山上有懂CISCO的产品经理需要懂技术吗,求教些问题

需求是内网192.168.0.0网段的PC要能够访问Cisco防火墙5520右侧的20.0.0.0和172.168.1.0网段。右侧的设备是新上的,目前右侧设备到5520之间都可以PING通,但核心3750 PING Cisco 0/1口10.0.0.1可以通,PING 0/2口20.0.0.1就是不通。我在3750上看到到5520的路由是有的,但不知道为什么就是不通。
各位高手帮忙看看我的配置到底哪里错了,该如何修改?
Cisco5520防火墙配置:
ciscoasa(config)# show run
! Cisco ASA 5520 on 8.0(3): the pre-8.3 NAT model (nat/global/static) applies to everything below.
ASA Version 8.0(3)
hostname ciscoasa
! NOTE(review): this hash (and the identical `passwd` hash further down) is now public in this thread; rotate both.
enable password /QEun7x4VZo9K.c4 encrypted
! outside: internet-facing, lowest security level.
interface GigabitEthernet0/0
nameif outside
security-level 0
! NOTE(review): redacted here, but the later pastes of the same box show 59.108.32.194, and the
! static/global lines below expose the rest of the /28 anyway - redact consistently or not at all.
ip address 59.108.X.X 255.255.255.240
! inside: point-to-point link to the 3750 core (10.0.0.2), which is the next hop for 192.168.0.0/16.
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
! dmz: the newly added network, set to the SAME level as inside (a later reply notes the default was 50).
! Two interfaces at equal security level only forward to each other when
! `same-security-traffic permit inter-interface` is configured; this paste still has that line.
! NOTE(review): the failing test in the original post is a ping from inside to 20.0.0.1, the ASA's own dmz
! address. The ASA does not answer ICMP sent to one of its interface addresses that arrives on a
! different interface (documented ASA behaviour), so that ping fails even when forwarding works;
! test against a host behind dmz (e.g. 20.0.0.2) instead.
interface GigabitEthernet0/2
nameif dmz
security-level 100
ip address 20.0.0.1 255.255.255.0
interface GigabitEthernet0/3
no security-level
no ip address
! Dedicated management port with no address; the `http ... management` entry below is unreachable until it gets one.
interface Management0/0
nameif management
security-level 100
no ip address
management-only
passwd /QEun7x4VZo9K.c4 encrypted
ftp mode passive
! Required here: inside and dmz are both security-level 100 and would otherwise not forward to each other.
same-security-traffic permit inter-interface
! Hairpinning (enter and leave on the same interface); not needed for inside->dmz.
same-security-traffic permit intra-interface
! acl_out is bound inbound on outside (access-group below): this is what the internet may reach.
! NOTE(review): `permit icmp any any` admits every ICMP type from the internet to any translated host;
! echo-reply / unreachable / time-exceeded is normally enough once `inspect icmp` is enabled.
access-list acl_out extended permit icmp any any
! NOTE(review): `permit ip ... host` exposes every port of the statically mapped internal machines
! (192.168.1.3, 192.168.2.15, 192.168.2.10 per the static lines below); restrict to the published services.
access-list acl_out extended permit ip any host 59.108.32.196
access-list acl_out extended permit ip any host 59.108.32.198
access-list acl_out extended permit tcp any host 59.108.32.197
access-list acl_out extended permit tcp any host 59.108.32.195
access-list acl_out extended permit ip any host 59.108.32.201
access-list acl_out extended permit ip any host 59.108.32.200
access-list acl_out extended permit ip any host 59.108.32.202
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
! Pre-8.3 NAT: nat id 1 on inside and on dmz is paired only with `global (outside)` pools.
global (outside) 1 interface
global (outside) 2 59.108.32.195 netmask 255.255.255.255
global (outside) 2 59.108.32.196 netmask 255.255.255.255
global (outside) 2 59.108.32.198 netmask 255.255.255.255
global (outside) 2 59.108.32.201 netmask 255.255.255.255
global (outside) 2 59.108.32.202 netmask 255.255.255.255
! NOTE(review): there is no `global (dmz)` / `global (inside)` for id 1 and no `nat ... 0 access-list`
! exemption, so an inside->dmz flow matches `nat (inside) 1` but has no translation for the dmz egress.
