第十九期ASA【防火墻】綜合拓?fù)?/h1>

實驗?zāi)康模?br/>1.VLAN互通
2.VRRP
3.內(nèi)網(wǎng)PAT訪問外網(wǎng)【地址轉(zhuǎn)換成119.1.1.0/29網(wǎng)段】
4.發(fā)布Web服務(wù)器供外網(wǎng)訪問
實驗步驟：
配置各個交換機(jī)：
SW1：創(chuàng)建vlan1【交換機(jī)自帶】、vlan2、vlan100

創(chuàng)新互聯(lián)專注為客戶提供全方位的互聯(lián)網(wǎng)綜合服務(wù)，包含不限于網(wǎng)站設(shè)計、做網(wǎng)站、化德網(wǎng)絡(luò)推廣、小程序制作、化德網(wǎng)絡(luò)營銷、化德企業(yè)策劃、化德品牌公關(guān)、搜索引擎seo、人物專訪、企業(yè)宣傳片、企業(yè)代運營等，從售前售中售后，我們都將竭誠為您服務(wù)，您的肯定，是我們最大的嘉獎；創(chuàng)新互聯(lián)為所有大學(xué)生創(chuàng)業(yè)者提供化德建站搭建服務(wù)，24小時服務(wù)熱線：028-86922220，官方網(wǎng)址：muchs.cn

 interface GigabitEthernet0/0/1
 port link-type access
 port def vlan 1
 interface GigabitEthernet0/0/12
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
 interface GigabitEthernet0/0/13
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094

SW2：創(chuàng)建vlan1【交換機(jī)自帶】、vlan2、vlan100、vlan3

 interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 2
 interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 3
 interface GigabitEthernet0/0/12
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
 interface GigabitEthernet0/0/23
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094

SW3：創(chuàng)建vlan1【交換機(jī)自帶】、vlan2、vlan100、vlan4

 interface GigabitEthernet0/0/1
 port link-type access                    
 port default vlan 100
 interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 4
 interface GigabitEthernet0/0/13
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
 interface GigabitEthernet0/0/23
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094

配置VRRP：SW3做主VRRP、SW2做備用VRRP

     SW3：interface Vlanif1                         
          ip address 192.168.1.250 255.255.255.0
          vrrp vrid 1 virtual-ip 192.168.1.254\\配置虛擬網(wǎng)關(guān)IP
          vrrp vrid 1 priority 150\\配置優(yōu)先級
          vrrp vrid 1 track interface GigabitEthernet0/0/2 reduced 100
          \\配置鏈路跟蹤使其斷掉后優(yōu)先級下降100
          interface Vlanif2
          ip address 192.168.2.250 255.255.255.0
          vrrp vrid 2 virtual-ip 192.168.2.254\\配置虛擬網(wǎng)關(guān)IP
          vrrp vrid 2 priority 150\\配置優(yōu)先級
          vrrp vrid 2 track interface GigabitEthernet0/0/2 reduced 100
           \\配置鏈路跟蹤使其斷掉后優(yōu)先級下降100
          interface Vlanif100
          ip address 192.168.100.253 255.255.255.0
          vrrp vrid 100 virtual-ip 192.168.100.254\\配置虛擬網(wǎng)關(guān)IP
          vrrp vrid 100 priority 150\\配置優(yōu)先級
          vrrp vrid 100 track interface GigabitEthernet0/0/2 reduced 100
           \\配置鏈路跟蹤使其斷掉后優(yōu)先級下降100
     SW2：interface Vlanif1                         
          ip address 192.168.1.253 255.255.255.0
          vrrp vrid 1 virtual-ip 192.168.1.254\\配置虛擬網(wǎng)關(guān)IP
          interface Vlanif2
          ip address 192.168.2.253 255.255.255.0
          vrrp vrid 2 virtual-ip 192.168.2.254\\配置虛擬網(wǎng)關(guān)IP
          interface Vlanif100
          ip address 192.168.100.250 255.255.255.0
          vrrp vrid 100 virtual-ip 192.168.100.254\\配置虛擬網(wǎng)關(guān)IP

