Cisco ASA firewall: mutual access between interfaces at the same security level

--------------------------------------------------------------------------------

This article discusses the problem of mutual access between interfaces at the same security level on a Cisco ASA firewall.


A question about mutual access between ASA interfaces at the same security level -- the problem is solved; here is a summary to share with everyone!


After entering the same-security-traffic permit inter-interface command, without adding any ACL, should interfaces at the same security level be able to reach each other exactly as if they were on one switch with no configuration at all, including application services such as FTP? Thanks!

--------------------------------------------------------------------------- the original question is above -------------------------------------------------------------------------------------------


First, for a connection to be built between two interfaces on a firewall, two conditions must be met:

1. The interface pair must have a matching address-translation (NAT) policy;

2. A security policy must permit the forwarded traffic, normally expressed as an ACL;

Hence:

when a higher-security-level zone accesses a lower-security-level zone, the security policy allows it;

when a lower-security-level zone accesses a higher-security-level zone, an ACL must permit it;

when two zones at the same security level access each other: if the interfaces have no NAT policy attached, same-security-traffic permit inter-interface alone is enough for them to reach each other; if a NAT policy is attached, the NAT between the two same-security interfaces has to be adjusted. Here I used the pair static (natserver,vlan300) 192.168.30.0 192.168.30.0 netmask 255.255.255.0 and static (vlan300,natserver) 192.168.12.0 192.168.12.0 netmask 255.255.255.0 as matching identity NAT for the two same-security zones' own subnets, so that when the ASA receives a packet it does not match only nat () 1 and lose track of the correct forwarding direction. In the same way, configuring one pair of bidirectional static NAT statements for every other pair of same-security zones that must reach each other is all that is needed!

I feel nat () 0 should also work; I tried it once and it did not seem to succeed. I will try again later!
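The rule above (same-security pairs are reachable with same-security-traffic permit inter-interface alone, but once either interface carries a nat (ifc) N rule the pair also needs an identity static in both directions) can be turned into a configuration audit. The script below is an added example, not part of the original post and not a Cisco tool: it parses the interface, nat and static lines of a config, finds every pair of interfaces that share a security level, and reports which pairs still lack the bidirectional identity static. The sample config is a constructed reduction of the one in the post; the parser is a simplified model of the post's reasoning, not of the ASA's full NAT lookup.

```python
"""Audit an ASA 7.x-style config for same-security interface pairs that,
under the rule in the post, still need bidirectional identity static NAT.
Added example; simplified model, not Cisco's own NAT lookup."""
import re
from itertools import combinations

# Constructed sample, reduced from the config shown in the post.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1.100
 nameif vlan100
 security-level 100
interface GigabitEthernet0/1.300
 nameif vlan300
 security-level 100
interface GigabitEthernet0/1.400
 nameif vlan400
 security-level 100
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
interface GigabitEthernet0/3
 nameif natserver
 security-level 100
same-security-traffic permit inter-interface
nat (vlan100) 1 192.168.10.0 255.255.255.0
nat (vlan300) 1 192.168.12.0 255.255.255.0
nat (vlan400) 1 192.168.13.0 255.255.255.0
nat (dmz) 2 192.168.20.0 255.255.255.0
nat (natserver) 3 192.168.30.0 255.255.255.0
static (natserver,vlan300) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (vlan300,natserver) 192.168.12.0 192.168.12.0 netmask 255.255.255.0
static (natserver,vlan100) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (vlan100,natserver) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
"""


def parse_config(text):
    """Return (security levels by nameif, inter-interface flag,
    interfaces carrying a dynamic nat rule, identity-static pairs)."""
    levels, nat_ifcs, statics = {}, set(), set()
    inter = False
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"nameif (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"security-level (\d+)", line)
        if m and current:
            levels[current] = int(m.group(1))
            continue
        if line == "same-security-traffic permit inter-interface":
            inter = True
            continue
        m = re.match(r"nat \((\S+)\) (\d+) ", line)
        if m and int(m.group(2)) > 0:  # nat 0 is exemption, not dynamic NAT
            nat_ifcs.add(m.group(1))
            continue
        m = re.match(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask", line)
        if m:
            real, mapped, mapped_ip, real_ip = m.groups()
            if mapped_ip == real_ip:  # identity static: real == mapped
                statics.add((real, mapped))
    return levels, inter, nat_ifcs, statics


def audit(text):
    """Map each same-security pair (sorted tuple) to a verdict string."""
    levels, inter, nat_ifcs, statics = parse_config(text)
    findings = {}
    for a, b in combinations(sorted(levels), 2):
        if levels[a] != levels[b]:
            continue  # different levels follow the high->low / ACL rules
        if not inter:
            findings[(a, b)] = "blocked: same-security-traffic permit inter-interface missing"
            continue
        needs_nat = a in nat_ifcs or b in nat_ifcs
        has_both = (a, b) in statics and (b, a) in statics
        if not needs_nat or has_both:
            findings[(a, b)] = "ok"
        else:
            findings[(a, b)] = "needs identity static NAT in both directions"
    return findings


if __name__ == "__main__":
    for pair, verdict in sorted(audit(SAMPLE_CONFIG).items()):
        print(f"{pair[0]:>10} <-> {pair[1]:<10} {verdict}")
```

Run against the sample, the audit marks natserver/vlan100 and natserver/vlan300 as ok (both directions present, as in the post) and flags natserver/vlan400 and vlan100/vlan300, which both carry nat rules but have no identity static between them. While reviewing the same config, a practitioner would also note ssh 0.0.0.0 0.0.0.0 outside together with ssh version 1; restricting the source and moving to SSH version 2 is a separate change the audit above does not cover.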


Current configuration:

ASA Version 7.0(7)
!
hostname 5520
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 2××.1××.1××.×× 255.255.255.248
!
interface GigabitEthernet0/1
 speed 100
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.100
 vlan 100
 nameif vlan100
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/1.200
 vlan 200
 nameif vlan200
 security-level 100
 ip address 192.168.11.1 255.255.255.0
!
interface GigabitEthernet0/1.300
 vlan 300
 nameif vlan300
 security-level 100
 ip address 192.168.12.1 255.255.255.0
!
interface GigabitEthernet0/1.400
 vlan 400
 nameif vlan400
 security-level 100
 ip address 192.168.13.1 255.255.255.0
!
interface GigabitEthernet0/2
 description link_to_server
 nameif dmz
 security-level 50
 ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/3
 description link_to_natserver
 nameif natserver
 security-level 100
 ip address 192.168.30.254 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_to_natserver extended permit ip any host 211.142.134.99
access-list outside_to_natserver extended permit ip any host 211.142.134.100
pager lines 24
logging asdm informational
mtu outside 1500
mtu vlan100 1500
mtu vlan200 1500
mtu vlan300 1500
mtu vlan400 1500
mtu dmz 1500
mtu natserver 1500
mtu management 1500
no failover
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 2××.1××.1××.1××
global (outside) 3 2××.1××.1××.××
nat (vlan100) 1 192.168.10.0 255.255.255.0
nat (vlan300) 1 192.168.12.0 255.255.255.0
nat (vlan400) 1 192.168.13.0 255.255.255.0
nat (dmz) 2 192.168.20.0 255.255.255.0
nat (natserver) 3 192.168.30.0 255.255.255.0
static (dmz,outside) 2××.1××.1××.1×× 192.168.20.254 netmask 255.255.255.255
static (natserver,outside) 2××.1××.1××.×× 192.168.30.1 netmask 255.255.255.255
static (natserver,vlan300) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (vlan300,natserver) 192.168.12.0 192.168.12.0 netmask 255.255.255.0
static (natserver,vlan100) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (vlan100,natserver) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (natserver,vlan200) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (vlan200,natserver) 192.168.11.0 192.168.11.0 netmask 255.255.255.0
access-group outside_to_natserver in interface outside
route outside 0.0.0.0 0.0.0.0 211.142.134.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username cisco password 3USUcOPFUiMCO4Jk encrypted
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:736895fa883f241310142e5961872c89
: end