Всем доброго времени суток. Есть асашка, в ней задействованы 3 порта: интернет, локалка и дмз. проблема в том, что я из локалки не могу пропинговать дмз-шные компы, соответственно и работать с ними (ну и наооборот из дмз в локалку, соответственно тоже). адрес компа из дмз для примера 192.168.0.113 из локалки 172.16.23.58 маска 128 везде. вот конфиг, помогите кто чем может, заранее спасибо...ASA Version 8.3(1) ! hostname asa domain-name vstcb.ru enable password vOzFfYR7MmgU/zWh encrypted passwd 2KFQnbNIdI.2KYOU encrypted names ! interface Ethernet0/0 description internet nameif outside security-level 0 ip address 1xx.xxx.xx.xx8 255.255.255.248 ! interface Ethernet0/1 description local speed 100 duplex full nameif inside security-level 100 ip address 172.16.0.209 255.255.128.0 ! interface Ethernet0/2 description dmz speed 100 duplex full nameif dmz security-level 100 ip address 192.168.0.202 255.255.128.0 ! interface Ethernet0/3 shutdown no nameif no security-level no ip address ! interface Management0/0 shutdown no nameif no security-level no ip address ! ftp mode passive clock timezone IRK/MDD 3 clock summer-time IRK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00 dns domain-lookup outside dns server-group DefaultDNS name-server 1xx.xxx.xx.xx7 domain-name vstcb.ru object network inside-net subnet 172.16.0.0 255.255.0.0 object network dmz subnet 192.168.0.0 255.255.0.0 access-list acl_out_inside extended permit tcp 172.16.0.0 255.255.0.0 any access-list acl_out_inside extended permit ip 172.16.0.0 255.255.0.0 any access-list acl_out_inside extended permit icmp 172.16.0.0 255.255.0.0 any access-list acl_out_dmz extended permit ip 192.168.0.0 255.255.0.0 any access-list acl_out_dmz extended permit icmp 192.168.0.0 255.255.0.0 any access-list acl_out_dmz extended permit tcp 192.168.0.0 255.255.0.0 any access-list acl_in_dmz extended permit ip any 192.168.0.0 255.255.0.0 access-list acl_in_dmz extended permit tcp any 192.168.0.0 255.255.0.0 access-list acl_in_dmz extended permit icmp any 192.168.0.0 255.255.0.0 pager lines 24 logging enable logging timestamp logging trap notifications logging asdm informational logging host inside 172.16.220.23 mtu outside 1500 mtu inside 1500 mtu dmz 1500 no failover icmp unreachable rate-limit 1 burst-size 1 icmp permit 172.16.0.0 255.255.0.0 inside icmp permit 192.168.0.0 255.255.0.0 inside no asdm history enable arp timeout 14400 ! object network inside-net nat (inside,outside) dynamic interface object network dmz nat (dmz,outside) dynamic interface access-group acl_in_dmz in interface outside access-group acl_out_inside in interface inside access-group acl_out_dmz in interface dmz route outside 0.0.0.0 0.0.0.0 1xx.xxx.xx.xx7 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 dynamic-access-policy-record DfltAccessPolicy http server enable http 172.16.0.0 255.255.0.0 inside http 192.168.0.0 255.255.0.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 telnet 172.0.0.0 255.0.0.0 inside telnet 192.0.0.0 255.0.0.0 inside telnet timeout 40 ssh 172.0.0.0 255.0.0.0 inside ssh 192.0.0.0 255.0.0.0 inside ssh timeout 5 console timeout 0 threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept webvpn anyconnect-essentials ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect ip-options inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp ! service-policy global_policy global prompt hostname context Cryptochecksum:274199567af5b8f2a3b6ecb2e069bbdd
|