配置OSPF：SW3：ospf 1 router-id 3.3.3.3

               area 0.0.0.0
               network 192.168.1.0 0.0.0.255
               network 192.168.2.0 0.0.0.255
               network 192.168.100.0 0.0.0.255
               network 192.168.4.0 0.0.0.255
          SW2：ospf 1 router-id 2.2.2.2
               area 0.0.0.0
               network 192.168.1.0 0.0.0.255
               network 192.168.2.0 0.0.0.255
               network 192.168.3.0 0.0.0.255
               interface Vlanif3
               ip address 192.168.3.1 255.255.255.0
               interface Vlanif4
               ip address 192.168.4.1 255.255.255.0

配置防火墻【ASA】：interface GigabitEthernet0

                 nameif inside1
                 security-level 100
                 ip address 192.168.4.254 255.255.255.0
                 interface GigabitEthernet1
                 nameif inside2
                 security-level 100
                 ip address 192.168.3.254 255.255.255.0
                 interface GigabitEthernet2
                 nameif outside
                 security-level 0
                 ip address 200.8.8.1 255.255.255.252

配置防火墻下一跳:

route inside1 192.168.1.0 255.255.255.0 192.168.4.1
route inside1 192.168.2.0 255.255.255.0 192.168.4.1
route inside1 192.168.100.0 255.255.255.0 192.168.4.1

配置ISP：interface GigabitEthernet0/0/0

         ip address 200.8.8.2 255.255.255.252 \\配置IP【子網(wǎng)為30位】
         interface GigabitEthernet0/0/1
         ip address 200.9.9.254 255.255.255.0\\配置IP
         默認(rèn)路由：ip route-static 0.0.0.0 0.0.0.0 200.8.8.1

配置防火墻對ISP下一跳：

 route outside 200.9.9.0 255.255.255.0 200.8.8.2

防火墻設(shè)置ACL【使外網(wǎng)可訪問內(nèi)網(wǎng)的web服務(wù)】：

 access-list out-to-in permit tcp host 200.9.9.2 host 192.168.100.1 eq 80

調(diào)用ACL：

 access-group out-to-in in interface outside

NAT地址轉(zhuǎn)換【將私有地址轉(zhuǎn)換為公有地址119.1.1.0/29】：

            object network vlan1\\配置vlan1 NAT
            subnet 192.168.1.0 255.255.255.0
            nat (inside1,outside) dynamic 119.1.1.1
            quit
           object network vlan2\\配置vlan2 NAT
           subnet 192.168.2.0 255.255.255.0
           nat (inside1,outside) dynamic 119.1.1.2
           quit
          object network vlan100 \\配置vlan100 NAT
          subnet 192.168.100.0 255.255.255.0
          nat (inside1,outside) dynamic 119.1.1.3
          quit

客戶端IP:

         Client1:192.168.1.1 255.255.255.0
         Client2:192.168.2.1 255.255.255.0
         Server-web:192.168.100.1 255.255.255.0
         Client3:200.9.9.2 255.255.255.0
         Server-ftp:200.9.9.1 255.255.255.0

結(jié)果驗證：
1vlan互通
第十九期ASA【防火墻】綜合拓?fù)?/a>
分享URL：http://muchs.cn/article6/phdoig.html

成都網(wǎng)站建設(shè)公司_創(chuàng)新互聯(lián)，為您提供虛擬主機(jī)、域名注冊、響應(yīng)式網(wǎng)站、關(guān)鍵詞優(yōu)化、移動網(wǎng)站建設(shè)、電子商務(wù)

廣告

聲明：本網(wǎng)站發(fā)布的內(nèi)容（圖片、視頻和文字）以用戶投稿、用戶轉(zhuǎn)載內(nèi)容為主，如果涉及侵權(quán)請盡快告知，我們將會在第一時間刪除。文章觀點不代表本網(wǎng)站立場，如需處理請聯(lián)系客服。電話：028-86922220；郵箱：631063699@qq.com。內(nèi)容未經(jīng)允許不得轉(zhuǎn)載，或轉(zhuǎn)載時需注明來源： 創(chuàng)新互聯(lián)