R1#sho ip route
     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
C    203.81.71.0/24 is directly connected, FastEthernet0/0

R2#sho ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.12.2 to network 0.0.0.0

C    192.168.12.0/24 is directly connected, FastEthernet0/0
     2.0.0.0/24 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, Loopback0
S*   0.0.0.0/0 [1/0] via 192.168.12.2

R3#sho ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.10.10.2 to network 0.0.0.0

     3.0.0.0/24 is subnetted, 1 subnets
C       3.3.3.0 is directly connected, Loopback0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.10.10.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 10.10.10.2

ciscoasa(config)# int gi0
ciscoasa(config-if)# ip add 203.81.71.2 255.255.255.0
ciscoasa(config-if)# no shut
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# exit
ciscoasa(config)# int gi1
ciscoasa(config-if)# ip add 192.168.12.2 255.255.255.0
ciscoasa(config-if)# no shut
ciscoasa(config-if)# nameif dmz
ciscoasa(config-if)# security-level 50
ciscoasa(config-if)# exit
ciscoasa(config)# int gi2
ciscoasa(config-if)# ip add 10.10.10.2 255.255.255.0
ciscoasa(config-if)# no shut
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# exit
ciscoasa(config)# end
ciscoasa# wr me
Building configuration...
Cryptochecksum: 533145fc 8acf6705 27aa6b1f eca7451c
2009 bytes copied in 1.60 secs (2009 bytes/sec)
[OK]
ciscoasa#
ciscoasa# sho int ip bri
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0           203.81.71.2     YES manual up                    up
GigabitEthernet1           192.168.12.2    YES manual up                    up
GigabitEthernet2           10.10.10.2      YES manual up                    up
ciscoasa# sho ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0         outside                203.81.71.2     255.255.255.0   manual
GigabitEthernet1         dmz                    192.168.12.2    255.255.255.0   manual
GigabitEthernet2         inside                 10.10.10.2      255.255.255.0   manual
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0         outside                203.81.71.2     255.255.255.0   manual
GigabitEthernet1         dmz                    192.168.12.2    255.255.255.0   manual
GigabitEthernet2         inside                 10.10.10.2      255.255.255.0   manual

ciscoasa(config)# object network lan_net
ciscoasa(config-network-object)# subnet 10.10.10.0 255.255.255.0
ciscoasa(config-network-object)# exit
ciscoasa(config)# object network lan_net2
ciscoasa(config-network-object)# subnet 3.3.3.0 255.255.255.0
ciscoasa(config-network-object)# exit
ciscoasa(config)#
ciscoasa(config)# object network dmz_net
ciscoasa(config-network-object)# sub
ciscoasa(config-network-object)# subnet 192.168.12.0 255.255.255.0
ciscoasa(config-network-object)# exit
ciscoasa(config)# object network dmz_net2
ciscoasa(config-network-object)# subnet 2.2.2.0 255.255.255.0
ciscoasa(config-network-object)# end
ciscoasa(config)# object-group network group_lan
ciscoasa(config-network-object-group)# net
ciscoasa(config-network-object-group)# network-object object lan_net2
ciscoasa(config-network-object-group)# exit
ciscoasa(config)# object-group network group_dmz
ciscoasa(config-network-object-group)# network-object object dmz_net
ciscoasa(config-network-object-group)# network-object object dmz_net2
ciscoasa(config-network-object-group)# end

ciscoasa# sho run access-list
access-list dmz_to_lan extended permit ip object dmz_net object lan_net
access-list dmz_to_lan extended permit ip object dmz_net object lan_net2
access-list dmz_to_lan extended permit ip object dmz_net2 object lan_net
access-list dmz_to_lan extended permit ip object dmz_net2 object lan_net2

(OR)

ciscoasa(config)# access-list dmz_to_lan extended permit ip object-group group_dmz object-group group_lan
ciscoasa(config)# access-group dmz_to_lan in interface dmz
ciscoasa(config)# route inside 3.3.3.0 255.255.255.0 10.10.10.1
ciscoasa(config)# route dmz 2.2.2.0 255.255.255.0 192.168.12.1

R3#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/96/100 ms

R3#ping 2.2.2.2 sourc lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/61/68 ms

R3#ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/65/72 ms

Dynamic PAT

ciscoasa(config)# object network lan_net
ciscoasa(config-network-object)# nat (insi
ciscoasa(config-network-object)# nat (inside,ou
ciscoasa(config-network-object)# nat (inside,outside) dy
ciscoasa(config-network-object)# nat (inside,outside) dynamic in
ciscoasa(config-network-object)# nat (inside,outside) dynamic interface
ciscoasa(config-network-object)# exit
ciscoasa(config)# access-list inside_nat_outside extended permit ip any object-group group_lan
ciscoasa(config)# access-group inside_nat_outside in interface outside
ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 203.81.71.1 1

R3#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/70/96 ms

ciscoasa# sho nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic lan_net interface
    translate_hits = 1, untranslate_hits = 1
ciscoasa# sho xlate
0 in use, 1 most used

Static NAT

ciscoasa(config)# object network static_nat_web
ciscoasa(config-network-object)# host 2.2.2.2
ciscoasa(config-network-object)# nat (dmz,outside) static 203.81.71.3
ciscoasa(config)# access-list dmz_to_outside extended permit ip object-group group_dmz any
ciscoasa(config)# access-list dmz_to_outside extended permit ip object static_nat_web any
ciscoasa(config)# access-group dmz_to_outside in interface dmz
ciscoasa(config)# access-list outside_to_dmz extended permit ip any object-group group_dmz
ciscoasa(config)# access-list outside_to_dmz extended permit ip any object static_nat_web
ciscoasa(config)# access-group outside_to_dmz in interface outside

ciscoasa# sho nat
Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static static_nat_web 203.81.71.3
    translate_hits = 10, untranslate_hits = 0
2 (inside) to (outside) source dynamic lan_net interface
    translate_hits = 5, untranslate_hits = 6
ciscoasa# sho xlat
1 in use, 2 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from dmz:2.2.2.2 to outside:203.81.71.3
    flags s idle 0:13:14 timeout 0:00:00

R2#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/58/64 ms
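Added example (Python, not ASA or Cisco code): a simplified model of the two Auto NAT rules configured above, with build_rules, translate_outbound and untranslate_inbound as assumed helper names; ports, xlate timeouts and the interface ACLs are left out. It shows that a packet sourced from 3.3.3.3 (lan_net2) leaves without translation because only lan_net carries the PAT rule, and that only the static rule resolves a connection initiated from the outside.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class NatRule:
    """One Auto NAT (object) rule: real-side object, mapped address, kind."""
    name: str
    real: ipaddress.IPv4Network      # real (pre-translation) addresses
    mapped: str                      # mapped address on the outside
    kind: str                        # "static" or "dynamic"
    translate_hits: int = 0          # lookups matched on the real side
    untranslate_hits: int = 0        # lookups matched on the mapped side


def build_rules():
    """The two rules from the page, in the order 'sho nat' lists them
    (the static rule is ordered ahead of the dynamic one in Section 2)."""
    return [
        NatRule("static_nat_web", ipaddress.ip_network("2.2.2.2/32"),
                "203.81.71.3", "static"),
        # 'dynamic interface' maps to the outside interface address
        NatRule("lan_net", ipaddress.ip_network("10.10.10.0/24"),
                "203.81.71.2", "dynamic"),
    ]


def translate_outbound(rules, src):
    """Mapped source for a flow leaving towards outside; None means the
    packet is forwarded with its real source because no rule covers it."""
    ip = ipaddress.ip_address(src)
    for r in rules:
        if ip in r.real:
            r.translate_hits += 1
            return r.mapped
    return None


def untranslate_inbound(rules, dst):
    """Real destination for a connection initiated from outside; only a
    static rule has a fixed inbound mapping, dynamic PAT only answers
    return traffic of connections that already exist in the xlate table."""
    for r in rules:
        if r.kind == "static" and r.mapped == dst:
            r.untranslate_hits += 1
            return str(r.real.network_address)
    return None
```

Ping from R3 without a source option uses 10.10.10.1 and is translated; the same ping sourced from lo0 would reach R1 with source 3.3.3.3, for which R1 holds no route, which is a common reason a NAT lab "works" only for some hosts.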