! On this code train that is expected to be dropped ("no translation group found") rather than forwarded,
! which fits the symptom - confirm with `packet-tracer input inside icmp <inside-host> 8 0 20.0.0.2`
! and `show asp drop`.
nat (inside) 1 10.0.0.0 255.255.255.0
nat (inside) 1 192.168.0.0 255.255.0.0
nat (dmz) 1 20.0.0.0 255.255.255.0
nat (dmz) 1 172.168.1.0 255.255.255.0
! 1:1 public->private mappings; together with acl_out they make these hosts reachable from the internet.
static (inside,outside) 59.108.32.198 192.168.1.3 netmask 255.255.255.255
static (inside,outside) 59.108.32.195 192.168.1.129 netmask 255.255.255.255
static (inside,outside) 59.108.32.196 192.168.2.15 netmask 255.255.255.255
static (inside,outside) 59.108.32.201 192.168.2.10 netmask 255.255.255.255
static (dmz,outside) 59.108.32.202 20.0.0.2 netmask 255.255.255.255
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 59.108.32.193 1
! NOTE(review): 172.168.1.0/24 and 20.0.0.0/24 are public address space (RFC 1918 private space is
! 10/8, 172.16/12 and 192.168/16); using them internally black-holes those real internet destinations.
route dmz 172.168.1.0 255.255.255.0 20.0.0.2 1
route inside 192.168.0.0 255.255.0.0 10.0.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
! ASDM/HTTPS management is open to ANY source address on inside and on outside (the internet).
! NOTE(review): restrict both entries to the management hosts/subnets; the management-interface
! entry is unusable until Management0/0 has an address.
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! Cleartext Telnet allowed from any address, including on the outside interface.
! NOTE(review): remove the outside entry (the ASA refuses Telnet on its lowest-security interface anyway),
! narrow inside to management hosts, or drop Telnet in favour of SSH.
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
! SSH allowed from any address on both interfaces; restrict to management sources.
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
! NOTE(review): SSH protocol 1 is cryptographically broken; use `ssh version 2`.
ssh version 1
! Console session never times out.
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
! Modular Policy Framework: default inspection class applied globally.
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
&&message-length maximum 512
! NOTE(review): `inspect icmp` is absent in this paste (it appears in the later ones). Without it ICMP
! through the ASA is not tracked as a connection, so replies need an explicit ACL permit on the return interface.
policy-map global_policy
class inspection_default
&&inspect dns migrated_dns_map_1
&&inspect ftp
&&inspect rsh
&&inspect rtsp
&&inspect esmtp
&&inspect sqlnet
&&inspect skinny
&&inspect sunrpc
&&inspect xdmcp
&&inspect sip
&&inspect netbios
&&inspect tftp
&&inspect pptp
service-policy global_policy global
prompt hostname context
Cryptochecksum:b6bfe0149
ciscoasa(config)#
Cisco3750核心交换配置:
3750#show run
Building configuration...
Current configuration : 4913 bytes
! Catalyst 3750G core switch, IOS 12.2: inter-VLAN router for 192.168.x.0/24 and the ASA's inside neighbour.
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
! NOTE(review): with password encryption off, the enable and vty passwords below sit in cleartext in
! `show run` and are now public in this thread. Enable `service password-encryption`, replace
! `enable password` with `enable secret`, and rotate all three passwords.
no service password-encryption
hostname 3750
enable password Xfkasa!
! No AAA: authentication is per-line passwords only (see the vty lines at the end of the config).
no aaa new-model
switch 1 provision ws-c3750g-24ts-1u
system mtu routing 1500
ip subnet-zero
! Layer-3 switching on: the SVIs below route between VLANs.
ip routing
no ip domain-lookup
! First 30 addresses of each user VLAN kept out of DHCP for static assignment.
ip dhcp excluded-address 192.168.2.2 192.168.2.30
ip dhcp excluded-address 192.168.3.2 192.168.3.30
ip dhcp excluded-address 192.168.4.2 192.168.4.30
ip dhcp excluded-address 192.168.5.2 192.168.5.30
! One local pool per user VLAN (20/30/40/50); DNS servers live in VLAN 10 (192.168.1.0/24).
