Help configuring ASA


    Could someone help me out? I'm configuring an ASA 5525-X running ASA 8.6 and want the hosts in the dmz and inside to communicate with each other, for example over RDP, but so far it still isn't working. Could someone check my config?



    : Saved
    :
    ASA Version 8.6(1)2
    !
    hostname ASA
    enable password FJBSRjaNrck2SEKT encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address IP_public 255.255.255.192
    !
    interface GigabitEthernet0/1
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet0/2
    nameif dmz
    security-level 50
    ip address 10.9.8.1 255.255.255.240
    !
    interface GigabitEthernet0/3
    nameif inside
    security-level 100
    ip address 10.9.9.1 255.255.255.240
    !
    interface GigabitEthernet0/4
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet0/5
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet0/6
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet0/7
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    !
    ftp mode passive
    object network IP_LOCAL_WEBSERVER
    host 10.9.8.2
    object network IP_GLOBAL_WEBSERVER
    host ip_web_global
    object network IP_subnet_inside
    subnet 10.9.9.0 255.255.255.240
    object network IP_subnet_dmz
    subnet 10.9.8.0 255.255.255.240
    access-list outside-in extended permit tcp any object IP_LOCAL_WEBSERVER eq www
    access-list dmz-in extended permit tcp object IP_LOCAL_WEBSERVER object IP_subnet_inside eq www
    access-list dmz-in extended permit tcp object IP_LOCAL_WEBSERVER object IP_subnet_inside eq 1433
    access-list inside-in extended permit tcp object IP_subnet_inside object IP_LOCAL_WEBSERVER eq 3839
    access-list dmz-i extended permit tcp host 10.9.8.2 host 10.9.9.4 eq telnet
    access-list dmz-i extended permit icmp host 10.9.8.2 host 10.9.9.4 echo
    access-list dmz-i extended permit icmp host 10.9.8.2 host 10.9.9.4 echo-reply
    pager lines 24
    logging asdm informational
    mtu management 1500
    mtu outside 1500
    mtu dmz 1500
    mtu inside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,dmz) source static IP_subnet_inside IP_subnet_inside destination static IP_subnet_dmz IP_subnet_dmz
    !
    object network IP_LOCAL_WEBSERVER
    nat (dmz,outside) static IP_GLOBAL_WEBSERVER service tcp www www
    object network IP_subnet_dmz
    nat (dmz,outside) dynamic interface
    access-group outside-in in interface outside
    access-group dmz-in in interface dmz
    access-group inside-in in interface inside
    route outside 0.0.0.0 0.0.0.0 ip_gateway 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:464185c7e3d68ec48afb2f180b2a11c8
    : end
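As an added example (not from the original post, and not VnPro's or Cisco's code), the following Python script models the ASA's ingress access-list decision and feeds it the access-list and access-group lines from the config above, so the RDP question can be answered offline the way packet-tracer would answer it on the box. Two things are visible in the posted lists as written: inside-in permits only tcp/3839 from the inside subnet to the web server (RDP listens on tcp/3389), and dmz-i is defined but never bound with access-group, so it has no effect on traffic. Assumptions: the dmz interface mask is taken as /28 to match object IP_subnet_dmz, the PORT_NAMES table covers only the keywords used in the post, and the CANDIDATE_FIX lines for hosts 10.9.9.4 and 10.9.8.2 (the pair named in dmz-i) are a suggestion of mine, not something from the post; all function and variable names are mine.

```python
"""Offline check of the inside <-> dmz access-list decisions in the config above."""
import ipaddress

# Network objects exactly as defined in the posted config.
OBJECTS = {
    "IP_LOCAL_WEBSERVER": "10.9.8.2/32",
    "IP_subnet_inside": "10.9.9.0/28",
    "IP_subnet_dmz": "10.9.8.0/28",
}
# nameif -> security-level from the posted interface blocks.
SECURITY_LEVEL = {"outside": 0, "dmz": 50, "inside": 100}
# Directly connected subnets, used to pick the egress interface
# (assumption: dmz mask taken as /28 to match object IP_subnet_dmz).
INTERFACE_NET = {
    "dmz": ipaddress.ip_network("10.9.8.0/28"),
    "inside": ipaddress.ip_network("10.9.9.0/28"),
}
# Assumption: only the port keywords that appear in the post are needed.
PORT_NAMES = {"www": 80, "telnet": 23}

# access-list / access-group lines copied from the post, re-joined where the
# forum wrapped them.
POSTED_ACL = """
access-list outside-in extended permit tcp any object IP_LOCAL_WEBSERVER eq www
access-list dmz-in extended permit tcp object IP_LOCAL_WEBSERVER object IP_subnet_inside eq www
access-list dmz-in extended permit tcp object IP_LOCAL_WEBSERVER object IP_subnet_inside eq 1433
access-list inside-in extended permit tcp object IP_subnet_inside object IP_LOCAL_WEBSERVER eq 3839
access-list dmz-i extended permit tcp host 10.9.8.2 host 10.9.9.4 eq telnet
access-list dmz-i extended permit icmp host 10.9.8.2 host 10.9.9.4 echo
access-list dmz-i extended permit icmp host 10.9.8.2 host 10.9.9.4 echo-reply
access-group outside-in in interface outside
access-group dmz-in in interface dmz
access-group inside-in in interface inside
"""

# Hypothetical lines to try (my suggestion, not from the post): host-to-host
# RDP (tcp/3389) in each direction. The ASA is stateful, so each direction
# needs a rule only on its ingress ACL; return traffic follows the connection.
CANDIDATE_FIX = """
access-list inside-in extended permit tcp host 10.9.9.4 host 10.9.8.2 eq 3389
access-list dmz-in extended permit tcp host 10.9.8.2 host 10.9.9.4 eq 3389
"""


def parse_addr(tokens):
    """Consume one address spec (any | host A | object NAME | A MASK)."""
    kw = tokens[0]
    if kw == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if kw == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if kw == "object":
        return ipaddress.ip_network(OBJECTS[tokens[1]]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_port(tokens):
    """Return the 'eq' destination port as an int, or None (any port / icmp type)."""
    if tokens[:1] == ["eq"]:
        p = tokens[1]
        return PORT_NAMES.get(p, int(p) if p.isdigit() else p)
    return None


def parse_config(text):
    """Build {acl: [(action, proto, src_net, dst_net, port)]} and {interface: acl}."""
    acls, bindings = {}, {}
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2] == "extended":
            src, rest = parse_addr(t[5:])
            dst, rest = parse_addr(rest)
            acls.setdefault(t[1], []).append((t[3], t[4], src, dst, parse_port(rest)))
        elif t[:1] == ["access-group"] and t[2:4] == ["in", "interface"]:
            bindings[t[4]] = t[1]
    return acls, bindings


def permitted(acls, bindings, ingress, proto, src, dst, dport=None):
    """Mimic the ingress ACL decision: first match wins and an unmatched flow
    hits the implicit deny. With no access-group bound, the ASA default applies
    and only higher-to-lower security-level traffic passes."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if ingress not in bindings:
        egress = next((i for i, n in INTERFACE_NET.items() if dst in n), "outside")
        return SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]
    for action, p, snet, dnet, port in acls.get(bindings[ingress], []):
        if p in (proto, "ip") and src in snet and dst in dnet and port in (None, dport):
            return action == "permit"
    return False


def check_rdp(config_text):
    """RDP between the two hosts named in the dmz-i lines, in both directions."""
    acls, bindings = parse_config(config_text)
    return {
        "inside->dmz": permitted(acls, bindings, "inside", "tcp", "10.9.9.4", "10.9.8.2", 3389),
        "dmz->inside": permitted(acls, bindings, "dmz", "tcp", "10.9.8.2", "10.9.9.4", 3389),
    }


if __name__ == "__main__":
    print("posted config:       ", check_rdp(POSTED_ACL))
    print("with candidate lines:", check_rdp(POSTED_ACL + CANDIDATE_FIX))
```

On the real box the equivalent check is `packet-tracer input inside tcp 10.9.9.4 12345 10.9.8.2 3389`, which also walks the NAT and route phases this script does not model. The candidate lines are deliberately host-to-host rather than subnet-to-subnet: opening RDP from all of inside to all of the DMZ widens the blast radius if the DMZ web server is compromised, and the dmz-in rule in particular should only exist if the DMZ side genuinely needs to initiate RDP into inside.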