防火墙Firewalls ASA

发布时间：2020-07-17 20:55:24 来源：网络阅读：505 作者：TMAC严敏栏目：系统运维

防火墙Firewalls ASA

实验：

1.思路：数据包的走向

2.要求：vlan互通，VRRP 内网pat访问外网，发布web服务器供外网访问，

防火墙Firewalls ASA

让sw1作根交换机

1.配置sw10 创建vlan10 20 100

1端口加入vlan10 2和3端口为trunk模式

防火墙Firewalls ASA

2.配置sw20 创建vlan10 20 40 100

1端口加入vlan100 3端口加入vlan40 2和4端口为trunk模式

防火墙Firewalls ASA

配置vlanif 10 ip：192.168.10.254 24

vlanif20 ip：192.168.20.254 24

vlanif40 ip：192.168.40.1 24

vlanif100 ip：192.168.100.254 24

防火墙Firewalls ASA

3.配置sw30 创建vlan10 20 50 100

1端口加入vlan20 3端口加入vlan50 2和4端口为trunk模式

防火墙Firewalls ASA

配置vlanif 10 ip：192.168.10.253 24

vlanif20 ip：192.168.20.253 24

vlanif50 ip：192.168.50.1 24

vlanif100 ip：192.168.100.253 24

防火墙Firewalls ASA

4.配置sw20 配置 vlan1的vrrp

vrrp vrid 10 virtual-ip 192.168.10.250

vrrp vrid 10 priority150

vrrp vrid 10 track interface g0/0/3 reduce 80

vrrp vrid 10 track interface g0/0/2 reduce 80

配置 vlan100的vrrp

vrrp vrid 100 virtual-ip 192.168.100.250

vrrp vrid 100 priority150

vrrp vrid 100 track interface g0/0/3 reduce 80

vrrp vrid 100 track interface g0/0/2 reduce 80

配置 vlan20的vrrp

vrrp vrid 20 virtual-ip 192.168.20.250

防火墙Firewalls ASA

5.配置sw30 配置 vlan10的vrrp

vrrp vrid 10 virtual-ip 192.168.20.250

配置 vlan20的vrrp

vrrp vrid 20 virtual-ip 192.168.20.250

vrrp vrid 20priority150

vrrp vrid 20 track interface g0/0/3 reduce 80

vrrp vrid 20 track interface g0/0/2 reduce 80

配置 vlan100的vrrp

vrrp vrid 100 virtual-ip 192.168.100.250

防火墙Firewalls ASA

6.配置sw20 配置rip

rip

version2

network 192.168.10.0

network 192.168.100.0

network 192.168.20.0

network 192.168.40.0

静态浮动路由

ip route-static 0.0.0.0 0.0.0.0 192.168.40.254

防火墙Firewalls ASA

7.配置sw30 配置rip

rip

version2

network 192.168.10.0

network 192.168.20.0

network 192.168.50.0

network 192.168.100.0

静态浮动路由

ip route-static 0.0.0.0 0.0.0.0 192.168.50.254

防火墙Firewalls ASA

8.配置防火墙

interface g0

nameif inside1

no shutdown

ip address 192.168.40.254 255.255.255.0

security-level 100

interface g1

nameif inside2

no shutdown

ip address 192.168.50.254 255.255.255.0

security-level 90

interface g2

nameif outside

no shutdown

ip address 200.8.8.1 255.255.255.252

security-level 0

防火墙Firewalls ASA

配置默认路由

route inside1 192.168.10.0 255.255.255.0 192.168.40.1

route inside1 192.168.100.0 255.255.255.0 192.168.40.1

route inside2 192.168.20.0 255.255.255.0 192.168.50.1

route outside 200.1.1.0 255.255.255.0 200.8.8.2

防火墙Firewalls ASA

备份

route inside2 192.168.1.0 255.255.255.0 192.168.50.2

route inside2 192.168.100.0 255.255.255.0 192.168.50.2

route inside2 192.168.2.0 255.255.255.0 192.168.50.2

9.配置AR1

配置0端口ip：200.1.1.254 24

1端口ip：200.8.8.2 255.255.255.252

配置静态浮动路由

ip route-static 0.0.0.0 0.0.0.0 200.8.8.1

防火墙Firewalls ASA

10.在防火墙上配置静态NAT

object network ob-in1

subnet 192.168.10.0 255.255.255.0

nat （inside1，outside）dynamic 119.1.1.1

object network ob-in2

subnet 192.168.20.0 255.255.255.0

nat （inside2，outside）dynamic 119.1.1.2

防火墙Firewalls ASA

此时client1和clent2 都可访问公网ftp 并抓包查看内网地址已转化

防火墙Firewalls ASA

配置动态PAT 使公网访问内网

object network ob-out

host 119.1.1.3

object network outside

host 200.1.1.1

nat （outside，inside1）static ob-out service tcp 80 80

防火墙Firewalls ASA

配置ACL

access-list out-to-ins permit tcp any object inside1 eq http

access-group out-to-ins in interface outside

向AI问一下细节

防火墙Firewalls ASA

猜你喜欢

最新资讯

相关推荐

相关标签