ip dhcp pool vlan20-pool
& &network 192.168.2.0 255.255.255.0
& &default-router 192.168.2.1
& &dns-server 192.168.1.253 192.168.1.246
ip dhcp pool vlan30-pool
& &network 192.168.3.0 255.255.255.0
& &default-router 192.168.3.1
& &dns-server 192.168.1.253 192.168.1.246
ip dhcp pool vlan40-pool
& &network 192.168.4.0 255.255.255.0
& &default-router 192.168.4.1
& &dns-server 192.168.1.253 192.168.1.246
ip dhcp pool vlan50-pool
& &network 192.168.5.0 255.255.255.0
& &default-router 192.168.5.1
& &dns-server 192.168.1.253 192.168.1.246
! NOTE(review): an external DHCP server reference alongside local pools; how the two interact is not
! clear from this paste - confirm which one actually serves the user VLANs.
ip dhcp-server 192.168.1.252
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
! Routed uplink to the ASA inside interface (10.0.0.1).
interface GigabitEthernet1/0/1
no switchport
ip address 10.0.0.2 255.255.255.0
! Gi1/0/2-12: access ports in VLAN 10 (192.168.1.0/24, where the DNS servers sit).
interface GigabitEthernet1/0/2
switchport access vlan 10
switchport mode access
interface GigabitEthernet1/0/3
switchport access vlan 10
switchport mode access
interface GigabitEthernet1/0/4
switchport access vlan 10
switchport mode access
interface GigabitEthernet1/0/5
switchport access vlan 10
switchport mode access
interface GigabitEthernet1/0/6
switchport access vlan 10
switchport mode access
interface GigabitEthernet1/0/7
switchport access vlan 10
switchport mode access
interface GigabitEthernet1/0/8
switchport access vlan 10
switchport mode access
interface GigabitEthernet1/0/9
switchport access vlan 10
switchport mode access
! NOTE(review): the only DHCP-snooping statement in the paste; no global `ip dhcp snooping` line is
! visible, so this rate limit has no effect unless snooping is enabled elsewhere - confirm.
ip dhcp snooping limit rate 100
interface GigabitEthernet1/0/10
switchport access vlan 10
switchport mode access
interface GigabitEthernet1/0/11
switchport access vlan 10
switchport mode access
interface GigabitEthernet1/0/12
switchport access vlan 10
switchport mode access
! Gi1/0/13-24: user ports in VLAN 20; only Gi1/0/21 has `switchport mode access` pinned, the others
! are left at the default negotiation mode.
interface GigabitEthernet1/0/13
switchport access vlan 20
interface GigabitEthernet1/0/14
switchport access vlan 20
interface GigabitEthernet1/0/15
switchport access vlan 20
interface GigabitEthernet1/0/16
switchport access vlan 20
interface GigabitEthernet1/0/17
switchport access vlan 20
interface GigabitEthernet1/0/18
switchport access vlan 20
interface GigabitEthernet1/0/19
switchport access vlan 20
interface GigabitEthernet1/0/20
switchport access vlan 20
interface GigabitEthernet1/0/21
switchport access vlan 20
switchport mode access
interface GigabitEthernet1/0/22
switchport access vlan 20
interface GigabitEthernet1/0/23
switchport access vlan 20
interface GigabitEthernet1/0/24
switchport access vlan 20
! SFP uplink slots, unconfigured.
interface GigabitEthernet1/0/25
interface GigabitEthernet1/0/26
interface GigabitEthernet1/0/27
interface GigabitEthernet1/0/28
! SVIs: one gateway per VLAN.
! NOTE(review): hosts are addressed in VLAN 1 (the default VLAN); keeping user traffic out of VLAN 1 is
! the usual recommendation.
interface Vlan1
ip address 192.168.0.1 255.255.255.0
! VLAN 10 (servers/DNS) carries no ACL, so it is reachable from every other VLAN.
interface Vlan10
ip address 192.168.1.1 255.255.255.0
! VLANs 20-50: user VLANs. The outbound ACL on each SVI (102-105 below) drops traffic sourced from the
! other three user subnets, so users are isolated from each other but not from VLAN 1 or VLAN 10.
interface Vlan20
ip address 192.168.2.1 255.255.255.0
ip access-group 102 out
interface Vlan30
ip address 192.168.3.1 255.255.255.0
ip access-group 103 out
interface Vlan40
ip address 192.168.4.1 255.255.255.0
ip access-group 104 out
interface Vlan50
ip address 192.168.5.1 255.255.255.0
ip access-group 105 out
ip classless
! Default route and the 20.0.0.0/24 route both point at the ASA inside address, so the specific route is
! redundant with the default (harmless); 172.168.1.0/24 is likewise covered by the default.
