A question about an ASA configuration

#1, posted 2011-08-01 20:30
As the title says, I have the following requirements:
1. A web server; assume its IP is 10.13.113.11/24
2. An ASA K8, on which I currently want to set up:
   inside interface 10.13.113.254/24
   the externally published access interface 172.25.192.80/24, gateway: 172.25.192.1

In theory, any IP address that can reach the 172.25.192.80 interface should be able to access the specified services (www, ftp, specific ports) on the 10.13.113.11 server.

So I have the following configuration, which seems not to work; please correct it.


interface Ethernet 0/0
nameif outside
security-level 0
ip address 172.25.192.80 255.255.255.0
no shutdown

interface Ethernet 0/1
nameif inside
security-level 100
ip address 10.13.113.254 255.255.255.0
no shutdown

interface management 0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
no shutdown
management-only


http server enable
http 192.168.1.184 255.255.255.0 management


access-list in-server extended permit icmp any any
access-list in-server extended permit ip any interface outside
access-list in-server extended permit tcp any host 10.13.113.11 eq www
access-list in-server extended permit tcp any host 10.13.113.11 eq ftp
access-list in-server extended permit tcp any host 10.13.113.11 eq 3031
access-list in-server extended permit tcp any host 10.13.113.11 eq 4041


global (outside) 1 interface
nat (inside) 1 10.13.113.0 255.255.255.0
static (inside,outside) 172.25.192.80 10.13.113.254 netmask 255.255.255.255
access-group in-server in interface outside
route outside 0.0.0.0 0.0.0.0 172.25.192.1

#2, posted 2011-08-02 09:19

Nobody willing to lend a hand?

#3, posted 2011-08-02 09:37
This post was last edited by wastebaby on 2011-08-02 09:46

Try changing it to the following:
static (inside,outside) 172.25.192.81 10.13.113.11 netmask 255.255.255.255
access-group in-server in interface outside
route outside 0.0.0.0 0.0.0.0 172.25.192.1

#4, posted 2011-08-02 12:20
Do you mean changing it to:
   static (inside,outside) 172.25.192.80 10.13.113.11 netmask 255.255.255.255
?

#5, posted 2011-08-02 12:44
Clear the configuration, then make the last section as follows.

access-list in-server extended permit icmp any host 172.25.192.80
access-list in-server extended permit tcp any host 172.25.192.80 eq www
access-list in-server extended permit tcp any host 172.25.192.80 eq ftp
access-list in-server extended permit tcp any host 172.25.192.80 eq 3031
access-list in-server extended permit tcp any host 172.25.192.80 eq 4041

static (inside,outside) 172.25.192.80 10.13.113.11 netmask 255.255.255.255
access-group in-server in interface outside

route outside 0.0.0.0 0.0.0.0 172.25.192.1
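
As an added example (not code from the thread or from Cisco), here is a small Python linter for the pre-8.3 static NAT / ACL section that catches the two mistakes discussed in this thread: a static whose real address is an ASA interface IP rather than the server, and an ACL bound to the outside interface that names the untranslated inside address instead of the mapped one. The two sample configurations are constructed from the first post and from reply #5; the parser only understands the `static`, `access-list ... extended permit`, `access-group`, `nameif` and `ip address` lines used here.

```python
import re

# Constructed sample, abbreviated from the first post (pre-8.3 ASA NAT syntax).
OP_CONFIG = """
nameif outside
ip address 172.25.192.80 255.255.255.0
nameif inside
ip address 10.13.113.254 255.255.255.0
access-list in-server extended permit tcp any host 10.13.113.11 eq www
static (inside,outside) 172.25.192.80 10.13.113.254 netmask 255.255.255.255
access-group in-server in interface outside
"""
# Constructed: same section with reply #5's fix (ACL names the mapped address, static points at the server).
FIXED_CONFIG = (OP_CONFIG.replace("host 10.13.113.11", "host 172.25.192.80")
                .replace("172.25.192.80 10.13.113.254", "172.25.192.80 10.13.113.11"))
STATIC = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask")

def ace_dest(tokens):
    def take(ts):                               # one address term -> ((kind, value), remainder)
        if ts[0] in ("host", "interface"):
            return (ts[0], ts[1]), ts[2:]
        if ts[0] == "any":
            return ("any", None), ts[1:]
        return ("net", ts[0]), ts[2:]           # "address mask" form
    _, rest = take(tokens[1:])                  # tokens start at the protocol; skip it, consume source
    return take(rest)[0]

def lint(cfg):
    """Findings for the two NAT/ACL mistakes discussed in this thread."""
    ifaces, statics, aces, groups, name = {}, [], {}, {}, None
    for tok in (ln.split() for ln in cfg.splitlines() if ln.strip()):
        if tok[0] == "nameif":
            name = tok[1]
        elif tok[:2] == ["ip", "address"] and name:
            ifaces[name] = tok[2]
        elif tok[0] == "static" and (m := STATIC.match(" ".join(tok))):
            statics.append({"mapped_if": m[2], "mapped": m[3], "real": m[4]})
        elif tok[0] == "access-list" and tok[2:4] == ["extended", "permit"]:
            aces.setdefault(tok[1], []).append(ace_dest(tok[4:]))
        elif tok[0] == "access-group":          # access-group NAME in interface IF
            groups[tok[4]] = tok[1]
    findings = []
    for s in statics:                           # real side must be the server, not an ASA interface
        if s["real"] in ifaces.values():
            findings.append(f"static maps {s['mapped']} to interface address {s['real']}, not a server")
    for ifname, acl in groups.items():          # pre-8.3: an ACL on outside matches translated addresses
        mapped = {s["mapped"] for s in statics if s["mapped_if"] == ifname} | {ifaces.get(ifname)}
        for kind, val in aces.get(acl, []):
            if kind == "host" and val not in mapped:
                findings.append(f"ACL {acl} on {ifname} permits to untranslated host {val}")
    return findings
```

Running `lint(OP_CONFIG)` reports both problems; `lint(FIXED_CONFIG)` returns an empty list.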

#6, posted 2011-08-04 22:06

Learning, learning!




#7, posted 2011-09-14 18:41
ciscoasa(config)# show run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 172.25.192.80 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown     
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list in-server extended permit icmp any any
access-list in-server extended permit ip any interface outside
access-list in-server extended permit tcp any interface outside eq www
access-list in-server extended permit tcp any interface outside eq ftp
access-list in-server extended permit tcp any interface outside eq 55001
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
ciscoasa(config)# int
ciscoasa(config)# interface Ma
ciscoasa(config)# interface Management 0/0
ciscoasa(config)# interface Management 0/0
ciscoasa(config-if)# shutdow
ciscoasa(config-if)# shutdown
ciscoasa(config-if)# show run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 172.25.192.80 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown     
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list in-server extended permit icmp any any
access-list in-server extended permit ip any interface outside
access-list in-server extended permit tcp any interface outside eq www
access-list in-server extended permit tcp any interface outside eq ftp
access-list in-server extended permit tcp any interface outside eq 55001
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
static (inside,outside) 172.25.192.80 192.168.3.73 netmask 255.255.255.255
access-group in-server in interface outside
route outside 0.0.0.0 0.0.0.0 172.25.192.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:716e096075a7e095ddab091fcee774e0
: end

-----------------------------
With the above configuration it is still impossible to reach the internal 192.168.3.73 server through the outside interface's IP.

#8, posted 2011-09-14 18:42
Logically, a static route has also been created, so hosts with IPs in the 172.25.192.xx subnet should be able to access http://192.168.3.73, but it still doesn't work. I don't know where the problem is; please help.