asa防火墙基本上网综合实验

实验要求：

分别划分inside（内网），outside（外网），dmz（服务器区）三个区

配置PAT，直接使用outside接口的ip地址进行转换

配置静态NAT，发布内网服务器

启用NAT控制，配置NAT豁免，内网访问dmz区中的主机时，不做NAT转换

R1配置：

R1#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

R1(config)#host outsite

outsite(config)#int f0/0

outsite(config-if)#ip add 12.0.0.2 255.255.255.0

outsite(config-if)#no shut

outsite(config-if)#int f0

00:21:15: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up

00:21:16: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

outsite(config-if)#int f0/1

outsite(config-if)#ip add 13.0.0.1 255.255.255.0

outsite(config-if)#no shut

outsite(config-if)#

00:21:33: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up

00:21:34: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

outsite(config-if)#exit

outsite(config)#ip route 0.0.0.0 0.0.0.0 f0/0

outsite(config)#end

ASA配置：

ciscoasa# conf t

ciscoasa(config)# hostname asa

asa(config)# int e0/0

asa(config-if)# nameif inside

INFO: Security level for "inside" set to 100 by default.

asa(config-if)# ip add 192.168.1.1 255.255.255.0

asa(config-if)# no shut

asa(config-if)# int e0/2

asa(config-if)# nameif outside

INFO: Security level for "outside" set to 0 by default.

asa(config-if)# ip add 12.0.0.1 255.255.255.0

asa(config-if)# no shut

asa(config-if)# int e0/1

asa(config-if)# ip add 192.168.10.1 255.255.255.0

asa(config-if)# no shut

asa(config-if)# nameif dmz

INFO: Security level for "dmz" set to 0 by default.

asa(config-if)# sec

asa(config-if)# security-level 50

asa(config-if)# no shut

asa(config-if)# exit

asa(config)# route outside 0 0 12.0.0.2

ciscoasa# conf t

ciscoasa(config)# nat-control

ciscoasa(config)# nat (inside) 1 192.168.1.0 255.255.255.0

ciscoasa(config)# gl

ciscoasa(config)# global (outside) 1 interface

INFO: outside interface address added to PAT pool

ciscoasa(config)# end

ciscoasa# show xlate

0 in use, 1 most used

ciscoasa# show xlate

1 in use, 1 most used

PAT Global 12.0.0.1(1) Local 192.168.1.2 ICMP id 1

很明显的看出来已经把内网地址转换成外网地址，从而可以让内网用户上网了

Ping不通是因为防火墙的原因，这里需要些acl放行

ciscoasa(config)# access-list 111 permit icmp any any

ciscoasa(config)# acc

ciscoasa(config)# access-g

ciscoasa(config)# access-group 111 in int

ciscoasa(config)# access-group 111 in interface outside

ciscoasa(config)# access-list nonat permit ip host 192.168.1.2 host 192.168.10.10  //豁免nat，也就是说从内网访问到dmz区域的流量不走nat，直接走内网。

ciscoasa(config)# nat (inside) 0 access-list nonat

再次测试就ok了

因为默认高到低是可以通的，所以内网访问dmz区无需配置，测试如下：

静态NAT（发布DMZ区的服务器）一对一的固定转换：

ciscoasa(config)#  static (dmz,outside) 12.0.0.3 192.168.10.10

ciscoasa(config)# access-list out_to_dmz permit tcp any host 12.0.0.3 eq www

ciscoasa(config)# access-group out_to_dmz in int outside

ciscoasa(config)# exit

外网验证如下：

本文转自    探花无情   51CTO博客，原文链接:http://blog.51cto.com/983865387/1858570