Note: inside (intranet) interface 192.168.3.253, outside (external) interface 192.168.6.45. The instructions below use these addresses.
Assign a port to a VLAN in interface mode:
switchport access vlan 2
Configure the IP address on the VLAN interface:
interface Vlan1
nameif inside
security-level 50
ip address 192.168.3.253 255.255.255.0
To configure port mapping:
access-list outside_access extended permit ip any any
(creates the access control list; note that "permit ip any any" allows all inbound traffic, so narrow it to the published port where possible)
access-group outside_access in interface outside
(applies the list inbound on the outside interface)
static (inside,outside) tcp interface 3389 192.168.3.222 3389 netmask 255.255.255.255
(maps port 3389 of the outside interface address to 192.168.3.222:3389; the mapped port after "interface" is required)
To configure NAT:
global (outside) 1 interface
nat (inside) 1 192.168.3.0 255.255.255.0
Configuring an SSH connection:
username xxx password xxxxxx privilege 15
(creates a local user; 15 is the full administrative privilege level)
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
(authenticates SSH logins and "enable" against the local user database)
ssh 192.168.3.0 255.255.255.0 inside
(allows SSH only from the inside network)
crypto key generate rsa
(generates the RSA key that turns on the SSH service; add "modulus 2048" for a stronger key than the 1024-bit default)
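The SSH section above, written out as one complete management-access configuration for ASA 8.2. This is an added example, not configuration from the original post: the inside network 192.168.3.0/24 comes from the page, while the hostname, domain name, the "admin" account and its password are placeholders to replace with your own. It goes beyond the page by restricting the ASA to SSH version 2, setting an idle timeout, and using a 2048-bit key.

```cisco
! Added example (not from the original post): SSH management access on ASA 8.2,
! restricted to the inside network given on the page (192.168.3.0/24).
! hostname, domain-name, "admin" and the password are placeholders.
hostname asa-edge
domain-name example.local
! The RSA key label is derived from hostname.domain-name, so set both first.
! 2048 bits instead of the 1024-bit default.
crypto key generate rsa modulus 2048
! Local account used both for SSH login and for "enable"
username admin password <strong-password> privilege 15
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
! Only SSH version 2, only from the inside subnet, idle sessions closed after 10 minutes
ssh version 2
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 10
! Verification: allowed hosts, version and timeout, and the current sessions
show ssh
show ssh sessions
```

After applying this, an SSH attempt from an address outside 192.168.3.0/24 is refused by the ASA itself, independently of the outside ACL, and "show ssh sessions" lists who is logged in and from where.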
To add a static route:
route outside 0.0.0.0 0.0.0.0 192.168.6.254 1
route inside 192.168.6.0 255.255.255.0 192.168.6.254 1
To resolve the NAT reflow (hairpin) problem:
The following is a solution given on a forum:
You can use hairpinning + static NAT. The principle is to allow traffic arriving on the inside interface to leave again directly through the inside interface instead of going out another interface. The configuration is as follows (1.1.1.1 is the public IP, 192.168.1.10 is the internal IP):
1. Enable hairpinning:
same-security-traffic permit intra-interface
2. Define the global address that intranet users use to reach internal servers through hairpinning:
global (inside) 1 interface
3. Address mapping: map the public port to the intranet port:
static (inside,outside) tcp 1.1.1.1 www 192.168.1.10 www netmask 255.255.255.255
4. Define the address mapping for the return path of hairpinned traffic:
static (inside,inside) tcp 1.1.1.1 www 192.168.1.10 www netmask 255.255.255.255
5. Define the ACL:
access-list 101 extended permit tcp any host 1.1.1.1 eq www
6. Apply the ACL to the outside interface:
access-group 101 in interface outside
Applied to my own configuration: a Remote Desktop server on the intranet is mapped to the external network, and intranet clients should also be able to reach it through the external IP.
To turn on NAT:
global (outside) 1 interface
nat (inside) 1 192.168.3.0 255.255.255.0
Do the port mapping:
static (inside,outside) tcp interface 3389 192.168.3.222 3389 netmask 255.255.255.255
Configure access control on the outside interface:
access-list outside_access extended permit ip any any
access-group outside_access in interface outside
The commands above let external users reach the internal terminal through the public IP, but intranet users still cannot (they can only use the intranet IP). To let them use the public IP as well:
same-security-traffic permit intra-interface
global (inside) 1 interface
static (inside,inside) tcp 192.168.6.45 3389 192.168.3.222 3389 netmask 255.255.255.255
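The port-mapping and hairpin steps above, collected into one complete ASA 8.2 configuration with verification commands. This is an added example, not configuration from the original post or the forum it quotes: the addresses 192.168.3.222, 192.168.3.0/24 and 192.168.6.45 are the page's, while the client addresses used in the packet-tracer checks (203.0.113.10 outside, 192.168.3.50 inside) are constructed. It departs from the page in one respect: the outside ACL permits only TCP/3389 to the published address rather than "permit ip any any", so only the service that is meant to be published is reachable.

```cisco
! Added example (not from the original post): publish the inside RDP host
! 192.168.3.222 on the outside interface address 192.168.6.45 (addresses from the
! page) for outside clients and, via hairpinning, for inside clients using the
! public address. Client addresses in the packet-tracer lines are constructed.
!
! Outbound PAT for the inside network
global (outside) 1 interface
nat (inside) 1 192.168.3.0 255.255.255.0
! Publish TCP/3389 on the outside interface address (mapped port before the real address)
static (inside,outside) tcp interface 3389 192.168.3.222 3389 netmask 255.255.255.255
! Inbound ACL on the outside interface: only RDP to the published address.
! On 8.2 the ACL matches the mapped (public) address, as in the forum's "host 1.1.1.1".
access-list outside_access extended permit tcp any host 192.168.6.45 eq 3389
access-group outside_access in interface outside
! Hairpinning: let inside traffic re-enter the inside interface, PAT it to the
! inside interface address, and map the public address on the inside as well
same-security-traffic permit intra-interface
global (inside) 1 interface
static (inside,inside) tcp 192.168.6.45 3389 192.168.3.222 3389 netmask 255.255.255.255
!
! Verification
show xlate
show access-list outside_access
! Outside client (constructed address) to the published port: expected ALLOW
packet-tracer input outside tcp 203.0.113.10 40000 192.168.6.45 3389
! Outside client to a port that is not published: expected DROP by the ACL
packet-tracer input outside tcp 203.0.113.10 40000 192.168.6.45 445
! Inside client (constructed address) using the public address: expected ALLOW via the (inside,inside) static
packet-tracer input inside tcp 192.168.3.50 40000 192.168.6.45 3389
```

The three packet-tracer runs are the useful check: the first and third should end in ALLOW and show the static translation in the NAT phase, while the second should be dropped in the ACCESS-LIST phase, which is exactly the difference between this ACL and "permit ip any any".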
About rate limiting:
access-list 1000 extended permit ip 192.168.3.0 255.255.255.0 any
access-list 1000 extended permit ip any 192.168.3.0 255.255.255.0
(the access-list name "1000" is required so the class-map below can match it)
class-map 1000
match access-list 1000
policy-map Xiansu
class 1000
police output 8000000 1600000 conform-action transmit exceed-action drop
police input 8000000 1600000 conform-action transmit exceed-action drop
(normal rate 1Mbps, burst 2Mbps: conforming traffic is forwarded, traffic exceeding the burst is dropped)
service-policy Xiansu interface inside
(applies the policy to the inside interface)
======================================
This article is from the "retrograde person" blog; reprinting declined.
Cisco ASA Firewall Common Configuration (ASA Version 8.2(5))