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip route 20.0.0.0 255.255.255.0 10.0.0.1
! Host routes for two VLAN 10 addresses via 192.168.1.3 (the host the ASA maps to 59.108.32.198).
ip route 192.168.1.4 255.255.255.255 192.168.1.3
ip route 192.168.1.5 255.255.255.255 192.168.1.3
! NOTE(review): cleartext HTTP management on the core; prefer `no ip http server` plus
! `ip http secure-server`, limited with `ip http access-class`.
ip http server
! 102-105: per-VLAN isolation, each applied outbound on the matching SVI. Each list denies the other
! three user subnets and permits everything else (wildcard masks). The `& &` in the text appears to be
! forum mangling of the original whitespace.
access-list 102 deny& &ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 deny& &ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 deny& &ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip any any
access-list 103 deny& &ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 103 deny& &ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 103 deny& &ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 103 permit ip any any
access-list 104 deny& &ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 104 deny& &ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 104 deny& &ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 104 permit ip any any
access-list 105 deny& &ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 105 deny& &ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 105 deny& &ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 105 permit ip any any
control-plane
line con 0
logging synchronous
! NOTE(review): the two vty ranges use different cleartext line passwords, and no `login`,
! `transport input` or `access-class` statements are visible in this paste - confirm that password
! checking is actually enforced, restrict the vtys to SSH, and limit them to management addresses.
line vty 0 4
password Xfkasa!
logging synchronous
line vty 5 15
password Xfk3750
还没人么?
你的图挂了,不要用外链的,直接本地上传,最好有完整的拓扑跟需求。
已经更新拓扑图了,本地上传的,再看下
policy-map global_policy
class inspection_default
&&inspect icmp
你加上这句话再试试看。注:这句命令是加在下面这段里的:policy-map global_policy
class inspection_default
&&inspect dns migrated_dns_map_1
&&inspect ftp
&&inspect rsh
&&inspect rtsp
&&inspect esmtp
&&inspect sqlnet
&&inspect skinny
&&inspect sunrpc
&&inspect xdmcp
&&inspect sip
&&inspect netbios
&&inspect tftp
&&inspect pptp
你这个配置里的前几行是直接拷过去的,你加入的时候只需要拷前两行,最后一行的两个单词自己添加进去。
引用:原帖由 yahooocomcn 于
12:35 发表
policy-map global_policy
class inspection_default
&&inspect icmp
你加上这句话再试试看,,注:这句命令是从,,policy-map global_policy
class inspection_default
&&inspect dns migrated_dns_map_1
&&inspect ftp
&&i ... inspect icmp是不是只是解决ping问题,如果192网段的机器还要访问172网段机器的其它服务还需要在单独开其它的端口?
引用:原帖由 love7yoyo 于
13:13 发表
inspect icmp是不是只解决ping问题?如果192网段的机器还要访问172网段机器的其它服务,还需要单独开放其它端口吗? 当高安全级别往低安全级别走的时候,数据包是可以过去的,但是当数据包从低安全级别回来的时候就会被防火墙DENY掉,所以这时需要人工手动放行。有些协议可以像上面那样放行,有些你必须写ACL,然后在DMZ的入口调用。(例如放行TCP,可以这样写:access-list tcp permit tcp any any ,access-group tcp in int dmz),这样就可以放行TCP了,其他协议照这个方法就行。如果你嫌这样麻烦,也可以直接写一条 access-list any permit ip any any 放行所有流量,然后在DMZ口调用。
引用:原帖由 yahooocomcn 于
13:22 发表
当高安全级别往低安全级别走的时候,,数据包是可以过去的,,但是当数据包从低安全级别回来的时候就会被防火墙DENY掉,,所以这时需要人工手动放行,,有些协议可以像刚才上面那样放行,,有些你必需写 ACL,,然后在DMZ的进口来调用,,(例如放 ... 还是不通,我现在把能去的都去掉了,保留原始配置
要实现192.168.0.0网段对20.0.0.0和172.168.1.0网段的访问,全部访问不限制,应该如何加啊?
