尝试在 Cisco ASA 5510 中配置 FTP。以下是配置。如何在 ASA 上配置 FTP?

尝试在 Cisco ASA 5510 中配置 FTP。以下是配置。如何在 ASA 上配置 FTP?

尝试在 Cisco ASA 5510 中配置 FTP。以下是配置。如何在 ASA 上配置 FTP?

! Running configuration posted with the question: outside, inside, DMZ and
! management interfaces, dynamic PAT for inside/DMZ sources, and three DMZ
! servers published to the outside through static NAT.
! NOTE(review): 7.0(8) is a very old software train - confirm it still
! receives fixes before relying on it at the network perimeter.
ASA Version 7.0(8)
!
hostname ciscoasa
domain-name default.domain.invalid
! Password hashes were redacted by the poster.
enable password <removed> encrypted
passwd <removed> encrypted
names
dns-guard
!
! Internet-facing interface, lowest trust (security-level 0).
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 122.180.48.54 255.255.255.252
!
! Internal LAN, highest trust (security-level 100).
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.254 255.255.255.0
!
! DMZ holding the published servers (security-level 50, between outside and inside).
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 172.16.0.254 255.255.0.0
!
! Dedicated management port; management-only keeps transit traffic off it.
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
! Transfer mode of the ASA's own FTP client (file copies to or from the
! appliance). It does not control FTP sessions passing through the firewall.
ftp mode passive
! dmztooutside is applied inbound on DMZ (see access-group below).
! The two host entries name no port, so they match all TCP between those
! hosts. The middle entry already permits any IP from 172.16.0.0/16 to any
! destination, which makes them redundant.
! NOTE(review): together with the (inside,DMZ) statics below, that entry
! appears to let DMZ servers open connections to the whole inside subnet -
! confirm this is intended and narrow it if not.
access-list dmztooutside extended permit tcp host 172.16.0.65 host 172.18.0.65
access-list dmztooutside extended permit ip 172.16.0.0 255.255.0.0 any
access-list dmztooutside extended permit tcp host 172.16.0.62 host 172.18.0.62
! outside-int is applied inbound on outside (see access-group below) and
! lists the services reachable on the three published addresses.
! FTP: only ftp-data (TCP 20) is permitted to 122.160.122.141; no entry
! uses "eq ftp" (TCP 21), so an FTP control connection from outside matches
! no permit here. With "inspect ftp" active (policy-map below) the data
! connections are normally opened from the control session, so the
! ftp-data entry is probably not what makes FTP work - verify.
access-list outside-int extended permit tcp any host 122.160.122.141 eq www
access-list outside-int extended permit tcp any host 122.160.122.141 eq smtp
access-list outside-int extended permit tcp any host 122.160.122.141 eq domain
access-list outside-int extended permit tcp any host 122.160.122.141 eq ftp-data

access-list outside-int extended permit tcp any host 122.160.122.142 eq imap4
access-list outside-int extended permit tcp any host 122.160.122.142 eq https
access-list outside-int extended permit tcp any host 122.160.122.142 eq www
access-list outside-int extended permit tcp any host 122.160.122.142 eq pop3
access-list outside-int extended permit tcp any host 122.160.122.142 eq smtp
access-list outside-int extended permit tcp any host 122.160.122.142 eq 993
access-list outside-int extended permit tcp any host 122.160.122.142 eq 995
access-list outside-int extended permit udp any host 122.160.122.142 eq domain
access-list outside-int extended permit tcp any host 122.160.122.142 eq domain
access-list outside-int extended permit udp any host 122.160.122.141 eq domain
access-list outside-int extended permit tcp any host 122.160.122.140 eq www
access-list outside-int extended permit tcp any host 122.160.122.140 eq smtp
access-list outside-int extended permit tcp any host 122.160.122.140 eq domain
access-list outside-int extended permit udp any host 122.160.122.140 eq domain
access-list outside-int extended permit tcp any host 122.160.122.140 eq https
! dmz-int is defined here, but no access-group in this listing references
! it, so these entries are not applied to any interface.
access-list dmz-int extended permit tcp any host 172.16.0.63 eq www
access-list dmz-int extended permit tcp any host 172.16.0.63 eq smtp
access-list dmz-int extended permit tcp any host 172.16.0.63 eq https
access-list dmz-int extended permit tcp any host 172.16.0.63 eq domain
access-list dmz-int extended permit tcp any host 172.16.0.63 eq pop3
access-list dmz-int extended permit tcp any host 172.16.0.63 eq imap4
access-list dmz-int extended permit tcp any host 172.16.0.64 eq www
access-list dmz-int extended permit tcp any host 172.16.0.64 eq smtp
access-list dmz-int extended permit tcp any host 172.16.0.64 eq domain
access-list dmz-int extended permit tcp any host 172.16.0.64 eq ftp-data
access-list dmz-int extended permit tcp any host 172.16.0.63 eq ftp-data
access-list dmz-int extended permit udp any host 172.16.0.63 eq domain
access-list dmz-int extended permit udp any host 172.16.0.64 eq domain
access-list dmz-int extended permit tcp any host 172.16.0.62 eq www
access-list dmz-int extended permit tcp any host 172.16.0.62 eq smtp
access-list dmz-int extended permit tcp any host 172.16.0.62 eq https
access-list dmz-int extended permit tcp any host 172.16.0.62 eq domain
access-list dmz-int extended permit udp any host 172.16.0.62 eq domain
! block_database_internet is applied inbound on inside: it drops every
! packet sourced from 192.168.10.5 that enters that interface (toward the
! DMZ as well as the outside), then permits all other inside traffic.
access-list block_database_internet extended deny ip host 192.168.10.5 any
access-list block_database_internet extended permit ip any any
pager lines 24
! NOTE(review): only ASDM logging is configured in this listing; no syslog
! server or "logging enable" line is visible - confirm where events go.
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
! Dynamic PAT: inside and DMZ sources share the outside interface address.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 172.16.0.0 255.255.0.0
! Static NAT: DMZ servers .64, .63 and .62 are published on public
! addresses .141, .142 and .140; the "dns" keyword asks the ASA to rewrite
! matching DNS replies.
! The first (inside,DMZ) static presents 192.168.10.0/24 to the DMZ under
! its real addresses. The two host statics (192.168.10.5 and
! 192.168.10.209) fall inside that range - presumably deliberate aliases;
! verify that the overlap behaves as intended.
static (DMZ,outside) 122.160.122.141 172.16.0.64 netmask 255.255.255.255 dns
static (inside,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (inside,DMZ) 172.18.0.65 192.168.10.5 netmask 255.255.255.255
static (DMZ,outside) 122.160.122.142 172.16.0.63 netmask 255.255.255.255 dns
static (DMZ,outside) 122.160.122.140 172.16.0.62 netmask 255.255.255.255 dns
static (inside,DMZ) 172.18.0.62 192.168.10.209 netmask 255.255.255.255
! Bind one ACL inbound to each data interface.
access-group outside-int in interface outside
access-group block_database_internet in interface inside
access-group dmztooutside in interface DMZ
route outside 0.0.0.0 0.0.0.0 122.180.48.53 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password <removed> encrypted
! ASDM/HTTPS management is enabled and limited to 192.168.1.0/24 on the
! management interface.
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
! Only idle timeouts are set for telnet and ssh; no permitted-host lines
! for either protocol appear in this listing.
telnet timeout 5
ssh timeout 5
! A console timeout of 0 means console sessions never time out when idle.
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
! Global inspection policy. "inspect ftp" follows the FTP control channel
! and opens the data connections it negotiates, so the interface ACL only
! needs to permit the control port.
! NOTE(review): "inspect ftp strict" adds command validation if wanted.
! "inspect dns maximum-length 512" drops DNS messages above 512 bytes.
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect esmtp
!
service-policy global_policy global
Cryptochecksum:9fa31ff1c0b8f20d07bf965f82f7c1c4
: end
ciscoasa#

答案1

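ASA 是一种防火墙,通常不会在其中配置 FTP 服务;需要做的是让 ASA 放行去往其后方 FTP 服务器的流量。上面的配置中,outside-int 只放行了 ftp-data(TCP 20),没有放行 FTP 控制连接(eq ftp,TCP 21);由于全局策略已启用 inspect ftp,数据连接通常会根据控制连接被动态放行,因此访问列表一般只需放行到该服务器的 eq ftp。另外,ftp mode passive 只影响 ASA 自身作为 FTP 客户端时的传输模式,与穿越防火墙的 FTP 流量无关。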
