ASA firewall VLAN sub-interface inter-VLAN communication configuration example
Author: 金振宇 Date: 2008-5-13 19:47:5
Requirement: a Cisco ASA 5520 firewall is used so that several internal VLANs can communicate with each other.
Topology diagram:
Configuration example: [ASA firewall configuration]
: Saved
:
ASA Version 7.0(7)
!
hostname *****
enable password GSk/3FjsRAiPoooi encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 shutdown
 nameif outside
 security-level 0
 no ip address
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.1    // sub-interface for vlan 10, security level 99, assign an address
 vlan 10
 nameif Test1
 security-level 99
 ip address 10.8.128.254 255.255.255.0
!
interface GigabitEthernet0/1.2    // sub-interface for vlan 20, security level 98, assign an address
 vlan 20
 nameif Test2
 security-level 98
 ip address 10.8.129.254 255.255.255.0
!
interface GigabitEthernet0/1.3    // sub-interface for vlan 30, security level 97, assign an address
 vlan 30
 nameif Test3
 security-level 97
 ip address 10.8.130.254 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 description LAN Failover Interface
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list acl_Test1 extended permit icmp any any    // access lists that permit everything, for ease of testing
access-list acl_Test1 extended permit ip any any
access-list acl_Test2 extended permit icmp any any
access-list acl_Test2 extended permit ip any any
access-list acl_Test3 extended permit icmp any any
access-list acl_Test3 extended permit ip any any
access-list nonat extended permit ip any any    // this ACL is used to bypass NAT
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu Test1 1500
mtu Test2 1500
mtu Test3 1500
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover key *****
failover interface ip failover 192.168.254.1 255.255.255.0 standby 192.168.254.2
no asdm history enable
arp timeout 14400
nat (Test1) 0 access-list nonat    // enable NAT bypass on the sub-interfaces that must talk to each other, so traffic between the VLANs passes
nat (Test2) 0 access-list nonat
nat (Test3) 0 access-list nonat
access-group acl_Test1 in interface Test1    // apply each access list to its corresponding interface
access-group acl_Test2 in interface Test2
access-group acl_Test3 in interface Test3
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
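The setup above depends on three things lining up per VLAN: a named sub-interface with its own security level, an access list applied inbound on it (here "permit ip any any", which the author chose for testing and which should be narrowed to the flows the VLANs actually need before production), and a "nat (ifname) 0 access-list nonat" exemption so the ASA does not try to translate inter-VLAN traffic. The Python audit helper below is an added example, not part of the original post: it parses a config of this shape and reports which sub-interfaces are wide open by ACL and which are missing the NAT exemption; the sample it runs on is a constructed, trimmed copy of the configuration above.

```python
# Added audit helper (not from the original post) for the ASA sub-interface configuration on this page.
def parse_asa(config):
    """Return (interfaces, acls, access-group bindings, nat-0 exemptions) from a running-config."""
    ifaces, acls, bindings, nat0, cur = {}, {}, {}, {}, None
    for raw in config.splitlines():
        w = raw.split("//")[0].split()           # drop the author's '//' inline notes
        if not w or w[0] == "!":
            cur = None                           # '!' closes an interface block
        elif w[0] == "interface":
            cur = w[1]
            ifaces[cur] = {}
        elif cur and w[0] in ("nameif", "security-level"):
            ifaces[cur][w[0]] = w[1]
        elif w[0] == "access-list" and w[2:3] == ["extended"]:
            acls.setdefault(w[1], []).append(tuple(w[3:]))  # (action, proto, src, dst)
        elif w[0] == "access-group" and w[2:4] == ["in", "interface"]:
            bindings[w[4]] = w[1]
        elif w[0] == "nat" and w[2:4] == ["0", "access-list"]:
            nat0[w[1].strip("()")] = w[4]        # nat (Test1) 0 access-list nonat
    return ifaces, acls, bindings, nat0

def audit(config):
    """Return findings as strings; an empty list means nothing to report."""
    ifaces, acls, bindings, nat0 = parse_asa(config)
    subifs = {v["nameif"]: v for k, v in ifaces.items() if "." in k and "nameif" in v}
    findings = []
    for name, v in sorted(subifs.items()):
        acl = bindings.get(name)
        if acl and ("permit", "ip", "any", "any") in acls.get(acl, []):
            findings.append(f"{name} (level {v.get('security-level')}): ACL {acl} permits ip any any inbound")
        if name not in nat0:
            findings.append(f"{name}: no 'nat ({name}) 0 access-list' exemption")
    return findings

# Constructed sample: a trimmed copy of the page's config in which Test2 is left out of the NAT exemption.
SAMPLE = """interface GigabitEthernet0/1.1 // sub-interface for vlan 10
 nameif Test1
 security-level 99
!
interface GigabitEthernet0/1.2
 nameif Test2
 security-level 98
!
access-list acl_Test1 extended permit ip any any
access-list acl_Test2 extended permit icmp any any
access-list nonat extended permit ip any any
nat (Test1) 0 access-list nonat
access-group acl_Test1 in interface Test1
access-group acl_Test2 in interface Test2
"""
```

Run audit() over a saved "show running-config" to get the findings list; on the full configuration above it reports all three Test interfaces as wide open and none as missing the exemption.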