Cisco5520路由表:
ciscoasa(config)# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
& && & D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
& && & N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
& && & E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
& && & i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
& && & * - candidate default, U - per-user static route, o - ODR
& && & P - periodic downloaded static route
Gateway of last resort is 59.108.32.193 to network 0.0.0.0
C& & 20.0.0.0 255.255.255.0 is directly connected, dmz
S& & 172.168.1.0 255.255.255.0 [1/0] via 20.0.0.2, dmz
C& & 59.108.32.192 255.255.255.240 is directly connected, outside
C& & 10.0.0.0 255.255.255.0 is directly connected, inside
S*& &0.0.0.0 0.0.0.0 [1/0] via 59.108.32.193, outside
S& & 192.168.0.0 255.255.0.0 [1/0] via 10.0.0.2, inside
Cisco5520原始配置:
ciscoasa(config)# show run
! Same ASA 5520 / 8.0(3), pasted again as the "original" config after the dmz NAT lines were removed.
ASA Version 8.0(3)
hostname ciscoasa
! NOTE(review): credential hash posted publicly (here and in the earlier paste); rotate it.
enable password /QEun7x4VZo9K.c4 encrypted
! outside: internet-facing.
! NOTE(review): the first paste redacted this address as 59.108.X.X; this one shows it in full.
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 59.108.32.194 255.255.255.240
! inside: link to the 3750 core (10.0.0.2).
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
! dmz: same security level as inside (100).
! NOTE(review): `same-security-traffic permit inter-interface`, present in the first paste, is gone from
! this one. With both interfaces at 100 the ASA drops inside<->dmz traffic without it, no matter what
! the ACLs and NAT say - restore it before changing anything else.
interface GigabitEthernet0/2
nameif dmz
security-level 100
ip address 20.0.0.1 255.255.255.0
interface GigabitEthernet0/3
no security-level
no ip address
! Management port without an address.
interface Management0/0
nameif management
security-level 100
no ip address
management-only
passwd /QEun7x4VZo9K.c4 encrypted
ftp mode passive
! NOTE(review): the two `same-security-traffic permit ...` lines that followed `ftp mode passive` in the
! first paste are missing here; `same-security-traffic permit inter-interface` is required because
! inside and dmz are both security-level 100.
! acl_out is bound inbound on outside: what the internet may reach.
! NOTE(review): `permit icmp any any` and the `permit ip ... host` entries expose every port of the
! statically mapped hosts; narrow them to the published services.
access-list acl_out extended permit icmp any any
access-list acl_out extended permit ip any host 59.108.32.196
access-list acl_out extended permit ip any host 59.108.32.198
access-list acl_out extended permit tcp any host 59.108.32.197
access-list acl_out extended permit tcp any host 59.108.32.195
access-list acl_out extended permit ip any host 59.108.32.201
access-list acl_out extended permit ip any host 59.108.32.200
access-list acl_out extended permit ip any host 59.108.32.202
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
! Pre-8.3 NAT: only outside-facing global pools exist for nat id 1.
global (outside) 1 interface
global (outside) 2 59.108.32.195 netmask 255.255.255.255
global (outside) 2 59.108.32.196 netmask 255.255.255.255
global (outside) 2 59.108.32.198 netmask 255.255.255.255
global (outside) 2 59.108.32.201 netmask 255.255.255.255
global (outside) 2 59.108.32.202 netmask 255.255.255.255
! NOTE(review): the `nat (dmz) 1` lines were removed, but inside->dmz flows still match `nat (inside) 1`
! and have no dmz-side global and no `nat (inside) 0 access-list` exemption (the fix another reply
! recommends), so they are still expected to be dropped for lack of a translation - confirm with
! `packet-tracer input inside icmp <inside-host> 8 0 20.0.0.2`.
nat (inside) 1 10.0.0.0 255.255.255.0
nat (inside) 1 192.168.0.0 255.255.0.0
! 1:1 public->private mappings.
static (inside,outside) 59.108.32.198 192.168.1.3 netmask 255.255.255.255
static (inside,outside) 59.108.32.195 192.168.1.129 netmask 255.255.255.255
static (inside,outside) 59.108.32.196 192.168.2.15 netmask 255.255.255.255
static (inside,outside) 59.108.32.201 192.168.2.10 netmask 255.255.255.255
static (dmz,outside) 59.108.32.202 20.0.0.2 netmask 255.255.255.255
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 59.108.32.193 1
! NOTE(review): 172.168.1.0/24 and 20.0.0.0/24 are public, not RFC 1918, address space.
route dmz 172.168.1.0 255.255.255.0 20.0.0.2 1
route inside 192.168.0.0 255.255.0.0 10.0.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
! NOTE(review): ASDM/HTTPS, Telnet and SSH are all open to any source on inside AND outside, and SSH is
! pinned to protocol 1. Restrict every entry to management addresses, drop the outside Telnet entry,
! and use `ssh version 2`.
