亚洲av成人无遮挡网站在线观看,少妇性bbb搡bbb爽爽爽,亚洲av日韩精品久久久久久,兔费看少妇性l交大片免费,无码少妇一区二区三区

  免費(fèi)注冊(cè) 查看新帖 |

Chinaunix

  平臺(tái) 論壇 博客 文庫(kù)
最近訪問板塊 發(fā)新帖
查看: 4064 | 回復(fù): 7
打印 上一主題 下一主題

cisco防火墻問題, [復(fù)制鏈接]

論壇徽章:
0
跳轉(zhuǎn)到指定樓層
1 [收藏(0)] [報(bào)告]
發(fā)表于 2008-09-25 15:16 |只看該作者 |倒序?yàn)g覽
15可用積分
兩臺(tái)unix設(shè)備不同網(wǎng)段,中間有一臺(tái)cisco防火墻,兩臺(tái)設(shè)備可相互ping通。當(dāng)防火墻上設(shè)置策略為只開放部分端口時(shí),如5510到5519,5510、5514能通,但是5512、5513等其它端口都不通。但是如果將策略改為兩個(gè)ip地址間所有端口都放開,則所有端口就都正常了。
此問題如何解決?如何定位?以下為策略配置:
access-list out-in extended permit tcp host 134.32.32.93 any eq ftp
access-list out-in extended permit tcp host 134.32.32.94 any eq ftp
access-list out-in extended permit tcp host 134.32.32.95 any eq ftp
access-list out-in extended permit tcp host 134.32.32.95 any eq 5510
access-list out-in extended permit tcp host 134.32.32.95 any eq 5511
access-list out-in extended permit tcp host 134.32.32.95 any eq 5512
access-list out-in extended permit tcp host 134.32.32.95 any eq 5513
access-list out-in extended permit tcp host 134.32.32.95 any eq 5514
access-list out-in extended permit tcp host 134.32.32.95 any eq 5515
access-list out-in extended permit tcp host 134.32.32.95 any eq 5516
access-list out-in extended permit tcp host 134.32.32.95 any eq 5517
access-list out-in extended permit tcp host 134.32.32.95 any eq 5518
access-list out-in extended permit tcp host 134.32.32.95 any eq 5519
access-list out-in extended permit tcp host 134.32.32.95 any eq 5520
access-list out-in extended permit tcp host 134.32.32.93 any range 5510 5519
access-list out-in extended permit tcp host 134.32.32.94 any range 5510 5519

論壇徽章:
0
2 [報(bào)告]
發(fā)表于 2008-09-25 15:46 |只看該作者
但是如果將策略改為兩個(gè)ip地址間所有端口都放開,則所有端口就都正常了。

從這點(diǎn)來說應(yīng)該就是ACL的問題。

開房了對(duì)端的port,本端的開放了嗎?
如果要寫的話ACL應(yīng)該寫兩個(gè)吧,兩端端口各一個(gè)。

論壇徽章:
0
3 [報(bào)告]
發(fā)表于 2008-09-25 16:16 |只看該作者

回復(fù) #2 hjp0021 的帖子

具體現(xiàn)象是這樣的,cisco防火墻內(nèi)外分別做客戶端和服務(wù)端,使用固定ip和固定端口連接,內(nèi)網(wǎng)為134.32.32.95,端口5510到5519;外網(wǎng)為134.33.201.90,端口為10003。當(dāng)防火墻針對(duì)134.32.32.95只放開5510到5519端口時(shí),5510端口可以與134.33.201網(wǎng)段的設(shè)備建立正常連接,5512、5513等端口無法與134.33.201.90的10003端口建立連接。134.33.201.90的10003端口作為服務(wù)端,已經(jīng)有其它設(shè)備正常連接了。如果將策略改為針對(duì)134.32.32.95放開全部端口,則可以與134.33.201.90的10003端口建立正常連接。配置如下:
access-list out-in extended permit tcp host 134.32.32.93 any eq ftp
access-list out-in extended permit tcp host 134.32.32.94 any eq ftp
access-list out-in extended permit tcp host 134.32.32.95 any eq ftp
access-list out-in extended permit tcp host 134.32.32.93 any range 5550 5559
access-list out-in extended permit tcp host 134.32.32.94 any range 5550 5559
access-list out-in extended permit tcp host 134.32.32.95 any eq 5550
access-list out-in extended permit tcp host 134.32.32.95 any eq 5551
access-list out-in extended permit tcp host 134.32.32.95 any eq 5552
access-list out-in extended permit tcp host 134.32.32.95 any eq 5553
access-list out-in extended permit tcp host 134.32.32.95 any eq 5554
access-list out-in extended permit tcp host 134.32.32.95 any eq 5555
access-list out-in extended permit tcp host 134.32.32.95 any eq 5556
access-list out-in extended permit tcp host 134.32.32.95 any eq 5557
access-list out-in extended permit tcp host 134.32.32.95 any eq 5558
access-list out-in extended permit tcp host 134.32.32.95 any eq 5559
access-list out-in extended permit tcp host 134.32.32.95 any eq 5510
access-list out-in extended permit tcp host 134.32.32.95 any eq 5511
access-list out-in extended permit tcp host 134.32.32.95 any eq 5512
access-list out-in extended permit tcp host 134.32.32.95 any eq 5513
access-list out-in extended permit tcp host 134.32.32.95 any eq 5514
access-list out-in extended permit tcp host 134.32.32.95 any eq 5515
access-list out-in extended permit tcp host 134.32.32.95 any eq 5516
access-list out-in extended permit tcp host 134.32.32.95 any eq 5517
access-list out-in extended permit tcp host 134.32.32.95 any eq 5518
access-list out-in extended permit tcp host 134.32.32.95 any eq 5519
access-list out-in extended permit tcp host 134.32.32.95 any eq 5520
access-list out-in extended permit tcp host 134.32.32.95 any eq 50010
access-list out-in extended permit tcp host 134.32.32.95 any eq 50011
access-list out-in extended permit tcp host 134.32.32.95 any eq 50012
access-list out-in extended permit tcp host 134.32.32.95 any eq 50013
access-list out-in extended permit tcp host 134.32.32.95 any eq 50014
access-list out-in extended permit tcp host 134.32.32.95 any eq 50015
access-list out-in extended permit tcp host 134.32.32.95 any eq 50016
access-list out-in extended permit tcp host 134.32.32.95 any eq 50017
access-list out-in extended permit tcp host 134.32.32.95 any eq 50018
access-list out-in extended permit tcp host 134.32.32.95 any eq 50019
access-list out-in extended permit tcp host 134.32.32.95 any eq 50020
access-list out-in extended permit tcp host 134.32.32.96 any eq 1099
access-list out-in extended permit tcp host 134.32.32.96 any eq 1199
access-list out-in extended permit tcp host 134.32.32.96 any eq telnet
access-list out-in extended permit tcp host 134.32.32.96 any eq ftp
access-list out-in extended permit tcp host 134.32.32.96 any eq 8080
access-list out-in extended permit tcp host 134.32.32.93 any range 5510 5519
access-list out-in extended permit tcp host 134.32.32.94 any range 5510 5519

