一.测试拓扑
R1---Outside----ASA842----Inside-----R2
|
DMZ
|
R3
二.测试思路
利用ASA的twice nat实现访问DMZ的公网地址时转向DMZ的真实地址。
三.基本配置
A.R1:
interface FastEthernet0/0
ip address 202.100.1.1 255.255.255.0
no shut
B.R2:
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.10
C.R3:
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 192.168.1.10
line vty 0 4
password cisco
login
D.ASA842:
interface GigabitEthernet0
nameif Outside
security-level 0
ip address 202.100.1.10 255.255.255.0
no shut
interface GigabitEthernet1
nameif DMZ
security-level 50
ip address 192.168.1.10 255.255.255.0
no shut
interface GigabitEthernet2
nameif Inside
security-level 100
ip address 10.1.1.10 255.255.255.0
no shut
四.ASA静态NAT,twice-NAT和策略配置
A.定义对象:
object network R3-dmz
host 192.168.1.1
object network R3-outside
host 202.100.1.8
object network Inside-net
subnet 10.1.1.0 255.255.255.0
B.配置DMZ到Outside的静态NAT:
object network R3-dmz
nat (DMZ,Outside) static R3-outside
C.配置inside到DMZ的的twice-nat:
nat (Inside,DMZ) source static Inside-net Inside-net destination static R3-outside R3-dmz
D.配置并应用outside接口策略:
-----Inside访问DMZ默认放行
access-list Outside extended permit ip any object R3-dmz
access-group Outside in interface Outside
五.验证:
A.从Ouside访问DMZ的公网地址:
R1#telnet 202.100.1.8
Trying 202.100.1.8 ... Open
User Access Verification
Password:
R3>show users
Line User Host(s) Idle Location
0 con 0 idle 00:14:22
* 2 vty 0 idle 00:00:00 202.100.1.1
Interface User Mode Idle Peer Address
R3>
B.从Inside访问DMZ的公网地址:
R2#telnet 202.100.1.8
Trying 202.100.1.8 ... Open
User Access Verification
Password:
R3>show users
Line User Host(s) Idle Location
0 con 0 idle 00:16:37
* 2 vty 0 idle 00:00:00 10.1.1.1
Interface User Mode Idle Peer Address
R3>
C.从Inside访问DMZ真实地址:
R2#telnet 192.168.1.1
Trying 192.168.1.1 ... Open
User Access Verification
Password:
R3>show users
Line User Host(s) Idle Location
0 con 0 idle 00:17:03
* 2 vty 0 idle 00:00:00 10.1.1.1
Interface User Mode Idle Peer Address
R3>
本文出自 “httpyuntianjxxll.spac..” 博客,请务必保留此出处http://333234.blog.51cto.com/323234/1604895
ASA8.4的Inside区域同时访问DMZ公网地址和真实地址测试
原文地址:http://333234.blog.51cto.com/323234/1604895