Cisco ASA 防火墙 同安全级别端口互相访问的问

--------------------------------------------------------------------------------

该文章讲述了Cisco ASA 防火墙 同安全级别端口互相访问的问题.

 

问一个ASA同安

 

 [object Object]

全级别端口互相访问的问题 --问题解决了,总结了一下和大家分享!

 

在输入same-security-traffic permit inter-interface命令之后,如果不添加任何ACL,同安全级别的端口之间所能做到的互相访问是不是应该像在同一台未作任何配置的交换机上面一样?包括FTP之类的应用服务~谢谢啦!

 --------------------------------------------------------------------------- 原问题如上 -------------------------------------------------------------------------------------------
 
首先,一个防火墙上的两个端口之间如果需要建立链接,必须满足两个条件:
 1,两个端口对儿上要有相应的地址转换策略;
 2,有安全策略对转发数据放行,一般以ACL体现;
 这样,
 当高安全级别区域访问低安全级别区域的时候,安全策略是允许的;
 低安全级别区域访问高安全级别区域就需要ACL放行了;
 当2个同安全级别区域互相访问的时候,如果端口没有关联NAT策略,那么通过same-security-traffic permit inter-interface可以实现互访,如果关联的NAT策略的话,就需要对这两个同安全级别端口进行端口之间的NAT调整,我这里使用了 static(natserver,vlan300)192.168.30.0 192.168.30.0 netmask 255.255.255.0,static(vlan300,natserver)192.168.12.0 192.168.12.0 netmask 255.255.255.0这一对儿对应的NAT来实现对2个同安全级别区域自身网段NAT的转换,目的就是让ASA受到packet之后,不只关联到 nat()1,而搞不清楚正确的转发方向。同样对于其他同安全级别互访区域都配置一对儿双向的静态NAT就可以了!
 NAT()0我感觉也应该可以实现,试了一下似乎没成,回头再试试看!
 
现行配置:
 ASA Version 7.0(7)
!
 hostname 5520
 domain-name default.domain.invalid
 enable password 8Ry2YjIyt7RRXU24 encrypted
 names
 dns-guard
 !
 interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 2××.1××.1××.×× 255.255.255.248
!
 interface GigabitEthernet0/1
 speed 100
 no nameif
 no security-level
 no ip address
 !
 interface GigabitEthernet0/1.100
 vlan 100
 nameif vlan100
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
 interface GigabitEthernet0/1.200
 vlan 200
 nameif vlan200
 security-level 100
 ip address 192.168.11.1 255.255.255.0
!
 interface GigabitEthernet0/1.300
 vlan 300
 nameif vlan300
 security-level 100
 ip address 192.168.12.1 255.255.255.0
!
 interface GigabitEthernet0/1.400
 vlan 400
 nameif vlan400
 security-level 100
 ip address 192.168.13.1 255.255.255.0
!
 interface GigabitEthernet0/2
 description link_to_server
 nameif dmz
 security-level 50
 ip address 192.168.20.1 255.255.255.0
!
 interface GigabitEthernet0/3
 description link_to_natserver
 nameif natserver
 security-level 100
 ip address 192.168.30.254 255.255.255.0
!
 interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
management-only
 !
 passwd 2KFQnbNIdI.2KYOU encrypted
 ftp mode passive
 same-security-traffic permit inter-interface
 same-security-traffic permit intra-interface
 access-list outside_to_natserver extended permit ip any host 211.142.134.99
access-list outside_to_natserver extended permit ip any host 211.142.134.100
pager lines 24
 logging asdm informational
 mtu outside 1500
 mtu vlan100 1500
 mtu vlan200 1500
 mtu vlan300 1500
 mtu vlan400 1500
 mtu dmz 1500
 mtu natserver 1500
 mtu management 1500
 no failover
 asdm p_w_picpath disk0:/asdm-507.bin
 no asdm history enable
 arp timeout 14400
 global (outside) 1 interface
 global (outside) 2 2××.1××.1××.1××
 global (outside) 3 2××.1××.1××.××
 nat (vlan100) 1 192.168.10.0 255.255.255.0
 nat (vlan300) 1 192.168.12.0 255.255.255.0
 nat (vlan400) 1 192.168.13.0 255.255.255.0
 nat (dmz) 2 192.168.20.0 255.255.255.0
 nat (natserver) 3 192.168.30.0 255.255.255.0
 static (dmz,outside) 2××.1××.1××.1×× 192.168.20.254 netmask 255.255.255.255
static (natserver,outside) 2××.1××.1××.×× 192.168.30.1 netmask 255.255.255.255
static (natserver,vlan300) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (vlan300,natserver) 192.168.12.0 192.168.12.0 netmask 255.255.255.0
static (natserver,vlan100) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (vlan100,natserver) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (natserver,vlan200) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (vlan200,natserver) 192.168.11.0 192.168.11.0 netmask 255.255.255.0
access-group outside_to_natserver in interface outside
 route outside 0.0.0.0 0.0.0.0 211.142.134.97 1
 timeout xlate 3:00:00
 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
 timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
 timeout uauth 0:05:00 absolute
 username cisco password 3USUcOPFUiMCO4Jk encrypted
 aaa authentication ssh console LOCAL
http server enable
 http 192.168.1.0 255.255.255.0 management
 no snmp-server location
 no snmp-server contact
 snmp-server enable traps snmp authentication linkup linkdown coldstart
 telnet timeout 5
 ssh 0.0.0.0 0.0.0.0 outside
 ssh timeout 60
 ssh version 1
 console timeout 0
 dhcpd address 192.168.1.2-192.168.1.254 management
 dhcpd lease 3600
 dhcpd ping_timeout 50
 dhcpd enable management
 !
 class-map inspection_default
 match default-inspection-traffic
 !
 !
 policy-map global_policy
 class inspection_default
    inspect dns maximum-length 512
   inspect ftp
   inspect h323 h225
   inspect h323 ras
   inspect rsh
   inspect rtsp
   inspect esmtp
   inspect sqlnet
   inspect skinny
   inspect sunrpc
   inspect xdmcp
   inspect sip
   inspect netbios
   inspect tftp
!
 service-policy global_policy global
 Cryptochecksum:736895fa883f241310142e5961872c89
 : end
本文来自: 高校自动化网() 详细出处参考(转载请保留本链接):