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 1
! Console session never times out.
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
! Modular Policy Framework: default inspection class applied globally.
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
&&message-length maximum 512
policy-map global_policy
class inspection_default
&&inspect dns migrated_dns_map_1
&&inspect ftp
&&inspect rsh
&&inspect rtsp
&&inspect esmtp
&&inspect sqlnet
&&inspect skinny
&&inspect sunrpc
&&inspect xdmcp
&&inspect sip
&&inspect netbios
&&inspect tftp
&&inspect pptp
! Added since the first paste (as suggested in the thread): ICMP is now tracked as a connection, so
! echo replies return without an ACL entry on the reply interface.
&&inspect icmp
service-policy global_policy global
prompt hostname context
Cryptochecksum:5de0aa2baa1c908dbafe19
ciscoasa(config)#
引用:原帖由 141920 于
13:07 发表
还有为什么要用nat 免除,这是因为,inside和dmz的接口你都挂了nat,当数据到接口的时候,都会按照nat进行处理,虽然asa上有路由,但是你没有做关于inside和dmz之间的nat,所以inside和dmz之间是不能通讯的。所以inside和dmz可以做 ... 我把DMZ区的NAT去掉了,还原原始配置,就11楼配置,现在就想内网192网段的机器能访问20.0.0.0和172.168.1.1网段的服务器,应该加哪些命令啊?
最好详细点,谢谢!
你的图挂了,不要用外链的,直接本地上传,最好有完整的拓扑跟需求。
引用:原帖由 141920 于
15:27 发表
这是inside访问dmz区域的
access-list acl_inside_dmz&&permit ip 192.168.0.0 255.255.0.0 172.16.1.0 255.255.255.0
access-list acl_inside_dmz&&permit ip 192.168.0.0 255.255.0.0 20.1.1.0 255.255.255.0
... 这两条已经加了,但还是不行,从3750上PING 20.0.0.1和172.168.1.2都不通,好奇怪
当前的access-list
ciscoasa(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
& && && && &alert-interval 300
access-list acl_ 9 elements
access-list acl_out line 1 extended permit icmp any any (hitcnt=x9d155
access-list acl_out line 2 extended permit ip any host 59.108.32.196 (hitcnt=405
access-list acl_out line 3 extended permit ip any host 59.108.32.198 (hitcnt=420
49) 0x38775fc7
access-list acl_out line 4 extended permit tcp any host 59.108.32.197 (hitcnt=20
246) 0x26a84180
access-list acl_out line 5 extended permit tcp any host 59.108.32.195 (hitcnt=74
access-list acl_out line 6 extended permit ip any host 59.108.32.201 (hitcnt=448
376) 0x5c9f6155
access-list acl_out line 7 extended permit ip any host 59.108.32.200 (hitcnt=800
0) 0x82c87b1d
access-list acl_out line 8 extended permit ip any host 59.108.32.202 (hitcnt=352
46) 0x976d6ed5
access-list acl_out line 9 extended permit udp any host 59.108.32.202 eq 1701 (h
itcnt=0) 0xee5803a6
access-list acl_inside_ 2 elements
access-list acl_inside_dmz line 1 extended permit ip 192.168.0.0 255.255.0.0 172
.16.1.0 255.255.255.0 (hitcnt=0) 0x5fd14364
access-list acl_inside_dmz line 2 extended permit ip 192.168.0.0 255.255.0.0 20.
