网络工程师成长日记340-某邮政防火墙
本文共 6793 字,大约阅读时间需要 22 分钟。
网络工程师成长日记340-某邮政防火墙
这是我的第340篇原创文章,记录网络工程师行业的点点滴滴,结交IT行业有缘之人
12月24日平安夜的这一天上午出去做工程啦,配置的是ASA5520的防火墙,地点在某邮政公司,这次做工程只有两个人,
我当然还有还有老大。在还没去之前,就在准备cisco防火墙的资料,回顾了一下防火墙配置的内容,大概有了细致的了解,想着这回去应该可以很快的解决吧。
我们走着去工程现场的,那里我们这里不是很远,走路大概20分钟就到了吧。
还好天气还是很不错的,有太阳外面暖暖的,跟上回做工程的天气一样好,还好这次地方不是很难找,一会就到了。到了工程现场之后,就等那边的工程师给我们一个具体的要求,不一会那边的工程师就到了。因为是圣诞节啊,所以工程师还戴着圣诞帽,挺有过节的气氛的。大概了解到客户的需求,我们就准备开始配置防火墙了,看着需求第一感觉是不难,挺简单的,想着应该一会就好了。没想到当我们配完之后要验证的时候,出现了问题。那就是PAT转换不成功,就是把一个网段的地址,转换成一个IP地址。然后立马去检查配置,看过配置以后没有发现问题,但就是没有现象出来。没办法,只有试一下用图形化界面去配置,也就是用SDM登录到防火墙上进行配置。防火墙有一个管理接口,是出厂之前配好的IP地址,是192.168.1.0网段的,只要手动配置电脑IP地址,就可以用SDM来配置防火墙了。配完成之后,我们再次去验证PAT转换是否成功,但结果是没有,不知道哪里出了问题。试了很多办法,就是转换不成功,也看了很多的资料,认为配置没有问题,但效果都不明显。配到人家下班了,问题还是没有找出来,那就只好等着明天再来检查问题了。这时有人来送一送礼物了,当然没有我们的份啦,因为我们不是人家的员工啊。客户那边下班了,我们没有解决问题,就只有明天再来了,希望明天可以很快的把问题解决了。第二天找到了问题的所在,其实客户要求方面有点问题,如果按他们的方法把内网设置成outside而外网设置成intside,也就是说外网的安全级别比内网要高,可以实现效果就必须做静态NAT,做起来需要写很多个访空列表,配置起来比较繁琐。如果改一下方向,配置起来就简单多了。最后的实施的方案跟客户沟通之后就改了一下inside和outside的方向,NAT转换成功。这次工程的印象实在是太深刻了,不仅在工程当中了解客户的需求之后,给出解决方案。而且如果当客户给出的方案与实际中有差别的话,应立刻提出问题进行沟通并向客户进行说明,这样在做工程中就会事半功倍。项目需求:
1、内网访问外网作NAT转换成一个IP地址出去2、交换机作为内网的网关拓扑:
配置:ASA# sh running-config : Saved:ASA Version 7.2(3) !hostname ASAdomain-name default.domain.invalidenable password 8Ry2YjIyt7RRXU24 encryptednamesdns-guard!interface GigabitEthernet0/0nameif insidesecurity-level 100ip address 101.168.53.160 255.255.255.192 !interface GigabitEthernet0/1nameif outsidesecurity-level 0ip address X.X.X.254 255.255.255.192 !interface GigabitEthernet0/2shutdownno nameifno security-levelno ip address! interface GigabitEthernet0/3shutdownno nameifno security-levelno ip address!interface Management0/0nameif managementsecurity-level 100ip address 192.168.1.1 255.255.255.0 management-only!passwd 2KFQnbNIdI.2KYOU encryptedftp mode passivedns server-group DefaultDNSdomain-name default.domain.invalidaccess-list 2 extended permit icmp any any access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.21.129.197 eq 100 access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.21.129.197 eq 101 access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.21.129.197 eq 102 access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.21.129.197 eq 103access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.21.129.197 eq 104 access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.21.129.197 eq 105access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.21.129.196 eq 100 access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.21.129.196 eq 101access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.21.129.196 eq 102 access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.21.129.196 eq 103 access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.21.129.196 eq 104 access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.21.129.196 eq 105 access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.21.130.200 eq www access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.21.130.201 eq www access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.21.130.202 eq www access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.12.130.203 eq www access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.21.130.204 eq www access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.21.130.205 eq www access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.21.130.206 eq www pager lines 24logging asdm informationalmtu inside 1500mtu outside 1500mtu management 1500no failovericmp unreachable rate-limit 1 burst-size 1asdm image disk0:/ASDM-523.BINno asdm history enablearp timeout 14400nat-controlglobal (outside) 1 X.X.X.250 netmask 255.255.255.192nat (inside) 1 X.X.X.0 255.255.255.192access-group 2 in interface outsideroute outside 101.21.129.197 255.255.255.255 X.X.X.252 1route outside 101.21.129.196 255.255.255.255 X.X.X.252 1route outside 101.21.130.200 255.255.255.255 X.X.X.252 1route outside 101.21.130.201 255.255.255.255 X.X.X.252 1route outside 101.21.130.202 255.255.255.255 X.X.X.252 1route outside 101.21.130.203 255.255.255.255 X.X.X.252 1route outside 101.21.130.204 255.255.255.255 X.X.X.252 1route outside 101.21.130.205 255.255.255.255 X.X.X.252 1route outside 101.21.130.206 255.255.255.255 X.X.X.252 1timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout uauth 0:05:00 absolutehttp server enablehttp 192.168.1.0 255.255.255.0 managementno snmp-server locationno snmp-server contactsnmp-server enable traps snmp authentication linkup linkdown coldstarttelnet timeout 5ssh timeout 5 console timeout 0dhcpd address 192.168.1.2-192.168.1.254 managementdhcpd enable management!!class-map inspection_defaultmatch default-inspection-traffic!!policy-map type inspect dns migrated_dns_map_1parametersmessage-length maximum 512policy-map global_policyclass inspection_defaultinspect dns migrated_dns_map_1 inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp !service-policy global_policy globalusername cisco password 3USUcOPFUiMCO4Jk encryptedprompt hostname context Cryptochecksum:b3ff4228ee79bc0299b4a34ed40fb3b2: end ASA# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGPi - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area-
- candidate default, U - per-user static route, o - ODRP - periodic downloaded static route
Gateway of last resort is not set
C 101.168.5.0 255.255.255.192 is directly connected, inside
C 101.168.5.192 255.255.255.192 is directly connected, outsideS 101.21.129.197 255.255.255.255 [1/0] via X.X.X.252, outsideS 101.21.129.196 255.255.255.255 [1/0] via X.X.X.252, outsideS 101.21.130.206 255.255.255.255 [1/0] via X.X.X.252, outsideS 101.21.130.204 255.255.255.255 [1/0] via X.X.X.252, outsideS 101.21.130.205 255.255.255.255 [1/0] via X.X.X.252, outsideS 101.21.130.202 255.255.255.255 [1/0] via X.X.X.252, outsideS 101.21.130.203 255.255.255.255 [1/0] via X.X.X.252, outsideS 101.21.130.200 255.255.255.255 [1/0] via X.X.X.252, outsideS 101.21.130.201 255.255.255.255 [1/0] via X.X.X.252, outside转载于:https://blog.51cto.com/13448371/2072957
你可能感兴趣的文章