碧云天 (Spotlight)
This post was last edited by 碧云天 on 2020-5-6 09:46
I. Overview
An ASA firewall in transparent mode needs two interfaces connected to different VLANs. When it is attached one-armed (旁挂) to control access to only a single VLAN, the deployment is relatively simple, as shown in the figure below: the switch is given no interface address on VLAN 5, but it is given an interface address on VLAN 3 in the same subnet as the VLAN 5 devices, and the VLAN 5 devices point their gateway at the VLAN 3 interface address. The VLAN 5 devices therefore reach their gateway through the transparent firewall and then use the Layer 3 switch's routing to talk to other subnets.
[image: 101301t01pwdwg1hz7hdim.png]
II. Test topology
This test uses a one-armed ASA to control access to two VLANs. The firewall has only two cables to the switch, so the switch has to be configured with trunk ports carrying the different VLANs. The test topology is as follows:

[image: 101312ebtsveeooubbdoa7.png]
III. Basic configuration
1. Inside router

hostname Inside
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 10.1.1.254
2. DMZ router
hostname DMZ
interface Ethernet0/0
ip address 192.168.1.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.254
3. Outside router
hostname Outside
interface Ethernet0/0
ip address 202.100.1.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 202.100.1.254
4. SW switch
hostname SW
vlan 4
vlan 5
vlan 6
vlan 15
vlan 16
interface Ethernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
interface Ethernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
interface Ethernet0/2
switchport access vlan 4
switchport mode access
interface Ethernet0/3
switchport access vlan 6
switchport mode access
interface Ethernet1/0
switchport access vlan 5
switchport mode access
interface Vlan4
ip address 10.1.1.254 255.255.255.0
no shutdown
interface Vlan15
ip address 192.168.1.254 255.255.255.0
no shutdown
interface Vlan16
ip address 202.100.1.254 255.255.255.0
no shutdown
5. ASAv firewall
hostname ASAv
firewall transparent
interface GigabitEthernet0/0
no shutdown
interface GigabitEthernet0/0.15
vlan 15
bridge-group 1
nameif Inside-15
security-level 100
interface GigabitEthernet0/0.16
vlan 16
bridge-group 2
nameif Inside-16
security-level 100
interface GigabitEthernet0/1
no shutdown
interface GigabitEthernet0/1.5
vlan 5
bridge-group 1
nameif DMZ
security-level 50
interface GigabitEthernet0/1.6
vlan 6
bridge-group 2
nameif Outside
security-level 0
interface BVI1
ip address 192.168.1.10 255.255.255.0
interface BVI2
ip address 202.100.1.10 255.255.255.0
route Inside-15 0.0.0.0 0.0.0.0 192.168.1.254
policy-map global_policy
class inspection_default
inspect icmp
IV. Verification
1. The switch can ping the DMZ and Outside routers

SW#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
SW#ping 202.100.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
SW#
2. The Inside router can also ping the DMZ and Outside routers
Inside#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
Inside#ping 202.100.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Inside#
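As an added example (not the original poster's configuration or code), the following Python script models the posted topology and checks the two-bridge-group design: that each bridge group bridges exactly one switch SVI VLAN with one device VLAN, that the BVI address sits in that SVI's subnet, and which direction each traversal of the transparent ASA is permitted by default given the security levels. The VLAN, bridge-group, security-level and address data is transcribed from the configs above; the function names and the hop-tracing logic are assumptions of this example.

```python
import ipaddress

# Transcribed from the configs in the post (constructed data for this example).
ASA_IFACES = {"Inside-15": (15, 1, 100), "DMZ": (5, 1, 50),   # nameif -> (vlan, bridge-group, security-level)
              "Inside-16": (16, 2, 100), "Outside": (6, 2, 0)}
BVI = {1: "192.168.1.10/24", 2: "202.100.1.10/24"}              # ASA BVI address per bridge group
SVI = {4: "10.1.1.254/24", 15: "192.168.1.254/24", 16: "202.100.1.254/24"}  # switch gateway SVIs
DEVICES = {"Inside": 4, "DMZ": 5, "Outside": 6}                # router -> switch access VLAN

def default_flow(src_if, dst_if):
    """ASA default with no ACL applied: a new connection from a higher to a lower security
    level is permitted, anything else is denied. Replies to a permitted (inspected) connection
    are allowed statefully, which is why 'inspect icmp' makes the pings above succeed."""
    return "permit" if ASA_IFACES[src_if][2] > ASA_IFACES[dst_if][2] else "deny"

def crossing(vlan):
    """If `vlan` has no SVI, its gateway is reached through the transparent firewall:
    return (bridge-group, device-side nameif, SVI-side nameif); otherwise None."""
    if vlan in SVI:
        return None
    dev = next(n for n, (v, _, _) in ASA_IFACES.items() if v == vlan)
    bg = ASA_IFACES[dev][1]
    peer = next(n for n, (_, g, _) in ASA_IFACES.items() if g == bg and n != dev)
    return bg, dev, peer

def check_bridge_groups():
    """Each bridge group must bridge exactly one SVI VLAN with one device VLAN, and its BVI
    must sit in that SVI's subnet (the invariant this one-armed design relies on)."""
    result = {}
    for bg, addr in BVI.items():
        vlans = [v for v, g, _ in ASA_IFACES.values() if g == bg]
        svis = [v for v in vlans if v in SVI]
        same_net = bool(svis) and (ipaddress.ip_interface(addr).network
                                   == ipaddress.ip_interface(SVI[svis[0]]).network)
        result[bg] = len(vlans) == 2 and len(svis) == 1 and same_net
    return result

def trace(src, dst):
    """Bridge-group crossings for src -> dst traffic and the ASA's default verdict on each."""
    hops = []
    x = crossing(DEVICES[src])
    if x:  # source sits behind the firewall: traffic enters on its device-side interface
        hops.append((x[0], x[1], x[2], default_flow(x[1], x[2])))
    x = crossing(DEVICES[dst])
    if x:  # destination sits behind the firewall: traffic enters on the SVI-side interface
        hops.append((x[0], x[2], x[1], default_flow(x[2], x[1])))
    return hops

if __name__ == "__main__":
    print(check_bridge_groups())
    for a, b in [("Inside", "DMZ"), ("DMZ", "Inside"), ("DMZ", "Outside")]:
        print(f"{a} -> {b}: {trace(a, b)}")
```

Running it shows that Inside -> DMZ and Inside -> Outside do traverse bridge groups 1 and 2 respectively and are permitted by the security levels, while a connection initiated from DMZ toward Inside enters on the security-50 interface and is denied by default.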

Comments
one-time (Level 13)
Thanks for sharing, OP, thank you~
likuo (Spotlight)
Very well explained.
ottokennycai (Level 1)
I don't get it. With your configuration, with or without the firewall, your tests all pass, and they don't go through the firewall.