ASA firewall router-on-a-stick configuration example


ASA firewall VLAN sub-interface inter-communication configuration example

Requirement: a Cisco ASA 5520 firewall is used to let several internal VLANs communicate with each other through it. Topology diagram:

Configuration example:

[ASA firewall configuration]

: Saved
:
ASA Version 7.0(7)
!
hostname *****
enable password GSk/3FjsRAiPoooi encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 shutdown
 nameif outside
 security-level 0
 no ip address
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.1 // bring up a sub-interface for vlan 10, security level 99, and assign its address
 vlan 10
 nameif Test1
 security-level 99
 ip address 10.8.128.254 255.255.255.0
!
interface GigabitEthernet0/1.2 // bring up a sub-interface for vlan 20, security level 98, and assign its address
 vlan 20
 nameif Test2
 security-level 98
 ip address 10.8.129.254 255.255.255.0
!
interface GigabitEthernet0/1.3 // bring up a sub-interface for vlan 30, security level 97, and assign its address
 vlan 30
 nameif Test3
 security-level 97
 ip address 10.8.130.254 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 description LAN Failover Interface
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list acl_Test1 extended permit icmp any any // define the access lists; everything is permitted here for ease of testing
access-list acl_Test1 extended permit ip any any
access-list acl_Test2 extended permit icmp any any
access-list acl_Test2 extended permit ip any any
access-list acl_Test3 extended permit icmp any any
access-list acl_Test3 extended permit ip any any
access-list nonat extended permit ip any any // this ACL is used for the NAT bypass
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu Test1 1500
mtu Test2 1500
mtu Test3 1500
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover key *****
failover interface ip failover 192.168.254.1 255.255.255.0 standby 192.168.254.2
no asdm history enable
arp timeout 14400
nat (Test1) 0 access-list nonat // enable NAT bypass on the sub-interfaces that must talk to each other, so traffic between the VLANs passes without translation
nat (Test2) 0 access-list nonat
nat (Test3) 0 access-list nonat
access-group acl_Test1 in interface Test1 // apply each access list inbound on its corresponding interface
access-group acl_Test2 in interface Test2
access-group acl_Test3 in interface Test3
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
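The configuration above binds an access list that ends in "permit ip any any" to every VLAN sub-interface, which the annotations say is only for ease of testing. The following Python script is an added example, not part of the original document or of any Cisco tooling: it parses an ASA running-config in the format shown here and reports each nameif whose inbound access-group ACL contains such an allow-all entry, together with the interface's security level, so the test ACLs can be found and narrowed before the firewall goes into production. The embedded excerpt is constructed from this page's config, with acl_Test2 narrowed to ICMP only so the check has a negative case.

```python
from collections import defaultdict

# Constructed excerpt adapted from this page's ASA config; acl_Test2 is
# narrowed to ICMP only so that the check has one interface it does not flag.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1.1
 vlan 10
 nameif Test1
 security-level 99
 ip address 10.8.128.254 255.255.255.0
!
interface GigabitEthernet0/1.2
 vlan 20
 nameif Test2
 security-level 98
 ip address 10.8.129.254 255.255.255.0
!
access-list acl_Test1 extended permit icmp any any
access-list acl_Test1 extended permit ip any any
access-list acl_Test2 extended permit icmp any any
access-group acl_Test1 in interface Test1
access-group acl_Test2 in interface Test2
"""

def parse_asa(text):
    """Return (interfaces, acls, bindings) from ASA running-config text."""
    interfaces, acls, bindings, current = {}, defaultdict(list), {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        parts = line.split()
        if parts[0] == "interface":          # open an interface stanza
            current = interfaces.setdefault(parts[1], {})
        elif line == "!":                     # stanza terminator
            current = None
        elif current is not None:             # sub-command: "nameif Test1" -> {"nameif": "Test1"}
            current[parts[0]] = " ".join(parts[1:])
        elif parts[0] == "access-list":       # ACE text keyed by ACL name
            acls[parts[1]].append(" ".join(parts[2:]))
        elif parts[0] == "access-group":      # access-group <acl> in interface <nameif>
            bindings[parts[4]] = parts[1]
    return interfaces, acls, bindings

def find_open_interfaces(text):
    """Map nameif -> security-level for interfaces whose inbound ACL permits ip any any."""
    interfaces, acls, bindings = parse_asa(text)
    level = {i["nameif"]: int(i["security-level"]) for i in interfaces.values() if "nameif" in i}
    return {n: level[n] for n, acl in bindings.items()
            if any(ace.endswith("permit ip any any") for ace in acls[acl])}
```

Running find_open_interfaces(SAMPLE_CONFIG) on the excerpt reports only Test1; on the full config from this page it would report all three Test interfaces.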
