ASA firewall VLAN subinterface inter-communication configuration example
Author: 金振宇  Date: 2008-5-13 19:47:5

Example requirement: a Cisco ASA 5520 firewall is used to route and filter traffic between several internal VLANs. Each VLAN is terminated on an 802.1Q subinterface of GigabitEthernet0/1, so the switch port facing Gi0/1 must be a trunk carrying VLANs 10, 20 and 30, and the physical interface Gi0/1 must not be shut down (it is not, in the configuration below).

Topology diagram: (not reproduced on this page)

Configuration example (ASA firewall configuration):

: Saved
:
ASA Version 7.0(7)
!
hostname *
enable password GSk/3FjsRAiPoooi encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 shutdown
 nameif outside
 security-level 0
 no ip address
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
! Subinterface connecting VLAN 10: security level 99, address assigned below
interface GigabitEthernet0/1.1
 vlan 10
 nameif Test1
 security-level 99
 ip address 10.8.128.254 255.255.255.0
!
! Subinterface connecting VLAN 20: security level 98, address assigned below
interface GigabitEthernet0/1.2
 vlan 20
 nameif Test2
 security-level 98
 ip address 10.8.129.254 255.255.255.0
!
! Subinterface connecting VLAN 30: security level 97, address assigned below
interface GigabitEthernet0/1.3
 vlan 30
 nameif Test3
 security-level 97
 ip address 10.8.130.254 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 description LAN Failover Interface
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
! Access lists that permit everything, to make testing easier
access-list acl_Test1 extended permit icmp any any
access-list acl_Test1 extended permit ip any any
access-list acl_Test2 extended permit icmp any any
access-list acl_Test2 extended permit ip any any
access-list acl_Test3 extended permit icmp any any
access-list acl_Test3 extended permit ip any any
! This ACL is used for the NAT bypass (NAT exemption)
access-list nonat extended permit ip any any
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu Test1 1500
mtu Test2 1500
mtu Test3 1500
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover key *
failover interface ip failover 192.168.254.1 255.255.255.0 standby 192.168.254.2
no asdm history enable
arp timeout 14400
! Enable NAT bypass on the subinterfaces that must talk to each other, so that traffic between the VLANs passes untranslated
nat (Test1) 0 access-list nonat
nat (Test2) 0 access-list nonat
nat (Test3) 0 access-list nonat
! Apply the corresponding access list to each interface
access-group acl_Test1 in interface Test1
access-group acl_Test2 in interface Test2
access-group acl_Test3 in interface Test3
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!

Notes on how this configuration works, and what to change before using it in production:

The three subinterfaces carry different security levels (99, 98, 97). Without an access-group, the ASA allows connections only from a higher-security interface to a lower one; the inbound ACLs bound with access-group replace that default on each interface, and because every ACL here is "permit ip any any", every VLAN can initiate connections to every other VLAN. That is intended only for testing. In production, each acl_TestN should list the specific sources, destinations and ports that VLAN is allowed to reach, followed by an explicit "deny ip any any log" so that blocked traffic is visible in the logs.

The "nat (Test1) 0 access-list nonat" lines are NAT exemption (identity NAT); they only matter when nat-control is enabled or when other nat/global rules would otherwise translate inter-VLAN traffic, and they are harmless otherwise.

The line "passwd 2KFQnbNIdI.2KYOU encrypted" is the well-known hash of the factory-default login password "cisco". Change it (and the enable password) before the device is connected to any network, and restrict telnet/ssh access to the management interface.
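The following is an added example, not part of the original article, showing how the "permit ip any any" test ACLs above would be replaced by a least-privilege policy using the same interface names and subnets. The policy itself is an assumption chosen for illustration: VLAN 10 (Test1) is treated as an admin VLAN allowed to ping and to reach SSH/RDP in the other two VLANs, VLAN 20 (Test2) may reach only a hypothetical web server 10.8.130.10 in VLAN 30, and VLAN 30 (Test3) may not initiate anything. Return traffic is handled by the ASA's stateful inspection, so only the initiating direction needs a permit.

```cisco
! Added example (not from the original page). Assumed policy:
!   Test1 (VLAN 10) = admin VLAN, may ping and use SSH/RDP toward VLANs 20 and 30
!   Test2 (VLAN 20) may reach the hypothetical web server 10.8.130.10 on 80/443
!   Test3 (VLAN 30) may not initiate connections to the other VLANs
!
! 1. Remove the wide-open test entries first, otherwise they stay in the ACL
!    ahead of the new lines and keep matching everything.
no access-list acl_Test1 extended permit icmp any any
no access-list acl_Test1 extended permit ip any any
no access-list acl_Test2 extended permit icmp any any
no access-list acl_Test2 extended permit ip any any
no access-list acl_Test3 extended permit icmp any any
no access-list acl_Test3 extended permit ip any any
!
! 2. Group the admin ports once so the ACL lines stay readable.
object-group service admin_tcp tcp
 port-object eq ssh
 port-object eq 3389
!
! 3. Admin VLAN: ping (echo only) plus the admin ports toward VLANs 20 and 30.
access-list acl_Test1 extended permit icmp 10.8.128.0 255.255.255.0 10.8.129.0 255.255.255.0 echo
access-list acl_Test1 extended permit icmp 10.8.128.0 255.255.255.0 10.8.130.0 255.255.255.0 echo
access-list acl_Test1 extended permit tcp 10.8.128.0 255.255.255.0 10.8.129.0 255.255.255.0 object-group admin_tcp
access-list acl_Test1 extended permit tcp 10.8.128.0 255.255.255.0 10.8.130.0 255.255.255.0 object-group admin_tcp
access-list acl_Test1 extended deny ip any any log
!
! 4. User VLAN: only HTTP/HTTPS to the (hypothetical) web server in VLAN 30.
access-list acl_Test2 extended permit tcp 10.8.129.0 255.255.255.0 host 10.8.130.10 eq www
access-list acl_Test2 extended permit tcp 10.8.129.0 255.255.255.0 host 10.8.130.10 eq https
access-list acl_Test2 extended deny ip any any log
!
! 5. Server VLAN: may answer, but never initiates. The explicit deny makes
!    attempts show up in syslog instead of disappearing into the implicit deny.
access-list acl_Test3 extended deny ip any any log
!
! 6. The NAT exemption and the access-group bindings from the original
!    configuration stay exactly as they are.
access-group acl_Test1 in interface Test1
access-group acl_Test2 in interface Test2
access-group acl_Test3 in interface Test3
```

Verify with "show access-list acl_Test1" (hit counts per line) and by attempting a blocked connection from VLAN 30 while watching "show logging": the denied packet should appear as a log message attributed to the "deny ip any any log" entry on Test3.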