NAT问题探讨

在 ASA 5505 上做了以下配置后,用 ping 工具测试,结果只有单方向(深圳→香港)ping 正常,反方向(香港→深圳)无法 ping 通。配置如下,还烦请高手指点!

 

香港IP: 192.168.130.0/24

       192.168.131.0/24

       192.168.127.0/24

深圳:192.168.132.0/24

 

深圳 ADSL 外网 IP:10.10.0.0

 

User Access Verification

 

Password:

Type help or '?' for a list of available commands.

ciscoasa> enable

Password:

Invalid password

Password:

Invalid password

Password:

Invalid password

Access denied.

ciscoasa> enable

Password: *********

ciscoasa# sh run

: Saved

:

! Device identity and local login secrets, as printed by "sh run".
! NOTE(review): 7.2(4) is a long-superseded ASA release; confirm it still receives security fixes,
! especially since this configuration also allows management access on the outside interface.
ASA Version 7.2(4)

!

hostname ciscoasa

domain-name cisco.com

! NOTE(review): the "encrypted" strings below are password hashes, not redactions. Publishing them
! allows offline guessing; replace them with a placeholder before sharing a config and rotate the passwords.
enable password r0ejP/h/1olf5rAO encrypted

! NOTE(review): this value looks like the widely documented factory-default login hash -- confirm and set a unique password.
passwd 2KFQnbNIdI.2KYOU encrypted

! "names" turns on name-to-address aliases (the later "http PatrickAu ..." line uses one).
names

!

! Layer-3 VLAN interfaces: Backup (Vlan1), outside (Vlan2) and SZside (Vlan12).
! Backup carries security-level 100, the same trust level as SZside.
interface Vlan1

 description Backup Interface in case of emergency

 nameif Backup

 security-level 100

 ip address 192.168.1.1 255.255.255.0

!

! ISP-facing interface; security-level 0 marks it as the least trusted side.
interface Vlan2

 description ChinaTelecom ISP

 nameif outside

 security-level 0

 ip address 10.10.0.2 255.255.255.0

!            

! Shenzhen LAN. 192.168.132.3 is the address the "global (SZside) 5 interface" PAT rule translates to.
interface Vlan12

 ! Presumably stops this VLAN from initiating traffic towards Vlan1 (the usual ASA 5505
 ! third-VLAN restriction) -- verify against the installed license.
 no forward interface Vlan1

 nameif SZside

 security-level 100

 ip address 192.168.132.3 255.255.255.0

!            

! Switch-port to VLAN mapping: Ethernet0/0 is the outside (VLAN 2) uplink,
! Ethernet0/1 through 0/4 are on the Shenzhen LAN (VLAN 12).
interface Ethernet0/0

 switchport access vlan 2

!            

interface Ethernet0/1

 switchport access vlan 12

!            

interface Ethernet0/2

 switchport access vlan 12

!            

interface Ethernet0/3

 switchport access vlan 12

!            

interface Ethernet0/4

 switchport access vlan 12

!            

! NOTE(review): Ethernet0/5-0/7 show no VLAN assignment and no "shutdown", so they presumably sit in the
! default VLAN 1, i.e. the security-level 100 "Backup" interface. Shut down unused ports -- confirm with "show switch vlan".
interface Ethernet0/5

!            

interface Ethernet0/6

!            

interface Ethernet0/7

!            

! DNS settings, the NAT-matching ACL (PNat), the outside ACL and logging.
ftp mode passive

dns domain-lookup SZside

! Two server groups whose names differ only in letter case; only the second lists a name-server.
dns server-group DefaultDNS

 domain-name cisco.com

dns server-group defaultDns

 name-server 192.168.132.250

 domain-name cisco.com

! Lets traffic enter and leave the same interface (hairpin). The routes to the Hong Kong subnets
! point back out of SZside, so Shenzhen-to-Hong-Kong traffic depends on this.
same-security-traffic permit intra-interface

! "ip" already covers icmp, udp and tcp, so this group matches every IP protocol.
object-group protocol DM_INLINE_PROTOCOL_1

 protocol-object ip

 protocol-object icmp

 protocol-object udp

 protocol-object tcp

! PNat selects Shenzhen (192.168.132.0/24) traffic destined for the three Hong Kong subnets;
! it is referenced by "nat (SZside) 5 access-list PNat".
access-list PNat extended permit ip 192.168.132.0 255.255.255.0 192.168.131.0 255.255.255.0

access-list PNat extended permit ip 192.168.132.0 255.255.255.0 192.168.127.0 255.255.255.0

access-list PNat extended permit ip 192.168.132.0 255.255.255.0 192.168.130.0 255.255.255.0

