Cisco ASA 5505-使用一个公共IP访问DMZ

Cisco ASA 5505-使用一个公共IP访问DMZ

我正在尝试配置我的 Cisco ASA 5505 防火墙,以允许从互联网访问 DMZ 网站和邮件服务器。我是 Cisco 世界的新手,所以如果这是一个新手问题,请原谅我。我知道这个主题已经在许多网站上讨论过了,但大多数网站都假设您有多个公共 IP 地址。我的情况是,我只有一个公共 IP 地址,因此我认为必须使用 PAT 配置。

这是我的设置:我的 ASA(具有基本许可证)配置了三个接口,分别用于内部、外部和 dmz 区域。我的 dmz 中有两台服务器 - 一台是 Web 服务器,一台是邮件服务器。

我相信我已经在互联网上的各个网站上检查了我的配置,但我仍然不知道如何正确配置。这是我的运行配置:

...  
ASA Version 9.0(4)26  
...  
!  
interface Ethernet0/0  
switchport access vlan 2  
!  
interface Ethernet0/1  
switchport access vlan 3  
!  
interface Ethernet0/2  
switchport access vlan 3  
!  
interface Ethernet0/3  
switchport access vlan 3  
!  
interface Ethernet0/4  
switchport access vlan 1  
!  
interface Ethernet0/5  
switchport access vlan 1  
!  
interface Ethernet0/6  
switchport access vlan 1  
!  
interface Ethernet0/7  
switchport access vlan 1  
!  
interface Vlan1  
  nameif inside  
  security-level 100  
  ip address 192.168.1.1 255.255.255.0   
!  
interface Vlan2  
  nameif outside  
  security-level 0  
  ip address 109.198.xxx.yyy 255.0.0.0 
!  
interface Vlan3  
  no forward interface Vlan1  
  nameif dmz  
  security-level 50  
  ip address 172.16.1.1 255.255.255.0  
!  
ftp mode passive  
dns server-group DefaultDNS  
domain-name mydomain.dk  
same-security-traffic permit inter-interface  
same-security-traffic permit intra-interface  
!  
object network obj_any  
  subnet 0.0.0.0 0.0.0.0  
!  
object network inside-subnet  
  subnet 192.168.1.0 255.255.25 5.0  
!  
object network dmz-subnet  
  subnet 172.16.1.0 255.255.255.0  
!  
object network hst-mail-server  
  host 172.16.1.11  
  description Mail server in DMZ  
!  
object network hst-web-server  
  host 172.16.1.10  
  description Web server in DMZ  
!  
object network hst-web-dns  
  host 172.16.1.10  
  description Web dmz host DNS  
!  
object network hst-web-http  
  host 172.16.1.10  
  description Web dmz host HTTP  
!  
object network hst-web-https  
  host 172.16.1.10  
  description Web dmz host HTTPS  
!  
object-group service web-services tcp  
  port-object eq www  
  port-object eq https  
!  
object-group service mail-services tcp  
  port-object eq smtp  
  port-object eq 587  
  port-object eq 993  
  port-object eq 4190  
!  
object-group service svcgrp-web-udp udp  
  port-object eq dnsix  
!  
object-group service svcgrp-web-tcp tcp  
  port-object eq www  
  port-object eq https  
!  
object-group network RFC1918  
  network-object 10.0.0.0 255.0.0.0  
  network-object 172.16.0.0 255.240.0.0  
  network-object 192.168.0.0 255.255.0.0  
!  
object-group service svcgrp-mail-tcp tcp  
  port-object eq smtp  
!  
access-list outside_access_in extended deny ip any object-group RFC1918   
access-list outside_access_in extended permit udp any object hst-web-server object-group svcgrp-web-udp  
access-list outside_access_in extended permit tcp any object hst-web-server object-group svcgrp-web-tcp  
access-list outside_access_in extended permit tcp any object hst-mail-server object-group svcgrp-mail-tcp  
access-list outside_access_in extended permit ip any any  
...  
!  
object network obj_any  
  nat (inside,outside) dynamic interface  
object network inside-subnet  
  nat (inside,dmz) dynamic interface  
object network dmz-subnet  
  nat (dmz,outside) dynamic interface  
object network hst-web-dns  
  nat (dmz,outside) static interface service udp dnsix dnsix  
object network hst-web-http  
  nat (dmz,outside) static interface service tcp www www  
object network hst-web-https  
  nat (dmz,outside) static interface service tcp https https  
access-group outside_access_in in interface outside  
route outside 0.0.0.0 0.0.0.0 109.198.xxx.zzz 1 
...  

答案1

我终于让它工作了——这是一个错误配置的 acl,它拒绝从外部访问 rfc1918 子网。
顺便说一句:我发现了一篇有趣的文章,关于拒绝访问 rfc3330 中的所有子网,而不仅仅是 rfc1918 中的私有子网:https://techbloc.net/archives/1392
受此启发,我稍微增强了我的配置。这是拒绝访问子网的新定义:

object-group network rfc3330-subnets  
  description Group of all rfc3330 subnets incl private and special use  
  network-object 0.0.0.0 255.0.0.0  
  network-object 10.0.0.0 255.0.0.0  
  network-object 14.0.0.0 255.0.0.0  
  network-object 24.0.0.0 255.0.0.0  
  network-object 39.0.0.0 255.0.0.0  
  network-object 127.0.0.0 255.0.0.0  
  network-object 128.0.0.0 255.255.0.0  
  network-object 169.254.0.0 255.255.0.0  
  network-object 172.16.0.0 255.240.0.0  
  network-object 191.255.0.0 255.255.0.0  
  network-object 192.0.0.0 255.255.255.0  
  network-object 192.0.2.0 255.255.255.0  
  network-object 192.88.99.0 255.255.255.0  
  network-object 192.168.0.0 255.255.0.0  
  network-object 198.18.0.0 255.254.0.0  
  network-object 223.255.255.0 255.255.255.0  
  network-object 224.0.0.0 240.0.0.0  
  network-object 240.0.0.0 240.0.0.0  

这是我的新 acl 定义:

access-list outside_access_in extended deny ip object-group rfc3330-subnets any  
access-list outside_access_in extended permit udp any object hst-web-server object-group svcgrp-web-udp  
access-list outside_access_in extended permit tcp any object hst-web-server object-group svcgrp-web-tcp  
access-list outside_access_in extended permit tcp any object hst-mail-server object-group svcgrp-mail-tcp  
access-list outside_access_in extended permit ip any any  

相关内容