I have an ASA 5525-X running 9.1.2. It has several interfaces on it, but the ones I'm mainly looking at are:
(fake subnets)
I have a DNS server in the DMZ, 10.0.100.1, which I can reach from the inside with no problem. However, I want it to appear on the internet as 10.0.200.95 (not the real IP in this example). I have what I think is needed, but when I test it, the packets are dropped by the default ACL.
Relevant config snippet:
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.0.200.194 255.255.255.192
interface GigabitEthernet0/6
nameif DMZ
security-level 50
ip address 10.0.100.254 255.255.255.0
interface GigabitEthernet0/7
nameif inside
security-level 100
ip address 10.0.0.254 255.255.255.0
object network DMZ-DNS-Server-1
host 10.0.100.1
nat (inside,outside-backup) source static Company-MPLS-Network-Group Company-MPLS-Network-Group destination static VPN VPN no-proxy-arp route-lookup
nat (inside,outside) source static Company-MPLS-Network-Group Company-MPLS-Network-Group destination static VPN VPN no-proxy-arp route-lookup
nat (inside,outside) source static Company-MPLS-Network-Group Company-MPLS-Network-Group destination static Site-Site-VPN Site-Site-VPN no-proxy-arp route-lookup
nat (inside,outside-backup) source static Company-MPLS-Network-Group Company-MPLS-Network-Group destination static Site-Site-VPN Site-Site-VPN no-proxy-arp route-lookup
nat (inside,DMZ) source static Company-MPLS-Network-Group Company-MPLS-Network-Group destination static DMZ DMZ no-proxy-arp route-lookup
nat (DMZ,outside) source static DMZ DMZ destination static Site-Site-VPN Site-Site-VPN no-proxy-arp route-lookup
nat (DMZ,outside-backup) source static DMZ DMZ destination static Site-Site-VPN Site-Site-VPN no-proxy-arp route-lookup
object network DMZ-DNS-Server-1
nat (DMZ,outside) static 10.0.200.195 net-to-net
nat (inside,outside-backup) after-auto source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface
nat (DMZ,outside) after-auto source dynamic any interface
nat (DMZ,outside-backup) after-auto source dynamic any interface
access-list traffic-in-outside extended permit tcp any host 10.0.200.195 eq domain
access-list traffic-in-outside extended permit udp any host 10.0.200.195 eq domain
access-group traffic-in-outside in interface outside
Any ideas?
Posted 2013-06-17 15:54:11
Change the ACL to reference the server's real address (10.0.100.1), not the translated address (10.0.200.195). This is another change in 8.3+: ACLs match on real addresses.
Posted 2013-06-17 12:31:49
For that you need to set up a static NAT, since this changed slightly in 8.3+, and in 9 you need to do it like this:
object network STATIC_NAT
host 10.0.100.1
nat (DMZ,outside) static 10.0.200.95
https://networkengineering.stackexchange.com/questions/1912
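Both answers come down to the same 8.3+ rule: object NAT maps the real host to a mapped address, but ACLs are evaluated against the real (untranslated) address. The following added example (not from the question or answers) is a small lint that parses a config in the shape shown above, builds the mapped-to-real mapping from `object network` static NAT entries, and flags any ACE whose `host` destination is a mapped address, suggesting the real-address form. The sample config is constructed from the question's snippet.

```python
import re

# Constructed sample modelled on the question's config (not real device output).
SAMPLE_CONFIG = """
object network DMZ-DNS-Server-1
 host 10.0.100.1
object network DMZ-DNS-Server-1
 nat (DMZ,outside) static 10.0.200.195 net-to-net
access-list traffic-in-outside extended permit tcp any host 10.0.200.195 eq domain
access-list traffic-in-outside extended permit udp any host 10.0.200.195 eq domain
access-list traffic-in-outside extended permit tcp any host 10.0.100.1 eq 22
"""

OBJ_RE = re.compile(r"^object network (\S+)\s*$")
HOST_RE = re.compile(r"^\s*host (\d+\.\d+\.\d+\.\d+)\s*$")
# Object NAT only: "nat (real,mapped) static <mapped-ip>"; twice-NAT lines
# ("nat (a,b) source static ...") do not match this pattern.
NAT_RE = re.compile(r"^\s*nat \(\S+,\S+\) static (\d+\.\d+\.\d+\.\d+)")
ACL_RE = re.compile(r"^access-list (\S+) extended (?:permit|deny) \S+ \S+ host (\S+)")


def parse_static_nats(config):
    """Return {mapped_ip: (object_name, real_ip)} for object-NAT static entries."""
    real_by_obj, mapped_by_obj, current = {}, {}, None
    for line in config.splitlines():
        m = OBJ_RE.match(line)
        if m:
            current = m.group(1)  # object may be re-entered later to add the nat line
            continue
        if current is None:
            continue
        if m := HOST_RE.match(line):
            real_by_obj[current] = m.group(1)
        elif m := NAT_RE.match(line):
            mapped_by_obj[current] = m.group(1)
    return {mapped: (obj, real_by_obj[obj])
            for obj, mapped in mapped_by_obj.items() if obj in real_by_obj}


def find_mapped_in_acl(config):
    """Return (original_ace, mapped_ip, real_ip, corrected_ace) for ACEs that
    reference a mapped address; on 8.3+ such entries never match the traffic."""
    nats = parse_static_nats(config)
    findings = []
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m and m.group(2) in nats:
            mapped = m.group(2)
            real = nats[mapped][1]
            fixed = line.strip().replace(f"host {mapped}", f"host {real}")
            findings.append((line.strip(), mapped, real, fixed))
    return findings
```

Running `find_mapped_in_acl(SAMPLE_CONFIG)` flags the two `domain` ACEs and leaves the one already written against 10.0.100.1 alone.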