Нарисовалась проблема - внутри сетки стоит Exchange c внутренним ip 10.122.113.14, надо разрешить ему принимать почту из вне. Вроде все прописал, но почему-то выдает следующее:
ASAFirewall# packet-tracer input outside tcp 89.127.90.100 smtp 89.127.90.97 smtp detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp 89.127.90.97 smtp 10.122.113.14 smtp netmask 255.255.255.255
match tcp inside host 10.122.113.14 eq 25 outside any
static translation to 89.127.90.97/25
translate_hits = 0, untranslate_hits = 148
Additional Information:
NAT divert to egress interface inside
Untranslate 89.127.90.97/25 to 10.122.113.14/25 using netmask 255.255.255.255
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 89.127.90.97 255.255.255.255 identity
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x44eba60, priority=0, domain=permit, deny=true
hits=1412, user_data=0x9, cs_id=0x0, flags=0x1000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
вот ACL-ки
access-list HMCIS_GROUP_splitTunnelAcl standard permit 10.122.112.64 255.255.255.192
access-list HMCIS_GROUP_splitTunnelAcl standard permit 10.122.112.128 255.255.255.128
access-list HMCIS_GROUP_splitTunnelAcl standard permit 10.122.113.0 255.255.255.0
access-list HMCIS_GROUP_splitTunnelAcl standard permit 10.122.114.0 255.255.255.0
access-list HMCIS_GROUP_splitTunnelAcl standard permit 10.122.115.0 255.255.255.0
access-list HMCIS_GROUP_splitTunnelAcl standard permit 10.122.112.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.122.112.64 255.255.255.192 10.122.112.32 255.255.255.240
access-list inside_nat0_outbound extended permit ip 10.122.112.128 255.255.255.128 10.122.112.32 255.255.255.240
access-list inside_nat0_outbound extended permit ip 10.122.113.0 255.255.255.0 10.122.112.32 255.255.255.240
access-list inside_nat0_outbound extended permit ip 10.122.114.0 255.255.255.0 10.122.112.32 255.255.255.240
access-list inside_nat0_outbound extended permit ip 10.122.115.0 255.255.255.0 10.122.112.32 255.255.255.240
access-list inside_nat0_outbound extended permit ip 10.122.112.0 255.255.255.224 10.122.112.32 255.255.255.240
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list HKMC_nat0_outbound extended permit ip any 10.122.112.32 255.255.255.240
access-list HMCIS_splitTunnelAcl standard permit any
access-list outside_in extended permit tcp any host 89.127.90.97 eq smtp
access-list outside_in extended permit icmp any any
access-group outside_in in interface outside
вот NAT
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.122.112.64 255.255.255.192
nat (inside) 1 10.122.112.128 255.255.255.128
nat (inside) 1 10.122.113.0 255.255.255.0
nat (inside) 1 10.122.114.0 255.255.255.0
nat (inside) 1 10.122.115.0 255.255.255.0
static (inside,outside) tcp 89.127.90.97 smtp 10.122.113.14 smtp netmask 255.255.255.255
подскажите в чем может быть проблема? А то я что-то никак не соображу...
Вариант для распечатки
Маршрутизаторы CISCO и др. оборудование. (Public)
(ok) on 07-Май-08, 12:52 
