Cisco ASA Series General Operations CLI Configuration Guide
Chapter 15: Traffic Zones (page 15-14)

Traffic Zone Example
interface gigabitethernet0/1.202
 vlan 202
 nameif outside4
 security-level 0
 ip address 203.0.113.1 255.255.255.0
 zone-member outside
 no shutdown
interface gigabitethernet0/2.301
 vlan 301
 nameif inside
 security-level 100
 ip address 192.168.9.1 255.255.255.0
 no shutdown
interface gigabitethernet0/2.302
 vlan 302
 nameif dmz
 security-level 50
 ip address 10.3.5.1 255.255.255.0
 no shutdown
# Static NAT for DMZ web server on any destination interface
# (the host keyword takes only an address, no mask)
object network WEBSERVER
 host 10.3.5.9
 nat (dmz,any) static 209.165.202.129 dns
# Dynamic PAT for inside network on any destination interface
object network INSIDE
 subnet 192.168.9.0 255.255.255.0
 nat (inside,any) dynamic 209.165.202.130
# Global access rule for DMZ web server, matching the real address via the network object
access-list WEB-SERVER extended permit tcp any object WEBSERVER eq 80
access-group WEB-SERVER global
# 4 equal cost default routes for outside interfaces
route outside1 0 0 209.165.200.230
route outside2 0 0 209.165.201.10
route outside3 0 0 198.51.100.99
route outside4 0 0 203.0.113.87
# Static routes for NAT addresses - see redistribute static command
route dmz 209.165.202.129 255.255.255.255 10.3.5.99
route inside 209.165.202.130 255.255.255.255 192.168.9.99
# The global service policy
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  dns-guard
  protocol-enforcement
  nat-rewrite
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225 _default_h323_map
  inspect h323 ras _default_h323_map
  inspect ip-options _default_ip_options_map
  inspect netbios
  inspect rsh
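As an added check that is not part of the guide, the following parser reads ASA interface stanzas like the ones above and flags any traffic zone whose member interfaces do not all share one security level, which the zone guidelines require. The outside3 stanza is constructed (the page only shows outside4) and is deliberately given a mismatched level so the check has something to report.

```python
import re
from collections import defaultdict

# Constructed sample: outside4 and inside mirror the page; outside3 is assumed
# and given security-level 10 on purpose so the zone check reports a mismatch.
SAMPLE_CONFIG = """\
interface gigabitethernet0/1.201
 vlan 201
 nameif outside3
 security-level 10
 ip address 198.51.100.1 255.255.255.0
 zone-member outside
 no shutdown
interface gigabitethernet0/1.202
 vlan 202
 nameif outside4
 security-level 0
 ip address 203.0.113.1 255.255.255.0
 zone-member outside
 no shutdown
interface gigabitethernet0/2.301
 vlan 301
 nameif inside
 security-level 100
 ip address 192.168.9.1 255.255.255.0
 no shutdown
"""

def parse_interfaces(config: str) -> list[dict]:
    """Collect nameif, security-level and zone-member from each interface stanza."""
    stanzas, current = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = {"interface": line.split(None, 1)[1], "zone": None, "level": None}
            stanzas.append(current)
        elif current is not None and line.startswith(" "):
            m = re.match(r"\s*(nameif|security-level|zone-member)\s+(\S+)", line)
            if m:
                key = {"nameif": "nameif", "security-level": "level", "zone-member": "zone"}[m.group(1)]
                current[key] = int(m.group(2)) if key == "level" else m.group(2)
    return stanzas

def zone_level_mismatches(stanzas: list[dict]) -> dict[str, set[int]]:
    """Return zones whose member interfaces carry more than one security level."""
    levels = defaultdict(set)
    for s in stanzas:
        if s["zone"]:
            levels[s["zone"]].add(s["level"])
    return {zone: lv for zone, lv in levels.items() if len(lv) > 1}
```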