2 Cisco ASA 5510's, an Exchange Edge Server, a DMZ, and a minefield.


Problem description






Disclaimer
Before you ask why I don't just put everything on the 192.168.1.0/24 network, let me just say I do this at another person's will.

Info:
For purposes of this question I will refer to "Internal Network" as the 192.168.0.0/24 located on the inside interface of the internal ASA
Domain names and public IPs changed for protection of the client.
Domain names changed to domain, public IPs represented by xxx.xxx.xxx.###


Objective:
To Setup Edge/Web Services that can communicate through 2 ASA 5510's to the Internal network. Allowing me to use the Edge server on the perimeter
To be able to hit the internet from all network points.
To be able to ping internally from any location to any location but not outside_in
To be able to maintain remote access to the internal servers
To not be laughed at for not putting the servers on the inside of the external ASA (hehe)

From the DMZ to the "Internal Network" (the main challenge, not working)
DNS
ICMP
tcp/50389
udp/50636
SMTP (to the internal exchange server)

From the Internal Network to the DMZ (everything currently is working, but as other changes might cause this to close I will need the following)
ICMP
tcp/50389
udp/50636
HTTP
HTTPS
SMTP (from the internal exchange server)

All networks should have outbound access "outside" to the world

From the Outside in to the "internal network"
3389 (Working but if you have me change something elsewhere to break it, please fix it :))

From the outside to the DMZ
SMTP
http
https
(perhaps more later but for now this is it)

Current Status:
Currently I can ping into the DMZ from the Internal Network
From the DMZ I can ping to 192.168.1.2
I can see http from the internal network on the DMZ
All networks currently can browse the internet.
RDP all the way in to the Internal network, works.

I would like to point out that I will make it a point to post working configs once this is finished.
I also appreciate any help offered.


The External ASA

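The "From the DMZ to the Internal Network" list above is the part the poster says is not working. As an added example (not the poster's External ASA configuration and not any config from this thread), here is that policy written out as an access list on the internal ASA 5510, applied inbound on its DMZ-facing interface. Everything not on the page is an assumption: the DMZ subnet (192.168.1.0/24), the Edge server (192.168.1.10), the internal DNS server (192.168.0.5), the internal Exchange server (192.168.0.20), and the interface name "outside" on the internal unit. Protocols and ports are exactly as the question lists them.

```cisco
! Added example, not the poster's configuration: the "From the DMZ to the
! Internal Network" flows from the question as an access list on the
! INTERNAL ASA 5510, applied inbound on its DMZ-facing interface (assumed
! to be named "outside" on that unit). Ports are as the question lists them.
!
! Assumed addresses (the question does not give them):
!   DMZ subnet               192.168.1.0/24
!   Exchange Edge server     192.168.1.10
!   internal DNS server      192.168.0.5
!   internal Exchange server 192.168.0.20
!
object-group network DMZ_NET
 network-object 192.168.1.0 255.255.255.0
object-group network EDGE_SERVER
 network-object host 192.168.1.10
object-group network INTERNAL_NET
 network-object 192.168.0.0 255.255.255.0
object-group network INTERNAL_DNS
 network-object host 192.168.0.5
object-group network INTERNAL_EXCHANGE
 network-object host 192.168.0.20
!
! DNS: any DMZ host may query the internal resolver, and nothing else
access-list DMZ_IN extended permit udp object-group DMZ_NET object-group INTERNAL_DNS eq domain
access-list DMZ_IN extended permit tcp object-group DMZ_NET object-group INTERNAL_DNS eq domain
! ICMP: echo requests only, and only between the two internal-side networks;
! the outside ACL of the external ASA gets no ICMP permit at all
access-list DMZ_IN extended permit icmp object-group DMZ_NET object-group INTERNAL_NET echo
! EdgeSync ports and SMTP: from the Edge server to the internal Exchange
! server only, not from the whole DMZ to the whole internal network
access-list DMZ_IN extended permit tcp object-group EDGE_SERVER object-group INTERNAL_EXCHANGE eq 50389
access-list DMZ_IN extended permit udp object-group EDGE_SERVER object-group INTERNAL_EXCHANGE eq 50636
access-list DMZ_IN extended permit tcp object-group EDGE_SERVER object-group INTERNAL_EXCHANGE eq smtp
! Everything else from the DMZ is dropped and logged. The ASA denies it
! anyway (lower to higher security level); the explicit line makes the
! hits visible in the syslog and in "show access-list DMZ_IN"
access-list DMZ_IN extended deny ip any any log
!
access-group DMZ_IN in interface outside
!
! Stateful ICMP: echo replies for pings started from the inside return
! through the connection table, so DMZ_IN needs no echo-reply permit
policy-map global_policy
 class inspection_default
  inspect icmp
```

Two things to check when a DMZ-to-internal flow still fails after the access list is in place. First, on pre-8.3 software, if the internal ASA translates inside addresses toward the DMZ (dynamic NAT or PAT on the inside interface), a connection from the DMZ to an internal host's real address also needs a static (identity) translation for that host, or the unit drops the packet with a "No translation group found" syslog regardless of the ACL; on 8.3 and later the NAT model changed and the access list must reference the real addresses. Second, `packet-tracer input outside tcp 192.168.1.10 12345 192.168.0.20 25` (and `packet-tracer input outside icmp 192.168.1.10 8 0 192.168.0.20` for ping) walks a synthetic packet through the ACL, NAT and inspection phases and names the phase that drops it, which is faster than guessing which of the two ASAs is the problem.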

Solution

Just out of curiosity, why do you want to allow ICMP inbound? That's a security issue that you'll probably want to avoid... it's generally not a good idea unless there's something specific you're doing that for


I don't, it's only internal. Not from the outside in.


Hmm, maybe I'm not reading this right - what do you still need help with? What's not working?

