
Lab 8 (Part 1): Configuring NAT and ACLs on the ASA


Lab topology

Lab requirements

1. Configure PAT so that hosts in the inside zone can reach the Internet

2. Configure static address translation so that the DMZ host 172.16.2.1 is translated to 202.100.0.102

3. Configure identity NAT so that 172.16.100.2 uses its own IP address when accessing inside

4. Configure an ACL so that hosts in the DMZ zone may send only ICMP and Telnet traffic toward the inside zone

5. Configure an ACL so that the inside host 192.168.1.1 may not reach any other address and can only communicate within its own zone

Lab steps

Step 2

Configure the interface IP addresses on the ASA and the routers according to the device table

R1(config)#interface fastEthernet 0/0

R1(config-if)#ip address 192.168.100.1 255.255.255.0

R1(config-if)#no shutdown

R1(config-if)#exit

R1(config)#interface loopback 0

R1(config-if)#ip address 192.168.1.1 255.255.255.0

R1(config-if)#exit

R2(config)#interface fastEthernet 0/0

R2(config-if)#ip address 172.16.100.2 255.255.255.0

R2(config-if)#no shutdown

R2(config-if)#exit

R2(config)#interface loopback 0

R2(config-if)#ip address 172.16.2.1 255.255.255.0

R2(config-if)#exit

R3(config)#interface fastEthernet 0/0

R3(config-if)#ip address 202.100.0.3 255.255.255.0

R3(config-if)#no shutdown

R3(config-if)#exit

R3(config)#interface loopback 0

R3(config-if)#ip address 123.123.123.123 255.255.255.0

R3(config-if)#exit

ciscoasa(config)# interface ethernet 0/0

ciscoasa(config-if)# nameif inside

INFO: Security level for "inside" set to 100 by default.

ciscoasa(config-if)# ip address 192.168.100.100 255.255.255.0

ciscoasa(config-if)# no shutdown

ciscoasa(config-if)# exit

ciscoasa(config)# interface ethernet 0/1

ciscoasa(config-if)# nameif DMZ

INFO: Security level for "DMZ" set to 0 by default.

ciscoasa(config-if)# security-level 50

ciscoasa(config-if)# ip address 172.16.100.100 255.255.255.0

ciscoasa(config-if)# no shutdown

ciscoasa(config-if)# exit

ciscoasa(config)# interface ethernet 0/2

ciscoasa(config-if)# nameif outside

INFO: Security level for "outside" set to 0 by default.

ciscoasa(config-if)# ip address 202.100.0.100 255.255.255.0

ciscoasa(config-if)# no shutdown

ciscoasa(config-if)# exit

Test connectivity:

ciscoasa(config)# ping 192.168.100.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.100.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

ciscoasa(config)# ping 172.16.100.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.100.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

ciscoasa(config)# ping 202.100.0.3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 202.100.0.3, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Step 3

Configure routing so that every device can forward the relevant packets

R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.100.100 // send all traffic for unknown destinations to the ASA

R2(config)#ip route 0.0.0.0 0.0.0.0 172.16.100.100 // send all traffic for unknown destinations to the ASA

ciscoasa(config)# route outside 0 0 202.100.0.3 // the ASA is the enterprise gateway; its default route points to the Internet

Configure OSPF to provide connectivity within the internal network

R1(config)#router ospf 1

R1(config-router)#router-id 1.1.1.1

R1(config-router)#network 192.168.100.1 0.0.0.0 area 100

R1(config-router)#network 192.168.1.1 0.0.0.0 area 100

R1(config-router)#exit

R2(config)#router ospf 1

R2(config-router)#router-id 2.2.2.2

R2(config-router)#network 172.16.100.2 0.0.0.0 area 100

R2(config-router)#network 172.16.2.1 0.0.0.0 area 100

R2(config-router)#exit

ciscoasa(config)# router ospf 1

ciscoasa(config-router)# router-id 100.100.100.100

ciscoasa(config-router)# network 192.168.100.100 255.255.255.255 area 100

ciscoasa(config-router)# network 172.16.100.100 255.255.255.255 area 100

ciscoasa(config-router)# exit

Step 4

Configure PAT so that hosts in the inside zone can reach the Internet

Before configuring PAT, first permit ICMP traffic in the MPF (Modular Policy Framework), so that echo replies are allowed back through the firewall

ciscoasa(config)# policy-map global_policy

ciscoasa(config-pmap)# class inspection_default

(the class-map inspection_default is defined as: match default-inspection-traffic)

ciscoasa(config-pmap-c)# inspect icmp

ciscoasa(config-pmap-c)# exit

ciscoasa(config-pmap)# exit

Configure PAT

ciscoasa(config)# nat (inside) 1 192.168.0.0 255.255.0.0

ciscoasa(config)# global (outside) 1 interface

INFO: outside interface address added to PAT pool

ciscoasa(config)#

Test:

R1#ping 123.123.123.123

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 123.123.123.123, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

View the NAT translation table

ciscoasa(config)# show xlate

1 in use, 2 most used

PAT Global 202.100.0.100(8) Local 192.168.100.1 ICMP id 11

Step 5

Configure static address translation so that the DMZ host 172.16.2.1 is translated to 202.100.0.102

ciscoasa(config)# static (DMZ,outside) 202.100.0.102 172.16.2.1

Test:

R2#ping 123.123.123.123 source 172.16.2.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 123.123.123.123, timeout is 2 seconds:

Packet sent with a source address of 172.16.2.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R3#debug ip icmp

ICMP packet debugging is on

R3#

*Mar 1 01:09:38.391: ICMP: echo reply sent, src 123.123.123.123, dst 202.100.0.102

*Mar 1 01:09:40.387: ICMP: echo reply sent, src 123.123.123.123, dst 202.100.0.102

*Mar 1 01:09:40.391: ICMP: echo reply sent, src 123.123.123.123, dst 202.100.0.102

*Mar 1 01:09:40.395: ICMP: echo reply sent, src 123.123.123.123, dst 202.100.0.102

*Mar 1 01:09:40.399: ICMP: echo reply sent, src 123.123.123.123, dst 202.100.0.102

*Mar 1 01:10:52.263: ICMP: echo reply sent, src 123.123.123.123, dst 202.100.0.102

Step 6

Configure identity NAT so that 192.168.1.1 uses its own IP address when accessing outside

R1#ping 123.123.123.123 source 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 123.123.123.123, timeout is 2 seconds:

Packet sent with a source address of 192.168.1.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

R3#

*Mar 1 02:33:28.955: ICMP: echo reply sent, src 123.123.123.123, dst 202.100.0.100

*Mar 1 02:33:28.959: ICMP: echo reply sent, src 123.123.123.123, dst 202.100.0.100

*Mar 1 02:33:28.963: ICMP: echo reply sent, src 123.123.123.123, dst 202.100.0.100

*Mar 1 02:33:28.967: ICMP: echo reply sent, src 123.123.123.123, dst 202.100.0.100

*Mar 1 02:33:28.971: ICMP: echo reply sent, src 123.123.123.123, dst 202.100.0.100

// At this point, when 192.168.1.1 pings 123.123.123.123, R3 sees the translated address as the source

Configure identity NAT

ciscoasa(config)# nat (inside) 0 192.168.1.1 255.255.255.255

nat 0 192.168.1.1 will be identity translated for outbound

ciscoasa(config)#

Test

R1#ping 123.123.123.123 source 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 123.123.123.123, timeout is 2 seconds:

Packet sent with a source address of 192.168.1.1

.....

Success rate is 0 percent (0/5)

// 123.123.123.123 can no longer be pinged

R3# // With debug enabled on R3, we can see that 192.168.1.1 was not translated

*Mar 1 02:35:50.639: ICMP: echo reply sent, src 123.123.123.123, dst 192.168.1.1

*Mar 1 02:35:52.635: ICMP: echo reply sent, src 123.123.123.123, dst 192.168.1.1

*Mar 1 02:35:54.635: ICMP: echo reply sent, src 123.123.123.123, dst 192.168.1.1

*Mar 1 02:35:56.635: ICMP: echo reply sent, src 123.123.123.123, dst 192.168.1.1

*Mar 1 02:35:58.635: ICMP: echo reply sent, src 123.123.123.123, dst 192.168.1.1

Now think about why the ping no longer gets through.

Check R3's routing table

R3#show ip route

Gateway of last resort is not set

C 202.100.0.0/24 is directly connected, FastEthernet0/0

123.0.0.0/24 is subnetted, 1 subnets

C 123.123.123.0 is directly connected, Loopback0

// There is no route to 192.168.1.1: it is a private address and cannot be routed on the public Internet, so R3 has nowhere to send the echo replies. In this lab environment we can add a static route to 192.168.1.1 manually.

R3(config)#ip route 192.168.1.1 255.255.255.255 202.100.0.100

R1#ping 123.123.123.123 source 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 123.123.123.123, timeout is 2 seconds:

Packet sent with a source address of 192.168.1.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
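The three NAT steps above (dynamic PAT in step 4, static NAT in step 5, identity NAT and its missing return route in step 6) can be walked through in a small model. The following Python is an added example written for this page, not Cisco code and not the lab's own configuration. It assumes a simplified evaluation order (static translations first, then the most specific matching `nat` rule, where id 0 is identity NAT) and allocates its own PAT ids, so those ids differ from the real `show xlate` output; the addresses are the lab's.

```python
"""Simplified model of the lab ASA's NAT lookup (pre-8.3 'nat'/'global'/'static'
syntax) and of R3's return-route check. Constructed example, not Cisco code;
the addresses are the lab's, the allocated PAT ids are this model's own."""
import ipaddress
from typing import Dict, List, Optional, Tuple

OUTSIDE_IF_ADDR = "202.100.0.100"  # 'global (outside) 1 interface' PATs to this address

Translation = Tuple[str, int, str]  # (mapped ip, mapped port/icmp id, rule kind)


class Asa:
    """Evaluation order used here (a simplification of the real ASA order):
    static translations first, then the most specific matching 'nat' rule,
    where nat id 0 is identity NAT and any other id is dynamic PAT."""

    def __init__(self) -> None:
        self.statics: List[Tuple[str, str, str, str]] = []   # (real_if, mapped_if, mapped, real)
        self.nat_rules: List[Tuple[str, ipaddress.IPv4Network, int]] = []
        self.globals: Dict[Tuple[str, int], str] = {}        # (mapped_if, nat_id) -> pool address
        self.xlate: Dict[Tuple[str, int], Tuple[str, int]] = {}  # (local ip, id) -> (global ip, id)
        self._next_id = 1

    def static(self, real_if: str, mapped_if: str, mapped: str, real: str) -> None:
        self.statics.append((real_if, mapped_if, mapped, real))

    def nat(self, real_if: str, network: str, nat_id: int) -> None:
        self.nat_rules.append((real_if, ipaddress.ip_network(network), nat_id))

    def global_(self, mapped_if: str, nat_id: int, address: str) -> None:
        self.globals[(mapped_if, nat_id)] = address

    def translate(self, real_if: str, mapped_if: str, src_ip: str, src_id: int) -> Optional[Translation]:
        ip = ipaddress.ip_address(src_ip)
        for r_if, m_if, mapped, real in self.statics:
            if (r_if, m_if) == (real_if, mapped_if) and src_ip == real:
                return mapped, src_id, "static"
        matches = [(net, nid) for r_if, net, nid in self.nat_rules if r_if == real_if and ip in net]
        if not matches:
            return None  # no NAT rule matched
        net, nat_id = max(matches, key=lambda m: m[0].prefixlen)  # most specific rule wins
        if nat_id == 0:
            return src_ip, src_id, "identity"  # packet leaves with its real address
        pool = self.globals.get((mapped_if, nat_id))
        if pool is None:
            return None  # 'nat' without a matching 'global' on the egress interface
        key = (src_ip, src_id)
        if key not in self.xlate:  # one entry per local (ip, port/id), as in 'show xlate'
            self.xlate[key] = (pool, self._next_id)
            self._next_id += 1
        g_ip, g_id = self.xlate[key]
        return g_ip, g_id, "pat"


def route_lookup(routes: List[Tuple[ipaddress.IPv4Network, str]], dst: str) -> Optional[str]:
    """Longest-prefix match; None when no route exists and there is no gateway
    of last resort, which is R3's situation for 192.168.1.1 in step 6."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, via in routes:
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, via)
    return best[1] if best else None


def lab_walkthrough() -> dict:
    asa = Asa()
    asa.nat("inside", "192.168.0.0/16", 1)                       # step 4
    asa.global_("outside", 1, OUTSIDE_IF_ADDR)
    asa.static("DMZ", "outside", "202.100.0.102", "172.16.2.1")  # step 5
    out = {}
    out["step4_pat"] = asa.translate("inside", "outside", "192.168.100.1", 11)
    out["step5_static"] = asa.translate("DMZ", "outside", "172.16.2.1", 5)
    out["step6_before"] = asa.translate("inside", "outside", "192.168.1.1", 7)
    asa.nat("inside", "192.168.1.1/32", 0)                        # step 6: nat (inside) 0 ...
    out["step6_after"] = asa.translate("inside", "outside", "192.168.1.1", 8)
    # R3's table from 'show ip route': two connected routes, no default route
    r3 = [(ipaddress.ip_network("202.100.0.0/24"), "FastEthernet0/0"),
          (ipaddress.ip_network("123.123.123.0/24"), "Loopback0")]
    out["reply_to_pat_addr"] = route_lookup(r3, out["step6_before"][0])
    out["reply_to_real_addr"] = route_lookup(r3, out["step6_after"][0])
    r3.append((ipaddress.ip_network("192.168.1.1/32"), "202.100.0.100"))  # the lab's static route
    out["reply_after_static_route"] = route_lookup(r3, "192.168.1.1")
    return out


if __name__ == "__main__":
    for name, value in lab_walkthrough().items():
        print(f"{name:26} {value}")
```

Run as a script, the walkthrough shows why step 6 broke: the more specific `nat 0` rule beats the `/16` PAT rule, the packet leaves as 192.168.1.1, and R3's lookup for that address returns nothing until the host route is added.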

Step 7

Configure an ACL so that hosts in the DMZ zone may send only ICMP and Telnet traffic toward the inside zone. Delete the NAT configured earlier to avoid interference.

Before configuring, test first

R2#ping 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

Check the log on the ASA

ciscoasa(config)# show logging

Syslog logging: enabled

Facility: 20

Timestamp logging: enabled

Standby logging: disabled

Deny Conn when Queue Full: disabled

Console logging: disabled

Monitor logging: disabled

Buffer logging: level informational, 561 messages logged

Trap logging: disabled

History logging: disabled

Device ID: disabled

Mail logging: disabled

ASDM logging: disabled

Mar 29 2011 19:34:15: %ASA-3-106014: Deny inbound icmp src DMZ:172.16.100.2 dst inside:192.168.1.1 (type 8, code 0)

Mar 29 2011 19:34:17: %ASA-3-106014: Deny inbound icmp src DMZ:172.16.100.2 dst inside:192.168.1.1 (type 8, code 0)

Mar 29 2011 19:34:19: %ASA-3-106014: Deny inbound icmp src DMZ:172.16.100.2 dst inside:192.168.1.1 (type 8, code 0)

Mar 29 2011 19:34:21: %ASA-3-106014: Deny inbound icmp src DMZ:172.16.100.2 dst inside:192.168.1.1 (type 8, code 0)

Mar 29 2011 19:34:23: %ASA-3-106014: Deny inbound icmp src DMZ:172.16.100.2 dst inside:192.168.1.1 (type 8, code 0)

ciscoasa(config)#

// The ICMP traffic from the DMZ zone to the inside zone has been denied

This is because, by default, the firewall denies all traffic from a lower-security-level zone to a higher-security-level zone (here DMZ at level 50 toward inside at level 100) unless an ACL permits it.
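The `%ASA-3-106014` lines above are exactly what a log pipeline consumes. The following Python parser is an added example, not part of the lab or of Cisco's software: it parses the syslog header and the 106014 body, checks whether a denied flow went from a lower to a higher security level (the default-deny direction described above), and reports flows denied repeatedly. The sample input is the lab's five denies plus one constructed `302020` connection message so the parser has something to skip.

```python
"""Parser and simple detection rule for the ASA deny messages seen in step 7.
Constructed example (not Cisco code): the sample lines are the lab's five
%ASA-3-106014 denies plus one constructed non-deny line the parser must skip."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

SECURITY_LEVELS = {"inside": 100, "DMZ": 50, "outside": 0}  # from the lab's interface config

SAMPLE_LOG = """\
Mar 29 2011 19:34:15: %ASA-3-106014: Deny inbound icmp src DMZ:172.16.100.2 dst inside:192.168.1.1 (type 8, code 0)
Mar 29 2011 19:34:17: %ASA-3-106014: Deny inbound icmp src DMZ:172.16.100.2 dst inside:192.168.1.1 (type 8, code 0)
Mar 29 2011 19:34:19: %ASA-3-106014: Deny inbound icmp src DMZ:172.16.100.2 dst inside:192.168.1.1 (type 8, code 0)
Mar 29 2011 19:34:21: %ASA-3-106014: Deny inbound icmp src DMZ:172.16.100.2 dst inside:192.168.1.1 (type 8, code 0)
Mar 29 2011 19:34:23: %ASA-3-106014: Deny inbound icmp src DMZ:172.16.100.2 dst inside:192.168.1.1 (type 8, code 0)
Mar 29 2011 19:34:40: %ASA-6-302020: Built outbound ICMP connection for faddr 123.123.123.123/0 gaddr 202.100.0.100/8 laddr 192.168.100.1/11
"""

# Header: "<Mon DD YYYY hh:mm:ss>: %ASA-<severity>-<message id>: <body>"
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")
# 106014 body: "Deny inbound <proto> src <if>:<ip> dst <if>:<ip> [(type n, code n)]"
DENY_106014_RE = re.compile(
    r"^Deny inbound (?P<proto>\w+) src (?P<src_if>[^:]+):(?P<src_ip>\S+) "
    r"dst (?P<dst_if>[^:]+):(?P<dst_ip>\S+)(?: \(type (?P<type>\d+), code (?P<code>\d+)\))?")


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the syslog header fields plus, for 106014, the denied flow.
    Returns None when the line is not an ASA syslog message at all."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, Optional[str]] = {"ts": m["ts"], "sev": m["sev"], "msgid": m["msgid"], "body": m["body"]}
    if rec["msgid"] == "106014":
        d = DENY_106014_RE.match(m["body"])
        if d:
            rec.update(d.groupdict())
    return rec


def is_low_to_high(src_if: str, dst_if: str) -> bool:
    """True when the flow goes from a lower to a higher security level, i.e. the
    direction the ASA blocks by default unless an ACL permits it."""
    return SECURITY_LEVELS[src_if] < SECURITY_LEVELS[dst_if]


def repeated_denies(lines: List[str], threshold: int = 3) -> List[Tuple[str, str, str, str, int]]:
    """Group 106014 denies by (src_if, src_ip, dst_if, dst_ip) and report flows
    denied at least `threshold` times: the trace a misconfigured or probing host leaves."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["msgid"] == "106014" and rec.get("src_ip"):
            counts[(rec["src_if"], rec["src_ip"], rec["dst_if"], rec["dst_ip"])] += 1
    return [(*flow, n) for flow, n in counts.items() if n >= threshold]


if __name__ == "__main__":
    for src_if, src_ip, dst_if, dst_ip, n in repeated_denies(SAMPLE_LOG.splitlines()):
        direction = "low->high (default deny)" if is_low_to_high(src_if, dst_if) else "high->low"
        print(f"{n} denies {src_if}:{src_ip} -> {dst_if}:{dst_ip} [{direction}]")
```

Run on the sample, the script reports one flow, `DMZ:172.16.100.2 -> inside:192.168.1.1`, denied five times in the low-to-high direction; on a real ASA the same logic would run over messages exported with `logging trap`, which the lab's `show logging` output shows as still disabled.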

ciscoasa(config)# access-list DMZ extended permit icmp 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0

ciscoasa(config)# access-list DMZ extended permit tcp 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0 eq telnet

ciscoasa(config)# access-group DMZ in interface DMZ

Test:

R2#ping 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R2#telnet 192.168.1.1

Trying 192.168.1.1 ... Open

R1>

R1>exit

[Connection to 192.168.1.1 closed by foreign host]

R2#

Step 8

Configure an ACL so that the inside host 192.168.1.1 may not reach any other address and can only communicate within its own zone

R1#ping 172.16.2.1 source 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.1.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 44/64/84 ms

R1#ping 123.123.123.123 source 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 123.123.123.123, timeout is 2 seconds:

Packet sent with a source address of 192.168.1.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Configure the ACL: 192.168.1.1 may not reach any other address and can only communicate within its own zone

ciscoasa(config)# access-list deny-inside standard deny 192.168.1.1 255.255.255.255

ciscoasa(config)# access-list deny-inside standard permit any

ciscoasa(config)# access-group deny-inside in interface inside

ERROR: access-list is standard. Only "extended" or "ethertype" acls can be attached to an interface

ciscoasa(config)#

// This step could be expressed with a standard ACL, but on the ASA a standard ACL cannot be applied to an interface, so an extended ACL is needed

ciscoasa(config)# access-list deny-inside-any extended deny ip host 192.168.1.1 any

ciscoasa(config)# access-list deny-inside-any extended permit ip any any

ciscoasa(config)# access-group deny-inside-any in interface inside

Test:

R1#ping 172.16.2.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 48/58/84 ms

R1#ping 172.16.2.1 source 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.1.1

.....

Success rate is 0 percent (0/5)
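Steps 7 and 8 together show how the ASA decides whether a packet may cross between interfaces: the security-level default when no ACL is bound to the ingress interface, first-match evaluation ending in an implicit deny once one is bound (which is why `permit ip any any` has to follow the deny in step 8), and the restriction that only extended ACLs can be bound. The following Python model is an added example, not Cisco code or the lab's configuration; it uses the lab's addresses, security levels and ACL names, and reproduces the error string from the lab output.

```python
"""Model of ASA interface ACL evaluation for steps 7 and 8: first-match ACEs,
the implicit deny at the end of every ACL, the security-level default when no
ACL is bound, and the rule that only extended ACLs bind to interfaces.
Constructed example, not Cisco code; addresses and ACL names are the lab's."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

SECURITY_LEVELS = {"inside": 100, "DMZ": 50, "outside": 0}  # lab's interface config
TELNET = 23


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol; otherwise "icmp", "tcp", "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None  # 'eq <port>'; None means any port

    def matches(self, proto: str, src_ip: str, dst_ip: str, dst_port: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if ipaddress.ip_address(src_ip) not in self.src or ipaddress.ip_address(dst_ip) not in self.dst:
            return False
        return self.dst_port is None or self.dst_port == dst_port


class AccessList:
    def __init__(self, name: str, kind: str = "extended") -> None:
        self.name, self.kind = name, kind
        self.aces: List[Ace] = []

    def add(self, action: str, proto: str, src: str, dst: str, dst_port: Optional[int] = None) -> "AccessList":
        self.aces.append(Ace(action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), dst_port))
        return self


def evaluate_acl(acl: AccessList, proto: str, src_ip: str, dst_ip: str, dst_port: Optional[int] = None) -> str:
    """First matching ACE decides; a packet matching no ACE hits the implicit deny."""
    for ace in acl.aces:
        if ace.matches(proto, src_ip, dst_ip, dst_port):
            return ace.action
    return "deny"


class Firewall:
    def __init__(self) -> None:
        self.inbound: Dict[str, AccessList] = {}  # interface -> ACL bound with 'access-group ... in'

    def access_group(self, acl: AccessList, interface: str) -> None:
        if acl.kind != "extended":  # the error the lab hits with 'access-list deny-inside standard'
            raise ValueError(f'ERROR: access-list is {acl.kind}. Only "extended" or "ethertype" '
                             f'acls can be attached to an interface')
        self.inbound[interface] = acl

    def permits(self, in_if: str, out_if: str, proto: str, src_ip: str, dst_ip: str,
                dst_port: Optional[int] = None) -> bool:
        acl = self.inbound.get(in_if)
        if acl is not None:  # a bound ACL replaces the security-level default entirely
            return evaluate_acl(acl, proto, src_ip, dst_ip, dst_port) == "permit"
        return SECURITY_LEVELS[in_if] > SECURITY_LEVELS[out_if]  # high->low allowed, low->high denied


def lab_walkthrough() -> dict:
    fw, out = Firewall(), {}
    # Step 7 before any ACL: DMZ (50) -> inside (100) denied, inside -> DMZ allowed
    out["dmz_icmp_before"] = fw.permits("DMZ", "inside", "icmp", "172.16.100.2", "192.168.1.1")
    out["inside_to_dmz_before"] = fw.permits("inside", "DMZ", "icmp", "192.168.100.1", "172.16.2.1")
    dmz = (AccessList("DMZ")
           .add("permit", "icmp", "172.16.0.0/16", "192.168.0.0/16")
           .add("permit", "tcp", "172.16.0.0/16", "192.168.0.0/16", TELNET))
    fw.access_group(dmz, "DMZ")
    out["dmz_icmp_after"] = fw.permits("DMZ", "inside", "icmp", "172.16.100.2", "192.168.1.1")
    out["dmz_telnet_after"] = fw.permits("DMZ", "inside", "tcp", "172.16.100.2", "192.168.1.1", TELNET)
    out["dmz_http_after"] = fw.permits("DMZ", "inside", "tcp", "172.16.100.2", "192.168.1.1", 80)  # implicit deny
    # Step 8: a standard ACL cannot be bound to an interface
    try:
        fw.access_group(AccessList("deny-inside", kind="standard"), "inside")
        out["standard_acl_rejected"] = False
    except ValueError as err:
        out["standard_acl_rejected"] = str(err).startswith("ERROR: access-list is standard")
    inside = (AccessList("deny-inside-any")
              .add("deny", "ip", "192.168.1.1/32", "0.0.0.0/0")
              .add("permit", "ip", "0.0.0.0/0", "0.0.0.0/0"))  # without this the implicit deny blocks all of inside
    fw.access_group(inside, "inside")
    out["r1_fa0_to_dmz"] = fw.permits("inside", "DMZ", "icmp", "192.168.100.1", "172.16.2.1")
    out["r1_lo0_to_dmz"] = fw.permits("inside", "DMZ", "icmp", "192.168.1.1", "172.16.2.1")
    out["r1_lo0_to_internet"] = fw.permits("inside", "outside", "icmp", "192.168.1.1", "123.123.123.123")
    return out


if __name__ == "__main__":
    for name, value in lab_walkthrough().items():
        print(f"{name:24} {value}")
```

The walkthrough reproduces each test in the lab: the DMZ ping fails before the ACL and succeeds after it, Telnet is allowed while any other TCP port falls through to the implicit deny, the standard ACL is rejected at bind time, and after `deny-inside-any` is bound only 192.168.1.1 loses access while 192.168.100.1 keeps it.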
