On 3/7/08, Paolo Bratti <[EMAIL PROTECTED]> wrote:

> Have you checked that the source network and the destination
>  network don't coincide?

the source and destination LANs are different: 192.168.2.0/24 is the
local one and 192.168.1.0/24 the remote one

>  If that doesn't fix it, can you post the configuration?

this is the ASA configuration

: Saved
:
ASA Version 7.2(2)
!
hostname domain-asa
domain-name domain.lan
enable password
names
!
interface Vlan1
 description Interfaccia LAN
 nameif inside
 security-level 100
 ip address 192.168.2.254 255.255.255.0
!
interface Vlan2
 description Interfaccia BAD
 nameif outside
 security-level 0
 ip address 85.36.x.v 255.255.255.248
!
interface Vlan3
 description Interfaccia DMZ
 nameif DMZ
 security-level 50
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.lan
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside extended permit tcp any host 85.36.x.v eq smtp
access-list outside extended permit tcp any host 85.36.x.v eq pop3
access-list outside extended permit icmp any host 85.36.x.v echo-reply
access-list outside extended permit icmp any host 85.36.x.v source-quench
access-list outside extended permit icmp any host 85.36.x.v time-exceeded
access-list outside extended permit icmp any host 85.36.x.v unreachable
access-list outside extended permit tcp any host 85.36.x.v eq 5500
access-list outside extended permit tcp any host 85.36.x.x eq 5500
access-list outside extended permit tcp any host 85.36.x.y eq 5500
access-list outside extended permit tcp any host 85.36.x.w eq 5500
access-list outside extended permit tcp any host 85.36.x.z eq www
access-list outside extended permit tcp any host 85.36.x.z eq ftp-data
access-list outside extended permit tcp any host 85.36.x.z eq ftp
access-list outside extended permit tcp any host 85.36.x.z eq https
access-list outside extended permit tcp any host 85.36.x.z eq 8080
access-list outside extended permit tcp any host 85.36.x.z eq 8989
access-list outside extended permit tcp any host 85.36.x.z eq 8999
access-list outside extended permit tcp any host 85.36.x.z eq 12173
access-list outside extended permit tcp any host 85.36.x.z eq 12174
access-list outside extended permit tcp any host 85.36.x.z eq 12175
access-list outside extended permit tcp any host 85.36.x.z eq 1533
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.16.21.0 255.255.255.248
access-list inside_access_out extended permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_access_out extended permit ip any any
access-list dmz_int extended permit tcp host 10.0.0.2 eq smtp host 192.168.2.50 eq smtp log debugging
access-list dmz_int extended permit tcp host 10.0.0.2 eq lotusnotes host 192.168.2.50 eq lotusnotes
access-list dmz_int extended permit tcp host 10.0.0.2 eq telnet host 192.168.2.60 eq telnet
access-list dmz_int extended permit tcp host 10.0.0.2 eq telnet host 192.168.2.70 eq telnet
access-list dmz_int extended permit tcp host 10.0.0.2 eq telnet host 192.168.2.80 eq telnet
access-list dmz_int extended permit ip 10.0.0.0 255.255.255.0 any
access-list dmz_access_out extended permit icmp any any
access-list dmz_access_out extended permit ip any any
access-list dmz_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list user-vpn_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool vpn-pool 172.16.21.1-172.16.21.6 mask 255.255.255.248
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (inside) 1 interface
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.2.0 255.255.255.0
nat (DMZ) 0 access-list dmz_nat0_outbound
nat (DMZ) 1 10.0.0.0 255.255.255.0
static (inside,outside) tcp interface smtp 192.168.2.50 smtp netmask 255.255.255.255  dns tcp 0 120
static (DMZ,inside) tcp interface smtp 192.168.2.50 smtp netmask 255.255.255.255  dns tcp 0 120
static (inside,outside) tcp interface 5500 192.168.2.34 5500 netmask 255.255.255.255  dns tcp 0 120
static (inside,outside) tcp 85.36.x.x 5500 192.168.2.35 5500 netmask 255.255.255.255  dns tcp 0 120
static (inside,outside) tcp 85.36.x.y 5500 192.168.2.36 5500 netmask 255.255.255.255  dns tcp 0 120
static (inside,outside) tcp 85.36.x.w 5500 192.168.2.33 5500 netmask 255.255.255.255  dns tcp 0 120
static (DMZ,outside) tcp 85.36.x.z www 10.0.0.2 www netmask 255.255.255.255
static (DMZ,outside) tcp 85.36.x.z ftp-data 10.0.0.2 ftp-data netmask 255.255.255.255
static (DMZ,outside) tcp 85.36.x.z ftp 10.0.0.2 ftp netmask 255.255.255.255
static (DMZ,outside) tcp 85.36.x.z https 10.0.0.2 https netmask 255.255.255.255
static (DMZ,outside) tcp 85.36.x.z 8080 10.0.0.2 8080 netmask 255.255.255.255
static (DMZ,outside) tcp 85.36.x.z 8989 10.0.0.2 8989 netmask 255.255.255.255
static (DMZ,outside) tcp 85.36.x.z 8999 10.0.0.2 8999 netmask 255.255.255.255
static (DMZ,outside) tcp 85.36.x.z 12173 10.0.0.2 12173 netmask 255.255.255.255
static (DMZ,outside) tcp 85.36.x.z 12174 10.0.0.2 12174 netmask 255.255.255.255
static (DMZ,outside) tcp 85.36.x.z 12175 10.0.0.2 12175 netmask 255.255.255.255
static (DMZ,outside) tcp 85.36.x.z 1533 10.0.0.2 1533 netmask 255.255.255.255
access-group inside_access_out out interface inside
access-group outside in interface outside
access-group dmz_int in interface DMZ
access-group dmz_access_out out interface DMZ
route outside 0.0.0.0 0.0.0.0 85.36.x.a 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy user-vpn internal
group-policy user-vpn attributes
 wins-server value 192.168.2.50
 dns-server value 192.168.2.50 192.168.2.51
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value user-vpn_splitTunnelAcl
 default-domain value domain.lan
username user1
username user2 password
username user2 attributes
 vpn-group-policy user-vpn
username user3 password
username user3 attributes
 vpn-group-policy user-vpn
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp nat-traversal  20
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group user-vpn type ipsec-ra
tunnel-group user-vpn general-attributes
 address-pool vpn-pool
 default-group-policy user-vpn
tunnel-group user-vpn ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh 81.208.a.a 255.255.255.248 outside
ssh timeout 60
ssh version 2
console timeout 0

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ipsec-pass-thru
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:
: end


Let me know if you need any other information

Cheers
-- 
bizza
http://www.rm-rf.eu/
_______________________________________________
Cug mailing list
http://www.areanetworking.it/index_docs.php
[email protected]
http://ml.areanetworking.it/mailman/listinfo/cug
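An added check, not part of the thread or of the posted device configuration: it re-reads the two things Paolo's question turns on from an excerpt of the config above (the inside and DMZ interface addresses, the `inside_nat0_outbound` ACL and the `vpn-pool` pool), reports any overlap between those ranges and the 192.168.1.0/24 remote LAN named in the reply, and confirms the NAT exemption actually covers the VPN pool. `REMOTE_LAN`, `to_net`, `parse_networks`, `overlapping_pairs` and `nat0_covers` are names chosen here, not ASA commands.

```python
import ipaddress
import re

# Constructed excerpt of the ASA config posted in the thread (inside/DMZ, nat0 ACL, VPN pool).
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.2.254 255.255.255.0
interface Vlan3
 nameif DMZ
 ip address 10.0.0.1 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.16.21.0 255.255.255.248
ip local pool vpn-pool 172.16.21.1-172.16.21.6 mask 255.255.255.248
"""
REMOTE_LAN = ipaddress.ip_network("192.168.1.0/24")  # from the reply, not the config

ACE = re.compile(r"access-list (\S+) extended permit ip (any|\S+ \S+) (any|\S+ \S+)")
POOL = re.compile(r"ip local pool (\S+) (\S+)-\S+ mask (\S+)")

def to_net(tok):
    """Turn an ASA 'addr mask' pair (or 'any') into an ip_network."""
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = tok.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_networks(cfg):
    """Return {name: network} for every nameif'd interface and every local pool."""
    nets, nameif = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            nets[nameif] = to_net(line[len("ip address "):])
        elif m := POOL.match(line):
            nets[m.group(1)] = to_net(f"{m.group(2)} {m.group(3)}")
    return nets

def overlapping_pairs(nets):
    """Pairs of named ranges that overlap; must be empty for VPN and NAT to work."""
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def nat0_covers(cfg, acl, dst):
    """True if an ACE of `acl` exempts traffic to all of `dst` from NAT."""
    for line in cfg.splitlines():
        m = ACE.match(line.strip())
        if m and m.group(1) == acl and dst.subnet_of(to_net(m.group(3))):
            return True
    return False
```

On the posted config the overlap list is empty and the exemption covers the pool, so the fault lies elsewhere than in the address plan.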
