思科防火墙ASA5505 如何设置两个网段互通？

步骤：

1、创建2个vlan，在进入vlan设置IP，设置inside与outside，在把vlan划分到接口

2、做NAT，允许ping包通过，允许10.49.11.X 能够ping通 10.49.0.X

interface Vlan2\x0d\x0a nameif outside --------------------对端口命名外端口 \x0d\x0a security-level 0 --------------------设置端口等级\x0d\x0a ip address X.X.X.X 255.255.255.224 --------------------调试外网地址\x0d\x0a!\x0d\x0ainterface Vlan3\x0d\x0a nameif inside--------------------对端口命名内端口 \x0d\x0a security-level 100 --------------------调试外网地址\x0d\x0a ip address 192.168.1.1 255.255.255.0 --------------------设置端口等级\x0d\x0a!\x0d\x0ainterface Ethernet0/0\x0d\x0a switchport access vlan 2 --------------------设置端口VLAN与VLAN2绑定\x0d\x0a!\x0d\x0ainterface Ethernet0/1\x0d\x0a switchport access vlan 3 --------------------设置端口VLAN与VLAN3绑定\x0d\x0a!\x0d\x0ainterface Ethernet0/2\x0d\x0a shutdown\x0d\x0a!\x0d\x0ainterface Ethernet0/3\x0d\x0a shutdown\x0d\x0a!\x0d\x0ainterface Ethernet0/4\x0d\x0a shutdown\x0d\x0a!\x0d\x0ainterface Ethernet0/5\x0d\x0a shutdown\x0d\x0a!\x0d\x0ainterface Ethernet0/6\x0d\x0a shutdown\x0d\x0a!\x0d\x0ainterface Ethernet0/7\x0d\x0a shutdown\x0d\x0a!\x0d\x0apasswd 2KFQnbNIdI.2KYOU encrypted\x0d\x0aftp mode passive\x0d\x0adns domain-lookup inside\x0d\x0adns server-group DefaultDNS\x0d\x0a name-server 211.99.129.210\x0d\x0a name-server 202.106.196.115\x0d\x0aaccess-list 102 extended permit icmp any any ------------------设置ACL列表（允许ICMP全部通过）\x0d\x0aaccess-list 102 extended permit ip any any------------------设置ACL列表（允许所有IP全部通过）\x0d\x0apager lines 24\x0d\x0amtu outside 1500 \x0d\x0amtu inside 1500\x0d\x0aicmp unreachable rate-limit 1 burst-size 1\x0d\x0ano asdm history enable\x0d\x0aarp timeout 14400\x0d\x0aglobal (outside) 1 interface ------------------设置NAT地址映射到外网口\x0d\x0anat (inside) 1 0.0.0.0 0.0.0.0------------------NAT地址池（所有地址）\x0d\x0aaccess-group 102 in interface outside ------------------设置ACL列表绑定到外端口\x0d\x0aroute outside 0.0.0.0 0.0.0.0 x.x.x.x 1------------------设置到外网的默认路由\x0d\x0atimeout xlate 3:00:00\x0d\x0atimeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02\x0d\x0atimeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00\x0d\x0atimeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00\x0d\x0atimeout uauth 0:05:00 absolute\x0d\x0ano snmp-server location\x0d\x0ano snmp-server contact\x0d\x0asnmp-server enable traps snmp authentication linkup linkdown coldstart\x0d\x0atelnet 0.0.0.0 0.0.0.0 inside------------------设置TELNET所有地址进入\x0d\x0atelnet timeout 5\x0d\x0assh 0.0.0.0 0.0.0.0 outside ------------------设置SSH所有地址进入\x0d\x0assh timeout 30\x0d\x0assh version 2\x0d\x0aconsole timeout 0 \x0d\x0a!\x0d\x0adhcpd address 192.168.1.100-192.168.1.199 inside ------------------设置DHCP服务器地址池\x0d\x0adhcpd dns 211.99.129.210 202.106.196.115 interface inside ------------------设置DNS服务器到内网端口\x0d\x0adhcpd enable inside------------------设置DHCP应用到内网端口

你不用担心，如果物理端口是access vlan的话，缺省就是VLAn1，如果端口划分到了VLAN1，在查看配置时，缺省命令是不显示的，也就是说你如果把任何一个端口划分到VLAN1，在配置中都不会显示，其他的VLAN则必须明确显示。

可以用show vlan命令查看具体的VLAN归属

---