Cisco ASA 防火墙 同安全级别端口互相访问的问
--------------------------------------------------------------------------------
该文章讲述了Cisco ASA 防火墙 同安全级别端口互相访问的问题.
问一个ASA同安
[object Object]
全级别端口互相访问的问题 --问题解决了,总结了一下和大家分享!
在输入same-security-traffic permit inter-interface命令之后,如果不添加任何ACL,同安全级别的端口之间所能做到的互相访问是不是应该像在同一台未作任何配置的交换机上面一样?包括FTP之类的应用服务~谢谢啦!
--------------------------------------------------------------------------- 原问题如上 ------------------------------------------------------------------------------------------- 首先,一个防火墙上的两个端口之间如果需要建立链接,必须满足两个条件: 1,两个端口对儿上要有相应的地址转换策略; 2,有安全策略对转发数据放行,一般以ACL体现; 这样, 当高安全级别区域访问低安全级别区域的时候,安全策略是允许的; 低安全级别区域访问高安全级别区域就需要ACL放行了; 当2个同安全级别区域互相访问的时候,如果端口没有关联NAT策略,那么通过same-security-traffic permit inter-interface可以实现互访,如果关联的NAT策略的话,就需要对这两个同安全级别端口进行端口之间的NAT调整,我这里使用了 static(natserver,vlan300)192.168.30.0 192.168.30.0 netmask 255.255.255.0,static(vlan300,natserver)192.168.12.0 192.168.12.0 netmask 255.255.255.0这一对儿对应的NAT来实现对2个同安全级别区域自身网段NAT的转换,目的就是让ASA受到packet之后,不只关联到 nat()1,而搞不清楚正确的转发方向。同样对于其他同安全级别互访区域都配置一对儿双向的静态NAT就可以了! NAT()0我感觉也应该可以实现,试了一下似乎没成,回头再试试看! 现行配置: ASA Version 7.0(7) ! hostname 5520 domain-name default.domain.invalid enable password 8Ry2YjIyt7RRXU24 encrypted names dns-guard ! interface GigabitEthernet0/0 nameif outside security-level 0 ip address 2××.1××.1××.×× 255.255.255.248 ! interface GigabitEthernet0/1 speed 100 no nameif no security-level no ip address ! interface GigabitEthernet0/1.100 vlan 100 nameif vlan100 security-level 100 ip address 192.168.10.1 255.255.255.0 ! interface GigabitEthernet0/1.200 vlan 200 nameif vlan200 security-level 100 ip address 192.168.11.1 255.255.255.0 ! interface GigabitEthernet0/1.300 vlan 300 nameif vlan300 security-level 100 ip address 192.168.12.1 255.255.255.0 ! interface GigabitEthernet0/1.400 vlan 400 nameif vlan400 security-level 100 ip address 192.168.13.1 255.255.255.0 ! interface GigabitEthernet0/2 description link_to_server nameif dmz security-level 50 ip address 192.168.20.1 255.255.255.0 ! interface GigabitEthernet0/3 description link_to_natserver nameif natserver security-level 100 ip address 192.168.30.254 255.255.255.0 ! interface Management0/0 nameif management security-level 100 ip address 192.168.1.1 255.255.255.0 management-only ! passwd 2KFQnbNIdI.2KYOU encrypted ftp mode passive same-security-traffic permit inter-interface same-security-traffic permit intra-interface access-list outside_to_natserver extended permit ip any host 211.142.134.99 access-list outside_to_natserver extended permit ip any host 211.142.134.100 pager lines 24 logging asdm informational mtu outside 1500 mtu vlan100 1500 mtu vlan200 1500 mtu vlan300 1500 mtu vlan400 1500 mtu dmz 1500 mtu natserver 1500 mtu management 1500 no failover asdm p_w_picpath disk0:/asdm-507.bin no asdm history enable arp timeout 14400 global (outside) 1 interface global (outside) 2 2××.1××.1××.1×× global (outside) 3 2××.1××.1××.×× nat (vlan100) 1 192.168.10.0 255.255.255.0 nat (vlan300) 1 192.168.12.0 255.255.255.0 nat (vlan400) 1 192.168.13.0 255.255.255.0 nat (dmz) 2 192.168.20.0 255.255.255.0 nat (natserver) 3 192.168.30.0 255.255.255.0 static (dmz,outside) 2××.1××.1××.1×× 192.168.20.254 netmask 255.255.255.255 static (natserver,outside) 2××.1××.1××.×× 192.168.30.1 netmask 255.255.255.255 static (natserver,vlan300) 192.168.30.0 192.168.30.0 netmask 255.255.255.0 static (vlan300,natserver) 192.168.12.0 192.168.12.0 netmask 255.255.255.0 static (natserver,vlan100) 192.168.30.0 192.168.30.0 netmask 255.255.255.0 static (vlan100,natserver) 192.168.10.0 192.168.10.0 netmask 255.255.255.0 static (natserver,vlan200) 192.168.30.0 192.168.30.0 netmask 255.255.255.0 static (vlan200,natserver) 192.168.11.0 192.168.11.0 netmask 255.255.255.0 access-group outside_to_natserver in interface outside route outside 0.0.0.0 0.0.0.0 211.142.134.97 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute username cisco password 3USUcOPFUiMCO4Jk encrypted aaa authentication ssh console LOCAL http server enable http 192.168.1.0 255.255.255.0 management no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart telnet timeout 5 ssh 0.0.0.0 0.0.0.0 outside ssh timeout 60 ssh version 1 console timeout 0 dhcpd address 192.168.1.2-192.168.1.254 management dhcpd lease 3600 dhcpd ping_timeout 50 dhcpd enable management ! class-map inspection_default match default-inspection-traffic ! ! policy-map global_policy class inspection_default inspect dns maximum-length 512 inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp ! service-policy global_policy global Cryptochecksum:736895fa883f241310142e5961872c89 : end 本文来自: 高校自动化网() 详细出处参考(转载请保留本链接):