Recently, because of a project, I installed ten Cisco ASA firewalls in one go.
Compared with the PIX I used before, there are some differences in behaviour and usage,
so I'm writing them down here as a record...
Back in the PIX OS 6.x days, because of the Adaptive Security Algorithm, interfaces at different security levels had to do address translation in order to talk to each other.
That is quite common in the typical enterprise setup where the firewall sits at the Internet edge, but more and more enterprises are now deploying firewalls inside the corporate network, where address translation between interfaces at different security levels is not acceptable.
In PIX 6.x that requirement had to be handled with
static (inside, dmz) x.x.x.0 x.x.x.0 netmask 255.255.255.0
or nat 0.
Frankly, that's pretty dumb: it's easy to forget to configure, and then you troubleshoot for ages without finding the problem..
ASA 7.x adds a nat-control command. Just enter no nat-control in config mode, and traffic between interfaces at different security levels no longer needs address translation; the ASA forwards packets like a router.
Besides that, I ran into an interesting thing on the project.
Because of the customer's requirements, I configured ASA LAN-based stateful failover and joined the ASAs to OSPF to perform route exchange.
Across the many failover pairs I set the failover and stateful link IP addresses all the same, figuring that since I hadn't brought the 192.168.255.x failover/stateful subnet into OSPF, it shouldn't affect the routing process.
Turns out I was wrong... On the Cisco Catalyst 6509 that peers with a pile of ASA failover pairs, I saw that all these OSPF neighbors had the same Router-ID, each carrying the failover/stateful link IP address.
That made route exchange flap back and forth constantly.
In the end I solved it by manually specifying the router-id in the ASA's ospf router configuration.
A fairly unusual experience...
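A detection check for the symptom described above, written as an added example that is not part of the original post: it parses `show ip ospf neighbor` output in Cisco IOS column format, as seen from the switch side, and reports every Router-ID that is announced by more than one neighbor address. The sample output, its addresses, VLAN interfaces and the 192.168.255.1 Router-ID are all constructed.

```python
import re
from collections import defaultdict

# Constructed sample `show ip ospf neighbor` output from the switch side;
# the Router-ID 192.168.255.1, the addresses and the VLANs are made up.
SAMPLE_SHOW_IP_OSPF_NEIGHBOR = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.255.1     1   FULL/DR         00:00:33    10.1.1.2        Vlan101
192.168.255.1     1   FULL/DR         00:00:38    10.1.2.2        Vlan102
192.168.255.1     1   INIT/DROTHER    00:00:35    10.1.3.2        Vlan103
10.1.4.2          1   FULL/BDR        00:00:31    10.1.4.2        Vlan104
"""

# One neighbor row: Router-ID, priority, state, dead time, address, interface.
_NEIGHBOR_RE = re.compile(
    r"^(?P<rid>\d{1,3}(?:\.\d{1,3}){3})\s+\d+\s+(?P<state>\S+)\s+"
    r"(?:\d{2}:\d{2}:\d{2}|-)\s+(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<intf>\S+)$"
)


def parse_neighbors(output):
    """Return (router_id, neighbor_address, interface, state) for each neighbor row."""
    rows = []
    for line in output.splitlines():
        m = _NEIGHBOR_RE.match(line.strip())
        if m:  # the header line and blank lines do not match
            rows.append((m["rid"], m["addr"], m["intf"], m["state"]))
    return rows


def duplicate_router_ids(output):
    """Map each Router-ID announced from more than one neighbor address to those addresses.

    Several failover pairs sharing one Router-ID is exactly the condition
    that made the author's route exchange flap.
    """
    seen = defaultdict(set)
    for rid, addr, _intf, _state in parse_neighbors(output):
        seen[rid].add(addr)
    return {rid: sorted(addrs) for rid, addrs in seen.items() if len(addrs) > 1}


if __name__ == "__main__":
    for rid, addrs in duplicate_router_ids(SAMPLE_SHOW_IP_OSPF_NEIGHBOR).items():
        print(f"Router-ID {rid} is shared by {len(addrs)} neighbors: {', '.join(addrs)}")
```

A non-empty result means the same fix the author applied is needed: a unique router-id statement under each ASA pair's OSPF router configuration.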
Finally... I have to say it..
Cisco ASA's WebVPN configuration is really unfriendly... XD
1. Excuse me, suppose my inside is the 192.168.0.0/16 subnet and I haven't enabled nat-control; it's strange that inside still can't route to the DMZ hosts at 192.168.12.x/24, and I have to configure nat (dmz,inside) 192.168.0.0 192.168.0.0 255.255.255.0 before it works.
Excuse me, I'm a newbie using an ASA 5510 firewall and there's one thing I can't figure out. I do NAT port mapping on the firewall so that my internal devices can be reached from outside (on specific ports). I've read online about the ASA's DMZ zone, but I never understood where that is configured; the effect seems the same as my NAT mappings. Still, I'd like to know where the DMZ is actually seen and how it's set up... I want to clarify the concept. Could a master give me some guidance?....
A DMZ is just a concept for separating internal and external networks. Basically, from a security standpoint, the internal network should not have one-to-one NAT entries appearing in the firewall configuration; hosts that need to be reachable from the Internet should be concentrated in a segment separate from the internal network, and that segment is what we call the DMZ. The traffic flows should look like this: Inside -> Outside Permit, DMZ -> Outside Permit, Inside -> DMZ Permit, Outside -> Inside Deny, Outside -> DMZ Partial Permit, DMZ -> Inside Deny. The intent is that if an Internet-accessible host gets cracked, it still can't be used as a pivot to attack the internal network. In practice the configuration doesn't differ much: just set different security levels. But it still depends on what you want to achieve. It depends..
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name xxxx.com.tw
enable password M8sMV2vvDocBrvFd encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.10.0.0 site1
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 60.251.xxx.xxx 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.109.254 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.109.3
 domain-name peiling.com.tw
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
 port-object eq pop3
 port-object eq smtp
access-list LAN_to_WAN extended permit tcp any interface outside eq domain
access-list LAN_to_WAN extended permit tcp any interface outside eq ftp
access-list LAN_to_WAN extended permit tcp any interface outside eq sqlnet
access-list LAN_to_WAN extended permit tcp any interface outside eq www
access-list LAN_to_WAN extended permit tcp any interface outside eq smtp
access-list LAN_to_WAN extended permit tcp any interface outside eq pop3
access-list LAN_to_WAN extended permit ip site1 255.255.0.0 192.168.109.0 255.255.255.0
access-list LAN_to_WAN extended permit object-group TCPUDP interface outside host 192.168.109.5 eq www
access-list LAN_to_WAN extended permit tcp interface outside host 192.168.109.3 object-group DM_INLINE_TCP_1
access-list LAN_to_WAN extended permit icmp any any
access-list outside_1_cryptomap extended permit ip 192.168.109.0 255.255.255.0 site1 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.109.0 255.255.255.0 site1 255.255.0.0
access-list WAN_to_LAN extended permit tcp interface outside host 192.168.109.5 eq www
access-list host110 extended permit ip host 192.168.109.44 any
access-list host110 extended permit ip any host 192.168.109.44
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.109.0 255.255.255.0
static (inside,outside) tcp interface sqlnet 192.168.109.1 sqlnet netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.109.1 ftp netmask 255.255.255.255
static (inside,outside) tcp interface domain 192.168.109.3 domain netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.109.3 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.109.3 pop3 netmask 255.255.255.255
static (inside,outside) udp interface www 192.168.109.5 www netmask 255.255.255.255
static (outside,inside) tcp 192.168.109.5 www 60.251.xxx.xxx www netmask 255.255.255.255
static (outside,inside) tcp 192.168.109.3 smtp 60.251.xxx.xxx smtp netmask 255.255.255.255
static (outside,inside) tcp 192.168.109.3 pop3 60.251.xxx.xxx pop3 netmask 255.255.255.255
access-group LAN_to_WAN in interface outside
route outside 0.0.0.0 0.0.0.0 60.251.202.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set connection-type answer-only
crypto map outside_map 1 set peer 60.248.155.252
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group these type ipsec-l2l
tunnel-group these ipsec-attributes
 pre-shared-key *
tunnel-group 60.248.155.252 type ipsec-l2l
tunnel-group 60.248.155.252 ipsec-attributes
 pre-shared-key *
!
class-map map110
 match access-list host110
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map map110
 class map110
  police output 819000 1228800
  police input 819000 1228800
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
service-policy map110 interface outside
service-policy map110 interface inside
prompt hostname context
Cryptochecksum:51fafba719e453bdbdd31cae45f26b88
: end