
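Problem with placing a mail server in the DMZ

Popularity: 39   Posted: 2016-04-29 04:52:54.0
Problem with placing a mail server in the DMZ.
I have only recently started working with the PIX.
Our company's mail server used to sit on the internal network; recently, for security reasons, we want to move it into the DMZ.
But after I changed a few commands on the PIX, the mail server in the DMZ can reach the Internet, yet the internal network cannot ping the mail server and the outside network cannot reach the server either.
The PIX configuration is as follows.
The configuration from when it was on the internal network: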
access-list mail permit tcp any host 218.x.x.1
access-list mail permit icmp any any
access-list mail permit tcp any host 218.x.x.2
access-list mail permit tcp any any

access-group mail in interface outside
conduit permit tcp host 218.x.x.1 any

alias (inside) 192.168.50.20 218.x.x.1 255.255.255.255
static (inside,outside) 218.x.x.1 192.168.50.20 netmask 255.255.255.255 0 0

The configuration after I connected the server to the DMZ:
alias (dmz) 172.16.1.10 218.x.x.1 255.255.255.255
static (dmz,outside) 218.x.x.1 172.16.1.10 netmask 255.255.255.255 0 0

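Those are the changes I made. After them, the problem described above appeared. I am very curious why access from the internal network to the DMZ does not work either!

I am a beginner and am begging everyone for help solving this. Which places exactly need to be changed for the move? Please advise...
Waiting online... please, please...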
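
An added example, not part of the original post and not a Cisco tool: a Python check run over the access-list lines quoted in the question, flagging permit entries that match any source and any destination, and host-specific permits that a broader permit in the same list already covers. The function names and the parsing simplifications (no source-port operators, deny ordering ignored) are assumptions of this example.

```python
from collections import namedtuple

Entry = namedtuple("Entry", "action proto src dst ports line")

# Constructed sample: the ACL lines from the question, addresses masked as on the page.
SAMPLE = """\
access-list mail permit tcp any host 218.x.x.1
access-list mail permit icmp any any
access-list mail permit tcp any host 218.x.x.2
access-list mail permit tcp any any
access-group mail in interface outside
"""

def endpoint(tokens):
    """Consume one address spec: 'any', 'host A' or 'A MASK'."""
    head = tokens.pop(0)
    if head == "any":
        return "any"
    return tokens.pop(0) if head == "host" else head + "/" + tokens.pop(0)

def parse(config):
    """Return ({acl_name: [Entry]}, {acl_name: interface it is bound to})."""
    acls, bound = {}, {}
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and len(t) >= 6 and t[2] in ("permit", "deny"):
            rest = t[4:]  # assumption: no source-port operator before the destination
            src, dst = endpoint(rest), endpoint(rest)
            acls.setdefault(t[1], []).append(
                Entry(t[2], t[3], src, dst, tuple(rest), line.strip()))
        elif t[:1] == ["access-group"] and len(t) == 5:
            bound[t[1]] = t[4]
    return acls, bound

def covers(broad, narrow):
    """True if 'broad' matches every packet that 'narrow' matches."""
    return (broad.proto in ("ip", narrow.proto) and broad.src in ("any", narrow.src)
            and broad.dst in ("any", narrow.dst) and broad.ports in ((), narrow.ports))

def audit(config):
    """Flag any-to-any permits and permits covered by a broader permit."""
    acls, bound = parse(config)
    findings = []
    for name, entries in acls.items():
        iface = bound.get(name, "unbound")
        permits = [e for e in entries if e.action == "permit"]
        for e in permits:
            if e.src == e.dst == "any":
                findings.append(("any-any", iface, e.line))
            elif any(covers(o, e) for o in permits if o is not e):
                findings.append(("covered", iface, e.line))
    return findings
```

Calling `audit(SAMPLE)` reports both host-specific TCP entries as covered by the final `permit tcp any any`, which is bound inbound on the outside interface.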

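------Solution--------------------
What exactly did you change?

------Solution--------------------
Discussion

Can anyone help me with this... 100 points offered!!!

------Solution--------------------
First determine whether it is in routed mode or firewall mode.
------Solution--------------------
Is the VLAN interface correct?
------Solution--------------------
Actually, you can just set up the DMZ by following the wizard; the manual also explains it fairly clearly.
I'll copy a section: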

DMZ Interface Configuration
In transparent mode, the security appliance supports up to two interfaces. Typically one interface connects to the outside Internet (known as an Internet zone), another connects to a home network (known as a home zone), and the third interface (known as a work interface), operates similarly to a demilitarized zone (DMZ). A DMZ is a separate network located in the neutral zone between a private (inside) network and a public (outside) network.

The DMZ Interface Configuration screen displays the Back, Next, Finish, Cancel, and Help buttons, in addition to the following:

Select Work Interface area
Choose an interface—Choose an interface to configure from the drop-down list.
Create new VLAN interface—Check this box to create a new work interface.
Enable interface—Check this box to activate the interface in privileged mode.
Interface Name—Lets you specify a name for the interface.
Security Level—Lets you enter a security level range for the interface from 0 to 100, with 100 assigned to the inside interface and 0 assigned to the outside interface. Perimeter interfaces can use any number between 1 and 99. Security levels between 0 and 100 for perimeter interfaces are not set by default.
IP Address area
Use PPPoE—Check this box to obtain an IP address from a PPPoE server for a work interface.
Use DHCP—Check this box to obtain an IP address for a work interface from a DHCP server.
Note DHCP clients initially have no configured IP address, and must send a broadcast request to obtain an IP address from a DHCP server.

Obtain default route using DHCP—Check this box to obtain an IP address for the default gateway using DHCP.

Note DHCP is used by workstations (hosts) to get initial configuration information, such as an IP address, subnet mask, and default gateway upon bootup.

Use the following IP address—Lets you specify an IP address for a work interface rather than obtaining one from a PPPoE server or DHCP server:
IP Address—Lets you specify an IP address for a work interface.

Subnet Mask—Lets you specify a subnet mask for a work interface; use the drop-down list to select a subnet mask IP address.
------Solution--------------------
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml