实验八(一) ASA 配置 NAT 和 ACL

2024年6月13日发(作者：)

实验八ASA 配置 NAT 和 ACL

实验拓扑

设备

R1

R1

R2

R2

R3

R3

ASA1

ASA1

ASA1

接口

Fa0/0

Loopback0

Fa0/0

Loopback0

Fa0/0

Loopback0

E0/0

E0/1

E0/2

IP地址/掩码

192.168.100.1/24

192.168.1.1/24

172.16.100.2/24

172.16.2.1/24

202.100.0.3/24

123.123.123.123/24

192.168.100.100/24

172.16.100.100/24

202.100.0.100/24

实验要求

1 配置 PAT，实现 inside 区域内主机访问 internet

2 配置静态地址转换，实现 DMZ 区域主机 172.16.2.1 转换为 202.100.0.102

3 配置 Identity NAT，实现 172.16.100.2 访问 inside 时，使用本ip地址

4 配置 ACL，实现 DMZ 区域内主机只允许icmp，telnet 流量访问去往 inside 区域

5 配置 ACL，实验 inside 区域内主机 192.168.1.1 不允许去往任何地址，只能在本区域访

问

实验步骤

步骤 2

根据设备表，配置 ASA 和路由器的接口 IP 地址

R1(config)#interface fastEthernet 0/0

R1(config-if)#ip address 192.168.100.1 255.255.255.0

R1(config-if)#no shutdown

R1(config-if)#exit

R1(config)#interface loopback 0

R1(config-if)#ip address 192.168.1.1 255.255.255.0

R1(config-if)#exit

R2(config)#interface fastEthernet 0/0

R2(config-if)#ip address 172.16.100.2 255.255.255.0

R2(config-if)#no shutdown

R2(config-if)#exit

R2(config)#interface loopback 0

R2(config-if)#ip address 172.16.2.1 255.255.255.0

R2(config-if)#exit

R3(config)#interface fastEthernet 0/0

R3(config-if)#ip address 202.100.0.3 255.255.255.0

R3(config-if)#no shutdown

R3(config-if)#exit

R3(config)#interface loopback 0

R3(config-if)#ip address 123.123.123.123 255.255.255.0

R3(config-if)#exit

ciscoasa(config)# interface ethernet 0/0

ciscoasa(config-if)# nameif inside

INFO: Security level for "inside" set to 100 by default.

ciscoasa(config-if)# ip address 192.168.100.100 255.255.255.0

ciscoasa(config-if)# no shutdown

ciscoasa(config-if)# exit

ciscoasa(config)# interface ethernet 0/1

ciscoasa(config-if)# nameif DMZ

INFO: Security level for "DMZ" set to 0 by default.

ciscoasa(config-if)# security-level 50

ciscoasa(config-if)# ip address 172.16.100.100 255.255.255.0

ciscoasa(config-if)# no shutdown

ciscoasa(config-if)# exit

ciscoasa(config)# interface ethernet 0/2

ciscoasa(config-if)# nameif outside

INFO: Security level for "outside" set to 0 by default.

ciscoasa(config-if)# ip address 202.100.0.100 255.255.255.0

ciscoasa(config-if)# no shutdown

ciscoasa(config-if)# exit

测试连通性：

ciscoasa(config)# ping 192.168.100.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.100.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

ciscoasa(config)# ping 172.16.100.2

Type escape sequence to abort.