Configuring an ASA for Inside, DMZ and Outside Access

Requirements

Only PC1 may reach the ASA over SSH.

PC1 can reach the web sites in the outside and dmz zones; the Out host can reach the web site in the DMZ.

PC1 can ping the Out host.


Approach

On the ASA, permit SSH access from PC1 only.

Use nat and global so that PC1 can reach the web sites in the outside and dmz zones; use static and an ACL so that the Out host can reach the DMZ web site (the static translation and its ACL entry are not shown in the steps below; only the ICMP part of the outside ACL is).

On the ASA, allow ICMP reply messages to pass back through the firewall.

1. Configure the R1 interfaces

Router>en

Router#conf t

Router(config)#host R1

R1(config)#line 0 \\ console line

R1(config-line)#logg s \\ logging synchronous, so log messages do not interrupt typed commands

R1(config-line)#exit

R1(config)#int f0/0

R1(config-if)#ip add 200.20.20.254 255.255.255.0

R1(config-if)#no shut

R1(config-if)#int f1/0

R1(config-if)#ip add 200.1.1.1 255.255.255.252

R1(config-if)#no shut

R1(config-if)#exit

R1(config)#ip route 200.10.10.248 255.255.255.248 200.1.1.2 \\ static route for the 200.10.10.248/29 pool, next hop the ASA outside address

R1(config)#do show ip int b

Interface          IP-Address      OK? Method Status  Protocol

FastEthernet0/0    200.20.20.254   YES manual up      up

FastEthernet1/0    200.1.1.1       YES manual up      up

2. Configure the ASA hostname, domain name and passwords

ciscoasa> en

Password: \\ empty at first; just press Enter

ciscoasa# conf t

ciscoasa(config)# hostname ASA \\ set the hostname

ASA(config)# domain-name benet.com \\ set the domain name (both hostname and domain name must be set before an RSA key pair can be generated in step 6)

ASA(config)# enable password cisco \\ set the privileged (enable) password

ASA(config)# passwd cisco \\ set the remote (Telnet/SSH) login password; on ASA releases of this era an SSH login without AAA uses the username pix together with this password. cisco is a lab value only; use strong, distinct passwords in production.

3. Configure the ASA interfaces

ASA(config)# int e0/0

ASA(config-if)# nameif inside \\ name the interface

INFO: Security level for "inside" set to 100 by default.

ASA(config-if)# security-level 100 \\ set the security level (redundant here, since inside defaults to 100)

ASA(config-if)# ip add 10.10.10.254 255.255.255.0

ASA(config-if)# no shut

ASA(config-if)# int e0/1

ASA(config-if)# nameif dmz

INFO: Security level for "dmz" set to 0 by default.

ASA(config-if)# security-level 50

ASA(config-if)# ip add 10.20.20.254 255.255.255.0

ASA(config-if)# no shut

ASA(config-if)# int e0/2

ASA(config-if)# nameif outside

INFO: Security level for "outside" set to 0 by default.

ASA(config-if)# security-level 0

ASA(config-if)# ip add 200.1.1.2 255.255.255.252

ASA(config-if)# no shut

ASA(config-if)# exit

ASA(config)# show ip

System IP Addresses:

Interface      Name      IP address      Subnet mask        Method

Ethernet0/0    inside    10.10.10.254    255.255.255.0      manual

Ethernet0/1    dmz       10.20.20.254    255.255.255.0      manual

Ethernet0/2    outside   200.1.1.2       255.255.255.252    manual

Current IP Addresses:

Interface      Name      IP address      Subnet mask        Method

Ethernet0/0    inside    10.10.10.254    255.255.255.0      manual

Ethernet0/1    dmz       10.20.20.254    255.255.255.0      manual

Ethernet0/2    outside   200.1.1.2       255.255.255.252    manual

4. Verify that the ASA can ping the router

ASA(config)# ping 200.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 200.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/70/310 ms

5. Configure the ASA default route

ASA(config)# route outside 0.0.0.0 0.0.0.0 200.1.1.1

ASA(config)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is 200.1.1.1 to network 0.0.0.0

C 200.1.1.0 255.255.255.252 is directly connected, outside

C 10.20.20.0 255.255.255.0 is directly connected, dmz

C 10.10.10.0 255.255.255.0 is directly connected, inside

S* 0.0.0.0 0.0.0.0 [1/0] via 200.1.1.1, outside

6. On the ASA, permit SSH access from PC1 only

ASA(config)# crypto key generate rsa modulus 1024

INFO: The name for the keys will be: <Default-RSA-Key>

Keypair generation process begin. Please wait...

\\ generate the RSA key pair used by the SSH server. 1024 bits is the lab value; use 2048 bits or more in production, and add ssh version 2 so that SSHv1 is not accepted.

ASA(config)# ssh 10.10.10.1 255.255.255.255 inside

\\ permit SSH only from PC1 (10.10.10.1/32) arriving on the inside interface. The ASA refuses SSH from any address not matched by an ssh statement, so with no statement for outside the outside address cannot be managed at all.

7. Verify that PC1 can log in to the ASA over SSH


8. Configure network address translation (NAT) for outbound traffic, using the global command to define a global address pool

ASA(config)# nat-control \\ require a translation for every connection through the ASA (the pre-8.3 nat/global syntax is used throughout this post)

ASA(config)# nat (inside) 1 0 0 \\ put all inside addresses into NAT ID 1

ASA(config)# global (outside) 1 int \\ when NAT ID 1 traffic leaves through outside, translate it to the outside interface address (PAT)

INFO: outside interface address added to PAT pool

ASA(config)# global (dmz) 1 200.10.10.249-200.10.10.254 \\ when NAT ID 1 traffic leaves through dmz, translate it to an address from this pool (dynamic NAT)

Because a nat statement is matched to the global statement with the same ID on the exit interface, the single nat (inside) 1 entry serves both directions: inside-to-outside traffic shares one outside address with port translation, while inside-to-dmz traffic gets one pool address per host. The xlate table in step 10 shows both kinds of entry.

9. PC1 can now reach the web sites in the outside and dmz zones


10. On the ASA, show xlate displays the two translation entries: a PAT entry mapping PC1 to the outside interface address and a port, and a dynamic NAT entry giving PC1 the first address of the dmz pool

ASA(config)# show xlate

2 in use, 2 most used

PAT Global 200.1.1.2(1024) Local 10.10.10.1(1163)

Global 200.10.10.249 Local 10.10.10.1

11. Configure an ACL so that PC1 can ping the Out host

ASA(config)# access-list 111 permit icmp any any echo-reply \\ replies to PC1's echo requests

ASA(config)# access-list 111 permit icmp any any unreachable \\ needed for path MTU discovery and for useful traceroute output

ASA(config)# access-list 111 permit icmp any any time-exceeded \\ needed for traceroute

ASA(config)# access-group 111 in interface outside \\ apply the ACL inbound on the outside interface

Only reply-type ICMP is opened, so nobody on the outside can ping or sweep through the ASA. Binding this ACL to outside also activates its implicit deny for everything else entering that interface, so the Out host's access to the DMZ web site from the requirements needs its own static translation plus a permit entry in this ACL, which this post does not show. The alternative is to leave the ACL alone and add inspect icmp to the default policy-map, so that the ASA tracks ICMP statefully and admits only genuine replies to requests it has already seen.

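As an added example, and not part of the original post, the following Python script audits a pre-8.3 ASA running-config text for the points that steps 6, 8 and 11 depend on: SSH restricted to a single inside host with SSHv2 enabled, the lab password left in place, only reply-type ICMP permitted inbound on outside (or inspect icmp in use), and every nat ID paired with a global pool. The two configuration strings are constructed to match this post's topology, the finding codes and check logic are the example's own, and `2KFQnbNIdI.2KYOU` is the well-known stored form of the password cisco.

```python
"""Audit a pre-8.3 ASA running-config for the access-control points in the steps above."""
import re

# Stored hash of the default password "cisco" (plus the plaintext, for pasted CLI input).
# Seeing either in a running-config means the lab password from step 2 was never changed.
WEAK_PASSWORD_TOKENS = {"2KFQnbNIdI.2KYOU", "cisco"}
# ICMP types that only ever arrive as replies to traffic the ASA already allowed out.
REPLY_ICMP_TYPES = {"echo-reply", "unreachable", "time-exceeded"}

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
SSH_RE = re.compile(rf"^ssh {IPV4} {IPV4} (\S+)$")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")

# Constructed sample: the configuration built up in this post, as show running-config prints it.
SAMPLE_CONFIG = """\
hostname ASA
domain-name benet.com
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
access-list 111 extended permit icmp any any echo-reply
access-list 111 extended permit icmp any any unreachable
access-list 111 extended permit icmp any any time-exceeded
nat-control
global (outside) 1 interface
global (dmz) 1 200.10.10.249-200.10.10.254
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 111 in interface outside
route outside 0.0.0.0 0.0.0.0 200.1.1.1 1
ssh 10.10.10.1 255.255.255.255 inside
"""

# Constructed counter-example: management open to the world, ICMP wide open, nat without global.
WEAK_CONFIG = """\
nat-control
nat (inside) 1 0.0.0.0 0.0.0.0
access-list 111 extended permit icmp any any
access-group 111 in interface outside
ssh 0.0.0.0 0.0.0.0 outside
"""


def _addr_end(tokens, i):
    """Return the index just past the ASA address spec starting at tokens[i]."""
    if i >= len(tokens):
        return i
    return i + 1 if tokens[i] == "any" else i + 2  # "any" | "host A" | "A MASK"


def icmp_entries(lines, acl_name):
    """Yield the ICMP type (None if unrestricted) of each permit-icmp entry in acl_name."""
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != acl_name:
            continue
        if t[2] == "extended":
            del t[2]
        if t[2:4] != ["permit", "icmp"]:
            continue
        i = _addr_end(t, _addr_end(t, 4))  # skip source and destination specs
        yield t[i] if i < len(t) and t[i] != "log" else None


def _nat_ids(lines, keyword):
    """Collect the numeric IDs of all 'nat (iface) N ...' or 'global (iface) N ...' lines."""
    pat = re.compile(rf"^{keyword} \(\S+\) (\d+)\b")
    return {m.group(1) for m in map(pat.match, lines) if m}


def audit(config):
    """Return a list of 'CODE: detail' findings for the given running-config text."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []

    # Management plane: SSH only from one admin host, and never on the outside interface.
    for m in filter(None, map(SSH_RE.match, lines)):
        src, mask, iface = m.groups()
        if mask != "255.255.255.255" or iface == "outside":
            findings.append(f"SSH-SCOPE: 'ssh {src} {mask} {iface}' permits more than one management host")
    if "ssh version 2" not in lines:
        findings.append("SSH-VERSION: 'ssh version 2' not set, so SSHv1 may be accepted")

    # Credentials: the lab password cisco (or its stored hash) still in place.
    for line in lines:
        t = line.split()
        if t[0] in ("enable", "passwd") and WEAK_PASSWORD_TOKENS & set(t):
            findings.append(f"WEAK-PASSWORD: '{line}' is the default password cisco")

    # Outside ACL: only reply-type ICMP should be opened unless 'inspect icmp' makes ICMP stateful.
    bound = {m.group(2): m.group(1) for m in filter(None, map(ACCESS_GROUP_RE.match, lines))}
    if "outside" in bound:
        for icmp_type in icmp_entries(lines, bound["outside"]):
            if icmp_type not in REPLY_ICMP_TYPES:
                findings.append(f"ICMP-OPEN: outside ACL permits icmp type {icmp_type or 'any'}, i.e. unsolicited ICMP inbound")
    elif "inspect icmp" not in lines:
        findings.append("ICMP-REPLIES-DROPPED: no inbound ACL on outside and no 'inspect icmp', so echo-replies are dropped")

    # NAT: with nat-control, a nat ID that has no global pool on any interface silently drops traffic.
    if "nat-control" in lines:
        for nat_id in sorted(_nat_ids(lines, "nat") - _nat_ids(lines, "global") - {"0"}):
            findings.append(f"NAT-UNMATCHED: nat id {nat_id} has no global pool on any interface")
    return findings


if __name__ == "__main__":
    for name, cfg in (("SAMPLE_CONFIG", SAMPLE_CONFIG), ("WEAK_CONFIG", WEAK_CONFIG)):
        print(name)
        for finding in audit(cfg):
            print("  " + finding)
```

Run against the post's own configuration the script reports only that SSHv2 is not pinned and that both passwords are still cisco; against the counter-example it additionally flags the world-open ssh statement, the unrestricted ICMP permit, and the nat ID with no global pool. Feed it the output of show running-config from a real unit (the check is text-only and needs no device access).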

 

This article is from 賈芸斐's blog; please keep this attribution: http://jiayf.blog.51cto.com/
