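The topology is simple.
A single 5510 is configured with two interfaces: one inside interface (10.0.0.0/8) and one dmz interface (20.0.0.0/8). One PC is attached behind each interface, with the addresses 10.0.0.2 and 20.0.0.2. The configuration is as follows:

interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 20.0.0.1 255.0.0.0
interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.0.0.0
nat-control
access-list 100 permit icmp any any
access-group 100 in interface dmz
nat (inside) 1 0 0
global (dmz) 1 20.0.0.10-20.0.0.20 netmask 255.0.0.0

The two commands above allow access from the higher security level to the lower security level.

static (dmz,inside) 10.0.0.10 20.0.0.2
access-list dmz extended permit ip any any
access-group dmz in interface inside

The three commands above allow access from the lower security level to the higher security level.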