ASA firewall: configuration example for communication between VLAN subinterfaces
Author: 金振宇
Date: 2008-5-13 19:47:5

Requirement: a Cisco ASA5520 firewall is used to let multiple internal VLANs communicate with each other.

Topology diagram: [figure not preserved; surviving labels: ASA5520, VLAN 20]

Configuration example:

ASA firewall configuration:

: Saved
ASA Version 7.0(7)
!
hostname *
enable password GSk/3FjsRAiPoooi encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 shutdown
 nameif outside
 security-level 0
 no ip address
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
! Enable the subinterface for VLAN 10, security level 99, and assign an address
interface GigabitEthernet0/1.1
 vlan 10
 nameif Test1
 security-level 99
 ip address
!
! Enable the subinterface for VLAN 20, security level 98, and assign an address
interface GigabitEthernet0/1.2
 vlan 20
 nameif Test2
 security-level 98
 ip address
!
! Enable the subinterface for VLAN 30, security level 97, and assign an address
interface GigabitEthernet0/1.3
 vlan 30
 nameif Test3
 security-level 97
 ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 description LAN Failover Interface
!
interface Management0/0
 nameif management
 security-level 100
 ip address
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
! Define the access lists; everything is permitted to make testing easier
access-list acl_Test1 extended permit icmp any any
access-list acl_Test1 extended permit ip any any
access-list acl_Test2 extended permit icmp any any
access-list acl_Test2 extended permit ip any any
access-list acl_Test3 extended permit icmp any any
access-list acl_Test3 extended permit ip any any
! This ACL is used for NAT bypass
access-list nonat extended permit ip any any
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu Test1 1500
mtu Test2 1500
mtu Test3 1500
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover key *
failover interface ip failover standby
no asdm history enable
arp timeout 14400
! Enable NAT bypass on the subinterfaces that must reach each other, so that traffic passes between the VLANs
nat (Test1) 0 access-list nonat
nat (Test2) 0 access-list nonat
nat (Test3) 0 access-list nonat
! Apply each access list to its corresponding interface
access-group acl_Test1 in interface Test1
access-group acl_Test2 in interface Test2
access-group acl_Test3 in interface Test3
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
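Added example (not part of the original document or the author's configuration): the ACLs above permit everything for testing convenience, so before such a configuration goes into production it is worth checking which interfaces and NAT exemptions still reference a "permit ip any any" ACL. The sample input is constructed from the ACL, nat 0 and access-group lines above; the tightened acl_Test3 entry and the 192.0.2.0 subnet are hypothetical values added for contrast.

```python
import re

# Constructed sample: lines taken from the configuration above, except the
# acl_Test3 entry, which is a hypothetical restricted rule (assumed subnet).
SAMPLE_CONFIG = """\
access-list acl_Test1 extended permit icmp any any
access-list acl_Test1 extended permit ip any any
access-list acl_Test2 extended permit icmp any any
access-list acl_Test2 extended permit ip any any
access-list acl_Test3 extended permit tcp 192.0.2.0 255.255.255.0 any eq 443
access-list nonat extended permit ip any any
nat (Test1) 0 access-list nonat
nat (Test2) 0 access-list nonat
access-group acl_Test1 in interface Test1
access-group acl_Test2 in interface Test2
access-group acl_Test3 in interface Test3
"""

# An ACL entry that permits all IP traffic from any source to any destination.
OPEN_ACE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+any\s+any$")
# Binding of an ACL to inbound traffic on a named interface.
ACCESS_GROUP = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")
# NAT exemption (nat id 0) driven by an ACL.
NAT_EXEMPT = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)$")


def audit(config):
    """Return (kind, interface, acl) for every interface filter or NAT
    exemption that references an ACL containing 'permit ip any any'."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    open_acls = {m.group(1) for ln in lines if (m := OPEN_ACE.match(ln))}
    findings = []
    for ln in lines:
        if (m := ACCESS_GROUP.match(ln)) and m.group(1) in open_acls:
            findings.append(("inbound-filter", m.group(2), m.group(1)))
        elif (m := NAT_EXEMPT.match(ln)) and m.group(2) in open_acls:
            findings.append(("nat-exemption", m.group(1), m.group(2)))
    return findings


if __name__ == "__main__":
    for kind, iface, acl in audit(SAMPLE_CONFIG):
        print(f"{kind}: interface {iface} uses ACL {acl} (permit ip any any)")
```
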