.0 255.255.255.0 OUTSIDE
ssh timeout 60
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect esmtp
!
service-policy global_policy global
smtp-server 10.1.4.53
Cryptochecksum:4e4e704e48b63f24e1362684d879e47b
: end

I apologise for the long config, I just don't know how to put text into a collapsible block here. Thanks in advance for the help.

Total posts: 173 | Registered: 16-09-2002 | Posted: 17:37 25-10-2010 | Edited: Wisard, 17:42 25-10-2010
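Added example, not part of the post and not Cisco's code: a small Python model of how a pre-8.3 ASA (both configs above use the 7.x `nat`/`global`/`static` syntax) decides whether a connection arriving on a lower-security interface (DMZ, level 99) towards a real host on a higher-security interface (inside, level 100) has a translation to use, which is what the "No translation group found" message (%ASA-3-305005) is about. The rule order is a simplification: NAT exemption (`nat 0 access-list`, matched in both directions) first, then a `static` whose mapped address is the destination, then dynamic `nat`/`global`, which only ever creates xlates for connections the inside host itself opened. The config excerpts are the NAT-relevant lines copied from the two posted configs; the post does not say which inside host serves LDAP, so `LDAP_HOST = "10.1.4.52"` is an assumption (it is the second office's group-policy `dns-server`). `BROKEN_WITH_EXEMPTION` appends an exemption of the same form the working office has for `DC <-> Relay`, so the model's verdict for the two offices can be compared on the same flow.

```python
"""Simplified model of the pre-8.3 Cisco ASA NAT lookup for a connection that enters a
lower-security interface (DMZ) towards a real host on a higher-security interface (INSIDE).
Assumed rule order (a simplification, not the ASA source):
  1. NAT exemption  'nat (INSIDE) 0 access-list X'  (bidirectional, ACL names the inside host as source)
  2. static NAT/PAT 'static (INSIDE,DMZ) ...'        (mapped address must equal the destination)
  3. dynamic NAT/PAT 'nat (INSIDE) <id>' + 'global (DMZ) <id>': xlates exist only for outbound
     connections, so an inbound one is dropped with %ASA-3-305005 "No translation group found"
  4. nothing matches: forwarded untranslated (nat-control is off by default in 7.x)
"""
import ipaddress

PORT_NAMES = {"smtp": 25, "domain": 53, "www": 80, "imap4": 143, "ldap": 389, "https": 443}


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _endpoint(tok, i, names):
    """Parse one ACL endpoint: 'any' | 'host X' | 'NET MASK'. Returns (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(names.get(tok[i + 1], tok[i + 1])), i + 2
    return ipaddress.ip_network(f"{names.get(tok[i], tok[i])}/{tok[i + 1]}", strict=False), i + 2


def parse_nat(config_text):
    """Collect the name table, ACLs and nat/global/static lines from a running-config excerpt."""
    names, acls, nat0, dyn, glob, statics = {}, {}, {}, [], {}, []
    for line in config_text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "name":                       # name <ip> <alias>
            names[tok[2]] = tok[1]
        elif tok[0] == "access-list" and "permit" in tok:
            acls.setdefault(tok[1], []).append(tok)
        elif tok[0] == "nat":
            iface = tok[1].strip("()").lower()
            if tok[2] == "0" and tok[3] == "access-list":   # NAT exemption
                nat0[iface] = tok[4]
            else:                                           # dynamic NAT/PAT pool id
                dyn.append((iface, tok[2], ipaddress.ip_network(f"{tok[3]}/{tok[4]}", strict=False)))
        elif tok[0] == "global":
            glob.setdefault(tok[1].strip("()").lower(), set()).add(tok[2])
        elif tok[0] == "static":
            real_if, mapped_if = tok[1].strip("()").lower().split(",")
            if tok[2] in ("tcp", "udp"):   # static PAT: proto mapped mport real rport
                statics.append((real_if, mapped_if, tok[2], tok[3], _port(tok[4]), tok[5], _port(tok[6])))
            else:                           # static NAT: mapped real
                statics.append((real_if, mapped_if, None, tok[2], None, tok[3], None))
    return names, acls, nat0, dyn, glob, statics


def inbound_lookup(config_text, in_iface, out_iface, src, dst, proto="tcp", dport=389):
    """Verdict for a flow entering in_iface (lower security) towards real host dst on out_iface."""
    names, acls, nat0, dyn, glob, statics = parse_nat(config_text)
    in_iface, out_iface = in_iface.lower(), out_iface.lower()
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. NAT exemption: the ACL is written from the inside host's side, so match it reversed
    for tok in acls.get(nat0.get(out_iface, ""), []):
        if tok[4] != "ip":
            continue
        real_net, i = _endpoint(tok, 5, names)
        peer_net, _ = _endpoint(tok, i, names)
        if dst_ip in real_net and src_ip in peer_net:
            return "exempt", f"nat 0 access-list {nat0[out_iface]} exempts {dst} <-> {src}"
    # 2. static NAT/PAT with the real host on out_iface and the mapped address on in_iface
    for real_if, mapped_if, sproto, mapped, mport, real, rport in statics:
        if (real_if, mapped_if) != (out_iface, in_iface) or names.get(mapped, mapped) != dst:
            continue
        if sproto is None or (sproto == proto and mport == dport):
            return "static", f"static maps {mapped}:{mport or '*'} -> {real}:{rport or '*'}"
    # 3. dynamic NAT/PAT: xlates only exist for connections the inside host opened itself
    for iface, nat_id, net in dyn:
        if iface == out_iface and dst_ip in net and nat_id in glob.get(in_iface, ()):
            return "no-xlate", (f"{dst} is under 'nat ({out_iface}) {nat_id}' with 'global ({in_iface}) "
                                f"{nat_id}': inbound flow gets %ASA-3-305005 No translation group found")
    return "untranslated", "no NAT rule applies; forwarded without translation"


# NAT-relevant lines copied from the two posted configs (constructed excerpts, not full configs).
WORKING_OFFICE = """
name 10.1.0.53 Exchange
name 192.168.1.3 ExchangeDMZ
name 192.168.1.2 Relay
name 10.1.0.50 DC
access-list VPNnat extended permit ip 10.1.0.0 255.255.252.0 10.1.243.0 255.255.255.0
access-list VPNnat extended permit ip host DC host Relay
global (dmz) 1 interface
nat (inside) 0 access-list VPNnat
nat (inside) 1 10.1.0.0 255.255.252.0
static (inside,dmz) tcp ExchangeDMZ smtp Exchange smtp netmask 255.255.255.255
"""
BROKEN_OFFICE = """
name 192.168.1.2 Relay
access-list VPNnat extended permit ip 10.1.4.0 255.255.252.0 10.1.244.0 255.255.255.0
access-list VPNnat extended permit ip 10.1.4.0 255.255.252.0 10.1.0.0 255.255.252.0
global (DMZ) 1 interface
nat (INSIDE) 0 access-list VPNnat
nat (INSIDE) 1 10.1.4.0 255.255.252.0
"""
LDAP_HOST = "10.1.4.52"   # assumption: the post does not name the inside LDAP server
# Same exemption form the working office has for DC <-> Relay, applied to the assumed LDAP host.
BROKEN_WITH_EXEMPTION = BROKEN_OFFICE + f"access-list VPNnat extended permit ip host {LDAP_HOST} host Relay\n"
```

Calling `inbound_lookup(WORKING_OFFICE, "dmz", "inside", "192.168.1.2", "10.1.0.50")` returns the `exempt` verdict, the same call against `BROKEN_OFFICE` with `LDAP_HOST` returns `no-xlate` with the 305005 text, and against `BROKEN_WITH_EXEMPTION` it returns `exempt` again; `show xlate` and `show nat` on the box are the authoritative check, the model only explains which rule the ASA would have needed to find.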