ASA5505调试文档.doc

基本需求： 如拓扑所示：满足内部用户正常访问Internet，公网和内网用户能通过公网域名来访问内部server（40.1 70.1）。基本配置如下： ciscoasa# sh run : Saved : ASA Version 7.2(4) ! hostname ciscoasa enable password WdJQMntV/mB02tJF encrypted passwd 2KFQnbNIdI.2KYOU encrypted names ! interface Vlan1 （启用三层接口） nameif inside security-level 100 ip address 44 ! interface Vlan2 （启用三层接口） nameif outside security-level 0 ip address 9 28 ! interface Vlan3 nameif DMZ security-level 50 no ip address ! interface Ethernet0/0 （把二层接口加入VLAN） switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 （把二层接口加入VLAN） switchport access vlan 3 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! ftp mode passive same-security-traffic permit inter-interface access-list ABC extended permit ip any any access-list out-list extended deny tcp any any eq echo access-list out-list extended deny tcp any any eq chargen access-list out-list extended deny tcp any any eq 135 access-list out-list extended deny tcp any any eq 136 access-list out-list extended deny tcp any any eq 137 access-list out-list extended deny tcp any any eq 138 access-list out-list extended deny tcp any any eq netbios-ssn access-list out-list extended deny tcp any any eq ldap access-list out-list extended deny tcp any any eq 445 access-list out-list extended deny tcp any any eq 4444 access-list out-list extended deny udp any any eq tftp access-list out-list extended deny udp any any eq 135 access-list out-list extended deny udp any any eq 136 access-list out-list extended deny udp any any eq netbios-ns access-list out-list extended deny udp any any eq netbios-dgm access-list out-list extended deny udp any any eq 139 access-list out-list extended deny udp any any eq snmp access-list out-list extended deny udp any any eq 389 access-list out-list extended deny udp any any eq 445 access-list out-list extended deny udp any any