3. Configure the access control lists.
ciscoasa(config)# access-list 1 extended permit ip any any
ciscoasa(config)# access-list 101 extended permit ip 192.168.10.0 255.255.255.0 any
ciscoasa# sh nameif
interface name security
gigabitethernet1/1 inside 100
gigabitethernet1/2 outside 0
ciscoasa(config)# ping 192.168.10.1
type escape sequence to abort.
sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa(config)# ping 192.168.10.2
type escape sequence to abort.
sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa(config)#
Experiment 1: inside/outside test
ciscoasa(config)# sh access-list 1
access-list 1; 1 elements; name hash: 0xbbb5ca06
access-list 1 line 1 extended deny ip host 14.215.177.39 any (hitcnt=0) 0x3bcf1f89   denied IP: 14.215.177.39
ciscoasa(config)# sh access-list 101
access-list 101; 1 elements; name hash: 0xe7d586b5
access-list 101 line 1 extended permit ip host 14.215.177.39 any (hitcnt=0) 0x94701252   permitted outside IP: 14.215.177.39
ciscoasa(config)#
Result:
This shows that if the inside IP is denied, the ping fails.
Experiment 2: access-list 1 extended permit ip 192.168.10.0 255.255.255.0 any
access-list 101 extended permit ip 192.168.10.0 255.255.255.0 any
ciscoasa(config)# sh access-list 1
access-list 1; 1 elements; name hash: 0xbbb5ca06
access-list 1 line 1 extended permit ip 192.168.10.0 255.255.255.0 any (hitcnt=0) 0x8d755df7
ciscoasa(config)# sh access-list 101
access-list 101; 2 elements; name hash: 0xe7d586b5
access-list 101 line 1 extended permit ip host 14.215.177.39 any (hitcnt=0) 0x94701252
access-list 101 line 2 extended permit ip 192.168.10.0 255.255.255.0 any (hitcnt=0) 0xe76cc9b5
ciscoasa(config)#
ciscoasa(config)# wr
ciscoasa(config)# reload
Still cannot ping.
ciscoasa(config)# access-group 101 in interface outside
re** outside can ping 192.168.10.1 and.
Note: when an access list is empty, the system automatically deletes the ** access list. Is that true?
At this point the ASA itself can access the Internet normally.
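To make the two experiments concrete, here is an added Python model (not from the original lab notes and not ASA code) that parses the extended ACEs shown above, evaluates them first-match with the implicit deny at the end, and, when no access-group is bound to the ingress interface, falls back to the ASA security-level default; the sample config, the security levels taken from sh nameif, and the function names are constructed for this example.

```python
import ipaddress

# Interface security levels as shown by "sh nameif" on this page.
SECURITY_LEVELS = {"inside": 100, "outside": 0}

def _parse_addr(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D', or 'NET SUBNETMASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # ASA ACLs take real subnet masks (255.255.255.0), not IOS wildcard masks
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_acls(config_text):
    """Return {acl_name: [(action, src_net, dst_net), ...]} in configured order."""
    acls = {}
    for line in config_text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] != "extended" or t[4] != "ip":
            continue  # only 'extended ... ip' ACEs are modelled here
        rest = t[5:]
        src, dst = _parse_addr(rest), _parse_addr(rest)
        acls.setdefault(t[1], []).append((t[3], src, dst))
    return acls

def evaluate(aces, src_ip, dst_ip):
    """First matching ACE wins; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in aces:
        if s in src_net and d in dst_net:
            return action
    return "deny"

def is_allowed(acls, bindings, ingress, egress, src_ip, dst_ip):
    """bindings = {interface: acl_name} from 'access-group <acl> in interface <if>'.
    With no ACL bound on the ingress interface the ASA default applies: traffic may
    only flow from a higher security level to a lower one (inside 100 -> outside 0)."""
    name = bindings.get(ingress)
    if name is None:
        return SECURITY_LEVELS[ingress] > SECURITY_LEVELS[egress]
    return evaluate(acls[name], src_ip, dst_ip) == "permit"

# Constructed sample config reproducing the ACEs shown in the two experiments.
SAMPLE_CONFIG = """
access-list 1 extended deny ip host 14.215.177.39 any
access-list 101 extended permit ip host 14.215.177.39 any
access-list 101 extended permit ip 192.168.10.0 255.255.255.0 any
"""
```

Running is_allowed with an empty bindings dict reproduces the "still cannot ping" state (outside to inside is blocked by the level default), and binding 101 to outside with access-group turns the same packet into a permit.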