我正在尝试配置我的 Cisco ASA 5505 防火墙,以允许从互联网访问 DMZ 网站和邮件服务器。我是 Cisco 世界的新手,所以如果这是一个新手问题,请原谅我。我知道这个主题已经在许多网站上讨论过了,但大多数网站都假设您有多个公共 IP 地址。我的情况是,我只有一个公共 IP 地址,因此我认为必须使用 PAT 配置。
这是我的设置:我的 ASA(具有基本许可证)配置了三个接口,分别用于内部、外部和 dmz 区域。我的 dmz 中有两台服务器 - 一台是 Web 服务器,一台是邮件服务器。
我相信我已经在互联网上的各个网站上检查了我的配置,但我仍然不知道如何正确配置。这是我的运行配置:
...
ASA Version 9.0(4)26
...
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
switchport access vlan 3
!
interface Ethernet0/4
switchport access vlan 1
!
interface Ethernet0/5
switchport access vlan 1
!
interface Ethernet0/6
switchport access vlan 1
!
interface Ethernet0/7
switchport access vlan 1
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 109.198.xxx.yyy 255.0.0.0
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 172.16.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name mydomain.dk
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
object network obj_any
subnet 0.0.0.0 0.0.0.0
!
object network inside-subnet
subnet 192.168.1.0 255.255.25 5.0
!
object network dmz-subnet
subnet 172.16.1.0 255.255.255.0
!
object network hst-mail-server
host 172.16.1.11
description Mail server in DMZ
!
object network hst-web-server
host 172.16.1.10
description Web server in DMZ
!
object network hst-web-dns
host 172.16.1.10
description Web dmz host DNS
!
object network hst-web-http
host 172.16.1.10
description Web dmz host HTTP
!
object network hst-web-https
host 172.16.1.10
description Web dmz host HTTPS
!
object-group service web-services tcp
port-object eq www
port-object eq https
!
object-group service mail-services tcp
port-object eq smtp
port-object eq 587
port-object eq 993
port-object eq 4190
!
object-group service svcgrp-web-udp udp
port-object eq dnsix
!
object-group service svcgrp-web-tcp tcp
port-object eq www
port-object eq https
!
object-group network RFC1918
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
!
object-group service svcgrp-mail-tcp tcp
port-object eq smtp
!
access-list outside_access_in extended deny ip any object-group RFC1918
access-list outside_access_in extended permit udp any object hst-web-server object-group svcgrp-web-udp
access-list outside_access_in extended permit tcp any object hst-web-server object-group svcgrp-web-tcp
access-list outside_access_in extended permit tcp any object hst-mail-server object-group svcgrp-mail-tcp
access-list outside_access_in extended permit ip any any
...
!
object network obj_any
nat (inside,outside) dynamic interface
object network inside-subnet
nat (inside,dmz) dynamic interface
object network dmz-subnet
nat (dmz,outside) dynamic interface
object network hst-web-dns
nat (dmz,outside) static interface service udp dnsix dnsix
object network hst-web-http
nat (dmz,outside) static interface service tcp www www
object network hst-web-https
nat (dmz,outside) static interface service tcp https https
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 109.198.xxx.zzz 1
...
答案1
我终于让它工作了——这是一个错误配置的 acl,它拒绝从外部访问 rfc1918 子网。
顺便说一句:我发现了一篇有趣的文章,关于拒绝访问 rfc3330 中的所有子网,而不仅仅是 rfc1918 中的私有子网:https://techbloc.net/archives/1392
受此启发,我稍微增强了我的配置。这是拒绝访问子网的新定义:
object-group network rfc3330-subnets
description Group of all rfc3330 subnets incl private and special use
network-object 0.0.0.0 255.0.0.0
network-object 10.0.0.0 255.0.0.0
network-object 14.0.0.0 255.0.0.0
network-object 24.0.0.0 255.0.0.0
network-object 39.0.0.0 255.0.0.0
network-object 127.0.0.0 255.0.0.0
network-object 128.0.0.0 255.255.0.0
network-object 169.254.0.0 255.255.0.0
network-object 172.16.0.0 255.240.0.0
network-object 191.255.0.0 255.255.0.0
network-object 192.0.0.0 255.255.255.0
network-object 192.0.2.0 255.255.255.0
network-object 192.88.99.0 255.255.255.0
network-object 192.168.0.0 255.255.0.0
network-object 198.18.0.0 255.254.0.0
network-object 223.255.255.0 255.255.255.0
network-object 224.0.0.0 240.0.0.0
network-object 240.0.0.0 240.0.0.0
这是我的新 acl 定义:
access-list outside_access_in extended deny ip object-group rfc3330-subnets any
access-list outside_access_in extended permit udp any object hst-web-server object-group svcgrp-web-udp
access-list outside_access_in extended permit tcp any object hst-web-server object-group svcgrp-web-tcp
access-list outside_access_in extended permit tcp any object hst-mail-server object-group svcgrp-mail-tcp
access-list outside_access_in extended permit ip any any