Lab 8: Configuring NAT and ACLs on the ASA
Lab topology
Lab requirements
1 Configure PAT so that hosts in the inside zone can access the Internet
2 Configure static address translation so that DMZ host 172.16.2.1 is translated to 202.100.0.102
3 Configure Identity NAT so that 172.16.100.2 uses its own IP address when accessing the inside zone
4 Configure an ACL so that hosts in the DMZ zone may only send ICMP and Telnet traffic to the inside zone
5 Configure an ACL so that inside host 192.168.1.1 may not reach any other zone and can only communicate within its own zone
Lab steps
Step 2
Configure the interface IP addresses of the ASA and the routers according to the device table
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.100.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface loopback 0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#exit
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 172.16.100.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface loopback 0
R2(config-if)#ip address 172.16.2.1 255.255.255.0
R2(config-if)#exit
R3(config)#interface fastEthernet 0/0
R3(config-if)#ip address 202.100.0.3 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#interface loopback 0
R3(config-if)#ip address 123.123.123.123 255.255.255.0
R3(config-if)#exit
ciscoasa(config)# interface ethernet 0/0
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip address 192.168.100.100 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# interface ethernet 0/1
ciscoasa(config-if)# nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.
ciscoasa(config-if)# security-level 50
ciscoasa(config-if)# ip address 172.16.100.100 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# interface ethernet 0/2
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# ip address 202.100.0.100 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
Test connectivity:
ciscoasa(config)# ping 192.168.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ciscoasa(config)# ping 172.16.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ciscoasa(config)# ping 202.100.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Step 3
Configure routing so that every device can forward the relevant packets
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.100.100 //send all packets for unknown destinations to the ASA
R2(config)#ip route 0.0.0.0 0.0.0.0 172.16.100.100 //send all packets for unknown destinations to the ASA
ciscoasa(config)# route outside 0 0 202.100.0.3 //the ASA is the enterprise gateway; its default route points to the Internet
Configure OSPF to ensure connectivity inside the internal network
R1(config)#router ospf 1
R1(config-router)#router-id 1.1.1.1
R1(config-router)#network 192.168.100.1 0.0.0.0 area 100
R1(config-router)#network 192.168.1.1 0.0.0.0 area 100
R1(config-router)#exit
R2(config)#router ospf 1
R2(config-router)#router-id 2.2.2.2
R2(config-router)#network 172.16.100.2 0.0.0.0 area 100
R2(config-router)#network 172.16.2.1 0.0.0.0 area 100
R2(config-router)#exit
ciscoasa(config)# router ospf 1
ciscoasa(config-router)# router-id 100.100.100.100
ciscoasa(config-router)# network 192.168.100.100 255.255.255.255 area 100
ciscoasa(config-router)# network 172.16.100.100 255.255.255.255 area 100
ciscoasa(config-router)# exit
Step 4
Configure PAT so that hosts in the inside zone can access the Internet
Before configuring PAT, first allow ICMP traffic through the MPF (Modular Policy Framework) by enabling ICMP inspection
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
(the class map referenced here is defined as:
 class-map inspection_default
  match default-inspection-traffic)
ciscoasa(config-pmap-c)# inspect icmp
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit
Configure PAT
ciscoasa(config)# nat (inside) 1 192.168.0.0 255.255.0.0
ciscoasa(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
ciscoasa(config)#
Test:
R1#ping 123.123.123.123
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.123.123.123, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
View the NAT translation table
ciscoasa(config)# show xlate
1 in use, 2 most used
PAT Global 202.100.0.100(8) Local 192.168.100.1 ICMP id 11
Step 5
Configure static address translation so that DMZ host 172.16.2.1 is translated to 202.100.0.102
ciscoasa(config)# static (DMZ,outside) 202.100.0.102 172.16.2.1
Test:
R2#ping 123.123.123.123 source 172.16.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.123.123.123, timeout is 2 seconds:
Packet sent with a source address of 172.16.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R3#debug ip icmp
ICMP packet debugging is on
R3#
*Mar 1 01:09:38.391: ICMP: echo reply sent, src 123.123.123.123, dst 202.100.0.102
*Mar 1 01:09:40.387: ICMP: echo reply sent, src 123.123.123.123, dst 202.100.0.102
*Mar 1 01:09:40.391: ICMP: echo reply sent, src 123.123.123.123, dst 202.100.0.102
*Mar 1 01:09:40.395: ICMP: echo reply sent, src 123.123.123.123, dst 202.100.0.102
*Mar 1 01:09:40.399: ICMP: echo reply sent, src 123.123.123.123, dst 202.100.0.102
*Mar 1 01:10:52.263: ICMP: echo reply sent, src 123.123.123.123, dst 202.100.0.102
Step 6
Configure Identity NAT so that 192.168.1.1 uses its own IP address when accessing the outside zone
R1#ping 123.123.123.123 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.123.123.123, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
R3#
*Mar 1 02:33:28.955: ICMP: echo reply sent, src 123.123.123.123, dst 202.100.0.100
*Mar 1 02:33:28.959: ICMP: echo reply sent, src 123.123.123.123, dst 202.100.0.100
*Mar 1 02:33:28.963: ICMP: echo reply sent, src 123.123.123.123, dst 202.100.0.100
*Mar 1 02:33:28.967: ICMP: echo reply sent, src 123.123.123.123, dst 202.100.0.100
*Mar 1 02:33:28.971: ICMP: echo reply sent, src 123.123.123.123, dst 202.100.0.100
//At this point, when 192.168.1.1 pings 123.123.123.123, what R3 sees is the translated IP address
Configure Identity NAT
ciscoasa(config)# nat (inside) 0 192.168.1.1 255.255.255.255
nat 0 192.168.1.1 will be identity translated for outbound
ciscoasa(config)#
Test
R1#ping 123.123.123.123 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.123.123.123, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.....
Success rate is 0 percent (0/5)
//123.123.123.123 can no longer be pinged
R3# //With debugging enabled on R3, we see that 192.168.1.1 is no longer being translated
*Mar 1 02:35:50.639: ICMP: echo reply sent, src 123.123.123.123, dst 192.168.1.1
*Mar 1 02:35:52.635: ICMP: echo reply sent, src 123.123.123.123, dst 192.168.1.1
*Mar 1 02:35:54.635: ICMP: echo reply sent, src 123.123.123.123, dst 192.168.1.1
*Mar 1 02:35:56.635: ICMP: echo reply sent, src 123.123.123.123, dst 192.168.1.1
*Mar 1 02:35:58.635: ICMP: echo reply sent, src 123.123.123.123, dst 192.168.1.1
Now, can you work out why the ping fails?
Check R3's routing table
R3#show ip route
Gateway of last resort is not set
C 202.100.0.0/24 is directly connected, FastEthernet0/0
123.0.0.0/24 is subnetted, 1 subnets
C 123.123.123.0 is directly connected, Loopback0
//There is no route to 192.168.1.1: it is a private address and is not routable on the public Internet. In this lab environment
we can manually add a static route to 192.168.1.1
R3(config)#ip route 192.168.1.1 255.255.255.255 202.100.0.100
R1#ping 123.123.123.123 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.123.123.123, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Step 7
Configure an ACL so that hosts in the DMZ zone may only send ICMP and Telnet traffic to the inside zone. Remove the NAT configured earlier to avoid interference.
Before configuring, test first
R2#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Check the log on the ASA
ciscoasa(config)# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Deny Conn when Queue Full: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level informational, 561 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
Mar 29 2011 19:34:15: %ASA-3-106014: Deny inbound icmp src DMZ:172.16.100.2 dst inside:192.168.1.1 (type 8, code 0)
Mar 29 2011 19:34:17: %ASA-3-106014: Deny inbound icmp src DMZ:172.16.100.2 dst inside:192.168.1.1 (type 8, code 0)
Mar 29 2011 19:34:19: %ASA-3-106014: Deny inbound icmp src DMZ:172.16.100.2 dst inside:192.168.1.1 (type 8, code 0)
Mar 29 2011 19:34:21: %ASA-3-106014: Deny inbound icmp src DMZ:172.16.100.2 dst inside:192.168.1.1 (type 8, code 0)
Mar 29 2011 19:34:23: %ASA-3-106014: Deny inbound icmp src DMZ:172.16.100.2 dst inside:192.168.1.1 (type 8, code 0)
ciscoasa(config)#
//As you can see, ICMP traffic from the DMZ zone to the inside zone is being denied,
because by default the firewall denies all traffic from a lower-security zone to a higher-security zone
ciscoasa(config)#access-list DMZ extended permit icmp 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0
ciscoasa(config)#access-list DMZ extended permit tcp 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0 eq telnet
ciscoasa(config)# access-group DMZ in interface DMZ
Test:
R2#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2#telnet 192.168.1.1
Trying 192.168.1.1 ... Open
R1>
R1>exit
[Connection to 192.168.1.1 closed by foreign host]
R2#
Step 8
Configure an ACL so that inside host 192.168.1.1 may not reach any other zone and can only communicate within its own zone
R1#ping 172.16.2.1 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/64/84 ms
R1#ping 123.123.123.123 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.123.123.123, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Configure an ACL so that 192.168.1.1 may not reach any other zone and can only communicate within its own zone
ciscoasa(config)# access-list deny-inside standard deny 192.168.1.1 255.255.255.255
ciscoasa(config)# access-list deny-inside standard permit any
ciscoasa(config)# access-group deny-inside in interface inside
ERROR: access- - list
ciscoasa(config)#
//This step could be done with a standard ACL, but on the ASA a standard ACL cannot be applied to an interface
ciscoasa(config)# access-list deny-inside-any extended deny ip host 192.168.1.1 any
ciscoasa(config)# access-list deny-inside-any extended permit ip any any
ciscoasa(config)# access-group deny-inside-any in interface inside
Test:
R1#ping 172.16.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/58/84 ms
R1#ping 172.16.2.1 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.....
Success rate is 0 percent (0/5)
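To make the decision logic behind steps 4 to 8 concrete, here is an added Python model (not part of the lab and not ASA code) of the policy this lab builds: interface security levels, first-match interface ACLs with their implicit deny, the PAT/static/identity NAT rules, and R3's routing table, which is why identity NAT failed until the static route was added. The "most specific NAT rule wins" ordering is a labelled simplification, and the ACL and NAT tables are constructed from the commands in the lab.

```python
import ipaddress

# Constructed model of this lab's ASA policy (an added example, not the lab's own
# configuration): security levels, interface ACLs, pre-8.3 NAT rules and R3's routes.
SEC = {"inside": 100, "DMZ": 50, "outside": 0}
ACLS = {  # access-group <name> in interface <ifc>: (action, proto, src, dst, dport)
    "DMZ": [("permit", "icmp", "172.16.0.0/16", "192.168.0.0/16", None),
            ("permit", "tcp", "172.16.0.0/16", "192.168.0.0/16", 23)],
    "inside": [("deny", "ip", "192.168.1.1/32", "0.0.0.0/0", None),
               ("permit", "ip", "0.0.0.0/0", "0.0.0.0/0", None)],
}
NAT = [  # (kind, ingress interface, real addresses, mapped address)
    ("pat", "inside", "192.168.0.0/16", "202.100.0.100"),  # nat (inside) 1 + global (outside) 1 interface
    ("static", "DMZ", "172.16.2.1/32", "202.100.0.102"),   # static (DMZ,outside) 202.100.0.102 172.16.2.1
    ("identity", "inside", "192.168.1.1/32", None),        # nat (inside) 0 192.168.1.1 255.255.255.255
]
R3_ROUTES = ["202.100.0.0/24", "123.123.123.0/24"]  # R3's table before the manual static route

def acl_allows(ingress, egress, proto, src, dst, dport=None, acls=ACLS):
    """First-match ACL evaluation. An applied ACL ends in an implicit deny; with no
    ACL the security-level default applies: high->low permitted, low->high denied."""
    rules = acls.get(ingress)
    if rules is None:
        return SEC[ingress] > SEC[egress]
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, sn, dn, port in rules:
        if (p in ("ip", proto) and s in ipaddress.ip_network(sn)
                and d in ipaddress.ip_network(dn) and port in (None, dport)):
            return action == "permit"
    return False

def translate_source(ingress, src):
    """Most specific matching NAT rule wins (a simplification of the ASA's rule
    order that agrees with the lab output: the /32 nat 0 overrides the /16 nat 1).
    Identity NAT, or no matching rule at all, leaves the real source unchanged."""
    s, best = ipaddress.ip_address(src), None
    for kind, ifc, real, mapped in NAT:
        net = ipaddress.ip_network(real)
        if ifc == ingress and s in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, kind, mapped)
    return src if best is None or best[1] == "identity" else best[2]

def r3_can_reply(mapped_src, routes=R3_ROUTES):
    """R3 has no default route, so an echo reply to an untranslated private source
    is only possible once a route for it exists (the lab adds a /32 static route)."""
    return any(ipaddress.ip_address(mapped_src) in ipaddress.ip_network(r) for r in routes)
```

Passing `acls={}` reproduces the state before step 7, where the DMZ ping was denied purely by the security levels; with the lab's ACLs applied, only ICMP and TCP/23 from the DMZ reach inside, and 192.168.1.1 is blocked from leaving inside regardless of destination.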