
ASA/PIX: test of forwarding same-security-zone traffic in and out of the same interface (PIX 8.0)

1. Topology:

Topology diagram: http://blog.51cto.com/attachment/201205/003525187.jpg

2. Interface configuration:

PC1:

eth0:202.1.1.1/24

ASA:

ASA(config)# int e0

ASA(config-if)# ip add 10.1.1.1 255.255.255.0

ASA(config-if)# no sh

ASA(config-if)# ip add 10.1.1.10 255.255.255.0

ASA(config-if)# nameif inside

ASA(config-if)# int e1

ASA(config-if)# ip add 202.1.1.10 255.255.255.0

ASA(config-if)# nameif outside

INFO: Security level for "outside" set to 0 by default.

R1:

R1(config)#int f0/0

R1(config-if)#ip add 10.1.1.1 255.255.255.0

R1(config-if)#no sh

R1(config-if)#int f0/1

R1(config-if)#ip add 20.1.1.1 255.255.255.0

R2:

R2(config)#int f0/0

R2(config-if)#ip add 10.1.1.2 255.255.255.0

R2(config-if)#no sh

R3:

R3(config)#int f0/0

R3(config-if)#ip add 20.1.1.3 255.255.255.0

R3(config-if)#no sh

3. Routing configuration:

ASA(config)# route inside 20.1.1.0 255.255.255.0 10.1.1.1

R1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.10 

R2(config-if)#ip route 0.0.0.0 0.0.0.0 10.1.1.10

R3(config-if)#ip route 0.0.0.0 0.0.0.0 20.1.1.1

4. Firewall NAT and policy configuration:

ASA(config)# nat (inside) 1 0 0

ASA(config)# global (outside) 1 in

ASA(config)# global (outside) 1 interface 

ASA(config)# access-list outside permit icmp any any echo-reply 

ASA(config)# access-group outside in interface outside

5. Internet access test:

R1#ping 202.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 202.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/28/52 ms

R2#ping 202.1.1.1

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/29/68 ms

R3#ping 202.1.1.1

Success rate is 100 percent (5/5), round-trip min/avg/max = 24/52/72 ms

6. Configuring R2 and R3 to reach each other:

A. R2 pings R3; the firewall logs the following:

%PIX-3-106014: Deny inbound icmp src inside:10.1.1.2 dst inside:20.1.1.1 (type 8, code 0)

%PIX-6-302010: 0 in use, 2 most used

B. Allow traffic between hosts in the same security zone (intra-interface) on the firewall:

ASA(config)# same-security-traffic permit intra-interface 

Ping again; it still fails, and the firewall logs the following:

%PIX-7-609001: Built local-host inside:10.1.1.2

%PIX-7-609001: Built local-host inside:20.1.1.1

%PIX-3-305006: portmap translation creation failed for icmp src inside:10.1.1.2 dst inside:20.1.1.1 (type 8, code 0)

%PIX-7-609002: Teardown local-host inside:10.1.1.2 duration 0:00:00

%PIX-7-609002: Teardown local-host inside:20.1.1.1 duration 0:00:00

C. Configure NAT exemption:

ASA(config)# access-list nonat permit ip 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0 

ASA(config)# access-list nonat  permit ip 20.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0 

ASA(config)#  nat (inside) 0 access-list nonat

7. Verification

A. ICMP ping packets pass normally in both directions

R2#ping 20.1.1.3

Sending 5, 100-byte ICMP Echos to 20.1.1.3, timeout is 2 seconds:

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/67/92 ms

R3#ping 10.1.1.2

Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:

Success rate is 100 percent (5/5), round-trip min/avg/max = 44/70/120 ms

B. TCP packets do not pass

R2#telnet 20.1.1.3

Trying 20.1.1.3 ... 

% Connection timed out; remote host not responding

R2#

%PIX-6-106015: Deny TCP (no connection) from 10.1.1.2/35246 to 20.1.1.3/23 flags RST  on interface inside

C. Analysis of why TCP fails

1) R3 initiates the connection to R2

When R3 telnets to R2, R1 has a directly connected route to R2's segment, so the TCP SYN of the three-way handshake never crosses the firewall. On the return path, R3's segment is not directly connected to R2, so R2 hands the TCP SYN-ACK to its default gateway, the firewall; the firewall has not seen the preceding TCP SYN and therefore denies it.

2) R2 initiates the connection to R3

When R2 telnets to R3, R2 hands the TCP SYN of the three-way handshake to the firewall; the firewall permits it but rewrites the packet's sequence number. The TCP SYN-ACK does not cross the firewall, so R2 sees a sequence number that does not correspond to what it sent and drops the packet. (Presumably, even if the firewall were configured not to rewrite sequence numbers so that the three-way handshake completed, the firewall would still not permit the rest of the session.)

See the following link:

http://www.8-p.org/wiki/doku.php?id=asahairpinning

8. Two solutions:

A. Keep both directions of the traffic off the firewall:

1) On R2, add a route to 20.1.1.0 via R1

R2(config)#ip route 20.1.1.0 255.255.255.0 10.1.1.1

---- Telnet test succeeds

R3#  telnet 10.1.1.2

Trying 10.1.1.2 ... Open

User Access Verification

Password:

2) The alternative, configuring ICMP redirects on the firewall interface, is not supported by the firewall

B. Send both directions of the traffic through the firewall:

1) On R1, add a host route for R2 pointing to the firewall

R1(config)#ip route 10.1.1.2 255.255.255.255 10.1.1.10

R3#telnet 10.1.1.2

Password: 

2) On R1, apply a route-map on the interface that is not directly connected to the firewall

----- set the next hop for the segment connected to the firewall to the firewall's interface address

interface e1

  ip policy route-map inside

ip access-list extended inside

  permit ip any 10.1.1.0 0.0.0.255

route-map inside permit 10

 match ip address inside

 set ip next-hop 10.1.1.10

3) On R1, add a static ARP entry mapping 10.1.1.2 to the MAC address of the firewall's inside interface

ASA# show interface e0

Interface Ethernet0 "inside", is up, line protocol is up

  Hardware is i82559, BW 100 Mbps, DLY 100 usec

        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

        MAC address 00ab.bffb.c400, MTU 1500

        IP address 10.1.1.10, subnet mask 255.255.255.0

R1(config)#arp 10.1.1.2 00ab.bffb.c400 arpa

Trying 20.1.1.3 ... Open
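The two failure modes analysed in 7C and the effect of the two fixes in section 8, as an added Python model that is not part of the original post and not ASA code: a constructed stand-in for the firewall's connection table and ISN randomization, with the hosts, ports and the half-open rule as assumptions. Each leg of the handshake is flagged as crossing the firewall or bypassing it, which is what the routing changes in section 8 alter.

```python
import random
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Seg:
    src: str; dst: str; sport: int; dport: int; flags: str; seq: int; ack: int = 0

class Firewall:
    """Constructed stand-in for stateful inspection (not ASA code): a table keyed
    by the first SYN's 5-tuple, per-connection ISN randomization, and a half-open
    flag that clears only when the SYN-ACK is seen here (assumed simplification)."""
    def __init__(self, randomize_isn=True):
        self.conns = {}   # (src, sport, dst, dport) -> {"delta": int, "half_open": bool}
        self.randomize_isn = randomize_isn
        self.log = []

    def forward(self, s):
        """Return the segment as the firewall would emit it, or None if denied."""
        fwd = (s.src, s.sport, s.dst, s.dport)
        rev = (s.dst, s.dport, s.src, s.sport)
        if s.flags == "SYN" and fwd not in self.conns:
            delta = random.randrange(1, 2**31) if self.randomize_isn else 0
            self.conns[fwd] = {"delta": delta, "half_open": True}
            return replace(s, seq=(s.seq + delta) % 2**32)        # rewrite the ISN
        if s.flags == "SYN-ACK" and rev in self.conns:
            c = self.conns[rev]
            c["half_open"] = False
            return replace(s, ack=(s.ack - c["delta"]) % 2**32)   # undo the shift
        if fwd in self.conns and not self.conns[fwd]["half_open"]:
            return replace(s, seq=(s.seq + self.conns[fwd]["delta"]) % 2**32)
        self.log.append(f"%PIX-6-106015: Deny TCP (no connection) from "
                        f"{s.src}/{s.sport} to {s.dst}/{s.dport} flags {s.flags}")
        return None

def handshake(fw, client, server, syn_via_fw, synack_via_fw, ack_via_fw):
    """Three-way handshake from client to server; each flag says whether
    that leg is routed through fw (True) or bypasses it (False)."""
    isn, seg = 1000, Seg(client, server, 35246, 23, "SYN", 1000)
    if syn_via_fw and (seg := fw.forward(seg)) is None:
        return "SYN denied"
    seg = Seg(server, client, 23, 35246, "SYN-ACK", 5000, seg.seq + 1)  # server ACKs what it saw
    if synack_via_fw and (seg := fw.forward(seg)) is None:
        return "SYN-ACK denied by firewall (no connection)"
    if seg.ack != isn + 1:
        return "SYN-ACK dropped by client (ack does not match its ISN)"
    seg = Seg(client, server, 35246, 23, "ACK", isn + 1, 5001)
    if ack_via_fw and fw.forward(seg) is None:
        return "ACK denied by firewall (it never saw the SYN-ACK)"
    return "established"
```

Calling handshake with (False, True, False) reproduces case 7C-1, (True, False, True) reproduces case 7C-2, and (True, True, True) or (False, False, False) correspond to solutions 8B and 8A.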

This article is reposted from 碧雲天's 51CTO blog; original link: http://blog.51cto.com/333234/856558. Please contact the original author for permission to reproduce it.