CISCO ASA防火墙配置实验

101209553.jpg

实验要求:

分别划分inside(内网),outside(外网),dmz(服务器区)三个区

配置PAT,直接使用outside接口的ip地址进行转换

配置静态NAT,发布内网服务器

启用NAT控制,配置NAT豁免,pc2访问outside区中的主机时,不做NAT转换

配置远程管理ASA,配置telnet,只允许pc2使用telnet接入

配置ssh,允许pc2和outside区ssh接入

在GNS3模拟器上配置如下:

一、接口和路由配置

1)asa配置

ciscoasa>

ciscoasa> en

Password:

ciscoasa# conf t

ciscoasa(config)# int e0/0

ciscoasa(config-if)# ip add 192.168.1.2 255.255.255.0

ciscoasa(config-if)# no sh

ciscoasa(config-if)# nameif inside

INFO: Security level for "inside" set to 100 by default.


ciscoasa(config-if)# int e0/1

ciscoasa(config-if)# ip add 192.168.2.1 255.255.255.0

ciscoasa(config-if)# no sh

ciscoasa(config-if)# nameif dmz

INFO: Security level for "dmz" set to 0 by default.

ciscoasa(config-if)# security-level 50


ciscoasa(config-if)# int e0/2

ciscoasa(config-if)# ip add 200.0.0.1 255.255.255.0

ciscoasa(config-if)# no sh

ciscoasa(config-if)# nameif outside

INFO: Security level for "outside" set to 0 by default.


ciscoasa(config)# enable password asa 设置特权密码

ciscoasa(config)# passwd asa 设置远程连接密码


ciscoasa(config-if)# sh int ip bri

Interface IP-Address OK? Method Status Protocol

Ethernet0/0 192.168.1.2 YES manual up up

Ethernet0/1 192.168.2.1 YES manual up up

Ethernet0/2 200.0.0.1 YES manual up up

Ethernet0/3 unassigned YES unset administratively down up

Ethernet0/4 unassigned YES unset administratively down up

Ethernet0/5 unassigned YES unset administratively down up

ciscoasa(config-if)# sh nameif

Interface Name Security

Ethernet0/0 inside 100

Ethernet0/1 dmz 50

Ethernet0/2 outside 0



ciscoasa(config)# route inside 0 0 192.168.1.1

ciscoasa(config)# route outside 172.16.16.0 255.255.255.0 200.0.0.2

ciscoasa(config)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route


Gateway of last resort is 192.168.1.1 to network 0.0.0.0


C 200.0.0.0 255.255.255.0 is directly connected, outside

S 172.16.16.0 255.255.255.0 [1/0] via 200.0.0.2, outside

C 192.168.1.0 255.255.255.0 is directly connected, inside

C 192.168.2.0 255.255.255.0 is directly connected, dmz

S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, inside



2)R3配置

R3>en

R3#

R3#conf t

R3(config)#int f0/0

R3(config-if)#ip add 10.0.0.1 255.255.255.0

R3(config-if)#no sh


R3(config-if)#int f1/0

R3(config-if)#ip add 10.1.1.1 255.255.255.0

R3(config-if)#no sh


R3(config-if)#int f2/0

R3(config-if)#ip add 192.168.1.1 255.255.255.0

R3(config-if)#no sh


R3(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.2

R3(config)#end

R3#sh ip int bri

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 10.0.0.1 YES manual up up

FastEthernet1/0 10.1.1.1 YES manual up up

FastEthernet2/0 192.168.1.1 YES manual up up


3)ISP配置


ISP(config)#int f0/0

ISP(config-if)#ip add 200.0.0.2 255.255.255.0

ISP(config-if)#no sh

ISP(config)#int f1/0

ISP(config-if)#ip add 172.16.16.1 255.255.255.0

ISP(config-if)#no sh

ISP(config)#ip route 0.0.0.0 0.0.0.0 200.0.0.1


4)pc配置


pc1(config)#int f0/0

pc1(config-if)#ip add 10.0.0.2 255.255.255.0

pc1(config-if)#no sh

pc1(config)#ip route 0.0.0.0 0.0.0.0 10.0.0.1 (在模拟器上有路由模拟的pc,这条是配置网关)


pc2(config)#int f0/0

pc2(config-if)#ip add 10.1.1.2 255.255.255.0

pc2(config-if)#no sh

pc2(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.1


pc3(config)#int f0/0

pc3(config-if)#ip add 172.16.16.2 255.255.255.0

pc3(config-if)#no sh

pc3(config)#ip route 0.0.0.0 0.0.0.0 172.16.16.1


server(config)#int f0/0

server(config-if)#ip add 192.168.2.2 255.255.255.0

server(config-if)#no sh

server(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.1


二、动态PAT配置

直接使用outside接口的ip地址进行转换

ciscoasa(config)# nat-control 启用NAT控制

ciscoasa(config)# nat (inside) 1 10.0.0.0 255.255.255.0 需要进行转换的网段

ciscoasa(config)# global (outside) 1 interface

或者

nat(inside)1 10.0.0.0 255.255.255.0

global(outside)1 200.0.0.1

这时pc2访问那台主机都已不行,因为启用NAT控制,pc2发起连接不匹配NAT规则,所以禁止出站。

pc2#telnet 172.16.16.2

Trying 172.16.16.2 ...

