Requirements:
The DMZ publishes a Web server (Server3) that Client2 can access.
Use the command show conn detail to view the conn table.
View the routing tables of the ASA and the AR, respectively.
Configure an ACL to prohibit Client3 from accessing Server2.
Configuration steps and ideas:
I. Configure IP addresses for the clients and servers
Server1:
IP: 10.1.1.1
Subnet mask: 255.255.255.0
Gateway: 10.1.1.254
Client1:
IP: 10.2.2.1
Subnet mask: 255.255.255.0
Gateway: 10.2.2.254
Server2:
IP: 192.168.8.100
Subnet mask: 255.255.255.0
Gateway: 192.168.8.254
Client2:
IP: 192.168.8.1
Subnet mask: 255.255.255.0
Gateway: 192.168.8.254
Server3:
IP: 192.168.30.100
Subnet mask: 255.255.255.0
Gateway: 192.168.3.254
Client3:
IP: 192.168.30.1
Subnet mask: 255.255.255.0
Gateway: 192.168.30.254
II. Configure the security zones on the ASA firewall
interface g0                                  // enter interface configuration mode
nameif inside                                 // name the interface "inside"
ip address 192.168.1.254 255.255.255.0        // interface IP; this is the gateway of the 192.168.1.0/24 segment
security-level 100                            // interface security level (range 0-100)
interface g1                                  // enter interface configuration mode
nameif outside                                // name the interface "outside"
ip address 192.168.8.254 255.255.255.0        // gateway of the 192.168.8.0/24 segment
security-level 0                              // interface security level (range 0-100)
interface g2                                  // enter interface configuration mode
nameif dmz                                    // name the interface "dmz"
ip address 192.168.30.254 255.255.255.0       // gateway of the 192.168.30.0/24 segment
security-level 50                             // interface security level (range 0-100)
Write an ACL so that Client2 (outside) can reach the Web service on Server3 (DMZ):
access-list 1 permit tcp any host 192.168.30.100 eq 80
access-group 1 in interface outside   // by default the inside has security level 100 and the outside 0; traffic from a lower-security interface to a higher-security one is not forwarded, so an ACL must be applied to allow this access. An applied ACL ends with an implicit deny, so only the traffic it permits can enter from the outside.
Verify and test:
III. Configure routing so that the inside network can reach the outside
On the AR router:
interface g0/0/0                              // enter interface configuration mode
ip address 10.1.1.254 255.255.255.0           // gateway of Server1's segment
interface g0/0/1                              // enter interface configuration mode
ip address 10.2.2.254 255.255.255.0           // gateway of Client1's segment
interface g0/0/2                              // enter interface configuration mode
ip address 192.168.1.1 255.255.255.0          // configure the IP
Interface g0/0/2 is on the 192.168.1.0/24 segment shared with the ASA inside interface, so it gets an address from that segment.
Configure a default route on the router with next hop 192.168.1.254 (the ASA inside interface):
ip route 0.0.0.0 0.0.0.0 192.168.1.254
On the firewall, configure the return routes with next hop 192.168.1.1 (the router); without them the ASA has no route back to the 10.x segments and reply packets are dropped:
route inside 10.1.1.0 255.255.255.0 192.168.1.1   // reach the 10.1.1.0/24 segment via the inside interface
route inside 10.2.2.0 255.255.255.0 192.168.1.1   // reach the 10.2.2.0/24 segment via the inside interface
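To show why both the router's default route and the firewall's return routes are needed, here is an added Python model of the two routing tables from this section (it is not part of the original lab and not the devices' own code). It performs longest-prefix lookups and traces a packet hop by hop; the device names, interface names and addresses are taken from the configuration above, and a second trace with the `route inside` entries removed shows the firewall dropping the reply for lack of a route.

```python
import ipaddress

# Routing tables built from section III of the lab, one entry per line of the
# configuration: (prefix, next hop or None when directly connected, interface).
AR_ROUTES = [
    ("10.1.1.0/24",    None,            "g0/0/0"),
    ("10.2.2.0/24",    None,            "g0/0/1"),
    ("192.168.1.0/24", None,            "g0/0/2"),
    ("0.0.0.0/0",      "192.168.1.254", "g0/0/2"),  # ip route 0.0.0.0 0.0.0.0 192.168.1.254
]
ASA_ROUTES = [
    ("192.168.1.0/24",  None,          "inside"),
    ("192.168.8.0/24",  None,          "outside"),
    ("192.168.30.0/24", None,          "dmz"),
    ("10.1.1.0/24",     "192.168.1.1", "inside"),   # route inside 10.1.1.0 255.255.255.0 192.168.1.1
    ("10.2.2.0/24",     "192.168.1.1", "inside"),   # route inside 10.2.2.0 255.255.255.0 192.168.1.1
]
# Each device's interface addresses, so that a next hop can be resolved to a device.
DEVICES = {
    "AR":  {"routes": AR_ROUTES,  "addresses": {"10.1.1.254", "10.2.2.254", "192.168.1.1"}},
    "ASA": {"routes": ASA_ROUTES, "addresses": {"192.168.1.254", "192.168.8.254", "192.168.30.254"}},
}


def lookup(routes, dst):
    """Longest-prefix match: return (network, next_hop, interface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def owner(ip, devices):
    """Return the device that holds the given interface address, if any."""
    for name, dev in devices.items():
        if ip in dev["addresses"]:
            return name
    return None


def trace(start, dst, devices=DEVICES, max_hops=8):
    """Follow a packet from device 'start' towards dst; return (path, outcome)."""
    path, device = [start], start
    for _ in range(max_hops):
        match = lookup(devices[device]["routes"], dst)
        if match is None:
            return path, "no route"          # the device drops the packet
        _, next_hop, iface = match
        if next_hop is None:
            return path, f"delivered via {iface}"   # directly connected segment
        device = owner(next_hop, devices)
        if device is None:
            return path, f"next hop {next_hop} unknown"
        path.append(device)
    return path, "hop limit exceeded"


def asa_without_return_routes(devices=DEVICES):
    """Copy of the topology in which the two 'route inside' entries are missing."""
    stripped = {name: dict(dev) for name, dev in devices.items()}
    stripped["ASA"]["routes"] = [r for r in ASA_ROUTES if r[1] is None]
    return stripped


if __name__ == "__main__":
    print("Client1 -> Server2:", trace("AR", "192.168.8.100"))
    print("Server2 -> Client1 (return):", trace("ASA", "10.2.2.1"))
    print("return without 'route inside':", trace("ASA", "10.2.2.1", asa_without_return_routes()))
```

The forward path works because the AR's default route points at the ASA and 192.168.8.0/24 is directly connected there; the return path only works once the ASA knows that 10.2.2.0/24 lies behind 192.168.1.1.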
display ip routing-table   // view the routing table on the AR
show route                 // view the routing table on the ASA
Validation and testing:
Check whether the inside hosts can reach the FTP service on the external network.
Next, view the conn table with show conn detail.
(screenshot of the show conn detail output)
IV. Finally, configure an ACL so that Client3 cannot access Server2 (the last requirement above):
access-list 2 deny tcp any host 192.168.8.100 eq 80   // "2" is the ACL name
access-group 2 in interface dmz                       // apply it inbound on the DMZ interface
Note: once access-group 2 is applied on the DMZ interface, the implicit deny at the end of the ACL also drops every other flow entering from the DMZ, even though DMZ (50) to outside (0) was forwarded by default before; add explicit permit entries for any traffic that should still pass.
Test:
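As an added example (not part of the original lab) that covers both ACLs on this page, the following Python model reproduces how the ASA decides whether to forward a new flow: if an access-group is applied inbound on the ingress interface, that ACL decides and ends with an implicit deny; otherwise traffic is forwarded only from a higher security level to a lower one. The interface levels, ACL entries and host addresses are taken from the page; the placement of the 10.x segments behind the inside interface is an assumption drawn from section III.

```python
import ipaddress

# Interfaces from section II of the lab: security level and connected network.
INTERFACES = {
    "inside":  {"level": 100, "network": "192.168.1.0/24"},
    "outside": {"level": 0,   "network": "192.168.8.0/24"},
    "dmz":     {"level": 50,  "network": "192.168.30.0/24"},
}
# Assumption from section III: the 10.x segments sit behind the AR, reached via "inside".
ROUTED_BEHIND = {"inside": ["10.1.1.0/24", "10.2.2.0/24"]}

# ACL entries as (action, protocol, source, destination, destination port);
# "any" matches every address, None matches every port.
ACLS = {
    "1": [("permit", "tcp", "any", "192.168.30.100", 80)],   # access-list 1 permit tcp any host 192.168.30.100 eq 80
    "2": [("deny",   "tcp", "any", "192.168.8.100",  80)],   # access-list 2 deny tcp any host 192.168.8.100 eq 80
}
# access-group <acl> in interface <name>
ACCESS_GROUPS = {"outside": "1", "dmz": "2"}


def interface_for(ip):
    """Return the ASA interface through which the given host is reached."""
    addr = ipaddress.ip_address(ip)
    for name, cfg in INTERFACES.items():
        nets = [cfg["network"]] + ROUTED_BEHIND.get(name, [])
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return name
    raise ValueError(f"no interface for {ip}")


def acl_verdict(entries, proto, src, dst, port):
    """First matching entry wins; an applied ACL ends with an implicit deny."""
    for action, p, s, d, dport in entries:
        if p != proto:
            continue
        if s != "any" and s != src:
            continue
        if d != "any" and d != dst:
            continue
        if dport is not None and dport != port:
            continue
        return action
    return "deny"


def asa_decision(proto, src, dst, port, access_groups=ACCESS_GROUPS):
    """Decide a new flow the way the ASA does: inbound ACL if applied, else security levels."""
    ingress, egress = interface_for(src), interface_for(dst)
    acl_name = access_groups.get(ingress)
    if acl_name is not None:
        verdict = acl_verdict(ACLS[acl_name], proto, src, dst, port)
        return verdict, f"access-list {acl_name} on {ingress}"
    lin, lout = INTERFACES[ingress]["level"], INTERFACES[egress]["level"]
    if lin > lout:
        return "permit", f"default: {ingress}({lin}) -> {egress}({lout})"
    return "deny", f"default: {ingress}({lin}) -> {egress}({lout}), no ACL applied"


if __name__ == "__main__":
    flows = [  # constructed test flows between the lab's hosts
        ("tcp", "192.168.8.1",  "192.168.30.100", 80),   # Client2 -> Server3 web
        ("tcp", "192.168.8.1",  "192.168.30.100", 22),   # Client2 -> Server3 ssh
        ("tcp", "192.168.30.1", "192.168.8.100",  80),   # Client3 -> Server2 web
        ("tcp", "192.168.30.1", "192.168.8.100",  21),   # Client3 -> Server2 ftp
        ("tcp", "10.1.1.1",     "192.168.8.100",  80),   # Server1 -> Server2 web
    ]
    for flow in flows:
        print(flow, "->", asa_decision(*flow))
```

Running the flows shows the two effects a practitioner should expect: only TCP/80 to Server3 enters from the outside, and once access-list 2 is applied on the DMZ, Client3 loses not just HTTP to Server2 but every other flow out of the DMZ as well, because the implicit deny replaces the old "50 to 0 is allowed" default.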