minimax
20-07-2009, 11:11
السلام عليكم ورحمة الله,
خلينا نشوف التبولوجي هذه
https://img148.imageshack.us/img148/3443/cisco.jpg
في web server إسمه www.cisco.com (https://www.cisco.com) و IP تبعه 10.0.0.100
في عندنا inside users وبيستخدموا DNS server موجود على الإنترنت وهو 20.20.20.3
في موجود على الفايروال static translation عشان outside users يقدروا يتواصلوا مع web server
outside users بيدخلوا ل web server عن طريق public ip وهو 20.20.20.100
static (inside,outside) 20.20.20.100 10.0.0.100 netmask 255.255.255.255
outside users بيقدر يتواصل مع web server بدون أي مشاكل
outside#ping www.cisco.com (https://www.cisco.com)
Translating "www.cisco.com"...domain server (20.20.20.3) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/45/136 ms
outside#
بس inside users ما بيقدروا لأنه بيجيهم IP 20.20.20.100 بدلا من 10.0.0.100
inside#ping www.cisco.com (https://www.cisco.com)
Translating "www.cisco.com"...domain server (20.20.20.3) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.100, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
inside#
في pix واضح هذا الشئ أنه inside users بيحاولوا يوصلوا لي 20.20.20.100
%PIX-7-609001: Built local-host outside:20.20.20.100
%PIX-6-305011: Built dynamic ICMP translation from inside:10.0.0.2/3 to outside:20.20.20.1/1
%PIX-6-302020: Built outbound ICMP connection for faddr 20.20.20.100/0 gaddr 20.20.20.1/1 laddr 10.0.0.2/3
%PIX-6-302021: Teardown ICMP connection for faddr 20.20.20.100/0 gaddr 20.20.20.1/1 laddr 10.0.0.2/3
الحل هو بإضافة كلمة DNS ل static translation
static (inside,outside) 20.20.20.100 10.0.0.100 netmask 255.255.255.255 dns
ping نجح لأنه firewall صار يشوف request dns هي جايه من أي إتجاه وبيغيرها إذا كانت من inside ل 10.0.0.100
inside#ping www.cisco.com (https://www.cisco.com)
Translating "www.cisco.com"...domain server (20.20.20.3) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/36/124 ms
inside#
ما في شئ يوضح انه inside users حاولوا يوصلوا ل 20.20.20.100
%PIX-7-609001: Built local-host inside:10.0.0.2
%PIX-7-609001: Built local-host outside:20.20.20.3
%PIX-6-305011: Built dynamic UDP translation from inside:10.0.0.2/62412 to outside:20.20.20.1/1028
%PIX-6-302015: Built outbound UDP connection 14 for outside:20.20.20.3/53 (20.20.20.3/53) to inside:10.0.0.2/62412 (20.20.20.1/1028)
%PIX-6-302016: Teardown UDP connection 14 for outside:20.20.20.3/53 to inside:10.0.0.2/62412 duration 0:00:00 bytes 78
%PIX-7-609002: Teardown local-host outside:20.20.20.3 duration 0:00:00
%PIX-6-305012: Teardown dynamic UDP translation from inside:10.0.0.2/62412 to outside:20.20.20.1/1028 duration 0:00:30
%PIX-7-609002: Teardown local-host inside:10.0.0.2 duration 0:00:30
خلينا نشوف التبولوجي هذه
https://img148.imageshack.us/img148/3443/cisco.jpg
في web server إسمه www.cisco.com (https://www.cisco.com) و IP تبعه 10.0.0.100
في عندنا inside users وبيستخدموا DNS server موجود على الإنترنت وهو 20.20.20.3
في موجود على الفايروال static translation عشان outside users يقدروا يتواصلوا مع web server
outside users بيدخلوا ل web server عن طريق public ip وهو 20.20.20.100
static (inside,outside) 20.20.20.100 10.0.0.100 netmask 255.255.255.255
outside users بيقدر يتواصل مع web server بدون أي مشاكل
outside#ping www.cisco.com (https://www.cisco.com)
Translating "www.cisco.com"...domain server (20.20.20.3) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/45/136 ms
outside#
بس inside users ما بيقدروا لأنه بيجيهم IP 20.20.20.100 بدلا من 10.0.0.100
inside#ping www.cisco.com (https://www.cisco.com)
Translating "www.cisco.com"...domain server (20.20.20.3) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.100, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
inside#
في pix واضح هذا الشئ أنه inside users بيحاولوا يوصلوا لي 20.20.20.100
%PIX-7-609001: Built local-host outside:20.20.20.100
%PIX-6-305011: Built dynamic ICMP translation from inside:10.0.0.2/3 to outside:20.20.20.1/1
%PIX-6-302020: Built outbound ICMP connection for faddr 20.20.20.100/0 gaddr 20.20.20.1/1 laddr 10.0.0.2/3
%PIX-6-302021: Teardown ICMP connection for faddr 20.20.20.100/0 gaddr 20.20.20.1/1 laddr 10.0.0.2/3
الحل هو بإضافة كلمة DNS ل static translation
static (inside,outside) 20.20.20.100 10.0.0.100 netmask 255.255.255.255 dns
ping نجح لأنه firewall صار يشوف request dns هي جايه من أي إتجاه وبيغيرها إذا كانت من inside ل 10.0.0.100
inside#ping www.cisco.com (https://www.cisco.com)
Translating "www.cisco.com"...domain server (20.20.20.3) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/36/124 ms
inside#
ما في شئ يوضح انه inside users حاولوا يوصلوا ل 20.20.20.100
%PIX-7-609001: Built local-host inside:10.0.0.2
%PIX-7-609001: Built local-host outside:20.20.20.3
%PIX-6-305011: Built dynamic UDP translation from inside:10.0.0.2/62412 to outside:20.20.20.1/1028
%PIX-6-302015: Built outbound UDP connection 14 for outside:20.20.20.3/53 (20.20.20.3/53) to inside:10.0.0.2/62412 (20.20.20.1/1028)
%PIX-6-302016: Teardown UDP connection 14 for outside:20.20.20.3/53 to inside:10.0.0.2/62412 duration 0:00:00 bytes 78
%PIX-7-609002: Teardown local-host outside:20.20.20.3 duration 0:00:00
%PIX-6-305012: Teardown dynamic UDP translation from inside:10.0.0.2/62412 to outside:20.20.20.1/1028 duration 0:00:30
%PIX-7-609002: Teardown local-host inside:10.0.0.2 duration 0:00:30