Network topology:
Lab environment: PIX firewall interface E0 is defined as the inside zone (security-level 100) and connects to LAN-Router F0/0; E1 is the outside zone (security-level 0) and connects to WAN-Router F0/0; E2 (Ethernet2 in the running config below) is the dmz zone (security-level 50) and connects to DMZ-Router F0/0. This is not a real environment; it is emulated with Dynamips + Pemu, so some bugs are unavoidable.
Lab goal: allow access from a lower-security zone to a higher-security zone, i.e. WAN-Router and DMZ-Router should each be able to ping and telnet to the mapped address of LAN-Router's F0/0 IP (192.168.2.2).
Configuration steps (assuming the interface IPs are already configured):
1. Routing
PC: route add 192.168.2.0 mask 255.255.255.0 192.168.1.115 -p
route add 172.16.8.0 mask 255.255.255.0 192.168.1.115 -p
route add 10.0.0.0 mask 255.255.255.0 192.168.1.115 -p
LAN-Router: ip route 0.0.0.0 0.0.0.0 192.168.2.1
PIX: route inside 192.168.1.0 255.255.255.0 192.168.2.2
WAN-Router: ip route 0.0.0.0 0.0.0.0 172.16.8.1
DMZ-Router: ip route 0.0.0.0 0.0.0.0 10.0.0.1
2. Static IP mapping (one-to-one NAT), configured on the PIX
static (inside,dmz) 192.168.3.168 192.168.2.2 netmask 255.255.255.255   # hosts in dmz reach inside host 192.168.2.2 through its dmz-side mapped address 192.168.3.168
static (inside,outside) 192.168.3.188 192.168.2.2 netmask 255.255.255.255   # hosts in outside reach inside host 192.168.2.2 through its outside-side mapped address 192.168.3.188
Note: the mapped addresses 192.168.3.168 and 192.168.3.188 are on neither the dmz subnet (10.0.0.0/24) nor the outside subnet (172.16.8.0/24). They are reachable only because DMZ-Router and WAN-Router have default routes pointing at the PIX, so no proxy ARP is involved. A mapped address taken from the connected subnet would also work; in that case the PIX answers ARP for it.
3. Access lists
access-list dmz_inbound extended permit icmp host 10.0.0.8 host 192.168.3.168   # allow ping
access-list dmz_inbound extended permit tcp host 10.0.0.8 host 192.168.3.168 eq telnet   # allow telnet
access-list outside_inbound extended permit icmp host 172.16.8.10 host 192.168.3.188   # allow ping
access-list outside_inbound extended permit tcp host 172.16.8.10 host 192.168.3.188 eq telnet   # allow telnet
Note: on PIX 8.0 (pre-8.3 NAT) the ACL on the lower-security interface must name the mapped address (192.168.3.168 / 192.168.3.188), not the real address 192.168.2.2, because the ACL is evaluated before the static untranslates the destination. `permit icmp` with no type allows every ICMP type; if only ping is needed, `permit icmp ... echo` is tighter.
4. Apply the access lists inbound on the interfaces
access-group dmz_inbound in interface dmz
access-group outside_inbound in interface outside
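The conditions in steps 2 to 4 (a static exists, an access-group is bound inbound on the static's mapped-side interface, the ACL names the mapped rather than the real address, and the ICMP entry is not wider than needed) can be checked mechanically against a saved `show run`. The following Python script is an added example, not part of the original lab: it parses only the interface, static, access-group and `host ... host ...` ACL lines used on this page, takes the page's own config as constructed sample input, and also checks a deliberately broken copy whose dmz ACL names the real inside address.

```python
import re
from collections import defaultdict

# Constructed sample input: the NAT-relevant lines of the page's PIX 8.0(2) running config.
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif inside
 security-level 100
interface Ethernet1
 nameif outside
 security-level 0
interface Ethernet2
 nameif dmz
 security-level 50
access-list dmz_inbound extended permit icmp host 10.0.0.8 host 192.168.3.168 log
access-list dmz_inbound extended permit tcp host 10.0.0.8 host 192.168.3.168 eq telnet log
access-list outside_inbound extended permit icmp host 172.16.8.10 host 192.168.3.188
access-list outside_inbound extended permit tcp host 172.16.8.10 host 192.168.3.188 eq telnet
static (inside,dmz) 192.168.3.168 192.168.2.2 netmask 255.255.255.255
static (inside,outside) 192.168.3.188 192.168.2.2 netmask 255.255.255.255
access-group outside_inbound in interface outside
access-group dmz_inbound in interface dmz
"""

# Constructed broken variant: the dmz ACL names the real inside address instead of the
# mapped one, which on pre-8.3 code means the ACL never matches the inbound packets.
BAD_CONFIG = SAMPLE_CONFIG.replace("host 192.168.3.168", "host 192.168.2.2")

STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
ACG_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def parse_pix(config):
    """Extract security levels, statics, access-groups and host/host ACL entries."""
    cfg = {"levels": {}, "statics": [], "acls": defaultdict(list), "groups": {}}
    cur_if = None
    for raw in config.splitlines():
        line = raw.strip()
        toks = line.split()
        if line.startswith("nameif "):
            cur_if = toks[1]
        elif line.startswith("security-level ") and cur_if:
            cfg["levels"][cur_if] = int(toks[1])
        elif STATIC_RE.match(line):
            real_if, mapped_if, mapped_ip, real_ip, mask = STATIC_RE.match(line).groups()
            cfg["statics"].append({"real_if": real_if, "mapped_if": mapped_if,
                                   "mapped": mapped_ip, "real": real_ip, "mask": mask})
        elif ACG_RE.match(line):
            acl, iface = ACG_RE.match(line).groups()
            cfg["groups"][iface] = acl
        elif (len(toks) >= 9 and toks[0] == "access-list" and toks[2] == "extended"
              and toks[5] == "host" and toks[7] == "host"):
            rest = toks[9:]   # optional "eq PORT", an ICMP type, and/or "log"
            entry = {"action": toks[3], "proto": toks[4], "src": toks[6], "dst": toks[8],
                     "port": None, "icmp_type": None}
            if len(rest) >= 2 and rest[0] == "eq":
                entry["port"] = rest[1]
            elif entry["proto"] == "icmp" and rest and rest[0] != "log":
                entry["icmp_type"] = rest[0]
            cfg["acls"][toks[1]].append(entry)
    return cfg


def check_low_to_high(config):
    """Return a list of findings for low-to-high access via static + ACL (empty means clean)."""
    cfg = parse_pix(config)
    findings = []
    mapped_on_if = defaultdict(dict)          # interface -> {mapped ip: real ip}
    real_ips = {s["real"] for s in cfg["statics"]}
    for s in cfg["statics"]:
        lo, hi = cfg["levels"].get(s["mapped_if"]), cfg["levels"].get(s["real_if"])
        if lo is None or hi is None:
            findings.append("static %s: unknown interface in (%s,%s)" % (s["mapped"], s["real_if"], s["mapped_if"]))
            continue
        if lo >= hi:
            findings.append("static %s: mapped side %s (%d) is not lower than %s (%d)"
                            % (s["mapped"], s["mapped_if"], lo, s["real_if"], hi))
        mapped_on_if[s["mapped_if"]][s["mapped"]] = s["real"]
        if s["mapped_if"] not in cfg["groups"]:
            findings.append("static %s: no access-group inbound on %s; low-to-high traffic is dropped"
                            % (s["mapped"], s["mapped_if"]))
    for iface, acl_name in cfg["groups"].items():
        for e in cfg["acls"].get(acl_name, []):
            if e["action"] != "permit":
                continue
            if e["dst"] in mapped_on_if.get(iface, {}):
                pass
            elif e["dst"] in real_ips:
                findings.append("%s: destination %s is a real (inside) address; pre-8.3 ACLs must name the mapped address"
                                % (acl_name, e["dst"]))
            else:
                findings.append("%s: destination %s has no static on %s; nothing untranslates it"
                                % (acl_name, e["dst"], iface))
            if e["proto"] == "icmp" and e["icmp_type"] is None:
                findings.append("%s: icmp from %s permits every ICMP type; restrict to echo"
                                % (acl_name, e["src"]))
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("page config", SAMPLE_CONFIG), ("broken config", BAD_CONFIG)):
        print(label)
        for f in check_low_to_high(cfg_text) or ["  (no findings)"]:
            print("  " + f)
```

On the page's config the only findings are the two over-broad ICMP entries; on the broken copy the checker additionally reports both dmz_inbound entries as naming the real address, which is exactly the mistake that makes the lab fail silently.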
5. Test
From DMZ-Router, ping and then telnet to 192.168.3.168:
DMZ#ping 192.168.3.168
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.168, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 232/281/316 ms
DMZ#telnet 192.168.3.168
Trying 192.168.3.168 ... Open
User Access Verification
Password:
LAN>
The following is the output seen on the PIX with `debug icmp trace` enabled (the debug lines appear at the config prompt):
PIX802(config)#
ICMP echo request from dmz:10.0.0.8 to inside:192.168.3.168 ID=127 seq=1292 len=72
ICMP echo request untranslating dmz:192.168.3.168 to inside:192.168.2.2
ICMP echo reply from inside:192.168.2.2 to dmz:10.0.0.8 ID=127 seq=1292 len=72
ICMP echo reply translating inside:192.168.2.2 to dmz:192.168.3.168
ICMP echo request from dmz:10.0.0.8 to inside:192.168.3.168 ID=128 seq=1292 len=72
ICMP echo request untranslating dmz:192.168.3.168 to inside:192.168.2.2
ICMP echo reply from inside:192.168.2.2 to dmz:10.0.0.8 ID=128 seq=1292 len=72
ICMP echo reply translating inside:192.168.2.2 to dmz:192.168.3.168
ICMP echo request from dmz:10.0.0.8 to inside:192.168.3.168 ID=129 seq=1292 len=72
ICMP echo request untranslating dmz:192.168.3.168 to inside:192.168.2.2
ICMP echo reply from inside:192.168.2.2 to dmz:10.0.0.8 ID=129 seq=1292 len=72
ICMP echo reply translating inside:192.168.2.2 to dmz:192.168.3.168
ICMP echo request from dmz:10.0.0.8 to inside:192.168.3.168 ID=130 seq=1292 len=72
ICMP echo request untranslating dmz:192.168.3.168 to inside:192.168.2.2
ICMP echo reply from inside:192.168.2.2 to dmz:10.0.0.8 ID=130 seq=1292 len=72
ICMP echo reply translating inside:192.168.2.2 to dmz:192.168.3.168
ICMP echo request from dmz:10.0.0.8 to inside:192.168.3.168 ID=131 seq=1292 len=72
ICMP echo request untranslating dmz:192.168.3.168 to inside:192.168.2.2
ICMP echo reply from inside:192.168.2.2 to dmz:10.0.0.8 ID=131 seq=1292 len=72
ICMP echo reply translating inside:192.168.2.2 to dmz:192.168.3.168
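The trace shows both halves of one static at work: on the way in the PIX untranslates the dmz-side mapped address 192.168.3.168 to the real address 192.168.2.2, and on the way back it translates the real source address to the mapped one again. The following Python script is an added example, not part of the original lab: it pairs each echo request with its reply by ID and sequence number, records the mapped-to-real relation from the untranslating lines, and verifies that every reply comes from the real address and is translated back consistently. Its input is a constructed sample made from the page's trace plus one extra request (ID=132) that never receives a reply, to show how an unanswered probe is reported.

```python
import re

# Constructed sample: the first two echo exchanges from the page's trace plus an
# unanswered request (ID=132) added to exercise the failure path.
SAMPLE_TRACE = """\
ICMP echo request from dmz:10.0.0.8 to inside:192.168.3.168 ID=127 seq=1292 len=72
ICMP echo request untranslating dmz:192.168.3.168 to inside:192.168.2.2
ICMP echo reply from inside:192.168.2.2 to dmz:10.0.0.8 ID=127 seq=1292 len=72
ICMP echo reply translating inside:192.168.2.2 to dmz:192.168.3.168
ICMP echo request from dmz:10.0.0.8 to inside:192.168.3.168 ID=128 seq=1292 len=72
ICMP echo request untranslating dmz:192.168.3.168 to inside:192.168.2.2
ICMP echo reply from inside:192.168.2.2 to dmz:10.0.0.8 ID=128 seq=1292 len=72
ICMP echo reply translating inside:192.168.2.2 to dmz:192.168.3.168
ICMP echo request from dmz:10.0.0.8 to inside:192.168.3.168 ID=132 seq=1292 len=72
ICMP echo request untranslating dmz:192.168.3.168 to inside:192.168.2.2
"""

PKT_RE = re.compile(r"ICMP echo (request|reply) from (\w+):(\S+) to (\w+):(\S+) ID=(\d+) seq=(\d+)")
XLATE_RE = re.compile(r"ICMP echo (request|reply) (untranslating|translating) (\w+):(\S+) to (\w+):(\S+)")


def verify_trace(text):
    """Pair requests with replies and check that the xlate lines agree with one static.

    Returns {"xlates": {(low_if, mapped): real}, "answered": [...], "unanswered": [...], "errors": [...]}.
    """
    result = {"xlates": {}, "answered": [], "unanswered": [], "errors": []}
    pending = {}        # (ID, seq) -> mapped destination of an outstanding request
    last_pkt = None     # most recent packet line, used to check the xlate line that follows it
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if m:
            kind, sif, src, dif, dst, pid, seq = m.groups()
            key = (int(pid), int(seq))
            last_pkt = (kind, sif, src, dif, dst, key)
            if kind == "request":
                pending[key] = dst
            elif key in pending:
                result["answered"].append(key)
                mapped = pending.pop(key)
                # the reply must originate from the real address the request was untranslated to
                real = result["xlates"].get((dif, mapped))
                if real != src:
                    result["errors"].append("reply %s from %s, expected real address %s" % (key, src, real))
            else:
                result["errors"].append("reply %s without a matching request" % (key,))
            continue
        m = XLATE_RE.search(line)
        if m and last_pkt:
            kind, op, a_if, a_ip, b_if, b_ip = m.groups()
            if op == "untranslating":      # inbound on the low side: mapped -> real
                result["xlates"][(a_if, a_ip)] = b_ip
                if last_pkt[4] != a_ip:
                    result["errors"].append("untranslate of %s does not match request dst %s" % (a_ip, last_pkt[4]))
            else:                          # reply leaving toward the low side: real -> mapped
                if result["xlates"].get((b_if, b_ip)) != a_ip:
                    result["errors"].append("translate %s->%s disagrees with the recorded static" % (a_ip, b_ip))
    result["unanswered"] = sorted(pending)
    return result


if __name__ == "__main__":
    r = verify_trace(SAMPLE_TRACE)
    print("static seen:", r["xlates"])
    print("answered:", r["answered"], "unanswered:", r["unanswered"])
    print("errors:", r["errors"])
```

A request that is untranslated but never answered, as with ID=132 here, points past the PIX: the ACL and the static did their job, so the next thing to check is the route back from the inside host to the dmz or outside source.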
6. PIX configuration
PIX802# sh run
: Saved
:
PIX Version 8.0(2)
!
hostname PIX802
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet1
nameif outside
security-level 0
ip address 172.16.8.1 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 50
ip address 10.0.0.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list dmz_inbound extended permit icmp host 10.0.0.8 host 192.168.3.168 log
access-list dmz_inbound extended permit tcp host 10.0.0.8 host 192.168.3.168 eq telnet log
access-list outside_inbound extended permit icmp host 172.16.8.10 host 192.168.3.188
access-list outside_inbound extended permit tcp host 172.16.8.10 host 192.168.3.188 eq telnet
pager lines 24
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
static (inside,dmz) 192.168.3.168 192.168.2.2 netmask 255.255.255.255
static (inside,outside) 192.168.3.188 192.168.2.2 netmask 255.255.255.255
access-group outside_inbound in interface outside
access-group dmz_inbound in interface dmz
route inside 192.168.1.0 255.255.255.0 192.168.2.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
Summary:
1. For traffic from a lower-security zone to a higher-security zone, working routing alone is not enough; the PIX drops such traffic by default.
2. That traffic succeeds only when routing works and, in addition, a static mapping and an access-list applied inbound on the lower-security interface are both configured correctly (the ACL naming the mapped address).
3. Routing is the foundation; beyond it, low-to-high access depends only on static and access-list/access-group. nat/global define dynamic translation for high-to-low (inside-initiated) traffic and play no part here.