DMZ on Cisco ASA 5512 cannot access the Internet

Network Engineering Cisco Cisco-ASA
2022-02-13 20:10:39

Glad to join the forum. I hope to get help here and to help others as much as I can. Right now I have a big problem. I am using a Cisco ASA 5512. I have defined 3 interfaces on the firewall: inside (192.168.0.0), outside (192.198.100.253) and DMZ (192.168.1.0), which holds a web server and other VPN services. Although I think I have done everything, the DMZ cannot reach the Internet. Can someone more experienced, or an expert, help me? Here is the firewall configuration. Thanks.

: Saved
:
ASA Version 9.1(2)
!
hostname ciscoasa
enable password HiGcJ9e0GTkEROyY encrypted
passwd WixegyNLwa6OgUk7 encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.100.253 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.1.254 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network INSIDE-LAN-SUBNET
 subnet 192.168.0.0 255.255.255.0
object network DMZ-LAN-SUBNET
 subnet 192.168.1.0 255.255.255.0
object network dmz
 subnet 192.168.1.0 255.255.255.0
object network webserver-IP_MTN
 host xxx.xxx.xxx.xxx
object network webserver
 host 192.168.1.103
access-list outside_acl extended permit tcp any object webserver eq www
access-list dmz_access_in extended permit ip any 192.168.0.0 255.255.255.0
access-list dmz_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network INSIDE-LAN-SUBNET
 nat (inside,outside) dynamic interface
object network DMZ-LAN-SUBNET
 nat (dmz,outside) dynamic interface
object network webserver
 nat (dmz,outside) static webserver-IP_MTN service tcp www www
access-group outside_acl in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 192.168.100.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.3.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.0.2-192.168.0.99 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd lease 86400 interface inside
dhcpd domain savannah.local interface inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 192.168.2.254 \\SaveConfigCisco\aa
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:4105b5919bbb530e69adc84f75dff135
: end

1 answer

I just re-read your ACL. Sorry I didn't catch it before, but you are missing a statement that permits you to reach public IPs. All you currently have are rules permitting you to reach other private IPs.

Just add:

object-group service HTTP_HTTPS
 service-object tcp destination eq 80
 service-object tcp destination eq 443

access-list dmz_access_in extended permit object-group HTTP_HTTPS 192.168.1.0 255.255.255.0 any

If your route statement is correct and you really do use another private IP as your next hop, it should work after that. If that is wrong, or this does not work, you will need to provide a diagram of how your devices are connected and what your public IP, mask and gateway are (as provided by your ISP).
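To make the answer's point concrete, here is an added example (my own code, not the poster's configuration or anything from Cisco) that replays the ASA's first-match ACL evaluation, including the implicit deny at the end of every ACL, over the two `dmz_access_in` entries from the posted config and over the same ACL with the answer's rule appended. The public address 203.0.113.10, the inside host 192.168.0.10 and the flows themselves are constructed for the demonstration; the grammar it parses is limited to the ACE forms that appear in this thread.

```python
"""Added example: first-match evaluator for the subset of the ASA
"access-list NAME extended ..." grammar used in this thread:
  permit|deny ip|tcp|udp|icmp SRC DST [eq PORT]
  permit|deny object-group SVC-GROUP SRC DST
SRC/DST is "any", "host A.B.C.D" or "A.B.C.D M.M.M.M".
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service object-groups: name -> set of (protocol, destination port).
# HTTP_HTTPS is the group proposed in the answer.
SERVICE_GROUPS = {"HTTP_HTTPS": {("tcp", 80), ("tcp", 443)}}

# Named ports the ASA accepts in place of numbers (only those needed here).
PORT_NAMES = {"www": 80, "https": 443, "domain": 53}


@dataclass
class Flow:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    # "A.B.C.D M.M.M.M": address followed by a subnet mask
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Return (acl_name, action, services, src_net, dst_net) for one ACE.
    services is None for 'ip' (every protocol) or a set of (proto, port),
    where port None means any destination port."""
    t = line.split()
    if t[:1] != ["access-list"] or t[2] != "extended":
        raise ValueError(f"unsupported line: {line}")
    name, action, i = t[1], t[3], 4
    if t[i] == "object-group":
        services, i = SERVICE_GROUPS[t[i + 1]], i + 2
    elif t[i] == "ip":
        services, i = None, i + 1
    else:
        services, i = {(t[i], None)}, i + 1
    src, i = _parse_addr(t, i)
    dst, i = _parse_addr(t, i)
    if i < len(t) and t[i] == "eq" and services is not None:
        # trailing "eq PORT" narrows the destination port of a tcp/udp ACE
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        services = {(p, port) for p, _ in services}
    return name, action, services, src, dst


def _service_matches(services, flow):
    if services is None:       # 'ip' matches every protocol
        return True
    return any(p == flow.proto and port in (None, flow.dport) for p, port in services)


def evaluate(acl_lines, acl_name, flow):
    """Action of the first matching ACE, else the ASA's implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for line in acl_lines:
        name, action, services, src, dst = parse_ace(line)
        if name == acl_name and src_ip in src and dst_ip in dst \
                and _service_matches(services, flow):
            return action
    return "deny (implicit)"


# The two ACEs from the posted config, and the ACL after the answer's addition.
ORIGINAL_DMZ_ACL = [
    "access-list dmz_access_in extended permit ip any 192.168.0.0 255.255.255.0",
    "access-list dmz_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0",
]
FIXED_DMZ_ACL = ORIGINAL_DMZ_ACL + [
    "access-list dmz_access_in extended permit object-group HTTP_HTTPS 192.168.1.0 255.255.255.0 any",
]


def demo():
    """Evaluate constructed DMZ-originated flows against both ACLs."""
    web = Flow("192.168.1.103", "203.0.113.10", "tcp", 443)    # constructed public host
    dns = Flow("192.168.1.103", "8.8.8.8", "udp", 53)
    inside = Flow("192.168.1.103", "192.168.0.10", "tcp", 445)  # constructed inside host
    return {
        "original/web": evaluate(ORIGINAL_DMZ_ACL, "dmz_access_in", web),
        "original/inside": evaluate(ORIGINAL_DMZ_ACL, "dmz_access_in", inside),
        "fixed/web": evaluate(FIXED_DMZ_ACL, "dmz_access_in", web),
        "fixed/dns": evaluate(FIXED_DMZ_ACL, "dmz_access_in", dns),
        "fixed/inside": evaluate(FIXED_DMZ_ACL, "dmz_access_in", inside),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16s} -> {verdict}")
```

Run as a script it shows the original ACL dropping the HTTPS flow to the public address by the implicit deny while passing traffic to the inside LAN, and the amended ACL passing the HTTPS flow. Two things a reviewer of this config would note from the same output: the added rule covers TCP 80 and 443 only, so a DMZ host that resolves names against an external resolver still needs a permit for DNS (the `fixed/dns` case stays denied); and the first two ACEs permit all IP traffic from the DMZ to 192.168.0.0/24, which gives the DMZ's security level 50 no practical effect against the inside LAN and is worth tightening to the specific services the inside actually has to expose.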