Configuring a DMZ on an ASA

network-engineering cisco nat acl
2021-07-05 12:10:40

I am fairly new to the ASA world. Basically I have exhausted all of my search options and am turning to the experts here for help. I have an ASA 5506-X with 4 interfaces. The ASA is running OS 9.4(2) and I am configuring everything through ASDM. ASDM is version 7.6.

Interface 1: Outside network 1, Verizon

Interface 2: Inside network

Interface 3: Outside network, Comcast

Interface 4: DMZ 192.168.1.0/24

There are two outside networks; if one of them goes down, it fails over to the second one.

Besides these interfaces, the ASA is also used for VPN connections.

My problem: I have a Skype for Business Edge server that I want people to reach from the outside. The server is connected to the DMZ and has 3 private IPs, which are associated with public IPs. I have created the NAT rules and the server is connected to the Internet (meaning I can browse the web from the server). For some reason I cannot ping the server on any of the 3 public IPs or connect to it from the outside. I have opened the necessary ports with ACLs, but still no luck. Any ideas on how to get this up and running? I would really appreciate any help. Like I said, I have researched this a lot but cannot find any solution. Apologies if this has already been asked.

The configuration is as follows:

Result of the command: "show running-config"
: Saved
: Serial Number: XXXXXXXXX
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
ASA Version 9.4(2) 
!
hostname ASA-5506-ASA
domain-name xxxx
enable password xxxxx encrypted
names
ip local pool VPN_Pool 172.xx.xx.1-172.xx.xx.254 mask 255.255.255.0
!
interface GigabitEthernet1/1
 description Verizon
 nameif outside
 security-level 0
 ip address 207.xx.xx.xx 255.255.255.224 
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 172.xx.xx.1 255.255.255.0 
!
interface GigabitEthernet1/3
 nameif COMCAST
 security-level 0
 ip address 23.xx.xx.xx 255.255.255.248 
!
interface GigabitEthernet1/4
 description DMZ Interface
 nameif DMZ
 security-level 50
 ip address 192.168.1.254 255.255.255.0 
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa942-lfbff-k8.SPA
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup COMCAST
dns domain-lookup DMZ
dns server-group DefaultDNS
 name-server 172.xx.xx.x6
 domain-name xxxxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_172.xx.xx.0_24
 subnet 172.xx.xx.0 255.255.255.0
object network CUCM-6970
 host 172.xx.xx.10
object network CUCM-69
 host 172.xx.xx.10
object service RDP
 service tcp source eq 3389 destination eq 3389 
 description Remote Desktop
object service RDP_UDP
 service udp source eq 3389 destination eq 3389 
 description Remote Desktop UDP
object network RDP-Access
 host 17x.xx.xx.xx
 description RDP Access
object network Public_Pool
 range 23.xx.xx.xx 23.xx.xx.xx
object network DMZ-Subnet
 subnet 192.168.1.0 255.255.255.0
object network DMZ-Edge-Access-EXT
 host 23.xx.xx.xx
object network DMZ-Edge-Access-INT
 host 192.168.1.xx
object network DMZ-Edge-Web-Conf-EXT
 host 23.xx.xx.xx
object network DMZ-Edge-Web-Conf-INT
 host 192.168.1.xx
object network DMZ-Edge-Audio-Video-EXT
 host 23.xx.xx.xx
object network DMZ-Edge-Audio-Video-INT
 host 192.168.1.xx
object service Access-Edge-Federation
 service tcp source eq 5061 destination eq 5061 
 description Port used for Access Edge Federation
object service AV-Edge-UDP-3478
 service udp source eq 3478 destination eq 3478 
 description AV-Edge-UDP-3478
object service DNS
 service tcp source eq domain destination eq domain 
 description DNS
object service DNSU
 service udp source eq domain destination eq domain 
 description DNSU
object-group network DM_INLINE_NETWORK_1
 network-object object CUCM-69
 network-object object CUCM-6970
object-group service DM_INLINE_SERVICE_1
 service-object tcp destination eq 6970 
 service-object udp destination eq tftp 
object-group service AV-Edge-TCP-50-59 tcp
 description Allowing TCP Ports 50000 to 59999
 port-object range 50000 59999
object-group service AV-Edge-UDP-50-59 udp
 description Allowed UDP Ports 50000 to 59999
 port-object range 50000 59999
access-list SplitTunnel standard permit 172.xx.63.0 255.255.255.0 
access-list SplitTunnel standard permit 172.xx.63.0 255.255.255.0 
access-list SplitTunnel standard permit 172.xx.60.0 255.255.254.0 
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object-group DM_INLINE_NETWORK_1 
access-list COMCAST_access_in extended permit tcp any object RDP-ACCESS eq 3389 
access-list DMZ_access_in remark Allowed Port 443 for Access Edge
access-list DMZ_access_in extended permit tcp any object DMZ-Edge-Access-EXT eq https inactive 
access-list DMZ_access_in remark Allowed port 5061 for access edge federation
access-list DMZ_access_in extended permit object Access-Edge-Federation any object DMZ-Edge-Access-EXT inactive 
access-list DMZ_access_in remark Allowed TCP 443 for Web Conferencing
access-list DMZ_access_in extended permit tcp any object DMZ-Edge-Web-Conf-EXT eq https inactive 
access-list DMZ_access_in remark Allowed TCP 443 for Audio/Video access
access-list DMZ_access_in extended permit tcp any object DMZ-Edge-Audio-Video-EXT eq https inactive 
access-list DMZ_access_in remark Allowed UDP 3478 for Audio/Video
access-list DMZ_access_in extended permit object AV-Edge-UDP-3478 any object DMZ-Edge-Audio-Video-EXT inactive 
access-list DMZ_access_in remark Allowed TCP Ports 50000 to 59999
access-list DMZ_access_in extended permit tcp any object DMZ-Edge-Audio-Video-EXT object-group AV-Edge-TCP-50-59 inactive 
access-list DMZ_access_in remark Allowed UDP Ports 50000 to 59999
access-list DMZ_access_in extended permit udp any object DMZ-Edge-Audio-Video-EXT object-group AV-Edge-UDP-50-59 inactive 
access-list DMZ_access_in extended permit ip object DMZ-Subnet any 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu COMCAST 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.xx.63.0_24 NETWORK_OBJ_172.xx.63.0_24 no-proxy-arp route-lookup
!
object network CUCM-6970
 nat (inside,outside) static interface service tcp 6970 6970 
object network CUCM-69
 nat (inside,outside) static interface service udp tftp tftp 
object network RDP-ACCESS
 nat (inside,COMCAST) static interface no-proxy-arp service tcp 3389 3389 
object network DMZ-Subnet
 nat (DMZ,COMCAST) dynamic interface
object network DMZ-Edge-Access-INT
 nat (DMZ,COMCAST) static DMZ-Edge-Access-EXT
object network DMZ-Edge-Web-Conf-INT
 nat (DMZ,COMCAST) static DMZ-Edge-Web-Conf-EXT
object network DMZ-Edge-Audio-Video-INT
 nat (DMZ,COMCAST) static DMZ-Edge-Web-Conf-EXT
!
nat (inside,COMCAST) after-auto source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
access-group COMCAST_access_in in interface COMCAST
access-group DMZ_access_in in interface DMZ
route COMCAST 0.0.0.0 0.0.0.0 23.xx.xx.xx 1
route outside 0.0.0.0 0.0.0.0 207.xx.xx.xx 50
route inside 172.xx.60.0 255.255.254.0 172.xx.63.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect sunrpc 
  inspect xdmcp 
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:ee5c940e2787f16d3e83ef7eedf943a4
: end
2 Answers

The access lists on your two outside interfaces do not have the necessary permits. For example, to allow ICMP in, you need a "permit icmp" entry that allows pings through to the DMZ servers. For your specific application ports you will also need to add lines for those ports.

Right now, your inbound ACLs from the Internet look like this:

!
! For your Verizon connection:
!
object-group service DM_INLINE_SERVICE_1
 service-object tcp destination eq 6970 
 service-object udp destination eq tftp
!
object-group network DM_INLINE_NETWORK_1
 network-object object CUCM-69
 network-object object CUCM-6970
!
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object-group DM_INLINE_NETWORK_1
!
!
! For your Comcast connection:
!
object network RDP-Access
 host 17x.xx.xx.xx
 description RDP Access
!
access-list COMCAST_access_in extended permit tcp any object RDP-ACCESS eq 3389

All other traffic not explicitly listed here is dropped by the implicit deny at the end of every ACL on the ASA.

For example, to allow ICMP (for IPv4), I usually only let a few ICMP types/codes through to all destinations (in your case, I will give an example for just the hosts that have a static NAT translation).

object-group service ICMP_ALLOWED
 service-object icmp echo
 service-object icmp echo-reply
 service-object icmp unreachable
 service-object icmp time-exceeded

object-group network OUTSIDE_ACCESSIBLE_HOSTS
 network-object object DMZ-Edge-Access-INT
 network-object object DMZ-Edge-Web-Conf-INT
 network-object object DMZ-Edge-Audio-Video-INT

access-list COMCAST_access_in line 1 extended permit object-group ICMP_ALLOWED any object-group OUTSIDE_ACCESSIBLE_HOSTS

(It is also worth noting that if Comcast is the one providing the public IPs you use in those static NAT statements, they will not work over your Verizon connection.)

If you configure NAT for an internal server so that it has a public IP address on the outside interface, the access rule that allows outside traffic to reach the internal server must reference the server's real IP address, not the public IP:

Example:

ASA(config)# name 192.168.1.X skype_server
ASA(config)# object network DMZ-Subnet
ASA(config-network-object)# host skype_server
ASA(config-network-object)# nat (DMZ,outside) static 'public_ip'
ASA(config)# access-list outside_rule extended permit tcp any host skype_server eq 'ports (if necessary)'
ASA(config)# access-group outside_rule in interface outside
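Putting the two answers together for the posted configuration, as an added example that is not from either answerer: the Edge server's inbound rules belong on COMCAST_access_in (the interface the Internet traffic arrives on, whereas DMZ_access_in only filters traffic leaving the DMZ), reference the real DMZ-Edge-*-INT objects, and carry no "inactive" keyword. It assumes that DMZ-Edge-Audio-Video-INT was meant to map to DMZ-Edge-Audio-Video-EXT rather than DMZ-Edge-Web-Conf-EXT as in the posted nat line, and uses a constructed test source address plus a placeholder for the masked public IP in the packet-tracer check.

```cisco
! Added example (not from either answer): inbound policy for the Skype for
! Business Edge server behind the COMCAST interface, using the objects that
! already exist in the posted running-config.
!
! 1. Give each real (INT) host its own mapped (EXT) address. The posted
!    config maps DMZ-Edge-Audio-Video-INT to DMZ-Edge-Web-Conf-EXT; assumed
!    here is that DMZ-Edge-Audio-Video-EXT was intended.
object network DMZ-Edge-Audio-Video-INT
 nat (DMZ,COMCAST) static DMZ-Edge-Audio-Video-EXT
!
! 2. Group the real addresses. On ASA 8.3 and later an inbound ACL is
!    evaluated against the real (untranslated) destination, not the public IP.
object-group network DMZ-Edge-Real
 network-object object DMZ-Edge-Access-INT
 network-object object DMZ-Edge-Web-Conf-INT
 network-object object DMZ-Edge-Audio-Video-INT
!
! 3. Permit the Edge ports on the interface the traffic arrives on, with no
!    "inactive" keyword and matching on the destination port only (a client's
!    source port is ephemeral, so "source eq 5061" as in the posted service
!    object would not match a real connection). "inspect icmp" is already on
!    in the posted config, so the echo-reply is matched to the permitted echo.
access-list COMCAST_access_in extended permit icmp any object-group DMZ-Edge-Real echo
access-list COMCAST_access_in extended permit tcp any object DMZ-Edge-Access-INT eq https
access-list COMCAST_access_in extended permit tcp any object DMZ-Edge-Access-INT eq 5061
access-list COMCAST_access_in extended permit tcp any object DMZ-Edge-Web-Conf-INT eq https
access-list COMCAST_access_in extended permit tcp any object DMZ-Edge-Audio-Video-INT eq https
access-list COMCAST_access_in extended permit udp any object DMZ-Edge-Audio-Video-INT eq 3478
access-list COMCAST_access_in extended permit tcp any object DMZ-Edge-Audio-Video-INT object-group AV-Edge-TCP-50-59
access-list COMCAST_access_in extended permit udp any object DMZ-Edge-Audio-Video-INT object-group AV-Edge-UDP-50-59
!
! The binding is already present in the posted config and stays as is:
! access-group COMCAST_access_in in interface COMCAST
!
! 4. Check translation and rule hits with a simulated inbound SYN from a
!    constructed Internet address (198.51.100.10) to the mapped address of
!    DMZ-Edge-Access-EXT (placeholder, since the page masks it).
show nat detail
packet-tracer input COMCAST tcp 198.51.100.10 40000 <DMZ-Edge-Access-EXT-address> 443
```

The packet-tracer output lists each phase (route lookup, NAT, ACL) with the line that matched and whether the packet was allowed, so a remaining drop points directly at the rule still missing.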