% Connection refused by remote host

配置豁免

ciscoasa(config)# nat (inside) 0 10.1.1.2 255.255.255.255

WARNING: IP address <10.1.1.2> and netmask <255.255.255.255> inconsistent

nat 0 10.1.1.0 will be identity translated for outbound

或者

asa(config)#access-list nonat permit ip host10.1.1.2 host 172.16.16.2

asa(config)nat (inside) 0 access-list nonat


pc2#telnet 172.16.16.2

Trying 172.16.16.2 ... Open



User Access Verification


Username:

这样就绕过了NAT规则。


ciscoasa(config)# sh xlate detail

2 in use, 3 most used

Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,

r - portmap, s - static

TCP PAT from inside:10.0.0.2/11004 to outside:200.0.0.1/1024 flags ri



三,静态NAT(发布DMZ区的服务器)一对一的固定转换

ciscoasa(config)# static (dmz,outside) 200.0.0.5 192.168.2.2

ciscoasa(config)#access-list out_to_dmz permit ip host 172.16.16.2 host 200.0.0.5

ciscoasa(config)# access-group out_to_dmz in int outside

注意:acl配置命令中的目的地址应配置为映射地址200.0.0.5,而不是192.168.2.2


server(config)#ip http server 启动http


pc3#telnet 200.0.0.5 80

Trying 200.0.0.5, 80 ... Open


ciscoasa(config)# sh xlate detail 查看NAT转换表

3 in use, 3 most used

Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,

r - portmap, s - static

NAT from dmz:192.168.2.2 to outside:200.0.0.5 flags s


四,远程管理ASA

1)配置允许telnet接入

ciscoasa(config)# username lijun password 123456

ciscoasa(config)# aaa authentication telnet console LOCAL

ciscoasa(config)# telnet 10.1.1.2 255.255.255.255 inside

只有pc2能telnet ASA防火墙


pc2#telnet 192.168.1.2

Trying 192.168.1.2 ... Open



User Access Verification


Username: lijun

Password: ******

Type help or '?' for a list of available commands.

ciscoasa>


pc1#telnet 192.168.1.2

Trying 192.168.1.2 ...

% Connection timed out; remote host not responding

pc1 是不能连接


2)配置ssh接入


ciscoasa(config)# host asa 配置主机名

asa(config)# username lihao password 123456

asa(config)# aaa authentication ssh console LOCAL

asa(config)# domain-name benet.com 配置域名

asa(config)# crypto key generate rsa modulus 1024 生成RSA密钥对

INFO: The name for the keys will be: <Default-RSA-Key>

Keypair generation process begin. Please wait...

asa(config)# ssh 10.1.1.2 255.255.255.255 inside 允许pc2 连接防火墙

asa(config)# ssh 0 0 outside 允许外部连接ASA 防火墙


pc2#SSH -L lihao 192.168.1.2


Password:

Type help or '?' for a list of available commands.

asa>


内部只有pc2可以使用ssh接入,外部任何主机

pc3#ssh -l lihao 200.0.0.1


Password:

Type help or '?' for a list of available commands.

asa>

(额外补充)端口映射命令

static (dmz,outside) tcp 200.0.0.5 80 192.168.2.2 80

access-list out_to_dmz permit ip host 172.16.2.2 host 200.0.0.5

access-group out_to_dmz in int outside


五,查询命令

sh nameif 查询区域

sh int ip bri 查询ip配置

sh ssh 查看ssh配置信息

sh crypto key mypubkey rsa 查看产生的rsa密钥值

crypto key zeroize

asa(config)# capture telnet interface outside 抓包排错

ASA(config)# no capture telnet 关闭抓包

asa(config)# sh capture ssh

119 packets captured

1: 02:36:50.108057 172.16.16.2.11005 > 200.0.0.1.22: P 710551790:710551842(52) ack 856118752 win 3644

2: 02:36:50.108057 200.0.0.1.22 > 172.16.16.2.11005: . ack 710551842 win 8192

3: 02:36:50.108041 200.0.0.1.22 > 172.16.16.2.11005: P 856118752:856118804(52) ack 710551842 win 8192

4: 02:36:50.139809 172.16.16.2.11005 > 200.0.0.1.22: . ack 856118804 win 4128

5: 02:36:51.418099 172.16.16.2.11005 > 200.0.0.1.22: P 710551842:710551894(52) ack 856118804 win 4128

6: 02:36:51.418099 200.0.0.1.22 > 172.16.16.2.11005: . ack 710551894 win 8192

7: 02:36:51.418099 200.0.0.1.22 > 172.16.16.2.11005: P 856118804:856118856(52) ack 710551894 win 8192

8: 02:36:51.680583 172.16.16.2.11005 > 200.0.0.1.22: . ack 856118856 win 4076

9: 02:36:52.698755 172.16.16.2.11005 > 200.0.0.1.22: P 710551894:710551946(52) ack 856118856 win 4076

10: 02:36:52.698755 200.0.0.1.22 > 172.16.16.2.11005: . ack 710551946 win 8192


你可能感兴趣的:(Cisco,ASA防火墙)