1.1.0 255.255.255.0 (hitcnt=0) 0x08534be0
ciscoasa(config)#
引用:原帖由 141920 于
15:37 发表
一,如果只有dmz接口没有挂nat,你只需要以下配置
access-list acl_inside_dmz&&permit ip 192.168.0.0 255.255.0.0 172.16.1.0 255.255.255.0
access-list acl_inside_dmz&&permit ip 192.168.0.0 255.255.0.0 20.1.1 ... 两种都试过了,还不通
ciscoasa(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
& && && && &alert-interval 300
access-list acl_ 9 elements
access-list acl_out line 1 extended permit icmp any any (hitcnt=x9d155
access-list acl_out line 2 extended permit ip any host 59.108.32.196 (hitcnt=405
access-list acl_out line 3 extended permit ip any host 59.108.32.198 (hitcnt=420
54) 0x38775fc7
access-list acl_out line 4 extended permit tcp any host 59.108.32.197 (hitcnt=20
246) 0x26a84180
access-list acl_out line 5 extended permit tcp any host 59.108.32.195 (hitcnt=74
access-list acl_out line 6 extended permit ip any host 59.108.32.201 (hitcnt=448
380) 0x5c9f6155
access-list acl_out line 7 extended permit ip any host 59.108.32.200 (hitcnt=800
0) 0x82c87b1d
access-list acl_out line 8 extended permit ip any host 59.108.32.202 (hitcnt=352
52) 0x976d6ed5
access-list acl_out line 9 extended permit udp any host 59.108.32.202 eq 1701 (h
itcnt=0) 0xee5803a6
access-list acl_inside_ 2 elements
access-list acl_inside_dmz line 1 extended permit ip 192.168.0.0 255.255.0.0 20.
0.0.0 255.255.255.0 (hitcnt=0) 0x0ef50074
access-list acl_inside_dmz line 2 extended permit ip 192.168.0.0 255.255.0.0 172
.168.1.0 255.255.255.0 (hitcnt=0) 0x48b4f47a
access-list acl_dmz_ 2 elements
access-list acl_dmz_inside line 1 extended permit ip 20.0.0.0 255.255.255.0 192.
168.0.0 255.255.0.0 (hitcnt=0) 0x64ffa76e
access-list acl_dmz_inside line 2 extended permit ip 172.168.1.0 255.255.255.0 1
92.168.0.0 255.255.0.0 (hitcnt=0) 0xe4046fb9
ciscoasa(config)#
ciscoasa(config)# show run
! Same ASA 5520 / 8.0(3), third paste: after adding the nat 0 exemption ACLs.
ASA Version 8.0(3)
hostname ciscoasa
! NOTE(review): credential hash posted publicly; rotate it.
enable password /QEun7x4VZo9K.c4 encrypted
! outside: internet-facing.
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 59.108.32.194 255.255.255.240
! inside: link to the 3750 core (10.0.0.2).
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
! dmz: still security-level 100, equal to inside.
! NOTE(review): `same-security-traffic permit inter-interface` is still absent from this paste. With equal
! levels the ASA will not forward between inside and dmz without it, which is consistent with the
! exemption ACLs below showing hitcnt=0 - either restore that line or return dmz to a lower level (e.g. 50).
interface GigabitEthernet0/2
nameif dmz
security-level 100
ip address 20.0.0.1 255.255.255.0
interface GigabitEthernet0/3
no security-level
no ip address
! Management port without an address.
interface Management0/0
nameif management
security-level 100
no ip address
management-only
passwd /QEun7x4VZo9K.c4 encrypted
ftp mode passive
! acl_out: inbound on outside.
! NOTE(review): same exposure as before - `permit icmp any any` and `permit ip ... host` to the mapped
! hosts; restrict to the published services.
access-list acl_out extended permit icmp any any
access-list acl_out extended permit ip any host 59.108.32.196
access-list acl_out extended permit ip any host 59.108.32.198
access-list acl_out extended permit tcp any host 59.108.32.197
access-list acl_out extended permit tcp any host 59.108.32.195
access-list acl_out extended permit ip any host 59.108.32.201
access-list acl_out extended permit ip any host 59.108.32.200
access-list acl_out extended permit ip any host 59.108.32.202
! New: UDP/1701 (L2TP) from the internet to the dmz host mapped on 59.108.32.202 (20.0.0.2 per the static below).
access-list acl_out extended permit udp any host 59.108.32.202 eq 1701
! The next eight lines are four ACEs wrapped at the terminal width, with a few characters lost in the
! paste; see the `show access-list` output above for the intact form. They define the inside<->dmz
! NAT exemption (used by `nat ... 0` below), not a filter. An earlier attempt copied 172.16.1.0 and
! 20.1.1.0 from a reply, which do not match the real 172.168.1.0/24 and 20.0.0.0/24; this paste has
! the corrected subnets.
access-list acl_inside_dmz extended permit ip 192.168.0.0 255.255.0.0 20.0.0.0
55.255.255.0
access-list acl_inside_dmz extended permit ip 192.168.0.0 255.255.0.0 172.168.1
0 255.255.255.0
access-list acl_dmz_inside extended permit ip 20.0.0.0 255.255.255.0 192.168.0.
