Hi all!
I built a lab on an ASA 5540 and configured it so that two hosts sitting on two different interfaces can ping each other. The topology is as follows:
- port Gi0/0: inside interface, 172.16.1.1/24, security-level: 100
- port Gi0/1: DMZ interface, 172.16.4.1/24, security-level: 50
- I set up a Windows Server 2008 server with IP 172.16.4.3/24, connected to the DMZ interface
- In the inside zone I set up a PC running Windows XP with IP 172.16.1.2/24, connected to the inside interface.
After finishing the ASA 5540 configuration, the Windows XP host still cannot ping the Windows Server 2008 host. I hope you can help.
The ASA 5540 configuration is as follows:
ssha# show running-config
: Saved
:
ASA Version 8.0(2)
!
hostname ssha
domain-name xxxx
enable password jDUXMyqeIzxQIVgK encrypted
names
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif DMZ
security-level 50
ip address 172.16.4.1 255.255.255.0
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif managerment
security-level 100
ip address 192.168.1.1 255.255.255.0
!
passwd jDUXMyqeIzxQIVgK encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name xxxx
access-list inside_acl extended permit icmp any any
access-list inside_acl extended permit ip any any
access-list dmz_acl extended permit icmp any any
access-list dmz_acl extended permit ip any any
pager lines 24
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
mtu managerment 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (DMZ) 1 172.16.4.10-172.16.4.12
nat (inside) 1 172.16.1.0 255.255.255.0
access-group inside_acl in interface inside
access-group dmz_acl in interface DMZ
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.4.20 255.255.255.255 DMZ
http 192.168.1.2 255.255.255.255 managerment
snmp-server location enable
snmp-server contact enable
snmp-server enable traps syslog
sla monitor 123
type echo protocol ipIcmpEcho 172.16.4.188 interface DMZ
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
no crypto isakmp nat-traversal
telnet 172.16.1.0 255.255.255.0 inside
telnet 172.16.4.0 255.255.255.0 DMZ
telnet timeout 15
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
prompt hostname context
Cryptochecksum:52b7c00e76c4b2f1fc897a256552d3d3
: end
Thanks all !
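The checks a reader would run against a config like the one above, written out as a small Python lint. This is an added example, not code from the original post or from Cisco; `ASA_CONFIG` is a trimmed copy of the posted running-config, and the checks only approximate the ASA's order of operations for a first packet (inbound ACL on the ingress interface, the pre-8.3 nat/global pairing for the egress interface, then either `inspect icmp` or an inbound ACL on the egress interface for the echo reply). It understands only `any any` ACL entries and named interfaces; it does not emulate the box.

```python
"""Static check of an ASA 8.0-style config for a one-way ICMP echo test.

Added example, not part of the original post. The checks approximate what the
ASA applies to the first packet of a flow; only 'any any' ACL entries are
understood (an assumption that fits the posted config, not the general syntax).
"""
import ipaddress
import re

# Trimmed copy of the config shown in the post (only lines the checks read).
ASA_CONFIG = """\
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif DMZ
 security-level 50
 ip address 172.16.4.1 255.255.255.0
!
access-list inside_acl extended permit icmp any any
access-list inside_acl extended permit ip any any
access-list dmz_acl extended permit icmp any any
access-list dmz_acl extended permit ip any any
mtu outside 1500
global (DMZ) 1 172.16.4.10-172.16.4.12
nat (inside) 1 172.16.1.0 255.255.255.0
access-group inside_acl in interface inside
access-group dmz_acl in interface DMZ
telnet 172.16.1.0 255.255.255.0 inside
telnet 172.16.4.0 255.255.255.0 DMZ
"""


def parse(config):
    """Extract interfaces, ACLs, access-groups, nat/global pairs and a few
    hardening-relevant lines from running-config text."""
    cfg = {"ifaces": {}, "acls": {}, "groups": {}, "nat": [], "global": {},
           "inspect_icmp": False, "telnet": [], "mtu": []}
    cur = None  # interface block currently being read
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = {"level": None, "net": None}
        elif cur is not None and line.startswith("nameif "):
            cfg["ifaces"][line.split()[1]] = cur
        elif cur is not None and line.startswith("security-level "):
            cur["level"] = int(line.split()[1])
        elif cur is not None and line.startswith("ip address "):
            _, _, ip, mask = line.split()
            cur["net"] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        elif line == "!":
            cur = None
        elif line.startswith("access-list "):
            parts = line.split()  # name, 'extended', action, proto, src, dst
            cfg["acls"].setdefault(parts[1], []).append(parts[3:7])
        elif line.startswith("access-group "):
            _, name, _, _, ifc = line.split()
            cfg["groups"][ifc] = name
        elif line.startswith("nat ("):
            m = re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)", line)
            net = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
            cfg["nat"].append((m.group(1), int(m.group(2)), net))
        elif line.startswith("global ("):
            m = re.match(r"global \((\S+)\) (\d+) (\S+)", line)
            cfg["global"][(m.group(1), int(m.group(2)))] = m.group(3)
        elif line.startswith("mtu "):
            cfg["mtu"].append(line.split()[1])
        elif line.startswith("inspect icmp"):
            cfg["inspect_icmp"] = True
        elif line.startswith("telnet ") and not line.startswith("telnet timeout"):
            cfg["telnet"].append(line)
    return cfg


def owner(cfg, host):
    """Name of the interface whose subnet contains host, or None."""
    ip = ipaddress.ip_address(host)
    for name, i in cfg["ifaces"].items():
        if i["net"] is not None and ip in i["net"]:
            return name
    return None


def acl_permits(cfg, ifc, proto):
    """Inbound ACL verdict on ifc: True/False, or None when no ACL is bound
    (then the security-level rule decides: higher to lower passes)."""
    name = cfg["groups"].get(ifc)
    if name is None:
        return None
    for action, p, src, dst in cfg["acls"].get(name, []):
        if p in (proto, "ip") and src == "any" and dst == "any":
            return action == "permit"
    return False  # implicit deny at the end of every ASA ACL


def check_icmp_echo(cfg, src, dst):
    """Return the reasons an echo request src->dst (and its reply) would be
    dropped by the config; an empty list means the firewall config allows it."""
    findings = []
    src_ifc, dst_ifc = owner(cfg, src), owner(cfg, dst)
    if src_ifc is None or dst_ifc is None:
        return [f"no named interface owns {src if src_ifc is None else dst}"]
    lvl = lambda ifc: cfg["ifaces"][ifc]["level"]
    # 1. Echo request arriving on the ingress interface.
    allowed = acl_permits(cfg, src_ifc, "icmp")
    if allowed is None:
        allowed = lvl(src_ifc) > lvl(dst_ifc)
    if not allowed:
        findings.append(f"echo request blocked inbound on {src_ifc}")
    # 2. Pre-8.3 NAT: once a nat rule matches the source, a global with the
    #    same id must exist on the egress interface, and its pool should sit
    #    on the egress subnet so the ASA can proxy-ARP for it.
    for nat_ifc, nat_id, net in cfg["nat"]:
        if nat_ifc == src_ifc and ipaddress.ip_address(src) in net:
            pool = cfg["global"].get((dst_ifc, nat_id))
            if pool is None:
                findings.append(f"nat ({src_ifc}) {nat_id} has no global on {dst_ifc}")
            elif not all(ipaddress.ip_address(a) in cfg["ifaces"][dst_ifc]["net"]
                         for a in pool.split("-")):
                findings.append(f"global pool {pool} is not on the {dst_ifc} subnet")
    # 3. Echo reply: without 'inspect icmp' it is a fresh inbound packet on dst_ifc.
    if not cfg["inspect_icmp"]:
        back = acl_permits(cfg, dst_ifc, "icmp")
        if back is None:
            back = lvl(dst_ifc) > lvl(src_ifc)
        if not back:
            findings.append(f"echo reply blocked inbound on {dst_ifc}: add 'inspect icmp' or permit icmp")
    return findings


def hardening(cfg):
    """Config lines worth fixing regardless of the ping problem."""
    out = [f"cleartext management enabled: {t}" for t in cfg["telnet"]]
    out += [f"mtu references undefined interface {m}" for m in cfg["mtu"]
            if m not in cfg["ifaces"]]
    return out


if __name__ == "__main__":
    cfg = parse(ASA_CONFIG)
    print("icmp findings:", check_icmp_echo(cfg, "172.16.1.2", "172.16.4.3") or "none")
    for f in hardening(cfg):
        print("hardening:", f)
```

Run against the posted lines, `check_icmp_echo` returns no findings: the inside ACL permits the request, `nat (inside) 1` is paired with `global (DMZ) 1` on the DMZ subnet, and `dmz_acl` permits the reply, so on this config the ASA itself should pass the echo. That narrows the hunt to what the lint cannot see (each host's default gateway pointing at its ASA interface, the server's own host firewall) and to the box's own view of the flow, which `packet-tracer input inside icmp 172.16.1.2 8 0 172.16.4.3` on the ASA shows hop by hop. The hardening list flags the two `telnet` lines (cleartext management on both data interfaces) and the `mtu outside` line that names an interface the config never defines.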