論壇徽章:
0
4 [報(bào)告]
發(fā)表于 2008-09-25 17:01 |只看該作者
原帖由 yhy7786 于 2008-9-25 16:16 發(fā)表
具體現(xiàn)象是這樣的,cisco防火墻內(nèi)外分別做客戶端和服務(wù)端,使用固定ip和固定端口連接,內(nèi)網(wǎng)為134.32.32.95,端口5510到5519;外網(wǎng)為134.33.201.90,端口為10003。當(dāng)防火墻針對(duì)134.32.32.95只放開5510到5519端口 ...


sh run | i access-group

sh access-list

論壇徽章:
0
5 [報(bào)告]
發(fā)表于 2008-09-25 17:11 |只看該作者
那這一例來說,我的ACL思路是這樣的,如果134.32.32.95是源地址的話,那么目的就是134.33.201.90,并允許訪問目的端口10003。
反之134.33.201.90是源的話,目的就是134.32.32.95,允許訪問目的端口5510-5519。
最后將它用在正確的端口,正確的in(或OUT)方向。

個(gè)人覺得您的ACL寫得有些亂。

論壇徽章:
5
IT運(yùn)維版塊每日發(fā)帖之星 日期:2015-08-06 06:20:00IT運(yùn)維版塊每日發(fā)帖之星 日期:2015-08-10 06:20:00IT運(yùn)維版塊每日發(fā)帖之星 日期:2015-08-23 06:20:00IT運(yùn)維版塊每日發(fā)帖之星 日期:2015-08-24 06:20:00IT運(yùn)維版塊每日發(fā)帖之星 日期:2015-11-12 06:20:00
6 [報(bào)告]
發(fā)表于 2008-09-25 22:49 |只看該作者
你帖全部配置看看。

論壇徽章:
0
7 [報(bào)告]
發(fā)表于 2008-09-26 17:33 |只看該作者
我贊成5樓的意見

client(134.32.32.95)---(inside)cisco(outside)---server(134.33.201.90)

根據(jù)樓主的表述,你的需求是內(nèi)網(wǎng)client利用5510到5519端口去訪問外網(wǎng)server的10003端口
要求源ip的特定端口訪問目的ip的特定端口

那么按照這樣的思路,訪問列表應(yīng)該是

access-list 101 permit tcp host 134.32.32.95 range 5510 5519 host 134.33.201.90 eq 10003

我不明白你這樣的訪問列表是什么意思
access-list out-in extended permit tcp host 134.32.32.95 any eq 5510
這么寫的話,豈不是成了允許主機(jī)134.32.32.95訪問任何地址的tcp5510端口?
似乎不大對(duì)啊

另外:我對(duì)extended這個(gè)參數(shù)不是很理解,我在防火墻上打不了這個(gè)參數(shù),但是按照字面意思,應(yīng)該也沒什么關(guān)系

論壇徽章:
0
8 [報(bào)告]
發(fā)表于 2008-09-26 22:19 |只看該作者
學(xué)習(xí)啦
您需要登錄后才可以回帖 登錄 | 注冊(cè)

本版積分規(guī)則 發(fā)表回復(fù)

  

北京盛拓優(yōu)訊信息技術(shù)有限公司. 版權(quán)所有 京ICP備16024965號(hào)-6 北京市公安局海淀分局網(wǎng)監(jiān)中心備案編號(hào):11010802020122 niuxiaotong@pcpop.com 17352615567
未成年舉報(bào)專區(qū)
中國(guó)互聯(lián)網(wǎng)協(xié)會(huì)會(huì)員  聯(lián)系我們:huangweiwei@itpub.net
感謝所有關(guān)心和支持過ChinaUnix的朋友們 轉(zhuǎn)載本站內(nèi)容請(qǐng)注明原作者名及出處

清除 Cookies - ChinaUnix - Archiver - WAP - TOP