Chinaunix
Title: A question about an ASA configuration
Author: bijian998
Time: 2011-08-01 20:30
As the title says, I have the following requirement:
1. A web publishing server, with its IP assumed to be 10.13.113.11/24
2. An ASA K8, on which I want:
inside interface 10.13.113.254/24
externally published interface 172.25.192.80/24, gateway 172.25.192.1
In theory, any IP address that can reach 172.25.192.80 should be able to access the specified services (www, ftp, specified ports) on the 10.13.113.11 server.
So I have the configuration below, which apparently does not work; could you please correct it?
interface Ethernet 0/0
nameif outside
security-level 0
ip address 172.25.192.80 255.255.255.0
no shutdown
interface Ethernet 0/1
nameif inside
security-level 100
ip address 10.13.113.254 255.255.255.0
no shutdown
interface management 0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
no shutdown
management-only
http server enable
http 192.168.1.184 255.255.255.0 management
access-list in-server extended permit icmp any any
access-list in-server extended permit ip any interface outside
access-list in-server extended permit tcp any host 10.13.113.11 eq www
access-list in-server extended permit tcp any host 10.13.113.11 eq ftp
access-list in-server extended permit tcp any host 10.13.113.11 eq 3031
access-list in-server extended permit tcp any host 10.13.113.11 eq 4041
global (outside) 1 interface
nat (inside) 1 10.13.113.0 255.255.255.0
static (inside,outside) 172.25.192.80 10.13.113.254 netmask 255.255.255.255
access-group in-server in interface outside
route outside 0.0.0.0 0.0.0.0 172.25.192.1
Author: bijian998
Time: 2011-08-02 09:19
Nobody willing to lend a hand?
Author: wastebaby
Time: 2011-08-02 09:37
This post was last edited by wastebaby on 2011-08-02 09:46
Try changing it to the following:
static (inside,outside) 172.25.192.81 10.13.113.11 netmask 255.255.255.255
access-group in-server in interface outside
route outside 0.0.0.0 0.0.0.0 172.25.192.1
Author: bijian998
Time: 2011-08-02 12:20
Does the post above mean changing it to:
static (inside,outside) 172.25.192.80 10.13.113.11 netmask 255.255.255.255
?
Author: cnadl
Time: 2011-08-02 12:44
Clear the configuration, then make the last section as follows.
access-list in-server extended permit icmp any host 172.25.192.80
access-list in-server extended permit tcp any host 172.25.192.80 eq www
access-list in-server extended permit tcp any host 172.25.192.80 eq ftp
access-list in-server extended permit tcp any host 172.25.192.80 eq 3031
access-list in-server extended permit tcp any host 172.25.192.80 eq 4041
static (inside,outside) 172.25.192.80 10.13.113.11 netmask 255.255.255.255
access-group in-server in interface outside
route outside 0.0.0.0 0.0.0.0 172.25.192.1
Author: bijian998
Time: 2011-09-14 18:41
ciscoasa(config)# show run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 172.25.192.80 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list in-server extended permit icmp any any
access-list in-server extended permit ip any interface outside
access-list in-server extended permit tcp any interface outside eq www
access-list in-server extended permit tcp any interface outside eq ftp
access-list in-server extended permit tcp any interface outside eq 55001
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
ciscoasa(config)# int
ciscoasa(config)# interface Ma
ciscoasa(config)# interface Management 0/0
ciscoasa(config)# interface Management 0/0
ciscoasa(config-if)# shutdow
ciscoasa(config-if)# shutdown
ciscoasa(config-if)# show run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 172.25.192.80 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list in-server extended permit icmp any any
access-list in-server extended permit ip any interface outside
access-list in-server extended permit tcp any interface outside eq www
access-list in-server extended permit tcp any interface outside eq ftp
access-list in-server extended permit tcp any interface outside eq 55001
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
static (inside,outside) 172.25.192.80 192.168.3.73 netmask 255.255.255.255
access-group in-server in interface outside
route outside 0.0.0.0 0.0.0.0 172.25.192.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:716e096075a7e095ddab091fcee774e0
: end
-----------------------------
With the configuration above, the internal server 192.168.3.73 still cannot be reached via the IP of the outside interface.
Author: bijian998
Time: 2011-09-14 18:42
Logically, the static route is also in place, so hosts on the 172.25.192.xx subnet should be able to reach http://192.168.3.73, but it still does not work. I do not know where the problem is; please help.
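To see why the static/ACL combinations in this thread keep failing, here is an added example (not from any poster): a small Python lint over an excerpt of the first post's ASA 8.0 configuration. It assumes pre-8.3 semantics, where an ACL applied on the outside interface matches the mapped (global) address and a one-to-one static cannot reuse an interface's own address; the port-based `static ... tcp interface` form it suggests is the standard alternative for publishing a server on the interface IP.

```python
import ipaddress
import re

# Constructed sample: an excerpt of the first post's configuration (ASA 8.0 syntax).
SAMPLE_CONFIG = """\
interface Ethernet 0/0
 nameif outside
 ip address 172.25.192.80 255.255.255.0
interface Ethernet 0/1
 nameif inside
 ip address 10.13.113.254 255.255.255.0
access-list in-server extended permit icmp any any
access-list in-server extended permit ip any interface outside
access-list in-server extended permit tcp any host 10.13.113.11 eq www
static (inside,outside) 172.25.192.80 10.13.113.254 netmask 255.255.255.255
access-group in-server in interface outside
"""

def interface_nets(cfg: str) -> dict[str, ipaddress.IPv4Interface]:
    """Map each nameif to its configured address/mask."""
    nets, current = {}, None
    for line in cfg.splitlines():
        tok = line.split()
        if tok[:1] == ["nameif"]:
            current = tok[1]
        elif tok[:2] == ["ip", "address"] and current:
            nets[current] = ipaddress.IPv4Interface(f"{tok[2]}/{tok[3]}")
    return nets

def lint(cfg: str) -> list[str]:
    """Flag the static/ACL mistakes that keep this thread's setup from working (pre-8.3 rules)."""
    nets, findings = interface_nets(cfg), []
    for m in re.finditer(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask", cfg, re.M):
        real_if, mapped_if, mapped, real = m.groups()
        if mapped_if in nets and nets[mapped_if].ip == ipaddress.ip_address(mapped):
            findings.append(f"static: {mapped} is the {mapped_if} interface address; a one-to-one static "
                            "cannot reuse it, use static (inside,outside) tcp interface <port> <real-ip> <port>")
        if real_if in nets and nets[real_if].ip == ipaddress.ip_address(real):
            findings.append(f"static: {real} is the ASA's own {real_if} interface, not the server")
    for name, iface in re.findall(r"^access-group (\S+) in interface (\S+)", cfg, re.M):
        acl = rf"^access-list {name} extended permit (\S+) (any|host \S+|\S+ \S+) (.*)$"
        for proto, src, dst in re.findall(acl, cfg, re.M):
            d = dst.split()
            if d[:1] == ["host"] and any(n != iface and ipaddress.ip_address(d[1]) in nets[n].network
                                        for n in nets):
                findings.append(f"acl {name}: host {d[1]} is a real address behind the ASA; the {iface} ACL must match the mapped address instead")
            if (proto, src, d[:1]) == ("ip", "any", ["interface"]) or (proto, src, dst) == ("icmp", "any", "any"):
                findings.append(f"acl {name}: 'permit {proto} {src} {dst}' is broader than the published services")
    return findings
```

Applied to the first post's excerpt it reports both static mistakes, the ACL that names the real server address, and the two over-broad permits; cnadl's corrected ACL and static remove all but the interface-address reuse.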
Welcome to Chinaunix (http://bbs.chinaunix.net/)