October 10, 2011
10:52
conf t
int eth0
nameif outside
security-level 0
ip address 202.100.10.1 255.255.255.0
no shut
int eth1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shut
int eth2
nameif dmz
security-level 50
ip address 172.16.1.1 255.255.255.0
no shut
Routing configuration
route outside 0.0.0.0 0.0.0.0 202.100.10.2 1
route inside 10.0.0.0 255.0.0.0 192.168.1.2 1   (? why is the web server attached here?)
Address translation
Static NAT
Static PAT (can be seen as the port mode of static NAT)
static (inside,outside) 202.100.10.1 10.0.0.1 netmask 255.255.255.255
static (inside,outside) tcp 202.100.10.1 www 10.0.0.1 www netmask 255.255.255.255
static (dmz,outside) tcp 202.100.10.1 pop3 172.16.1.2 pop3 netmask 255.255.255.255
Dynamic NAT
Dynamic PAT (can be seen as the port mode of dynamic NAT)
Dynamic NAT first requires a global address pool to be configured
e.g.: global (outside) 1 202.100.10.2-202.100.10.10 netmask 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0
global (dmz) 1 interface
Policy NAT (PAT)
NAT with an ACL
Define the address range on the higher-security interface that needs to be translated
nat (inside) 1
Define the ACLs
access-list 100 extended permit ip any any
access-list 100 extended permit icmp any any
access-list 101 extended permit tcp any host 10.1.1.1 eq www
access-list 102 extended permit tcp any host 172.16.1.2 eq pop3
Apply the ACLs on the interfaces
access-group 100 in int outside
access-group 101 in int inside
access-group 102 in interface dmz
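The ACL section above applies "permit ip any any" inbound on the outside interface, which is the lowest-security interface. As an added example (not part of the original notes), the following Python script parses a constructed ASA-style config fragment modelled on these notes (nameif, security-level, access-list, access-group) and flags two review findings a defender would want: an access-group that references an undefined ACL or interface, and an unrestricted "permit ip any any" applied inbound on the lowest-security interface. The config text is constructed here for illustration; nothing about a real device is assumed.

```python
import re
from collections import defaultdict

# Constructed config fragment modelled on the notes above (the "icmp" line is given its "permit").
CONFIG = """
interface eth0
 nameif outside
 security-level 0
interface eth1
 nameif inside
 security-level 100
interface eth2
 nameif dmz
 security-level 50
access-list 100 extended permit ip any any
access-list 100 extended permit icmp any any
access-list 101 extended permit tcp any host 10.1.1.1 eq www
access-list 102 extended permit tcp any host 172.16.1.2 eq pop3
access-group 100 in interface outside
access-group 101 in interface inside
access-group 102 in interface dmz
"""

def parse(config):
    """Return (security levels by nameif, ACEs by ACL name, (acl, direction) by interface)."""
    levels, acls, groups, name = {}, defaultdict(list), {}, None
    for line in config.splitlines():
        parts = line.strip().split()
        if not parts:
            continue
        if parts[0] == "nameif":
            name = parts[1]
        elif parts[0] == "security-level" and name:
            levels[name] = int(parts[1])
        elif parts[0] == "access-list":
            acls[parts[1]].append(parts[2:])  # e.g. ['extended','permit','ip','any','any']
        elif parts[0] == "access-group" and re.match(r"int(erface)?$", parts[3]):
            groups[parts[4]] = (parts[1], parts[2])  # interface -> (acl name, direction)
    return levels, acls, groups

def audit(config):
    """List findings: dangling access-group references and 'permit ip any any' inbound on the lowest-security interface."""
    levels, acls, groups = parse(config)
    findings = []
    for iface, (acl, direction) in groups.items():
        if iface not in levels or acl not in acls:
            findings.append(f"{acl}: access-group references undefined ACL or interface ({iface})")
            continue
        lowest = min(levels.values())
        for ace in acls[acl]:
            if ace[1:5] == ["permit", "ip", "any", "any"] and direction == "in" and levels[iface] == lowest:
                findings.append(f"{acl}: 'permit ip any any' inbound on lowest-security interface {iface}")
    return findings

if __name__ == "__main__":
    for f in audit(CONFIG):
        print(f)
```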