Lab 8: Configuring NAT and ACLs on the ASA
Lab topology
Device | Interface | IP address/mask |
R1 | Fa0/0 | 192.168.100.1/24 |
R1 | Loopback0 | 192.168.1.1/24 |
R2 | Fa0/0 | 172.16.100.2/24 |
R2 | Loopback0 | 172.16.2.1/24 |
R3 | Fa0/0 | 202.100.0.3/24 |
R3 | Loopback0 | 123.123.123.123/24 |
ASA1 | E0/0 | 192.168.100.100/24 |
ASA1 | E0/1 | 172.16.100.100/24 |
ASA1 | E0/2 | 202.100.0.100/24 |
Lab requirements
1 Configure PAT so that hosts in the inside zone can reach the Internet
2 Configure static address translation so that DMZ host 172.16.2.1 is translated to 202.100.0.102
3 Configure identity NAT so that 172.16.100.2 keeps its own IP address when accessing the inside zone
4 Configure an ACL so that hosts in the DMZ zone may send only ICMP and Telnet traffic toward the inside zone
5 Configure an ACL so that inside host 192.168.1.1 may not reach any address outside its zone and can communicate only within its own zone
Lab procedure
Step 2
Configure the interface IP addresses of the ASA and the routers according to the device table
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.100.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface loopback 0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#exit
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 172.16.100.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface loopback 0
R2(config-if)#ip address 172.16.2.1 255.255.255.0
R2(config-if)#exit
R3(config)#interface fastEthernet 0/0
R3(config-if)#ip address 202.100.0.3 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#interface loopback 0
R3(config-if)#ip address 123.123.123.123 255.255.255.0
R3(config-if)#exit
ciscoasa(config)# interface ethernet 0/0
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip address 192.168.100.100 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# interface ethernet 0/1
ciscoasa(config-if)# nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.
ciscoasa(config-if)# security-level 50
ciscoasa(config-if)# ip address 172.16.100.100 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# interface ethernet 0/2
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# ip address 202.100.0.100 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
Test connectivity:
ciscoasa(config)# ping 192.168.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ciscoasa(config)# ping 172.16.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ciscoasa(config)# ping 202.100.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Step 3
Configure routing so that every device can forward the relevant packets
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.100.100 //send all packets for unknown destinations to the ASA
R2(config)#ip route 0.0.0.0 0.0.0.0 172.16.100.100 //send all packets for unknown destinations to the ASA
ciscoasa(config)# route outside 0 0 202.100.0.3 //the ASA is the enterprise gateway; its default route points to the Internet
Configure OSPF to provide connectivity inside the enterprise network
R1(config)#router ospf 1
R1(config-router)#router-id 1.1.1.1
R1(config-router)#network 192.168.100.1 0.0.0.0 area 100
R1(config-router)#network 192.168.1.1 0.0.0.0 area 100
R1(config-router)#exit
R2(config)#router ospf 1
R2(config-router)#router-id 2.2.2.2
R2(config-router)#network 172.16.100.2 0.0.0.0 area 100
R2(config-router)#network 172.16.2.1 0.0.0.0 area 100
R2(config-router)#exit
ciscoasa(config)# router ospf 1
ciscoasa(config-router)# router-id 100.100.100.100
ciscoasa(config-router)# network 192.168.100.100 255.255.255.255 area 100
ciscoasa(config-router)# network 172.16.100.100 255.255.255.255 area 100
ciscoasa(config-router)# exit
Step 4
Configure PAT so that hosts in the inside zone can reach the Internet
Before configuring PAT, first allow ICMP traffic through the MPF by enabling ICMP inspection in the default policy
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
(class-map inspection_default
 match default-inspection-traffic)
ciscoasa(config-pmap-c)# inspect icmp
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit
Configure PAT
ciscoasa(config)# nat (inside) 1 192.168.0.0 255.255.0.0
ciscoasa(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
ciscoasa(config)#
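As an added illustration (not part of the original lab), the following Python model shows how the PAT rule above behaves: inside hosts in 192.168.0.0/16 are mapped to the outside interface address 202.100.0.100 with a unique source port, replies are matched against the resulting xlate entry, and inbound packets on outside with no xlate are dropped. The class name AsaPat, the starting port number and the sample flows are assumptions made for this model.

```python
# Added example, not the lab's own material: a minimal model of
#     nat (inside) 1 192.168.0.0 255.255.0.0
#     global (outside) 1 interface
# Addresses come from the lab's device table; the port counter and the
# class name are assumptions of this model. Ports stand for TCP/UDP ports
# (for ICMP the ASA uses the echo identifier in the same role).
import ipaddress

OUTSIDE_IF_ADDR = "202.100.0.100"                    # ASA E0/2, the PAT pool
NAT_SUBNET = ipaddress.ip_network("192.168.0.0/16")  # nat (inside) 1 ...


class AsaPat:
    """Tracks xlate entries built for inside -> outside PAT traffic."""

    def __init__(self, first_port=1024):
        self.next_port = first_port      # assumed starting mapped port
        self.xlate = {}                  # mapped_port -> (real_ip, real_port)
        self.by_real = {}                # (real_ip, real_port) -> mapped_port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet entering inside, leaving on outside. Returns the translated
        (src, sport, dst, dport) or None when no NAT rule matches."""
        if ipaddress.ip_address(src_ip) not in NAT_SUBNET:
            return None                  # outside the nat rule's range: no xlate is built
        key = (src_ip, src_port)
        if key not in self.by_real:      # first packet of the flow: allocate a port
            port = self.next_port
            self.next_port += 1
            self.by_real[key] = port
            self.xlate[port] = key
        return (OUTSIDE_IF_ADDR, self.by_real[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet entering outside. Only a packet that matches an existing
        xlate is un-translated; everything else hits the default deny from
        security level 0 (outside) toward level 100 (inside)."""
        if dst_ip != OUTSIDE_IF_ADDR or dst_port not in self.xlate:
            return None                  # no xlate: dropped
        real_ip, real_port = self.xlate[dst_port]
        return (src_ip, src_port, real_ip, real_port)
```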
Test:
R1#ping 123.123.123.123
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.123.123.123, timeout is 2 seconds: