
Configuring DHCP relay on the ASA

1. Topology:

[Topology diagram: http://blog.51cto.com/attachment/201205/164716676.jpg]

The DHCP server sits in the dmz zone.

2. Interface configuration:

R1:

R1(config)#int e0/0

R1(config-if)#ip address dhcp 

R1(config-if)#shutdown

R2:

R2(config)#int e0/0

R2(config-if)#ip add 20.1.1.10 255.255.255.0

R2(config-if)#no sh

R3:

R3(config)#int e0/0

R3(config-if)#ip add 30.1.1.10 255.255.255.0

R3(config-if)#no sh

ASA:

ASA(config)# int e0

ASA(config-if)# ip add 10.1.1.1 255.255.255.0

ASA(config-if)# nameif inside

INFO: Security level for "inside" set to 100 by default.

ASA(config-if)# no sh


ASA(config-if)# int e1

ASA(config-if)# ip add 20.1.1.1 255.255.255.0

ASA(config-if)# nameif dmz

INFO: Security level for "dmz" set to 0 by default.


ASA(config-if)# security-level 50

ASA(config-if)# int e2

ASA(config-if)# ip add 30.1.1.1 255.255.255.0

ASA(config-if)# nameif outside

INFO: Security level for "outside" set to 0 by default.

3. Routing configuration:

R2(config)#ip route 0.0.0.0 0.0.0.0 20.1.1.1

------ R2 needs a route to the inside interface's subnet; otherwise it cannot assign an IP address to R1.

R3(config)#ip route 0.0.0.0 0.0.0.0 30.1.1.1

4. Configure R2 as the DHCP server:

A. The address exclusion must be configured first

R2(config)#ip dhcp excluded-address 10.1.1.1

---- Testing showed that if the inside interface address is not excluded first, that address gets handed to the DHCP client, because the ICMP probe the DHCP server sends before assigning an address gets no reply.

----- Adding the exclusion after the address pool has already been created does not take effect.

B. Then configure the DHCP address pool

R2(config)#ip dhcp pool dhcppool

R2(dhcp-config)#network 10.1.1.0 /24

5. Configure DHCP relay on the ASA:

ASA(config)# dhcprelay server 20.1.1.1

----- Set the DHCP server address

ASA(config)# dhcprelay setroute inside

---- Make the default gateway handed to clients the inside interface address (the ASA rewrites the router option in the relayed replies)

ASA(config)# dhcprelay enable inside

---- Enable DHCP relay on the inside interface

6. Test:

A. Bring up R1's e0/0 interface and capture packets on R2's interface

R1 obtains an IP address and a default route whose next hop is the firewall's interface address:

R1(config-if)#no sh

R1(config-if)#

*Mar  1 01:46:31.595: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up

*Mar  1 01:46:32.595: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up

*Mar  1 01:46:35.903: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/0 assigned DHCP address 10.1.1.2, mask 255.255.255.0, hostname R1

R1#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.1.1 to network 0.0.0.0

     20.0.0.0/32 is subnetted, 1 subnets

S       20.1.1.10 [254/0] via 10.1.1.1, Ethernet0/0

     10.0.0.0/24 is subnetted, 1 subnets

C       10.1.1.0 is directly connected, Ethernet0/0

S*   0.0.0.0/0 [254/0] via 10.1.1.1

B. Packet capture analysis

1) The DHCP broadcast packets become unicast packets after passing through the relay

2) Before assigning an IP address, the DHCP server tries to ping it; the ping is dropped by the firewall policy, so after the timeout the server treats the address as unused
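As an added illustration (not code from the original post or from the ASA), the following Python model shows the two rewrites behind the relay configuration and the capture above: on the way to the server the relay forwards R1's broadcast DISCOVER as unicast and stamps giaddr with the inside address 10.1.1.1, and on the way back `dhcprelay setroute inside` replaces the router option with that same address. It assumes the DHCP server is R2 at 20.1.1.10, matching the interface configuration and the host route in R1's routing table.

```python
import struct
from ipaddress import IPv4Address
# Added, constructed model of a DHCP relay agent (not the ASA's code): giaddr/hops are stamped toward the server, router option rewritten on the way back.
HDR = "!BBBBIHH4s4s4s4s16s64s128s"                  # 236-byte fixed BOOTP header (RFC 2131)
MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY, OPT_ROUTER, OPT_END = 1, 2, 3, 255
OP, HOPS, FLAGS, YIADDR, GIADDR = 0, 3, 6, 8, 10    # indices into the unpacked header

def parse(pkt):
    """Return (header fields as a list, options as [code, value] pairs)."""
    f = list(struct.unpack(HDR, pkt[:236]))
    assert pkt[236:240] == MAGIC, "not a DHCP message"
    opts, body, i = [], pkt[240:], 0
    while i < len(body) and body[i] != OPT_END:
        if body[i] == 0:                            # pad option has no length byte
            i += 1
        else:
            opts.append([body[i], body[i + 2:i + 2 + body[i + 1]]])
            i += 2 + body[i + 1]
    return f, opts

def build(f, opts):
    return struct.pack(HDR, *f) + MAGIC + b"".join(bytes([c, len(v)]) + v for c, v in opts) + bytes([OPT_END])

def relay_to_server(pkt, inside_ip, server_ip):
    """Client->server: the broadcast is forwarded as unicast; giaddr tells the server which subnet to lease from."""
    f, opts = parse(pkt)
    if f[OP] != BOOTREQUEST or f[HOPS] >= 16:       # not a request, or a relay loop
        return None
    f[HOPS] += 1
    if f[GIADDR] == bytes(4):                       # first relay on the path sets giaddr
        f[GIADDR] = IPv4Address(inside_ip).packed
    return {"dst": server_ip, "pkt": build(f, opts)}

def relay_to_client(pkt, inside_ip, setroute=True):
    """Server->client: relay only replies carrying our giaddr; setroute forces option 3 to the inside address."""
    f, opts = parse(pkt)
    if f[OP] != BOOTREPLY or f[GIADDR] != IPv4Address(inside_ip).packed:
        return None
    if setroute:                                    # what 'dhcprelay setroute inside' does
        opts = [o for o in opts if o[0] != OPT_ROUTER] + [[OPT_ROUTER, IPv4Address(inside_ip).packed]]
    dst = "255.255.255.255" if f[FLAGS] & 0x8000 else str(IPv4Address(f[YIADDR]))
    return {"dst": dst, "pkt": build(f, opts)}

def sample(op, yiaddr, giaddr, opts):               # constructed message with made-up xid and client MAC
    f = [op, 1, 6, 0, 0x3903F326, 0, 0, bytes(4), IPv4Address(yiaddr).packed, bytes(4),
         IPv4Address(giaddr).packed, bytes.fromhex("aabbccddeeff") + bytes(10), bytes(64), bytes(128)]
    return build(f, opts)

# Constructed exchange: R1's DISCOVER arrives on inside; R2's OFFER names R2 (20.1.1.10) as the router.
to_server = relay_to_server(sample(BOOTREQUEST, "0.0.0.0", "0.0.0.0", [[53, b"\x01"]]), "10.1.1.1", "20.1.1.10")
to_client = relay_to_client(sample(BOOTREPLY, "10.1.1.2", "10.1.1.1", [[OPT_ROUTER, bytes([20, 1, 1, 10])]]), "10.1.1.1")
```

After `relay_to_client`, the OFFER reaching R1 carries router 10.1.1.1, which is why R1's routing table shows the firewall interface as the gateway of last resort.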

[Packet capture screenshot: http://blog.51cto.com/attachment/201205/164824242.jpg]

This article is reposted from the 51CTO blog of 碧雲天; original link: http://blog.51cto.com/333234/852408. Contact the original author before reposting.