2025-04-06 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
Requirements:
Publish the web server in the DMZ so that Client2 can access Server3
Use the command show conn detail to view the conn table
View the routing tables of the ASA and the AR router respectively
Configure an ACL to prevent Client3 from accessing Server2
Configuration steps and ideas:
1. Configure IP addresses for the clients and servers
Server1:
IP: 10.1.1.1
Subnet mask: 255.255.255.0
Gateway: 10.1.1.254
Client1:
IP: 10.2.2.1
Subnet mask: 255.255.255.0
Gateway: 10.2.2.254
Server2:
IP: 192.168.8.100
Subnet mask: 255.255.255.0
Gateway: 192.168.8.254
Client2:
IP: 192.168.8.1
Subnet mask: 255.255.255.0
Gateway: 192.168.8.254
Server3:
IP: 192.168.30.100
Subnet mask: 255.255.255.0
Gateway: 192.168.3.254
Client3:
IP: 192.168.30.1
Subnet mask: 255.255.255.0
Gateway: 192.168.30.254
2. Configure zones on the firewall
interface g0                                  // enter interface configuration mode
nameif inside                                 // name the interface
ip address 192.168.1.254 255.255.255.0        // configure the gateway address
security-level 100                            // security level of the interface (range 0-100)
interface g1                                  // enter interface configuration mode
nameif outside                                // name the interface
ip address 192.168.8.254 255.255.255.0        // configure the gateway address
security-level 0                              // security level of the interface (range 0-100)
interface g2                                  // enter interface configuration mode
nameif dmz                                    // name the interface
ip address 192.168.30.254 255.255.255.0       // configure the gateway address
security-level 50                             // security level of the interface (range 0-100)
Write an ACL so that Client2 can access Server3:
access-list 1 permit tcp any host 192.168.30.100 eq 80
access-group 1 in interface outside           // by default the firewall gives the internal network security level 100 and the external network level 0; an interface with a lower level cannot initiate access to one with a higher level, so an ACL is needed to allow it
Validate, test:
3. Configure routes so the public network can be reached
interface g0/0/0                              // enter interface configuration mode
ip address 10.1.1.254 255.255.255.0           // configure the gateway address
interface g0/0/1                              // enter interface configuration mode
ip address 10.2.2.254 255.255.255.0           // configure the gateway address
interface g0/0/2                              // enter interface configuration mode
ip address 192.168.1.1 255.255.255.0          // configure the IP address
Interface g0/0/2 sits on the 192.168.1.0 segment, so it is given an address in 192.168.1.0.
Configure a default route on the router with next hop 192.168.1.254:
ip route 0.0.0.0 0.0.0.0 192.168.1.254
Configure return routes on the firewall with next hop 192.168.1.1 for the internal segments:
route inside 10.1.1.0 255.255.255.0 192.168.1.1   // segment behind the router
route inside 10.2.2.0 255.255.255.0 192.168.1.1   // segment behind the router
display ip routing-table                      // view the routing table on the AR router
show route                                    // view the routing table on the ASA firewall
Verification, test
The following figure shows that the public-network FTP server can be reached.
Next, view the conn table:
show conn detail
4. Finally, configure an ACL so that Client3 cannot access Server2
access-list 2 deny tcp any host 192.168.8.100 eq 80
access-group 2 in interface dmz               // apply it inbound on the dmz interface
Test:
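To check the four steps above against each other before looking at the lab screenshots, here is a small added model of the ASA's decision logic (example code, not part of the original post and not Cisco's implementation): it takes the security levels from step 2, the routes from step 3 and the two ACLs from steps 2 and 4 exactly as configured, and answers whether a new connection would be allowed. The hosts and addresses are the ones in the lab; the function names and the simplified ACL matcher are assumptions of this example.

```python
# Added example (not from the original post): model of how the ASA in this lab
# decides whether a new connection is allowed, built from the configuration
# given in steps 2-4. Function names and the simplified ACE matcher are assumptions.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Security levels exactly as set with "security-level" in step 2.
SECURITY_LEVEL: Dict[str, int] = {"inside": 100, "outside": 0, "dmz": 50}

# ASA routing table: connected networks plus the two "route inside" entries of step 3.
ROUTES: List[Tuple[IPv4Network, str]] = [
    (ip_network("192.168.1.0/24"), "inside"),
    (ip_network("192.168.8.0/24"), "outside"),
    (ip_network("192.168.30.0/24"), "dmz"),
    (ip_network("10.1.1.0/24"), "inside"),
    (ip_network("10.2.2.0/24"), "inside"),
]


def interface_for(ip: str) -> str:
    """Longest-prefix match of ip against ROUTES (the ASA has no default route)."""
    addr = ip_address(ip)
    best: Optional[Tuple[IPv4Network, str]] = None
    for net, iface in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise ValueError(f"no route to {ip}")
    return best[1]


@dataclass(frozen=True)
class Ace:
    """One access-list line: <action> <proto> <src> host <dst> eq <dport>."""
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip"
    src: str               # "any" or a host address
    dst: str               # "any" or a host address
    dport: Optional[int]   # None means any destination port

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        return (
            self.proto in ("ip", proto)
            and self.src in ("any", src)
            and self.dst in ("any", dst)
            and self.dport in (None, dport)
        )


# access-list 1 permit tcp any host 192.168.30.100 eq 80  (access-group 1 in interface outside)
ACL_1 = [Ace("permit", "tcp", "any", "192.168.30.100", 80)]
# access-list 2 deny tcp any host 192.168.8.100 eq 80     (access-group 2 in interface dmz)
ACL_2 = [Ace("deny", "tcp", "any", "192.168.8.100", 80)]

ACCESS_GROUPS: Dict[str, List[Ace]] = {"outside": ACL_1, "dmz": ACL_2}


def is_permitted(proto: str, src: str, dst: str, dport: int,
                 access_groups: Dict[str, List[Ace]] = ACCESS_GROUPS) -> bool:
    """Decide whether a new connection src -> dst:dport may be opened through the ASA.

    If the ingress interface has an access-group, that ACL alone decides: first
    match wins and an unmatched packet hits the implicit deny at the end.
    Without an ACL the default security-level rule applies: traffic may only
    flow from a higher level to a strictly lower one.
    """
    ingress = interface_for(src)
    egress = interface_for(dst)
    acl = access_groups.get(ingress)
    if acl is not None:
        for ace in acl:
            if ace.matches(proto, src, dst, dport):
                return ace.action == "permit"
        return False  # implicit deny at the end of every applied ACL
    return SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]


if __name__ == "__main__":
    flows = [
        ("Client2 -> Server3 web", "tcp", "192.168.8.1", "192.168.30.100", 80),
        ("Client1 -> Server2 web", "tcp", "10.2.2.1", "192.168.8.100", 80),
        ("Client2 -> Server1 web", "tcp", "192.168.8.1", "10.1.1.1", 80),
        ("Client3 -> Server2 web", "tcp", "192.168.30.1", "192.168.8.100", 80),
        ("Client3 -> Server2 ftp", "tcp", "192.168.30.1", "192.168.8.100", 21),
    ]
    for label, proto, src, dst, dport in flows:
        print(f"{label:24s} {'permit' if is_permitted(proto, src, dst, dport) else 'deny'}")
```

Running it shows why step 2 needs ACL 1 (outside at level 0 could never reach the DMZ at level 50 on its own) and that ACL 2 does block Client3 from Server2. It also exposes a caveat the lab does not mention: once access-group 2 is applied to the dmz interface, its implicit deny also blocks every other connection originating in the DMZ, including DMZ-to-outside traffic on port 21 that the default level rule (50 > 0) used to allow, so in practice ACL 2 needs an explicit permit line after the deny.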