! NOTE(review): permits every protocol from any source to any destination and is applied inbound on
! the outside interface by the access-group line. Nothing is filtered at the ACL layer, so inbound
! exposure rests on translation alone; restrict this to the specific flows that are required.
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any

pager lines 24

! NOTE(review): logging is enabled, but the only destination visible is ASDM; no syslog host is
! configured here, so events are presumably not retained off the device.
logging enable

logging asdm informational

mtu Backup 1500

mtu outside 1500

mtu SZside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

! Address translation, ACL binding, static routes and connection timeouts.
no asdm history enable

arp timeout 14400

! NAT id 2: Shenzhen hosts going out to the Internet are translated to 10.10.0.4 on outside.
global (outside) 2 10.10.0.4

! NAT id 5: traffic matched by the PNat ACL (Shenzhen to Hong Kong) is translated to the SZside
! interface address, i.e. it is hairpinned out of the interface it arrived on.
global (SZside) 5 interface

nat (SZside) 5 access-list PNat

nat (SZside) 2 192.168.132.0 255.255.255.0

! Binds the permit-any-any ACL to inbound traffic on the outside interface.
! NOTE(review): tighten outside_access_in before relying on this binding.
access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 10.10.0.1 2

! The Hong Kong subnets are reached through 192.168.132.88, a next hop on the Shenzhen LAN itself.
! NOTE(review): Hong-Kong-initiated packets presumably reach Shenzhen hosts directly from 192.168.132.88
! without crossing the ASA. If those hosts answer through the ASA as their default gateway, the ASA sees
! replies with no matching connection or translation and would drop them. That would match the reported
! one-way ping -- confirm with host routing tables and a capture on SZside.
route SZside 192.168.127.0 255.255.255.0 192.168.132.88 1

route SZside 192.168.130.0 255.255.255.0 192.168.132.88 1

route SZside 192.168.131.0 255.255.255.0 192.168.132.88 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

! Management-plane access: ASDM/HTTPS, SNMP traps, Telnet, SSH and console settings, plus the local admin account.
http server enable

http PatrickAu 255.255.255.255 SZside

http 192.168.132.0 255.255.255.0 Backup

http 192.168.131.0 255.255.255.0 Backup

http 192.168.130.0 255.255.255.0 Backup

! NOTE(review): this line and the 192.168.3.0/24 line below expose device management on the
! untrusted outside interface. Prefer management over a VPN or from an inside management network only.
http 218.213.12.130 255.255.255.255 outside

http 192.168.132.0 255.255.255.0 SZside

http 192.168.3.0 255.255.255.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

! NOTE(review): Telnet carries the login and enable passwords in clear text across the whole
! Shenzhen LAN. No "ssh <network> <mask> <interface>" permit line is visible, so SSH is presumably
! unusable; enable SSH for the management hosts and remove this Telnet line.
telnet 192.168.132.0 255.255.255.0 SZside

telnet timeout 5

ssh timeout 5

! NOTE(review): 0 disables the console idle timeout, so an abandoned console session stays logged in.
console timeout 0

dhcpd dns 192.168.132.250 interface SZside

!            

             

! NOTE(review): a privilege-15 account name and its password hash are published here; no
! "aaa authentication" lines are visible in this config. Redact the hash when sharing and rotate this password.
username jakksadmin password qW2ZzDxwL/dmdfak encrypted privilege 15

!            

! Application inspection: the default traffic class plus the global policy that applies the inspection engines.
class-map inspection_default

 match default-inspection-traffic

!            

!            

policy-map type inspect dns preset_dns_map

 parameters  

  ! Caps DNS messages at 512 bytes.
  ! NOTE(review): larger (EDNS0) responses would presumably be dropped -- confirm this limit is intended.
  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  ! ICMP inspection tracks echo request/reply pairs, so an echo reply is passed only when the ASA
  ! saw the matching request. This is relevant to the one-way ping if replies and requests take different paths.
  inspect icmp

!            

! Applies global_policy to traffic on all interfaces.
service-policy global_policy global

prompt hostname context

Cryptochecksum:ce682cbd916c3319bb54ad48dff96bd5

: end        

ciscoasa#