Copyright notice: original work, reposting permitted; when reposting, you must indicate the original source as a hyperlink together with the author information and this notice, otherwise legal action will be pursued. http://strugglu.blog.51cto.com/241957/55835
Today I am posting my configuration so everyone can help take a look: could the packet loss have anything to do with the rule configuration?

After configuring NAT, we can reach the Internet, but pinging any external address from a PC fails completely (although this does not affect web access)!

For a while we could not browse the web and could not ping out either, which made me think there was a mistake in the NAT above; later I found that my machine simply had no DNS address configured, which was why I could not browse. After adding the local DNS servers that was OK, but the ping failures were still not resolved.

I tested download speed with FTP: going through the PIX 525 + 3750 versus connecting directly, the download rates were almost identical, so I conclude there is no "serious packet loss problem".
```
pixfirewall(config)# sh run
: Saved
:
PIX Version 8.0(2)
!
hostname pixfirewall
domain-name xxxbank.com
enable password PJlHc0RVFW2RrQAM encrypted
names
dns-guard
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.8.92 255.255.255.0
!
interface Ethernet1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0
 nameif dmz1
 security-level 50
 ip address 10.10.11.1 255.255.255.0
!
interface GigabitEthernet1
 nameif dmz2
 security-level 50
 no ip address
!
passwd usNpRs8WOPDxIVKn encrypted
boot system flash:/pix802.bin
ftp mode passive
clock timezone CST 8
dns server-group DefaultDNS
 domain-name chinabank.com
access-list ADtrans_splitTunnelAcl standard permit any
access-list outside_access_in extended permit tcp any host 60.195.251.38 eq www
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 60.195.251.38 eq https
access-list outside_access_in extended permit tcp any host 60.195.251.25 eq www
access-list outside_access_in extended permit tcp any host 60.195.251.25 eq https
access-list outside_access_in extended permit tcp any host 60.195.251.26 eq 5901
access-list outside_access_in extended permit tcp any host 60.195.251.29 eq 5901
access-list outside_access_in extended permit tcp any host 60.195.251.29 eq www
access-list outside_access_in extended permit tcp any host 60.195.251.15 eq ssh
access-list outside_access_in extended permit tcp any host 60.195.251.15 eq https
access-list outside_access_in extended permit tcp any host 60.195.251.15 eq www
access-list outside_access_in extended permit tcp any host 60.195.251.25 eq 9102
access-list outside_access_in extended permit tcp any host 60.195.251.14 eq https
access-list outside_access_in extended permit tcp any host 60.195.251.14 eq ssh
access-list outside_access_in extended permit tcp any host 60.195.251.25 eq 9103
access-list outside_access_in extended permit tcp any host 60.195.251.26 eq 9106
access-list outside_access_in extended permit tcp any host 60.195.251.25 eq 9107
access-list outside_access_in extended permit tcp host 219.142.173.116 host 60.195.251.26 eq 9000
access-list outside_access_in extended permit tcp any host 60.195.251.19 eq https
access-list outside_access_in extended permit tcp any host 60.195.251.19 eq 5901
access-list outside_access_in extended permit tcp any host 60.195.251.19 eq www
access-list outside_access_in extended permit tcp any host 60.195.251.19 eq 16111
access-list outside_access_in extended permit tcp any host 60.195.251.19 eq 16112
access-list outside_access_in extended permit tcp any host 60.195.251.19 eq 9000
access-list outside_access_in extended permit tcp any host 60.195.251.34 eq https
access-list outside_access_in extended permit tcp any host 60.195.251.34 eq www
access-list outside_access_in extended permit tcp any host 60.195.251.21 eq www
access-list outside_access_in extended permit tcp any host 60.195.251.21 eq pop3
access-list outside_access_in extended permit tcp any host 60.195.251.23 eq www
access-list outside_access_in extended permit tcp any host 60.195.251.23 eq https
access-list outside_access_in extended permit tcp any host 60.195.251.23 eq 9000
access-list outside_access_in extended permit tcp any host 60.195.251.24 eq www
access-list outside_access_in extended permit tcp any host 60.195.251.24 eq https
access-list outside_access_in extended permit tcp any host 60.195.251.30 eq www
access-list outside_access_in extended permit tcp any host 60.195.251.30 eq https
access-list outside_access_in extended permit tcp any host 60.195.251.31 eq https
access-list outside_access_in extended permit tcp any host 60.195.251.32 eq www
access-list outside_access_in extended permit tcp any host 60.195.251.32 eq https
access-list outside_access_in extended permit tcp any host 60.195.251.33 eq 16338
access-list outside_access_in extended permit tcp any host 60.195.251.38 eq ssh
access-list outside_access_in extended permit tcp any host 60.195.251.29 eq 1194
access-list outside_access_in extended permit tcp host 219.142.173.116 host 60.195.251.23 eq 8000
access-list outside_access_in extended permit tcp host 219.142.173.116 host 60.195.251.33 eq https
access-list outside_access_in extended permit tcp any host 60.195.251.37 eq www
access-list outside_access_in extended permit tcp host 219.142.173.116 host 60.195.251.20 eq ssh
access-list outside_access_in extended permit tcp any host 60.195.251.13 eq www
access-list outside_access_in extended permit tcp any host 60.195.251.13 eq https
access-list outside_access_in extended permit tcp any host 60.195.251.13 eq 20000
access-list outside_access_in extended permit tcp any host 60.195.251.26 eq 9102
access-list outside_access_in extended permit tcp any host 60.195.251.37 eq https
access-list outside_access_in extended permit udp any host 60.195.251.10 eq domain
access-list outside_access_in extended permit tcp any host 60.195.251.10 eq domain
access-list outside_access_in extended permit tcp any host 60.195.251.11 eq www
access-list outside_access_in extended permit tcp any host 60.195.251.11 eq https
access-list outside_access_in extended permit tcp any host 60.195.251.12 eq https
access-list outside_access_in extended permit tcp any host 60.195.251.12 eq www
access-list outside_access_in extended permit tcp any host 60.195.251.10 eq 8080
access-list outside_access_in extended permit tcp any host 60.195.251.10 eq 8079
access-list outside_access_in extended permit tcp any host 60.195.251.10 eq 7079
access-list outside_access_in extended permit tcp any host 60.195.251.10 eq 7080
access-list outside_access_in extended permit tcp any host 60.195.251.10 eq www
access-list outside_access_in extended permit tcp any host 60.195.251.10 eq https
access-list outside_access_in extended permit tcp any host 60.195.251.21 eq smtp
access-list outside_access_in extended permit tcp any host 60.195.251.16 eq www
access-list outside_access_in extended permit tcp any host 60.195.251.16 eq smtp
access-list outside_access_in extended permit tcp any host 60.195.251.16 eq pop3
access-list outside_access_in extended permit tcp any host 60.195.251.26 eq 9101
access-list outside_access_in extended permit tcp any host 60.195.251.25 eq 9105
access-list outside_access_in extended permit tcp host 219.142.173.112 host 60.195.251.26 eq 9000
access-list outside_access_in extended permit tcp host 219.142.173.113 host 60.195.251.26 eq 9000
access-list outside_access_in extended permit tcp host 220.231.5.2 host 60.195.251.26 eq 9000
access-list outside_access_in extended permit tcp host 220.231.5.2 host 60.195.251.23 eq 8000
access-list outside_access_in extended permit tcp host 220.231.5.2 host 60.195.251.33 eq https
access-list outside_access_in extended permit tcp host 220.231.5.2 host 60.195.251.20 eq ssh
access-list Chinabank extended permit ip 10.10.8.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list Chinabank extended permit ip 10.10.9.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging timestamp
logging buffered notifications
logging trap notifications
logging asdm warnings
logging facility 22
mtu outside 1500
mtu dmz1 1500
mtu dmz2 1500
ip audit name INFO info action alarm drop
ip audit name ATTACK attack action alarm drop reset
ip audit signature 2004 disable
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-521.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface                  // PAT using the outside interface address
nat (dmz1) 0 access-list Chinabank
nat (dmz1) 2 10.10.8.14 255.255.255.255
nat (dmz1) 1 10.10.8.0 255.255.255.0
nat (dmz1) 1 10.10.11.0 255.255.255.0         // translate this subnet
route outside 0.0.0.0 0.0.0.0 192.168.8.254 1 // default route
timeout xlate 1:00:00
timeout conn 0:30:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.8.200 255.255.255.255 dmz1
snmp-server host dmz1 10.10.8.200 poll community Microcisco
no snmp-server location
snmp-server contact Microcisco
snmp-server community Microcisco
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set ××× esp-3des esp-md5-hmac
crypto map aaa 30 match address Chinabank
crypto map aaa 30 set peer 220.bb.b.2
crypto map aaa 30 set transform-set ×××
crypto map aaa 30 set security-association lifetime seconds 7200
crypto isakmp identity address
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 7200
no crypto isakmp nat-traversal
telnet 10.10.0.0 255.255.0.0 dmz1
telnet timeout 5
ssh 10.10.0.0 255.255.0.0 dmz1
ssh 10.10.8.200 255.255.255.255 dmz1
ssh timeout 20
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect rtsp
  inspect rsh
  inspect skinny
  inspect sqlnet
  inspect ftp
  inspect h323 h225
  inspect tftp
  inspect xdmcp
  inspect netbios
  inspect sunrpc
  inspect h323 ras
  inspect dns migrated_dns_map_1
!
service-policy global_policy global
ntp server 137.189.11.181
username ciscocisco password txHKylaC1k.z8b/4 encrypted
tunnel-group 220.bb.b.2 type ipsec-l2l
tunnel-group 220.bb.b.2 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:b69116e40344208a286bb6a024cd53e0
: end
```

From a PC, pinging the PIX's dmz1 interface (10.10.11.1) works, but pinging any external address or domain name, and the company's 192.168.x.x network, fails. I also could not find any statement above that blocks ICMP.
So it should not be a rules problem. Today I ran `clear config all`, wiped the entire configuration and tried again; the problem remained...

At lunch I asked our PIX expert :)

He had it sorted in under two minutes.

It turns out the PIX does not allow ICMP packets in by default. Adding an ACL to let them in fixed it:

```
! Permits ALL IP traffic (not only ICMP) inbound on the outside interface
access-list 100 permit ip any any
access-group 100 in interface outside
```
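Editor's note, with an added configuration example that is not part of the original post. Two details in the pasted `show run` explain the symptom. First, `outside_access_in` is defined (it even contains `permit icmp any any`) but there is no `access-group` line anywhere, so nothing is bound to `outside` and that interface falls back to its implicit deny. Second, `global_policy` carries no `inspect icmp`, so the PIX tracks the PC's TCP and UDP sessions statefully but does not recognise an echo-reply as the return half of the echo-request a dmz1 host sent; the reply is judged as fresh inbound traffic and dropped. That is why web browsing works while ping fails, and it is also what the `clear config all` test could not change. The `permit ip any any` fix above does make ping work, but it throws away deny-by-default on the untrusted interface. The fragment below shows the narrower alternatives; the interface, ACL and policy-map names are taken from the posted config, and the `packet-tracer` line uses 10.10.8.200 (the management host in the posted config) and 192.168.8.254 (the default gateway) purely as illustrative endpoints.

```text
! ---- Weak (what was applied): every protocol and port, from anywhere, inbound on outside
access-list 100 permit ip any any
access-group 100 in interface outside

! ---- Step 0: undo the blanket permit before applying either option below
no access-group 100 in interface outside
clear configure access-list 100

! ---- Option A (preferred): make ICMP stateful.
! Echo-requests from dmz1 create a tracked connection, so the matching echo-reply
! is allowed back as return traffic without any inbound ACL entry on outside.
! "inspect icmp error" additionally admits ICMP errors (time-exceeded, unreachable)
! that belong to an existing connection, which keeps traceroute and PMTUD working.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

! ---- Option B: if an inbound ACL on outside is wanted anyway, bind the one the
! config already defines, and replace its "permit icmp any any" with the reply
! types only. Without Option A this admits any echo-reply, not just answers to
! requests that actually left the firewall, so A is the stronger choice.
no access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-group outside_access_in in interface outside

! ---- Checks
show access-group                          ! exactly one ACL bound "in interface outside"
show service-policy inspect icmp           ! counters increase while a PC pings
show access-list outside_access_in | include icmp
! Simulate a PC on dmz1 pinging the default gateway (illustrative addresses):
packet-tracer input dmz1 icmp 10.10.8.200 8 0 192.168.8.254
```

Option A on its own is enough for hosts behind the firewall to ping out; Option B is only for the case where an inbound ACL is going to be applied to `outside` regardless. The `packet-tracer` output should end with `Action: allow` and show an ICMP inspection phase; if it shows a drop at the ACCESS-LIST phase, an ACL is still bound on outside that does not match the reply.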
This post is from the blog "不奋斗,无颜以对江东父老!" on 51CTO.COM; please keep this source when reposting: http://strugglu.blog.51cto.com/241957/55835
Completing the NAT mapping on the PIX 525