cisco防火墻問題，

yhy7786

兩臺(tái)unix設(shè)備不同網(wǎng)段，中間有一臺(tái)cisco防火墻，兩臺(tái)設(shè)備可相互ping通。當(dāng)防火墻上設(shè)置策略為只開放部分端口時(shí)，如5510到5519，5510、5514能通，但是5512、5513等其它端口都不通。但是如果將策略改為兩個(gè)ip地址間所有端口都放開，則所有端口就都正常了。\r\n此問題如何解決？如何定位？以下為策略配置：\r\naccess-list out-in extended permit tcp host 134.32.32.93 any eq ftp\r\naccess-list out-in extended permit tcp host 134.32.32.94 any eq ftp\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq ftp\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 5510\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 5511\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 5512\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 5513\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 5514\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 5515\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 5516\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 5517\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 5518\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 5519\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 5520\r\naccess-list out-in extended permit tcp host 134.32.32.93 any range 5510 5519\r\naccess-list out-in extended permit tcp host 134.32.32.94 any range 5510 5519

hjp0021

但是如果將策略改為兩個(gè)ip地址間所有端口都放開，則所有端口就都正常了。

\r\n從這點(diǎn)來說應(yīng)該就是ACL的問題。\r\n\r\n開房了對(duì)端的port，本端的開放了嗎？\r\n如果要寫的話ACL應(yīng)該寫兩個(gè)吧，兩端端口各一個(gè)。

yhy7786

具體現(xiàn)象是這樣的，cisco防火墻內(nèi)外分別做客戶端和服務(wù)端，使用固定ip和固定端口連接，內(nèi)網(wǎng)為134.32.32.95，端口5510到5519；外網(wǎng)為134.33.201.90，端口為10003。當(dāng)防火墻針對(duì)134.32.32.95只放開5510到5519端口時(shí)，5510端口可以與134.33.201網(wǎng)段的設(shè)備建立正常連接，5512、5513等端口無法與134.33.201.90的10003端口建立連接。134.33.201.90的10003端口作為服務(wù)端，已經(jīng)有其它設(shè)備正常連接了。如果將策略改為針對(duì)134.32.32.95放開全部端口，則可以與134.33.201.90的10003端口建立正常連接。配置如下：\r\naccess-list out-in extended permit tcp host 134.32.32.93 any eq ftp\r\naccess-list out-in extended permit tcp host 134.32.32.94 any eq ftp\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq ftp\r\naccess-list out-in extended permit tcp host 134.32.32.93 any range 5550 5559\r\naccess-list out-in extended permit tcp host 134.32.32.94 any range 5550 5559\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 5550\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 5551\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 5552\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 5553\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 5554\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 5555\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 5556\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 5557\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 5558\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 5559\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 5510\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 5511\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 5512\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 5513\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 5514\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 5515\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 5516\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 5517\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 5518\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 5519\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 5520\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 50010\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 50011\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 50012\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 50013\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 50014\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 50015\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 50016\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 50017\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 50018\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 50019\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 50020\r\naccess-list out-in extended permit tcp host 134.32.32.96 any eq 1099\r\naccess-list out-in extended permit tcp host 134.32.32.96 any eq 1199\r\naccess-list out-in extended permit tcp host 134.32.32.96 any eq telnet\r\naccess-list out-in extended permit tcp host 134.32.32.96 any eq ftp\r\naccess-list out-in extended permit tcp host 134.32.32.96 any eq 8080\r\naccess-list out-in extended permit tcp host 134.32.32.93 any range 5510 5519\r\naccess-list out-in extended permit tcp host 134.32.32.94 any range 5510 5519

hjp0021

那這一例來說，我的ACL思路是這樣的，如果134.32.32.95是源地址的話，那么目的就是134.33.201.90，并允許訪問目的端口10003。\r\n反之134.33.201.90是源的話，目的就是134.32.32.95，允許訪問目的端口5510－5519。\r\n最后將它用在正確的端口，正確的in（或OUT）方向。\r\n\r\n個(gè)人覺得您的ACL寫得有些亂。

0ZXCVBNM0

我贊成5樓的意見\r\n\r\nclient（134.32.32.95）---（inside）cisco（outside）---server（134.33.201.90）\r\n\r\n根據(jù)樓主的表述，你的需求是內(nèi)網(wǎng)client利用5510到5519端口去訪問外網(wǎng)server的10003端口\r\n要求源ip的特定端口訪問目的ip的特定端口\r\n\r\n那么按照這樣的思路，訪問列表應(yīng)該是\r\n\r\naccess-list 101 permit tcp host 134.32.32.95 range 5510 5519 host 134.33.201.90 eq 10003\r\n\r\n我不明白你這樣的訪問列表是什么意思\r\naccess-list out-in extended permit tcp host 134.32.32.95 any eq 5510\r\n這么寫的話，豈不是成了允許主機(jī)134.32.32.95訪問任何地址的tcp5510端口？\r\n似乎不大對(duì)啊\r\n\r\n另外：我對(duì)extended這個(gè)參數(shù)不是很理解，我在防火墻上打不了這個(gè)參數(shù)，但是按照字面意思，應(yīng)該也沒什么關(guān)系