255.255.0.0
access-list acl_dmz_inside extended permit ip 172.168.1.0 255.255.255.0 192.168
0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 59.108.32.195 netmask 255.255.255.255
global (outside) 2 59.108.32.196 netmask 255.255.255.255
global (outside) 2 59.108.32.198 netmask 255.255.255.255
global (outside) 2 59.108.32.201 netmask 255.255.255.255
global (outside) 2 59.108.32.202 netmask 255.255.255.255
! Identity NAT (exemption) in both directions: inside<->dmz traffic matching the ACLs is no longer
! translated, so the missing dmz-side global is no longer an obstacle. Both exemption ACLs still show
! hitcnt=0 in the `show access-list` output above, i.e. no flow has reached this stage yet - consistent
! with traffic being dropped earlier (the same-security check); `packet-tracer` reports the exact stage.
nat (inside) 0 access-list acl_inside_dmz
nat (inside) 1 10.0.0.0 255.255.255.0
nat (inside) 1 192.168.0.0 255.255.0.0
nat (dmz) 0 access-list acl_dmz_inside
! Port static for UDP/1701 on the outside interface address; the line is truncated in the paste.
static (dmz,outside) udp interface .32.202 1701 netmask 255.255.255.
static (inside,outside) 59.108.32.198 192.168.1.3 netmask 255.255.255.255
static (inside,outside) 59.108.32.195 192.168.1.129 netmask 255.255.255.255
static (inside,outside) 59.108.32.196 192.168.2.15 netmask 255.255.255.255
static (inside,outside) 59.108.32.201 192.168.2.10 netmask 255.255.255.255
static (dmz,outside) 59.108.32.202 20.0.0.2 netmask 255.255.255.255
! Only acl_out is bound to an interface; acl_inside_dmz / acl_dmz_inside are referenced by nat 0 only.
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 59.108.32.193 1
! NOTE(review): 172.168.1.0/24 and 20.0.0.0/24 are public, not RFC 1918, address space.
route dmz 172.168.1.0 255.255.255.0 20.0.0.2 1
route inside 192.168.0.0 255.255.0.0 10.0.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
! NOTE(review): management access unchanged from the earlier pastes - ASDM/HTTPS, Telnet and SSH open
! to any source on inside and outside, SSH protocol 1. Restrict to management addresses, remove the
! outside Telnet entry, and use `ssh version 2`.
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 1
! Console session never times out.
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
! Modular Policy Framework: default inspection class applied globally; `inspect icmp` retained from the previous paste.
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
&&message-length maximum 512
policy-map global_policy
class inspection_default
&&inspect dns migrated_dns_map_1
&&inspect ftp
&&inspect rsh
&&inspect rtsp
&&inspect esmtp
&&inspect sqlnet
&&inspect skinny
&&inspect sunrpc
&&inspect xdmcp
&&inspect sip
&&inspect netbios
&&inspect tftp
&&inspect pptp
! ICMP tracked as a connection, so echo replies need no ACL entry on the reply interface.
&&inspect icmp
service-policy global_policy global
prompt hostname context
Cryptochecksum:c841b5fafbfb
ciscoasa(config)#
引用:原帖由 141920 于
15:40 发表
你为什么要把dmz的security-level也设成100呢?默认是50的。 我一个朋友过来看说两边都是内网,级别应该一样,就改成100了
引用:原帖由 141920 于
15:48 发表
你给我看看show run nat吧 ciscoasa(config)# show run nat
! Current NAT state: identity (nat 0) exemptions for inside<->dmz in both directions, so the
! inside->outside dynamic rule (id 1) no longer applies to dmz-bound traffic and NAT is not the blocker.
! NOTE(review): what the full config pasted above still lacks is `same-security-traffic permit
! inter-interface`; inside and dmz are both security-level 100, and without that line the ASA drops
! traffic between them regardless of NAT or ACLs.
nat (inside) 0 access-list acl_inside_dmz
nat (inside) 1 10.0.0.0 255.255.255.0
nat (inside) 1 192.168.0.0 255.255.0.0
nat (dmz) 0 access-list acl_dmz_inside



 
