
Firewall configuration
ciscoasa# show run
interface Ethernet0/0
nameif inside
security-level 100
ip address 1.1.1.2 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
!
access-list aclin extended permit icmp any any // ACL I applied on the firewall's outside interface, to test network connectivity
access-group aclin in interface outside
!
router ospf 1 // OSPF, which I run between the firewall and R1
network 1.1.1.0 255.255.255.0 area 0
default-information originate
route outside 0.0.0.0 0.0.0.0 192.168.1.3 // specifies the eight-zeros (default) route
ciscoasa# show route
Gateway of last resort is 192.168.1.3 to network 0.0.0.0
C 1.1.1.0 255.255.255.0 is directly connected, inside
O IA 1.1.3.1 255.255.255.255 [110/11] via 1.1.1.1, 0:34:44, inside
O IA 1.1.2.0 255.255.255.0 [110/20] via 1.1.1.1, 0:34:44, inside
C 192.168.1.0 255.255.255.0 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.1.3, outside
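A small audit for the pattern in the firewall configuration above, where a `permit icmp any any` ACL is bound inbound on the security-level 0 interface. This is an added example, not part of the original post; the function names `parse_asa` and `audit`, the `trusted_below` threshold and the sample text (constructed from the configuration shown) are assumptions for illustration.

```python
import re

# Constructed sample: the relevant lines of the ASA configuration shown above.
SAMPLE_CONFIG = """\
interface Ethernet0/0
nameif inside
security-level 100
!
interface Ethernet0/1
nameif outside
security-level 0
!
access-list aclin extended permit icmp any any // ACL for connectivity testing
access-group aclin in interface outside
"""

def parse_asa(config):
    """Return (nameif -> security-level, ACL name -> entries, inbound bindings)."""
    levels, acls, bindings = {}, {}, []
    nameif = None
    for raw in config.splitlines():
        line = raw.split("//")[0].strip()  # drop the page's // annotations
        if line.startswith("interface "):
            nameif = None                  # new interface block begins
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level ") and nameif:
            levels[nameif] = int(line.split()[1])
        elif m := re.match(r"access-list (\S+) extended (.+)", line):
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            bindings.append((m.group(1), m.group(2)))
    return levels, acls, bindings

def audit(config, trusted_below=100):
    """Flag 'permit <proto> any any' entries bound inbound on less-trusted interfaces."""
    levels, acls, bindings = parse_asa(config)
    findings = []
    for acl, nameif in bindings:
        level = levels.get(nameif, 0)      # unknown interface: treat as untrusted
        if level >= trusted_below:
            continue
        for entry in acls.get(acl, []):
            if re.fullmatch(r"permit \S+ any any", entry):
                findings.append((nameif, level, acl, entry))
    return findings

if __name__ == "__main__":
    for nameif, level, acl, entry in audit(SAMPLE_CONFIG):
        print(f"{nameif} (security-level {level}): ACL {acl} has broad entry '{entry}'")
```

An entry narrowed to a specific ICMP type or destination, such as `permit icmp any any echo-reply`, is not flagged.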
Configuration on R1
R1#show run
interface Loopback0
ip address 1.1.3.1 255.255.255.0
!
interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 1.1.2.1 255.255.255.0
duplex auto
speed auto
no keepalive
!
router ospf 1
log-adjacency-changes
network 1.1.1.0 0.0.0.255 area 0
network 1.1.2.0 0.0.0.255 area 1
network 1.1.3.0 0.0.0.255 area 1
R1#show ip route
Gateway of last resort is 1.1.1.2 to network 0.0.0.0
1.0.0.0/24 is subnetted, 3 subnets
C 1.1.1.0 is directly connected, FastEthernet0/0
C 1.1.2.0 is directly connected, FastEthernet0/1
C 1.1.3.0 is directly connected, Loopback0
O*E2 0.0.0.0/0 [110/1] via 1.1.1.2, 00:34:04, FastEthernet0/0
Configuration on R3
R3#show run
interface FastEthernet0/0
ip address 192.168.1.3 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.2.3 255.255.255.0
duplex auto
speed auto
no keepalive
!
ip route 0.0.0.0 0.0.0.0 192.168.1.2 // to test connectivity, a static route is specified here on the external-network router R3
R1#ping 192.168.1.3 // ping from the inside to the external-network interface: succeeds
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/42/84 ms
R3#ping 1.1.2.1 // ping from the outside to the internal interface: succeeds
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/56/116 ms
R3#ping 192.168.1.2 // ping the firewall's outside interface; by default this does not work, but since I applied the ACL just now, the ping succeeds
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/28/60 ms
Reposted from: https://blog.51cto.com/xiaomu205/142414