ASA5200的NAT旁路访问DMZ区域!
最近开始搞cisco ASA设备,发现在nat的acl中无法使用deny语句实现对dmz区域的访问:
access-list natlist-1 extended deny ip 172.17.0.0 255.255.0.0 172.17.6.0 255.255.255.0
access-list natlist-1 extended permit ip 172.17.0.0 255.255.0.0 any
nat (inside) 1 access-list natlist-1
ciscoasa(config)# nat (inside) 1 access-list natlist-1
ERROR: Deny rules not supported in Policy Nat
?
经过上网搜索和查看8.2版本的ASA文档得知,可以通过nat()0 的方式对访问DMZ区域流量进行旁路规则:
access-list natlist extended permit ip 172.17.0.0 255.255.255.0 any
nat (inside) 1 access-list natlist
access-list exempt extended permit ip any 172.17.6.0 255.255.255.0
nat (inside) 0 access-list exempt
