qsh
Category: System Operations

2012-08-23 11:35:36

http://blog.sina.com.cn/s/blog_697f4cc70100umrv.html

(1): Ping reachability between all networks

DMZ-related mappings:

1) access-list access extended permit tcp any interface outside eq 3389

static (dmz,outside) tcp interface 3389 10.0.0.100 3389 // connections to port 3389 on the outside interface address are mapped to the DMZ host

2) Note: if you add access-list nonat extended permit ip 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0 together with nat (dmz) 0 access-list nonat, then inside and DMZ communicate freely in both directions with no translation.

If you want only the inside network to be able to reach the DMZ, with the DMZ unable to reach the inside network except for a few specific services, then do not configure NAT exemption (nonat) for the DMZ, but do configure PAT toward the DMZ.

In that case, access to the required service can be provided with:

access-list ping extended permit tcp any interface dmz eq 3389

static (inside,dmz) tcp interface 3389 172.16.0.100 3389 netmask 255.255.255.255

Then, from the DMZ, you can open a remote desktop session (MST) to 10.0.0.1 (the DMZ gateway address) and log in to the 172.16.0.100 host to configure it as required.

(2)

domain-name cisco.com

interface Ethernet0/0

nameif inside

security-level 100

ip address 172.16.0.1 255.255.255.0

!

interface Ethernet0/1

nameif dmz

security-level 50

ip address 10.0.0.1 255.255.255.0

!

interface Ethernet0/2

nameif outside

security-level 0

ip address 1.1.1.1 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/5

shutdown

no nameif

no security-level

no ip address

!

passwd QWpP64neo7pbRFKy encrypted

boot config disk0:/.private/startup-config

ftp mode passive

dns server-group DefaultDNS

domain-name cisco.com

access-list access extended permit icmp any any

access-list access extended permit ip any any

access-list ping extended permit icmp any any // allow ping from the outside to the outside interface and to the other interfaces

access-list ping extended permit ip any any

access-list nonat extended permit ip 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0

pager lines 24

mtu inside 1500

mtu dmz 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-615.bin

no asdm history enable

arp timeout 14400

global (dmz) 1 interface // PAT toward the DMZ lets the inside network reach the DMZ; because of this PAT, the DMZ cannot reach the inside network

global (outside) 1 interface // ensures that both the inside network and the DMZ can reach the Internet

nat (inside) 0 access-list nonat // the inside can reach the DMZ (because of the PAT) but the DMZ cannot reach the inside; this exemption lets the DMZ reach the inside as well (a static (inside,dmz) could also be used)

nat (inside) 1 0.0.0.0 0.0.0.0

nat (dmz) 1 0.0.0.0 0.0.0.0

access-group ping in interface inside // ping reachability between all networks

access-group ping in interface dmz

access-group access in interface outside

route outside 0.0.0.0 0.0.0.0 1.1.1.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 0.0.0.0 0.0.0.0 inside // allows web (ASDM) access from the public network

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no crypto isakmp nat-traversal

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

ssh version 1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

!

!

username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15

username cisco password 3USUcOPFUiMCO4Jk encrypted

prompt hostname context

Cryptochecksum:8f5eb9ca7ff876bd81891e71dd274342 // SSH from the outside via the public address: user pix, password cisco. On version 7.0 and later this issue does not exist and a local user can be used.

: end

ciscoasa#
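To make the behaviour described above checkable, here is an added example (my own simplified model, not Cisco code and not from the post): a small Python simulator of how a pre-8.3 ASA decides a new connection under the rule types used in this configuration: interface security levels, inbound interface ACLs, nat/global dynamic PAT, static port forwarding and nat 0 access-list exemption. The interface addresses and rule lines are copied from the post; nat-control is assumed off (the config does not enable it), the evaluation order and the explanation strings are my assumptions, and the addresses 203.0.113.9 and 198.51.100.7 are constructed. It covers both the running config with the nonat exemption (section (2)) and the variant without it that relies on a static for RDP (section (1)).

```python
"""Simplified model of how a pre-8.3 ASA decides a new connection, built from the rule
types in this post (security levels, interface ACLs, nat/global PAT, static port
forwarding, nat 0 exemption). Assumed semantics for illustration, not ASA code."""
from ipaddress import ip_address, ip_network

IFACES = {"inside": (100, "172.16.0.1/24"), "dmz": (50, "10.0.0.1/24"),
          "outside": (0, "1.1.1.1/24")}        # name -> (security-level, address/mask)
DEFAULT_ROUTE_IF = "outside"                    # route outside 0.0.0.0 0.0.0.0 1.1.1.2 1

def iface_ip(name):
    return IFACES[name][1].split("/")[0]

def iface_of(addr):
    """Interface an address is reached through: connected subnet, else the default route."""
    for name, (_, cidr) in IFACES.items():
        if ip_address(addr) in ip_network(cidr, strict=False):
            return name
    return DEFAULT_ROUTE_IF

def _operand(tok):
    """Consume one address operand: 'any', 'interface X' or 'A.B.C.D MASK'."""
    if tok[0] == "any":
        return ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "interface":
        return ("interface", tok[1]), tok[2:]
    return ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def _match(spec, addr):
    return addr == iface_ip(spec[1]) if isinstance(spec, tuple) else ip_address(addr) in spec

class Asa:
    def __init__(self, config):
        self.acls, self.groups, self.nat, self.exempt, self.globals, self.statics = {}, {}, [], [], set(), []
        for line in config.splitlines():
            tok = line.split("//")[0].split()
            if not tok:
                continue
            if tok[0] == "access-list":     # access-list NAME extended permit PROTO SRC DST [eq PORT]
                src, rest = _operand(tok[5:])
                dst, rest = _operand(rest)
                port = int(rest[1]) if rest[:1] == ["eq"] else None
                self.acls.setdefault(tok[1], []).append((tok[4], src, dst, port))
            elif tok[0] == "access-group":  # access-group NAME in interface IF
                self.groups[tok[4]] = tok[1]
            elif tok[0] == "nat":           # nat (IF) 0 access-list NAME  |  nat (IF) ID NET MASK
                ifn = tok[1].strip("()")
                if tok[3] == "access-list":
                    self.exempt.append((ifn, tok[4]))
                else:
                    self.nat.append((ifn, int(tok[2]), _operand(tok[3:])[0]))
            elif tok[0] == "global":        # global (IF) ID interface
                self.globals.add((tok[1].strip("()"), int(tok[2])))
            elif tok[0] == "static":        # static (REAL,MAPPED) tcp interface MPORT REAL_IP RPORT ...
                real_if, mapped_if = tok[1].strip("()").split(",")
                self.statics.append((real_if, mapped_if, iface_ip(mapped_if), int(tok[4]), tok[5], int(tok[6])))

    def _acl_permits(self, ingress, egress, proto, src, dst, dport):
        name = self.groups.get(ingress)
        if name is None:                    # no ACL applied: only higher-to-lower security passes
            return IFACES[ingress][0] > IFACES[egress][0]
        return any(p in ("ip", proto) and _match(s, src) and _match(d, dst) and port in (None, dport)
                   for p, s, d, port in self.acls[name])

    def _exempt(self, ingress, egress, src, dst):
        """nat 0 access-list is bidirectional and never translates."""
        return any((ifn == ingress and _match(s, src) and _match(d, dst)) or
                   (ifn == egress and _match(s, dst) and _match(d, src))
                   for ifn, name in self.exempt for _, s, d, _ in self.acls[name])

    def flow(self, proto, src, dst, dport=None):
        """Return (verdict, explanation) for a new connection src -> dst:dport."""
        ingress, egress = iface_of(src), iface_of(dst)
        real_dst, real_port, via_static = dst, dport, False
        for real_if, mapped_if, mip, mport, rip, rport in self.statics:   # 1. un-translate destination
            if mapped_if == ingress and dst == mip and dport == mport:
                real_dst, real_port, egress, via_static = rip, rport, real_if, True
        if not self._acl_permits(ingress, egress, proto, src, dst, dport):  # 2. inbound ACL as received
            return "DENY", f"blocked by inbound ACL / security level on {ingress}"
        if self._exempt(ingress, egress, src, real_dst):                    # 3. exemption wins
            return "PERMIT", f"{src} -> {real_dst}:{real_port} via {egress}, no translation (nat 0)"
        if IFACES[ingress][0] > IFACES[egress][0]:   # 4a. higher to lower: nat id needs a global on egress
            for ifn, nid, net in self.nat:
                if ifn == ingress and ip_address(src) in net:
                    if (egress, nid) in self.globals:
                        return "PERMIT", f"{src} PAT to {iface_ip(egress)} -> {real_dst}:{real_port} via {egress}"
                    return "DENY", f"nat {nid} matched but no global ({egress}) {nid}: no translation group"
            return "PERMIT", f"{src} -> {real_dst}:{real_port} via {egress}, untranslated (no nat-control)"
        if via_static:                               # 4b. lower to higher: needs a static ...
            return "PERMIT", f"{src} -> {real_dst}:{real_port} via {egress} (static)"
        for ifn, nid, net in self.nat:               # ... or a host not covered by dynamic PAT
            if ifn == egress and ip_address(real_dst) in net and (ingress, nid) in self.globals:
                return "DENY", f"{real_dst} is dynamically PAT'd toward {ingress}; unreachable from there"
        return "PERMIT", f"{src} -> {real_dst}:{real_port} via {egress}, untranslated (no nat-control)"

# Rule lines copied from the post (comments dropped), with and without the nat 0 exemption.
CONFIG_WITH_NONAT = """
access-list access extended permit tcp any interface outside eq 3389
access-list access extended permit ip any any
access-list ping extended permit ip any any
access-list nonat extended permit ip 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0
global (dmz) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp interface 3389 10.0.0.100 3389 netmask 255.255.255.255
access-group ping in interface inside
access-group ping in interface dmz
access-group access in interface outside
"""
CONFIG_STATIC_ONLY = CONFIG_WITH_NONAT.replace("nat (inside) 0 access-list nonat\n", "") + (
    "access-list ping extended permit tcp any interface dmz eq 3389\n"
    "static (inside,dmz) tcp interface 3389 172.16.0.100 3389 netmask 255.255.255.255\n")

if __name__ == "__main__":
    for label, cfg, f in (("nat 0", CONFIG_WITH_NONAT, ("tcp", "10.0.0.100", "172.16.0.100", 80)),
                          ("static", CONFIG_STATIC_ONLY, ("tcp", "10.0.0.100", "172.16.0.100", 80)),
                          ("static", CONFIG_STATIC_ONLY, ("tcp", "10.0.0.100", "10.0.0.1", 3389)),
                          ("static", CONFIG_STATIC_ONLY, ("tcp", "203.0.113.9", "1.1.1.1", 3389))):
        print(label, f[1:], *Asa(cfg).flow(*f))
```

Running it reproduces the three outcomes the post describes: with nat 0, inside and DMZ reach each other untranslated; without it, a DMZ host is refused when it targets 172.16.0.100 directly, because that host is covered by dynamic PAT toward the DMZ, but reaches it through 10.0.0.1:3389 via the static; and inside hosts still reach the DMZ and the Internet through PAT to the respective interface address. The model only handles the command forms that appear on this page (interface-address statics, `any`/`interface`/network operands), so other ASA syntax would need extending the parser.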

END
