5578 views, 0 helpful, 4 replies

firewall transparent question

CSCO11269440
Level 1
This post was last edited by CSCO11269440 on 2015-8-17 18:03
Fellow professionals, has anyone run into this: after upgrading an ASA from version 7.2.2 to 9.2.4,
the existing Exchange server can no longer be reached?
The configuration was upgraded step by step, 7.2.2 -> 8.0 -> 8.2 -> 9.0 -> 9.2.4,
with no changes to the settings; on the new ASA 5525-X it has this problem,
while switching back to the original ASA 5510 the Exchange server works normally.
firewall transparent
hostname ciscoasa
domain-name default.domain.invalid
names
name 10.102.0.15 wtctw-lums description Lumension DC server
!
interface GigabitEthernet0/0
speed 1000
duplex full
nameif outside
bridge-group 1
security-level 0
!
interface GigabitEthernet0/1
speed 1000
duplex full
nameif inside
bridge-group 1
security-level 100
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
!
interface GigabitEthernet0/6
description LAN Failover Interface
!
interface GigabitEthernet0/7
description STATE Failover Interface
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
!
interface BVI1
ip address 221.221.221.241 255.255.0.0 standby 221.221.221.242
!
boot system disk0:/asa924-smp-k8.bin
ftp mode passive
clock timezone UTC 8
dns server-group DefaultDNS
domain-name default.domain.invalid
object network wtctw-lums
host 10.102.0.15
description Lumension DC server
object-group service VOIP tcp-udp
port-object range sip sip
port-object range 10000 20000
object-group network WebPOSServerGroup
description WebPOS Servers
network-object host 221.221.221.16
network-object host 221.221.221.17
network-object host 221.221.221.81
network-object host 221.221.221.84
network-object host 221.221.221.90
network-object host 10.102.0.119
network-object host 10.102.0.73
network-object host 10.102.0.72
object-group service EService tcp
description EService
port-object range 81 81
port-object eq www
object-group service RSM_3000_3002 tcp
description RSIM Certificate request
port-object range 3000 3000
port-object range 3002 3002
object-group network WebPOS_Download
description WebPOS Download Servers
network-object host 221.221.221.48
network-object host 221.221.221.81
network-object host 221.221.221.82
object-group service FIN-WEBSVR tcp
description FOR DC WEB Service Maintain
port-object eq www
object-group service DataGaurd-TCP tcp
description Oracle DataGaurd TCP
port-object eq sqlnet
port-object eq sunrpc
object-group service Portal-HTTPS tcp
description Portal & HTTPS Service
port-object eq www
port-object eq https
object-group network RetelixServer
description Retelix AP Servers
network-object host 10.102.0.112
network-object host 10.102.0.111
network-object host 10.102.0.113
network-object host 10.102.0.114
network-object host 10.102.0.124
object-group network ExchangeServers
description Exchange Servers
network-object host 221.221.221.2
network-object host 221.221.221.6
object-group network HKIPGroup
description HK IP Group
network-object 10.32.0.0 255.254.0.0
network-object 172.28.0.0 255.255.0.0
network-object 172.40.0.0 255.255.0.0
network-object 10.39.0.0 255.255.0.0
object-group network TS_Group
description for terminal service
network-object host 10.102.8.2
network-object host 10.102.8.26
network-object host 10.102.10.99
network-object host 10.102.8.169
object-group network EServiceSrv
description E-Service Servers
network-object host 10.102.0.101
network-object host 10.102.0.102
network-object host 10.102.0.103
network-object host 10.102.0.110
object-group network RDSrv_EMIS
description Remote Desktiop for EMIS
network-object host 10.102.0.119
network-object 10.102.8.224 255.255.255.248
network-object host 221.221.221.47
network-object host 221.221.221.81
network-object host 221.221.221.91
network-object 10.102.8.220 255.255.255.252
object-group network all_store
network-object 10.200.0.0 255.248.0.0
network-object host 10.102.64.17
object-group network warehouse
network-object 10.102.64.0 255.255.254.0
object-group network allow_group
group-object all_store
group-object warehouse
object-group network RDSrv_FUJITSU
description RDSrv for FUJITSU
network-object host 10.102.0.122
network-object host 221.221.221.47
network-object host 221.221.221.81
network-object host 10.102.0.114
network-object host 10.102.0.111
network-object host 10.102.0.112
network-object host 10.102.0.124
object-group network FTP_Server
description internal FTP Server
network-object host 10.102.0.12
network-object host 10.102.32.11
object-group service VoIP_Pharmacist tcp-udp
description For Pharmacist, Owner : Richard Xia
port-object range sip sip
port-object range 5070 5070
port-object range 8080 8081
object-group network BOService
description BO Service
network-object host 10.102.0.141
network-object host 10.102.0.212
network-object host 10.102.0.211
object-group network Infinity
description Infinity Project Access
network-object 10.97.221.160 255.255.255.224
network-object 10.98.32.0 255.255.254.0
network-object 10.98.34.0 255.255.255.0
network-object 10.99.14.0 255.255.255.0
object-group network EHR_Server
description EHR, EHR-TEST
network-object host 10.102.0.158
network-object host 221.221.221.44
object-group network httpsrv
description http service
network-object host 10.102.0.113
network-object host 10.102.0.126
object-group service HTTP-8080 tcp
port-object range 8080 8080
object-group service FTP_Group_Port tcp
description For wtctwisa01 FTP
port-object eq ftp
port-object range 5500 5600
object-group network TaiZhong-Office
description TaiZhone Security, IA
network-object 10.204.109.0 255.255.255.0
object-group network DNSSrv
description DNS Server
network-object host 10.102.0.77
network-object host 10.102.0.78
network-object host 221.221.221.26
object-group network DC-IT
description DC IT
network-object host 10.102.65.18
network-object host 10.102.65.19
network-object host 10.102.65.20
object-group service TFS tcp
description Team Fundition Server
port-object range 8080 8080
port-object eq www
port-object range 3389 3389
access-list 101 remark Ping All Servers Allow
access-list 101 extended permit icmp any any
access-list 101 remark Easy-Card For FTP
access-list 101 extended permit ip any host 172.16.14.1
access-list 101 remark TW to HK
access-list 101 extended permit ip any object-group HKIPGroup
access-list 101 remark HK to TW
access-list 101 extended permit ip object-group HKIPGroup any
access-list 101 remark Store DNS Service
access-list 101 extended permit udp object-group all_store object-group DNSSrv eq domain
access-list 101 remark RSIM Certificate Request
access-list 101 extended permit tcp object-group all_store host 221.221.221.47 object-group RSM_3000_3002
access-list 101 remark Refund, StoD server for Store's
access-list 101 extended permit tcp object-group all_store object-group httpsrv eq www
access-list 101 remark CRM Test
access-list 101 extended permit tcp object-group all_store host 10.102.8.137 eq 5555
access-list 101 remark Retelix AP Server
access-list 101 extended permit tcp object-group all_store object-group RetelixServer eq 5555
access-list 101 remark EService For Venny's System(HTTP,WebService)
access-list 101 extended permit tcp object-group allow_group object-group EServiceSrv object-group EService
access-list 101 remark Easy Flow
access-list 101 extended permit tcp object-group allow_group host 221.221.221.8 eq www
access-list 101 remark Portal & IISAdmin
access-list 101 extended permit tcp object-group allow_group host 221.221.221.32 object-group Portal-HTTPS
access-list 101 remark WebPOS Service
access-list 101 extended permit tcp object-group allow_group object-group WebPOSServerGroup eq www
access-list 101 remark For push mail, mobile.watsons.com.tw
access-list 101 extended permit tcp object-group all_store host 221.221.221.43 object-group Portal-HTTPS
access-list 101 remark SIP 070 to PBX
access-list 101 extended permit ip 61.56.196.128 255.255.255.224 host 10.102.15.201 inactive
access-list 101 remark Exchange 2003
access-list 101 extended permit ip object-group allow_group object-group ExchangeServers
access-list 101 remark SSL-VPN Service
access-list 101 extended permit tcp object-group allow_group host 10.102.0.7 eq https
access-list 101 remark Exchange OWA Service
access-list 101 extended permit tcp object-group allow_group host 221.221.221.4 eq https
access-list 101 remark EHR System
access-list 101 extended permit tcp object-group allow_group object-group EHR_Server eq www
access-list 101 remark Warehouse attendence data import to EHR
access-list 101 extended permit tcp host 10.102.64.10 host 221.221.221.45 eq 1433
access-list 101 remark EPM
access-list 101 extended permit tcp object-group allow_group host 10.102.0.151 eq www
access-list 101 remark Warehouse to WINS FTP Server
access-list 101 extended permit tcp object-group warehouse object-group FTP_Server eq ftp
access-list 101 remark Connect to HO from DC via RD
access-list 101 extended permit tcp object-group warehouse object-group TS_Group eq 3389
access-list 101 remark SQL Connect(CRM)
access-list 101 extended permit tcp 139.175.66.0 255.255.255.224 host 10.102.0.131 eq 1433
access-list 101 remark FUJITZU - Remote Desktop
access-list 101 extended permit tcp 10.200.0.192 255.255.255.240 object-group RDSrv_FUJITSU eq 3389
access-list 101 remark EMIS - Refund BIT
access-list 101 extended permit tcp 10.200.0.224 255.255.255.248 host 10.102.0.127 eq www
access-list 101 remark EMIS - Remote Desktop
access-list 101 extended permit tcp 10.200.0.224 255.255.255.248 object-group RDSrv_EMIS eq 3389
access-list 101 remark For Warehouse SMS - DC IT
access-list 101 extended permit tcp object-group all_store object-group BOService eq 8080
access-list 101 remark imanage(Malaysia 10.98.32.0/23, 10.98.34.0/24, 10.99.14.0/24)
access-list 101 extended permit tcp object-group Infinity host 10.102.0.119 eq www
access-list 101 remark 2014/5/29 Mark Yeh appied for oracle client query
access-list 101 extended permit tcp object-group all_store host 221.221.221.17 eq 8080
access-list 101 extended permit tcp object-group all_store host 10.102.0.51 eq 8080
access-list 101 remark FTP Service
access-list 101 extended permit tcp object-group TaiZhong-Office host 10.102.0.51 object-group FTP_Group_Port
access-list 101 remark Websense WSG connect to HQ
access-list 101 extended permit ip 10.102.64.48 255.255.255.252 host 10.102.0.56
access-list 101 remark For mlearning.watsons.com.tw
access-list 101 extended permit tcp object-group all_store host 10.102.0.149 eq www
access-list 101 remark KC IDC VM to WTCTW VC
access-list 101 extended permit ip host 10.102.139.101 host 10.102.0.191
access-list 101 remark remark ALL_Store and WareHouse to Lumesion DC server, it is for USB device control
access-list 101 extended permit tcp object-group allow_group object wtctw-lums object-group Portal-HTTPS
access-list 101 remark 10.102.93.0 goto internet
access-list 101 extended permit ip 10.102.93.0 255.255.255.0 any
access-list 101 remark TFS Connect
access-list 101 extended permit tcp object-group DC-IT 10.102.0.46 255.255.255.254 object-group TFS
pager lines 24
logging enable
logging asdm informational
logging host inside 10.102.8.12
logging flash-bufferwrap
logging permit-hostdown
mtu outside 1500
mtu inside 1500
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/6
failover key *****
failover replication http
failover mac address BVI1 94de.8067.0fbc 94de.8067.0fbd
failover link state GigabitEthernet0/7
failover interface ip failover 192.168.1.1 255.255.255.252 standby 192.168.1.2
failover interface ip state 192.168.1.5 255.255.255.252 standby 192.168.1.6
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-743.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 221.221.221.249 1
route inside 10.102.0.0 255.255.240.0 221.221.221.254 1
route inside 221.221.0.0 255.255.0.0 221.221.221.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 221.221.0.0 255.255.0.0 inside
http 10.102.0.0 255.255.248.0 inside
http 10.102.8.0 255.255.248.0 inside
snmp-server host inside 221.221.221.19 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
sysopt connection tcpmss 0
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=221.221.221.241,CN=ciscoasa
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpool policy
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 220.130.158.52
ssl trust-point ASDM_Launcher_Access_TrustPoint_0
!
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
!
prompt hostname priority state
no call-home reporting anonymous
Cryptochecksum:36fb01739f4cbceed2a1f867bf4f7ee2
: end
1 accepted solution

Accepted solution

yanzha4
Spotlight
Quoting CSCO11269440 (posted 2015-10-16 16:47):
"I have already found the solution; a single command does it: arp permit-nonconnected"

arp permit-nonconnected
must be configured; after the configuration migration the default is no arp permit-nonconnected


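As an added check, not code from the thread or from Cisco: a small Python script that reads a transparent-mode ASA configuration like the one posted above and reports static routes to subnets outside the BVI subnet while arp permit-nonconnected is off, which is the condition the accepted answer points at. It assumes, as the accepted answer states, that a transparent ASA drops ARP for addresses not on a directly connected (BVI) subnet unless arp permit-nonconnected is set; the embedded config excerpt is constructed from lines in the post.

```python
import ipaddress

# Constructed excerpt: only the lines of the posted config that this check reads.
SAMPLE_CONFIG = """\
firewall transparent
interface BVI1
 ip address 221.221.221.241 255.255.0.0 standby 221.221.221.242
!
no arp permit-nonconnected
route outside 0.0.0.0 0.0.0.0 221.221.221.249 1
route inside 10.102.0.0 255.255.240.0 221.221.221.254 1
route inside 221.221.0.0 255.255.0.0 221.221.221.254 1
"""

def parse_asa(text):
    """Extract firewall mode, the ARP setting, BVI subnets and static routes."""
    cfg = {"transparent": False, "permit_nonconnected": False,
           "bvi_nets": [], "routes": []}
    in_bvi = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "firewall transparent":
            cfg["transparent"] = True
        elif line in ("arp permit-nonconnected", "no arp permit-nonconnected"):
            cfg["permit_nonconnected"] = not line.startswith("no ")
        elif line.startswith("interface ") or line == "!":
            in_bvi = line.upper().startswith("INTERFACE BVI")  # section tracking
        elif in_bvi and line.startswith("ip address "):
            ip, mask = line.split()[2:4]
            cfg["bvi_nets"].append(ipaddress.ip_network(f"{ip}/{mask}", strict=False))
        elif line.startswith("route "):
            ifname, net, mask, gw = line.split()[1:5]
            cfg["routes"].append((ifname, ipaddress.ip_network(f"{net}/{mask}", strict=False), gw))
    return cfg

def nonconnected_routes(cfg):
    """Static routes (default route excluded) to subnets outside every BVI subnet."""
    return [(ifname, str(net), gw) for ifname, net, gw in cfg["routes"]
            if net.prefixlen > 0
            and not any(net.subnet_of(bvi) for bvi in cfg["bvi_nets"])]

def check_nonconnected_arp(text):
    """Non-connected routed subnets whose ARP a transparent ASA drops while
    'arp permit-nonconnected' is off (the thread's assumption); [] = no finding."""
    cfg = parse_asa(text)
    if not cfg["transparent"] or cfg["permit_nonconnected"]:
        return []
    return nonconnected_routes(cfg)
```

Run against the full posted config the only finding is the 10.102.0.0/20 route on inside, and it disappears once arp permit-nonconnected replaces the no form.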
4 replies

weizh4
Cisco Employee
The configuration template changed after version 8.3. When asking a question, please describe the problem specifically, for example how it fails and what changed compared with before. Simply saying it does not work is hard to answer, because nobody knows your on-site environment.
Please compare your previous configuration against the changed configuration template and adjust it accordingly.

CSCO11269440
Level 1
Quoting weizh4 (posted 2015-10-9 15:43):
"The configuration template changed after version 8.3. When asking a question, please describe the problem specifically, for example how it fails and compared with before ..."

I have already found the solution; a single command does it: arp permit-nonconnected

pebao
Cisco Employee
If you have found the solution, please mark the post as solved :)