
Environment: a PIX 515E, with a 3560G connected below it and a 2960 below that.

I have created a VLAN, 172.16.1.1, on the 3560, but the hosts under it cannot access the Internet. I hope everyone can help!!!

At the moment the gateway routing is done on the PIX. No layer-3 interface has been brought up on the 3560; I only created a VLAN, 172.16.1.1.

PIX configuration:

PIX Version 7.2(2)
!
hostname pixfirewall
enable password PLBb27eKLE1o9FTB encrypted
names
!
interface Ethernet0
 speed 10
 duplex full
 nameif outside
 security-level 0
 ip address 61.50.220.51 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 10
 ip address 192.168.1.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list 101 extended permit tcp any host 123.124.10.33 eq smtp
access-list 101 extended permit tcp any host 123.124.10.33 eq pop3
access-list 101 extended permit ip any host 123.124.10.33
access-list 101 extended permit icmp any any
access-list 101 extended permit tcp any host 61.50.220.50 eq telnet
access-list 102 extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 172.16.1.0 255.255.255.0
nat (inside) 10 192.168.1.0 255.255.255.0
static (inside,outside) tcp interface telnet 192.168.1.2 telnet netmask 255.255.255.255
static (inside,outside) 123.124.10.33 192.168.1.13 netmask 255.255.255.255 dns
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 61.50.220.50 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username cisco password 3USUcOPFUiMCO4Jk encrypted
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8d068ef288ac87a931be0633f63c429c
: end

Switch configuration:

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname masterswitch
!
enable secret 5 $1$G4g3$e/d6Co33we5VtbUqKwQSo.
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan20
 ip address 172.16.1.1 255.255.255.0
!
ip classless
ip http server
!
!
!
control-plane
!
!
line con 0
 password 123
 login
line vty 0 4
 password 123456
 login
line vty 5 15
 login
!
end