标签:auto client ext firewall span crt tor title 高级
实验
思路与配置
1.配置g0
interface g0
no shutdown
nameif inside
ip address 192.168.1.254 255.255.255.0
security-level 100
配置g1
interface g1
no shutdown
nameif outside
ip address 192.168.8.254 255.255.255.0
security-level 0
配置g2
interface g2
no shutdown
nameif DMZ
ip address 192.168.3.254 255.255.255.0
security-level 50
2.配置AR1
配置0端口 ip 192.168.1.1 255.255.255.0
配置1端口 ip 10.1.1.254 255.255.255.0
配置2端口 ip 10.2.2.254 255.255.255.0
配置静态浮动路由
ip route-static 0.0.0.0 0.0.0.0 192.168.1.254
3.配置云
access-list out-to-in permit ip host 192.168.8.1 host 192.168.3.100
access-group out-to-in in interface outside
此时
DMZ发布Web服务器,client2可以访问server3
可以实现
配置 路由条目
route inside 10.1.1.0 255.255.255.0 192.168.1.1
route inside 10.2.2.0 255.255.255.0 192.168.1.1
使用命令show conn detail 查看conn
配置server2的FTP
配置server3的FTP
配置client1 FTP
配置client1 FTP
查看 show conn detail
分别查看ASA和AR的路由表
ASA:
AR1:
------------------------------------------------------------
配置云
access-list 111 deny tcp any host 192.168.3.1 eq 80
access-group 111 in interface DMZ
配置ACL禁止client3访问server2
=======================================================================================================================
实验:1
思路与配置:
1.
进入crt
connect进入 先清除以前配置:
clear configuration all
配置进口安全等级及ip
interface g0
nameif inside
no shutdown
ip address 192.168.1.254
securty-level 100
interface g1
nameif outside
no shutdown
ip address 192.168.8.254
securty-level 0
此时可以达到实验要求
如需要client2 访问server1 则可以配置ACL
access-list out-to-in permit ip host 192.168.8.1 host 192.168.1.100
仅为源ip
access-list out-to-in permit ip host 192.168.8.0 host 192.168.1.100
为一个网段
access-group out-to-in in interface outside
实验2
pc1ping通server 2/client 2
配置ACL
access-list ICMP permit icmp any any
access-group ICMP in interface outside
实验3 配置静态和默认路由
配置 R1
0端口:ip 192.168.1.1 24
1端口:ip 10.1.1.254 24
2端口:ip 10.2.2.254 24
配置云
route inside 10.1.1.0 255.255.255.0 192.168.1.1
route inside 20.1.1.0 255.255.255.0 192.168.1.1
R1配置静态路由
ip route-static 0.0.0.0 0.0.0.0 192.168.1.254
此时可以ping通
实验5 控制出站链接流量 禁止10.1.1.0/24 的流量出站
配置ACL
access-list in-to-out deny ip 10.1.1.0 255.255.55.0 any
access-list in-to-out permit ip any any
acess-group in-to-out in interface inside
此时10.1.1.0网段流量出不去
PC机可以访问服务机
先删除防火墙中的dhcp配置
no dhcp auto-config outside
no dhcp address 192.168.1.5-192.168.1.35 inside
no dhcp enable inside
no ip address dhcp
在vlan2 中配置ip 200.1.1.254 255.255.255.0
配置0端口为vlan1 1端口为vlan2
配置ACL
access-list 111 permit tcp any host 192.168.1.1 eq 80
access-group 111 in interface outside
实验 多区域防火墙
在实验1的配置基础上在进行配置
配置
interface g2
nameif DMZ
no shutdown
ip address 192.168.3.254 255.255.255.0
security-level 50
高级可以访问低级 低级不能访问高级
client1 可以访问 server2 server3
client3 可以访问 server3
标签:auto client ext firewall span crt tor title 高级
原文地址:http://blog.51cto.com/13555521/2068540
