
ASA: relaying same-zone traffic in and out of one interface, a test on ASA 8.4(2)

1. Topology:

Topology diagram: http://blog.51cto.com/attachment/201205/215900533.jpg

2. Interface configuration:

A. PC1:

eth0: 202.1.1.1/24

B. ASA:

ciscoasa(config)# int gigabitEthernet 0
ciscoasa(config-if)# ip add 10.1.1.10 255.255.255.0
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# no sh
ciscoasa(config-if)# int gigabitEthernet 1
ciscoasa(config-if)# ip add 202.1.1.10 255.255.255.0
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.

C. R1:

R1(config)#int f0/0
R1(config-if)#ip add 10.1.1.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#int f0/1
R1(config-if)#ip add 20.1.1.1 255.255.255.0

D. R2:

R2(config)#int f0/0
R2(config-if)#ip add 10.1.1.2 255.255.255.0
R2(config-if)#no sh

E. R3:

R3(config)#int f0/0
R3(config-if)#ip add 20.1.1.3 255.255.255.0
R3(config-if)#no sh

3. Routing configuration:

R2 and R1 both default to the firewall's inside address, so R2's traffic for 20.1.1.0/24 reaches the firewall first and has to be sent back out the same interface towards R1; R3 defaults to R1, and R1 reaches 10.1.1.0/24 as a connected network without touching the firewall. That asymmetry is what the rest of the test is about.

ciscoasa(config)# route inside 20.1.1.0 255.255.255.0 10.1.1.1
R1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.10
R2(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.10
R3(config)#ip route 0.0.0.0 0.0.0.0 20.1.1.1

4. Firewall NAT and policy configuration:

ciscoasa(config)# object network inside-network1
ciscoasa(config-network-object)# subnet 10.1.1.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic interface
ciscoasa(config-network-object)# exit
ciscoasa(config)# object network inside-network2
ciscoasa(config-network-object)# subnet 20.1.1.0 255.255.255.0
ciscoasa(config-network-object)# exit
ciscoasa(config)# access-list outside permit icmp any object inside-network1 echo-reply
ciscoasa(config)# access-list outside permit icmp any object inside-network2 echo-reply
ciscoasa(config)# access-group outside in interface outside

Only 10.1.1.0/24 is translated; 20.1.1.0/24 has no NAT rule and leaves the outside interface untranslated. Because ICMP inspection is not enabled, the echo replies have to be permitted explicitly by the outside ACL; on 8.3 and later the ACL is matched against the real (untranslated) address, which is why the rule for inside-network1 names the object rather than the interface address.

5. Internet access test:

R1#ping 202.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/28/52 ms

R2#ping 202.1.1.1
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/29/68 ms

R3#ping 202.1.1.1
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/52/72 ms

6. Letting R2 and R3 reach each other:

A. R2 pings R3 and the firewall logs:

%ASA-3-106014: Deny inbound icmp src inside:10.1.1.2 dst inside:20.1.1.3 (type 8, code 0)

The echo request follows R2's default route to the firewall, which would have to forward it back out the same inside interface towards R1. By default the ASA drops traffic that enters and leaves on the same interface.

B. Allow traffic to enter and leave on the same interface:

ciscoasa(config)# same-security-traffic permit intra-interface

R2#ping 20.1.1.3
Sending 5, 100-byte ICMP Echos to 20.1.1.3, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/52/96 ms

R3#ping 10.1.1.2
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/51/96 ms

----- Unlike PIX 8.0, no NAT exemption has to be configured.

Note that ping succeeds even though the echo reply travels R3 -> R1 -> R2 without touching the firewall: nothing in an echo reply depends on firewall state. The TCP tests below show where that asymmetric path bites.

7. Verifying TCP connections

A. R2 telnets to R3

R2#telnet 20.1.1.3
Trying 20.1.1.3 ... 
% Connection timed out; remote host not responding
R2#

Firewall log:

%ASA-7-609001: Built local-host inside:10.1.1.2
%ASA-7-609001: Built local-host inside:20.1.1.3
%ASA-6-302013: Built inbound TCP connection 43 for inside:10.1.1.2/23957 (10.1.1.2/23957) to inside:20.1.1.3/23 (20.1.1.3/23)
%ASA-6-302014: Teardown TCP connection 43 for inside:10.1.1.2/23957 to inside:20.1.1.3/23 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-7-609002: Teardown local-host inside:10.1.1.2 duration 0:00:00
%ASA-7-609002: Teardown local-host inside:20.1.1.3 duration 0:00:00
%ASA-6-302013: Built inbound TCP connection 44 for inside:10.1.1.2/23957 (10.1.1.2/23957) to inside:20.1.1.3/23 (20.1.1.3/23)
%ASA-6-302014: Teardown TCP connection 44 for inside:10.1.1.2/23957 to inside:20.1.1.3/23 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.2/23957 to 20.1.1.3/23 flags RST  on interface inside

B. R3 telnets to R2

R3#telnet 10.1.1.2
Trying 10.1.1.2 ... 
R3#

Corresponding firewall log:

%ASA-6-106015: Deny TCP (no connection) from 10.1.1.2/23 to 20.1.1.3/21221 flags SYN ACK  on interface inside
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.2/23 to 20.1.1.3/21221 flags ACK  on interface inside
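The two log patterns above are the signature of asymmetric routing around a firewall: a connection built and then reset before a single byte is transferred, and a SYN-ACK or ACK that arrives with no matching connection. The script below, an added example that is not part of the original post and not Cisco code, parses those message formats and names the flows whose directions appear to take different paths. The regular expressions follow the 302013, 302014 and 106015 layouts quoted above; the sample log is constructed from those lines plus one healthy outbound connection for contrast, and the field layouts should be checked against your own syslog export before use.

```python
"""Flag asymmetric-routing symptoms in ASA syslog (added example)."""
import re

# Constructed sample: the messages quoted in the post plus one healthy connection.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 43 for inside:10.1.1.2/23957 (10.1.1.2/23957) to inside:20.1.1.3/23 (20.1.1.3/23)
%ASA-6-302014: Teardown TCP connection 43 for inside:10.1.1.2/23957 to inside:20.1.1.3/23 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.2/23957 to 20.1.1.3/23 flags RST  on interface inside
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.2/23 to 20.1.1.3/21221 flags SYN ACK  on interface inside
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.2/23 to 20.1.1.3/21221 flags ACK  on interface inside
%ASA-6-302013: Built outbound TCP connection 50 for inside:10.1.1.2/40000 (202.1.1.10/40000) to outside:202.1.1.1/80 (202.1.1.1/80)
%ASA-6-302014: Teardown TCP connection 50 for inside:10.1.1.2/40000 to outside:202.1.1.1/80 duration 0:01:12 bytes 5120 TCP FINs
"""

BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built (?:inbound|outbound) TCP connection (\d+) for "
    r"([\w-]+):(\S+) \(\S+\) to ([\w-]+):(\S+) \(\S+\)")
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (\d+) for ([\w-]+):(\S+) to "
    r"([\w-]+):(\S+) duration (\S+) bytes (\d+) (.+)$")
DENY_RE = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) from (\S+) to (\S+) "
    r"flags (.+?)\s+on interface ([\w-]+)")


def parse_line(line):
    """Return a dict describing the event, or None for lines not modelled here."""
    m = BUILT_RE.search(line)
    if m:
        return {"msg": "302013", "conn": int(m.group(1)), "in_if": m.group(2),
                "src": m.group(3), "out_if": m.group(4), "dst": m.group(5)}
    m = TEARDOWN_RE.search(line)
    if m:
        return {"msg": "302014", "conn": int(m.group(1)), "in_if": m.group(2),
                "src": m.group(3), "out_if": m.group(4), "dst": m.group(5),
                "duration": m.group(6), "bytes": int(m.group(7)),
                "reason": m.group(8).strip()}
    m = DENY_RE.search(line)
    if m:
        return {"msg": "106015", "src": m.group(1), "dst": m.group(2),
                "flags": set(m.group(3).split()), "iface": m.group(4)}
    return None


def classify(log_text):
    """Walk the log once and return a list of findings, oldest first."""
    findings = []
    built = {}                      # conn id -> 302013 event, to spot hairpinned flows
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["msg"] == "302013":
            built[ev["conn"]] = ev
        elif ev["msg"] == "302014":
            b = built.get(ev["conn"])
            hairpin = b is not None and b["in_if"] == b["out_if"]
            # Reset with nothing transferred: the handshake never completed as far
            # as the firewall could see. On a hairpinned connection that usually
            # means the SYN-ACK went around the firewall.
            if ev["bytes"] == 0 and ev["reason"].startswith("TCP Reset"):
                findings.append({"kind": "reset_before_data", "conn": ev["conn"],
                                 "src": ev["src"], "dst": ev["dst"], "hairpin": hairpin})
        else:                       # 106015
            fl = ev["flags"]
            if {"SYN", "ACK"} <= fl:
                # A SYN-ACK with no connection: the SYN it answers never crossed
                # the firewall, so the forward path bypasses it.
                kind = "syn_ack_without_state"
            elif "RST" in fl:
                kind = "rst_without_state"
            else:
                kind = "packet_without_state"
            findings.append({"kind": kind, "src": ev["src"], "dst": ev["dst"],
                             "iface": ev["iface"]})
    return findings


def suspected_asymmetry(findings):
    """Name the flows whose two directions apparently take different paths."""
    flows = set()
    for f in findings:
        if f["kind"] == "syn_ack_without_state":
            # The SYN-ACK's source is the server; its destination is the client.
            flows.add(("client->server bypasses firewall", f["dst"], f["src"]))
        elif f["kind"] == "reset_before_data" and f["hairpin"]:
            flows.add(("server->client bypasses firewall", f["src"], f["dst"]))
    return sorted(flows)


if __name__ == "__main__":
    found = classify(SAMPLE_LOG)
    for f in found:
        print(f)
    for flow in suspected_asymmetry(found):
        print(flow)
```

Run against the sample, the classifier reports both directions of the R2/R3 flow as suspect and says nothing about connection 50, which was torn down by FINs after carrying data.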

C. Why the connections fail

① R2 telnets to R3

Three-way handshake: R2's SYN follows its default route to the firewall's inside interface. The firewall builds the connection, randomizes the SYN's initial sequence number (the default for TCP connections through an ASA), and forwards it out the same interface to R1 and on to R3. R3's SYN-ACK reaches R1, which has a connected route to 10.1.1.0/24 and delivers it straight to R2; the firewall never sees it, so the randomized sequence number is never translated back. R2 therefore receives a SYN-ACK whose acknowledgment number does not match its own ISN + 1, rejects it with a RST, and the firewall tears the embryonic connection down (the 302014 messages above: duration 0:00:00, bytes 0, TCP Reset-O). The retransmitted RST then arrives with no connection to match and is denied with 106015.

---------- Note: when capturing packets in the emulator I noticed something odd: R3's SYN-ACK leaves R1's interface with ACK=1, but arrives at R2 with ACK=666538828, so R2 rejects it.

② Configure MPF to disable sequence-number randomization for this traffic:

ciscoasa(config)# access-list inside-inside permit ip object inside-network1 object inside-network2
ciscoasa(config)# access-list inside-inside permit ip object inside-network2 object inside-network1
ciscoasa(config)# class-map inside
ciscoasa(config-cmap)# match access-list inside-inside
ciscoasa(config)# policy-map inside
ciscoasa(config-pmap)# class inside
ciscoasa(config-pmap-c)# set connection random-sequence-number disable

(A class map and policy map do nothing until the policy map is applied with service-policy, either on the inside interface or globally; the post does not show that step.)

③ telnet now behaves differently, the connection opens:

Trying 20.1.1.3 ... Open
lll
^C
^Z
^^^C^C^C^C^C^C
^^^^^^^^^^^
quit
[Connection to 20.1.1.3 closed by foreign host]

-------- Captures show the three-way handshake now completes, but the session cannot continue in both directions: R2's data still goes through the firewall, which has only ever seen R2's half of the conversation, while R3's replies bypass it. The session therefore sits in the connected state and only ends after quit is typed by hand.

④ R3 telnets to R2

Three-way handshake: R3's SYN reaches R1, which hands it straight to R2 on the connected segment. R2's SYN-ACK follows R2's default route to the firewall, which has no connection for it and drops it (the 106015 "flags SYN ACK" message above), so the handshake never completes.
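To make the sequence-number argument concrete, here is a small model of the handshake, added here as an example and not taken from the post or from Cisco. It models only two firewall behaviours: the offset the ASA adds to the client's initial sequence number in the SYN (and subtracts again from the acknowledgment number of replies that pass back through it), and the "no connection" drop for packets that arrive with no matching state. Only the client ISN is randomized and the data phase is not modelled, so it covers the four outcomes of sections 7.A to 7.C and the two fixes that follow, nothing more. Addresses and ports are the ones in the post; the offset values are generated from a fixed seed.

```python
"""Toy model of a TCP handshake that hairpins through an ASA (added example)."""
import random

MOD = 2 ** 32
R2, R3 = "10.1.1.2", "20.1.1.3"


def pkt(src, sport, dst, dport, flags, seq, ack):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": set(flags), "seq": seq % MOD, "ack": ack % MOD}


class Asa:
    """Connection table keyed by the SYN's 4-tuple; value is the ISN offset."""

    def __init__(self, randomize=True, seed=1):
        self.randomize = randomize
        self.rng = random.Random(seed)
        self.conns = {}
        self.log = []

    def process(self, p):
        """Return the packet as forwarded, or None if the firewall drops it."""
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        rkey = (p["dst"], p["dport"], p["src"], p["sport"])
        if key in self.conns:                      # client -> server direction
            off = self.conns[key]
            if "RST" in p["flags"]:
                del self.conns[key]
                self.log.append(f"Teardown {key} TCP Reset")
            return dict(p, seq=(p["seq"] + off) % MOD)
        if rkey in self.conns:                     # server -> client direction
            return dict(p, ack=(p["ack"] - self.conns[rkey]) % MOD)
        if p["flags"] == {"SYN"}:                  # new connection
            off = self.rng.randrange(1, MOD) if self.randomize else 0
            self.conns[key] = off
            self.log.append(f"Built {key} offset {off}")
            return dict(p, seq=(p["seq"] + off) % MOD)
        self.log.append(f"Deny TCP (no connection) from {p['src']}/{p['sport']} "
                        f"to {p['dst']}/{p['dport']} flags {' '.join(sorted(p['flags']))}")
        return None


def handshake(asa, client, server, fwd_via_asa, ret_via_asa, seed=7):
    """Run a client -> server handshake; each direction may or may not cross the ASA."""
    rng = random.Random(seed)
    c_isn, s_isn = rng.randrange(MOD), rng.randrange(MOD)
    sport, dport = 23957, 23
    fwd = asa.process if fwd_via_asa else (lambda p: p)
    ret = asa.process if ret_via_asa else (lambda p: p)

    syn = fwd(pkt(client, sport, server, dport, {"SYN"}, c_isn, 0))
    if syn is None:
        return "syn_dropped"
    # The server acknowledges whatever sequence number it saw in the SYN.
    synack = ret(pkt(server, dport, client, sport, {"SYN", "ACK"}, s_isn, syn["seq"] + 1))
    if synack is None:
        return "synack_dropped_no_conn"
    # The client accepts only an acknowledgment number equal to its own ISN + 1.
    if synack["ack"] != (c_isn + 1) % MOD:
        fwd(pkt(client, sport, server, dport, {"RST"}, c_isn + 1, 0))
        return "client_rst_ack_mismatch"
    ack = fwd(pkt(client, sport, server, dport, {"ACK"}, c_isn + 1, s_isn + 1))
    if ack is None:
        return "ack_dropped"
    return "established" if ack["ack"] == (s_isn + 1) % MOD else "server_rst"


def run_scenarios():
    """The post's cases: which direction crosses the firewall decides the outcome."""
    return {
        # 7.A: R2 -> R3, SYN hairpins through the ASA, SYN-ACK comes back via R1
        "r2_to_r3_randomized": handshake(Asa(randomize=True), R2, R3, True, False),
        # 7.C.②/③: same paths after 'set connection random-sequence-number disable'
        "r2_to_r3_norandom": handshake(Asa(randomize=False), R2, R3, True, False),
        # 7.B / 7.C.④: R3 -> R2, SYN goes direct, SYN-ACK hits the ASA with no state
        "r3_to_r2": handshake(Asa(randomize=True), R3, R2, False, True),
        # Fix A: neither direction touches the firewall
        "neither_via_asa": handshake(Asa(randomize=True), R2, R3, False, False),
        # Fix B: both directions go through the firewall
        "both_via_asa": handshake(Asa(randomize=True), R2, R3, True, True),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:22s} {result}")
```

The model shows why disabling randomization is only half a fix: it makes the R2 -> R3 handshake complete, but the R3 -> R2 direction still fails because the firewall drops the SYN-ACK for a SYN it never saw, and only symmetric paths (either both through the firewall or both around it) fix both directions.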

8. Two ways to fix it:

A. Keep both directions away from the firewall

On R2, add a route for 20.1.1.0/24 via R1:

R2(config)#ip route 20.1.1.0 255.255.255.0 10.1.1.1

---- The TELNET test now succeeds:

R3#  telnet 10.1.1.2
Trying 10.1.1.2 ... Open
User Access Verification
Password: 

B. Send both directions through the firewall

Any one of the following changes on R1 makes R1 hand return traffic for 10.1.1.0/24 (or for the single host 10.1.1.2) to the firewall instead of delivering it directly on the connected segment.

① Policy routing on R1 with the firewall's inside interface as next hop, applied inbound on f0/1, the interface facing R3:

R1(config)#ip access-list extended inside
R1(config-ext-nacl)#permit ip any 10.1.1.0 0.0.0.255
R1(config-ext-nacl)#exit
R1(config)#route-map inside permit 10
R1(config-route-map)#match ip address inside
R1(config-route-map)#set ip next-hop 10.1.1.10
R1(config-route-map)#exit
R1(config)#interface f0/1
R1(config-if)#ip policy route-map inside
R1(config-if)#exit

---- The TELNET test succeeds again; the session reaches the Password: prompt.

② A host route on R1 pointing at the firewall (the /32 wins over the connected /24):

R1(config)#ip route 10.1.1.2 255.255.255.255 10.1.1.10

③ A static ARP entry on R1 mapping 10.1.1.2 to the MAC address of the firewall's inside interface, so frames for R2 are delivered to the firewall at layer 2 and the firewall forwards them to R2 out the same interface:

ASA# show interface e0
Interface Ethernet0 "inside", is up, line protocol is up
 Hardware is i82559, BW 100 Mbps, DLY 100 usec
       Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
       MAC address 00ab.bffb.c400, MTU 1500
       IP address 10.1.1.10, subnet mask 255.255.255.0

R1(config)#arp 10.1.1.2 00ab.bffb.c400 arpa 
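Whether a fix works comes down to one question: does each direction of the R2/R3 flow cross the firewall or not? The checker below, an added example that is not from the post or from Cisco, replays the post's static routes through a longest-prefix-match lookup, with policy routing as an override and with the ASA's same-security intra-interface setting modelled as a drop when it is off, and reports the hop list for both directions in the original setup and after fix A, fix B① (policy routing) and fix B② (host route). The static-ARP variant B③ is not modelled; for path purposes it behaves like the host route. Node and interface names are the post's; the `<dropped>` and `<loop>` markers are this script's own.

```python
"""Path-symmetry check for the R2 <-> R3 flow (added example)."""
import ipaddress as ipa


class Node:
    def __init__(self, name, ifaces, routes=(), pbr=(), intra_interface=True):
        self.name = name
        self.ifaces = {n: ipa.ip_interface(a) for n, a in ifaces.items()}
        self.routes = [(ipa.ip_network(p), ipa.ip_address(h)) for p, h in routes]
        # policy routing entries: (ingress interface, destination prefix, next hop)
        self.pbr = [(i, ipa.ip_network(p), ipa.ip_address(h)) for i, p, h in pbr]
        self.intra_interface = intra_interface   # may traffic leave by its ingress interface?

    def owns(self, ip):
        return any(i.ip == ip for i in self.ifaces.values())

    def iface_for(self, ip):
        return next((n for n, i in self.ifaces.items() if ip in i.network), None)

    def next_hop(self, dst, in_if):
        for ing, net, hop in self.pbr:
            if ing == in_if and dst in net:
                nh = hop
                break
        else:
            # Connected networks compete with static routes on prefix length,
            # so a /32 static route beats a connected /24 (fix B②).
            cands = [(i.network, None) for i in self.ifaces.values()] + self.routes
            best = max((c for c in cands if dst in c[0]),
                       key=lambda c: c[0].prefixlen, default=None)
            if best is None:
                return None
            nh = dst if best[1] is None else best[1]
        if self.iface_for(nh) == in_if and not self.intra_interface:
            return None            # ASA without same-security-traffic permit intra-interface
        return nh


def trace(nodes, src, dst_ip, max_hops=8):
    """Hop list from node `src` to `dst_ip`, ending in a marker if delivery fails."""
    dst = ipa.ip_address(dst_ip)
    by_ip = {i.ip: (n, ifn) for n in nodes.values() for ifn, i in n.ifaces.items()}
    node, in_if, path = nodes[src], None, [src]
    for _ in range(max_hops):
        if node.owns(dst):
            return path
        nh = node.next_hop(dst, in_if)
        if nh is None or nh not in by_ip:
            return path + ["<dropped>"]
        node, in_if = by_ip[nh]
        path.append(node.name)
    return path + ["<loop>"]


def build(fix=None, asa_intra=True):
    """Topology from the post; `fix` is None, "A", "B1" (policy routing) or "B2" (/32 route)."""
    r1_routes, r1_pbr = [("0.0.0.0/0", "10.1.1.10")], []
    r2_routes = [("0.0.0.0/0", "10.1.1.10")]
    if fix == "A":
        r2_routes.append(("20.1.1.0/24", "10.1.1.1"))
    elif fix == "B1":
        r1_pbr.append(("f0/1", "10.1.1.0/24", "10.1.1.10"))
    elif fix == "B2":
        r1_routes.append(("10.1.1.2/32", "10.1.1.10"))
    nodes = [
        Node("ASA", {"inside": "10.1.1.10/24", "outside": "202.1.1.10/24"},
             [("20.1.1.0/24", "10.1.1.1")], intra_interface=asa_intra),
        Node("R1", {"f0/0": "10.1.1.1/24", "f0/1": "20.1.1.1/24"}, r1_routes, r1_pbr),
        Node("R2", {"f0/0": "10.1.1.2/24"}, r2_routes),
        Node("R3", {"f0/0": "20.1.1.3/24"}, [("0.0.0.0/0", "20.1.1.1")]),
    ]
    return {n.name: n for n in nodes}


def analyse(fix=None, asa_intra=True):
    """Both directions of the R2 <-> R3 flow and whether they agree about the firewall."""
    nodes = build(fix, asa_intra)
    fwd, ret = trace(nodes, "R2", "20.1.1.3"), trace(nodes, "R3", "10.1.1.2")
    delivered = "<dropped>" not in fwd and "<dropped>" not in ret
    return {"fwd": fwd, "ret": ret,
            "symmetric": delivered and (("ASA" in fwd) == ("ASA" in ret))}


if __name__ == "__main__":
    for fix in (None, "A", "B1", "B2"):
        print(fix, analyse(fix))
```

Fix A removes the firewall from both directions, fixes B① and B② put it into both; the unfixed topology is the only case where the two hop lists disagree about the ASA, which is exactly the condition under which the TCP tests in section 7 failed.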

9. Summary:

A. On ASA 8.4(2), traffic that enters and leaves through the same interface does not hit the NAT rule, so no NAT exemption is needed: the object's `nat (inside,outside)` statement is bound to that interface pair, and inside-to-inside traffic never matches it.

----- My understanding: because the NAT statement inside the object already names the zones, this is an advantage of the new NAT over the traditional configuration, one statement does it.

B. NAT on ASA 8.3 and later is configured very differently from earlier versions.

This article is reposted from 碧雲天's 51CTO blog; original link: http://blog.51cto.com/333234/859180. Contact the original author before republishing.