全部博文(1015)
分类: 系统运维
2012-08-27 11:51:57
http://blog.sina.com.cn/s/blog_697f4cc70100umrv.html
(1):全网互PING
DMZ区相关映射:
(1)access-list access extended permit tcp any interface outside eq 3389
static (dmz,outside) tcp interface 3389 10.0.0.100 3389 //访问外网的3389时映射为DMZ地址
(2):说明如果加了这个access-list nonat extended permit ip 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0 nat (dmz) 0 access-list nonat时,INSIDE 与DMZ能全部通信,无做转换。
如果需要只能让内网访问DMZ区,但DMZ区无法访问内网,仅让DMZ访问内网部分业务则:不做DMZ区的 NONAT时,但做了DMZ PAT
此时可用access-list ping extended permit tcp any interface dmz eq 3389
static (inside,dmz) tcp interface 3389 172.16.0.100 3389 netmask 255.255.255.255 实现访问。
access-list ping extended permit tcp any interface dmz eq 3389
static (inside,dmz) tcp interface 3389 172.16.0.100 3389 netmask 255.255.255.255
此时可以在DMZ区,远程(MST): 10.0.0.1 (DMZ网关地址),可以登录172.16.0.100的机子,按需求进行置。
(2)
interface Ethernet0/0
nameif inside
security-level 100
ip address 172.16.0.1 255.255.255.0
!
interface Ethernet0/1
nameif dmz
security-level 50
ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0
!
domain-name cisco.com
interface Ethernet0/0
nameif inside
security-level 100
ip address 172.16.0.1 255.255.255.0
!
interface Ethernet0/1
nameif dmz
security-level 50
ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd QWpP64neo7pbRFKy encrypted
boot config disk0:/.private/startup-config
ftp mode passive
dns server-group DefaultDNS
domain-name cisco.com
access-list access extended permit icmp any any
access-list access extended permit ip any any
access-list ping extended permit icmp any any //放行PING 从外网到外接口及其它接口。
access-list ping extended permit ip any any
access-list nonat extended permit ip 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu dmz 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (dmz) 1 interface .//dmzPAT目的是让内网访问DMZ区。确DMZ区不能访问内网由于PAT 原因
global (outside) 1 interface //保证内网DMZ区全部可以上网。
nat (inside) 0 access-list nonat //意思是内网可访问DMZ区(由于做了PAT),但DMZ区无法访问内网,目的是让DMZ区也可以方问内网,(也可以做STATIC(INSDIE,DMZ)实现。
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
access-group ping in interface inside //全网互PING实现·
access-group ping in interface dmz
access-group access in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside //实现公网网页访问形式。
http 0.0.0.0 0.0.0.0 ouside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
username cisco password 3USUcOPFUiMCO4Jk encrypted
prompt hostname context
Cryptochecksum:8f5eb9ca7ff876bd81891e71dd274342//外网可以访问通过公网地址SSH :user:pix password: cisco 7.0以上版本不存在这个问题可用本地用户即可。
: end
ciscoasa#
DMZ区相关映射:
DMZ区相关映射:
(1)access-list access extended permit tcp any interface outside eq 3389
static (dmz,outside) tcp interface 3389 10.0.0.100 3389 //访问外网的3389时映射为DMZ地址
(2):说明如果加了这个access-list nonat extended permit ip 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0 nat (dmz) 0 access-list nonat时,INSIDE 与DMZ能全部通信,无做转换。
如果需要只能让内网访问DMZ区,但DMZ区无法访问内网,仅让DMZ访问内网部分业务则:不做DMZ区的 NONAT时,但做了DMZ PAT
此时可用access-list ping extended permit tcp any interface dmz eq 3389
static (inside,dmz) tcp interface 3389 172.16.0.100 3389 netmask 255.255.255.255 实现访问。
access-list ping extended permit tcp any interface dmz eq 3389
static (inside,dmz) tcp interface 3389 172.16.0.100 3389 netmask 255.255.255.255
此时可以在DMZ区,远程(MST): 10.0.0.1 (DMZ网关地址),可以登录172.16.0.100的机子,按需求进行置。
END