CREATE ACCESS POLICIES TO PROTECT ACCESS BETWEEN ZONES
WAN-INSIDE THROUGH STATIC AND DYNAMIC NAT FOR INTERNET ACCESS AND SERVICE PUBLISHING
WAN-DMZ DENY WEB BROWSING TO THE INTERNET
INSIDE-DMZ TO PUBLISH SERVICES VIA STATIC NAT; ACL ON POINT-TO-POINT LINKS
:
ASA Version 9.6(1)
!
hostname ciscoasa
domain-name write
names
!
interface GigabitEthernet1/1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface GigabitEthernet1/2
nameif outside
security-level 0
ip address 180.180.180.2 255.255.255.240
!
interface GigabitEthernet1/3
nameif dmz
security-level 50
ip address 172.60.1.1 255.255.255.0
!
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/5
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/7
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/8
no nameif
no security-level
no ip address
shutdown
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
shutdown
!
object network mailserver-internet
host 192.168.2.4
nat (inside,outside) static 180.180.180.4
object network publicip-mailserver
host 180.180.180.4
object network publicip-webserver
host 172.60.1.4
object network webserver-dmz
host 192.168.2.3
nat (inside,dmz) static 172.60.1.4
object network webserver-internet
host 192.168.2.3
nat (inside,outside) static 180.180.180.3
!
!
access-list dmz extended permit tcp any any
access-list dmz extended permit icmp any any echo
access-list dmz extended permit icmp any any echo-reply
access-list outside extended permit icmp any any echo
access-list outside extended permit icmp any any echo-reply
access-list outside extended permit tcp any host 180.180.180.3 eq www
access-list outside extended permit tcp any host 180.180.180.4 eq pop3
access-list outside extended permit tcp any host 180.180.180.4 eq smtp
access-list outside extended permit ip any host 192.168.2.3
access-list outside extended permit ip any host 192.168.2.4
access-list outside extended permit tcp any eq www host 192.168.3.2
access-list outside extended deny tcp any eq www 172.60.1.0 255.255.255.0
!
!
access-group dmz in interface dmz
access-group outside in interface outside
!
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect tftp
!
service-policy global_policy global
!
telnet timeout 5
ssh timeout 5
!
!
!
!
router ospf 1
log-adjacency-changes
network 180.180.180.0 255.255.255.240 area 1
network 192.168.1.0 255.255.255.0 area 1
network 172.60.1.0 255.255.255.0 area 1
!
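As an added check, not part of the original page or of Cisco's tooling, this Python audit takes the NAT objects and the outside ACL copied from the running-config above and flags what an ASA 8.3+ reviewer would flag: ACEs written against the mapped (public) addresses, which never match because interface ACLs are evaluated on real addresses, and the `permit ip any host` entries that open every protocol instead of only the published ports. The `<published-port>` string in the suggested fix is a placeholder, not ASA syntax.

```python
import re

# NAT objects and outside ACL copied from the page's ASA 9.6(1) running-config.
CONFIG = """
object network mailserver-internet
 host 192.168.2.4
 nat (inside,outside) static 180.180.180.4
object network webserver-internet
 host 192.168.2.3
 nat (inside,outside) static 180.180.180.3
access-list outside extended permit tcp any host 180.180.180.3 eq www
access-list outside extended permit tcp any host 180.180.180.4 eq pop3
access-list outside extended permit tcp any host 180.180.180.4 eq smtp
access-list outside extended permit ip any host 192.168.2.3
access-list outside extended permit ip any host 192.168.2.4
"""
ACE = re.compile(r"access-list (\S+) extended (permit|deny) (\S+) (.+?) host (\S+)(.*)")

def static_nat_map(config):
    """Return {mapped_ip: real_ip} for every object network carrying a static NAT."""
    mapped, real = {}, None
    for line in (ln.strip() for ln in config.splitlines()):
        if line.startswith("object network"):
            real = None  # new object: forget the previous host
        elif line.startswith("host "):
            real = line.split()[1]
        else:
            m = re.match(r"nat \(\S+\) static (\S+)", line)
            if m and real:
                mapped[m.group(1)] = real
    return mapped

def audit_acl(config):
    """Return (ace, problem, suggested_ace) for each entry a reviewer would flag.
    ASA 8.3+ evaluates interface ACLs on real (untranslated) addresses, so an ACE
    naming the mapped address never matches; 'permit ip any host' opens every
    protocol where only the published ports should be allowed."""
    mapped, findings = static_nat_map(config), []
    for line in (ln.strip() for ln in config.splitlines()):
        m = ACE.match(line)
        if not m:
            continue
        _name, action, proto, src, dst, _rest = m.groups()
        if dst in mapped:
            findings.append((line, "mapped address never matches on 8.3+",
                             line.replace(dst, mapped[dst])))
        elif action == "permit" and proto == "ip" and src == "any":
            findings.append((line, "permit ip any: restrict to published ports",
                             line.replace(" ip ", " tcp ") + " eq <published-port>"))
    return findings
```

Run against the page's config, the three public-address ACEs are rewritten to their real addresses (e.g. `permit tcp any host 192.168.2.3 eq www`) and the two `permit ip any host` entries are reported for tightening.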
CONFIGURING PERIMETER SECURITY ON THE ASA 5506, DMZ ZONE (NAT INSIDE-DMZ), VIDEO 25