ASA8.4的Inside区域同时访问DMZ公网地址和真实地址测试-创新互联

一.测试拓扑

为安化等地区用户提供了全套网页设计制作服务,及安化网站建设行业解决方案。主营业务为成都网站设计、成都网站制作、安化网站设计,以传统方式定制建设网站,并提供域名空间备案等一条龙服务,秉承以专业、用心的态度为用户提供真诚的服务。我们深信只要达到每一位用户的要求,就会得到认可,从而选择与我们长期合作。这样,我们也可以走得更远!

  R1---Outside----ASA842----Inside-----R2

                                   |

                                 DMZ

                                   |

                                 R3

二.测试思路

 利用ASA的twice nat实现访问DMZ的公网地址时转向DMZ的真实地址。

三.基本配置

A.R1:

interface FastEthernet0/0
 ip address 202.100.1.1 255.255.255.0
 no shut

B.R2:

interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0

 no shut

ip route 0.0.0.0 0.0.0.0 10.1.1.10

C.R3:

interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0

 no shut

ip route 0.0.0.0 0.0.0.0 192.168.1.10

line vty 0 4

 password cisco

 login

D.ASA842:

interface GigabitEthernet0
 nameif Outside
 security-level 0
 ip address 202.100.1.10 255.255.255.0
 no shut
interface GigabitEthernet1
 nameif DMZ
 security-level 50
 ip address 192.168.1.10 255.255.255.0
 no shut
interface GigabitEthernet2
 nameif Inside
 security-level 100
 ip address 10.1.1.10 255.255.255.0
 no shut

四.ASA静态NAT,twice-NAT和策略配置

A.定义对象:

object network R3-dmz
 host 192.168.1.1
object network R3-outside
 host 202.100.1.8
object network Inside-net
 subnet 10.1.1.0 255.255.255.0

B.配置DMZ到Outside的静态NAT:

object network R3-dmz
    nat (DMZ,Outside) static R3-outside

C.配置inside到DMZ的的twice-nat:

nat (Inside,DMZ) source static Inside-net Inside-net destination static R3-outside R3-dmz

D.配置并应用outside接口策略:

-----Inside访问DMZ默认放行

access-list Outside extended permit ip any object R3-dmz
access-group Outside in interface Outside

五.验证:

A.从Ouside访问DMZ的公网地址:

R1#telnet 202.100.1.8
Trying 202.100.1.8 ... Open

User Access Verification

Password:
R3>show users
   Line      User      Host(s)             Idle      Location
  0 con 0               idle                00:14:22
* 2 vty 0               idle                00:00:00 202.100.1.1

 Interface   User              Mode        Idle    Peer Address

R3>

B.从Inside访问DMZ的公网地址:

R2#telnet 202.100.1.8
Trying 202.100.1.8 ... Open

User Access Verification

Password:
R3>show users
   Line      User      Host(s)             Idle      Location
  0 con 0               idle                00:16:37
* 2 vty 0               idle                00:00:00 10.1.1.1

 Interface   User              Mode        Idle    Peer Address

R3>

C.从Inside访问DMZ真实地址:

R2#telnet 192.168.1.1
Trying 192.168.1.1 ... Open

User Access Verification

Password:
R3>show users
   Line      User      Host(s)             Idle      Location
  0 con 0               idle                00:17:03
* 2 vty 0               idle                00:00:00 10.1.1.1

 Interface   User              Mode        Idle    Peer Address

R3>

另外有需要云服务器可以了解下创新互联scvps.cn,海内外云服务器15元起步,三天无理由+7*72小时售后在线,公司持有idc许可证,提供“云服务器、裸金属服务器、高防服务器、香港服务器、美国服务器、虚拟主机、免备案服务器”等云主机租用服务以及企业上云的综合解决方案,具有“安全稳定、简单易用、服务可用性高、性价比高”等特点与优势,专为企业上云打造定制,能够满足用户丰富、多元化的应用场景需求。


新闻标题:ASA8.4的Inside区域同时访问DMZ公网地址和真实地址测试-创新互联
文章来源:http://pwwzsj.com/article/pgejh.html