实验目的:1. DMZ发布Web服务器,Client2可以访问Server3
- 使用命令show conn detail查看Conn表
- 查看ASA和AR【R1】的路由表
- 配置ACL禁止Client3访问Sever2
实验步骤:- 配置ASA及路由器:
R1:配置IP地址:interface GigabitEthernet0/0/0
ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/0/1
ip address 10.1.1.254 255.255.255.0
interface GigabitEthernet0/0/2
ip address 10.2.2.254 255.255.255.0
配置下一跳: ip route-static 0.0.0.0 0.0.0.0 192.168.1.254 - 配置ASA及端口:
ASA:配置接口:
interface GigabitEthernet0
nameif inside
security-level 100\inside默认安全级别为100
ip address 192.168.1.254 255.255.255.0
interface GigabitEthernet1
nameif outside
security-level 0\outside默认安全级别为0
ip address 192.168.8.254 255.255.255.0interface GigabitEthernet2 nameif DMZ security-level 50\\DMZ默认安全级别为0-100之间即可 ip address 192.168.3.254 255.255.255.0 route inside 10.1.1.0 255.255.255.0 192.168.1.1 1\\配置下一跳
route inside 10.2.2.0 255.255.255.0 192.168.1.1 1\配置下一跳
- 配置ASA及路由器:
- 配置ACL:ASA(config)# show ru access-list
access-list ICMP extended permit icmp any any \设置ping包成功【ping为ICMP】
access-list in-to-out extended deny ip 10.1.1.0 255.255.255.0 any
access-list in-to-out extended permit ip any any
access-list DMZ extended permit tcp host 192.168.8.1 host 192.168.3.100
access-list C3-S2 extended deny tcp host 192.168.3.1 host 192.168.8.100
access-list C3-S2 extended deny tcp host 192.168.3.1 host 192.168.8.100 - 调用ACL:access-group C3-S2 in interface outside
access-group DMZ in interface outside
实验结果:
使用命令show conn detail查看Conn表
查看ASA的路由表
DMZ发布Web服务器,Client2可以访问Server3
配置ACL禁止Client3访问Server2
查看AR【R1】路由表
谢谢大家支持
原文地址:http://blog.51cto.com/13556999/2067911
时间: 2024-10-05 20:11:30