實驗任務
驗證R1可以telnet到R2和R3,R3可以telnet到R2但不能telnet到R1,R2不能telnet到R1和R3
思路及實驗步驟
将RR的端口額IP設定正确并開啟路由功能
Enable
Configure terminal
Ip routing
Interface fastethernet 1/0
Ip address 172.16.1.1 255.255.255.0
No shutdown
Exit
Interface fastethernet 0/0
Ip address 4.4.4.2 255.255.255.0
配置好R2的端口的IP位址并關閉路由功能
No ip routing
Ip default-gateway 4.4.4.2
Ip address 4.4.4.1 255.255.255.0
配置好R1的端口的IP位址并關閉路由功能
Ip default-gateway 10.1.1.254
Ip address 10.1.1.1 255.255.255.0
配置好R3的端口的IP位址并關閉路由功能
Ip default-gateway 192.168.1.254
Ip address192.168.1.1 255.255.255.0
首先先清除ASA防火牆的配置
Clear configure all
配置ASA防火牆端口的IP并設定優先級和端口名
Interface gigabitethernet 0
Ip address 10.1.1.254 255.255.255.0
Nameif inside
Security-level 100
Interface gigabitethernet 1
Ip address 172.16.1.254 255.255.255.0
Nameif outside
Security-level 0
Interface gigabitethernet 2
Ip address 192.168.1.254 255.255.255.0
Nameif DMZ
Security-level 50
因為ASA防火牆在流量通路時先看conn表然後再看acl表然後再看優先級
是以需要配置ACL
Access-list 100 extended permit ip any any
Access-list 100 extended permit ip host 172.16.1.0 any
Access-list 100 extended permit ip host 4.4.4.0 any
Access-group 100 in interface outside
因為ASA上防火牆沒有4.4.4.0的路由
是以需要添加一個預設路由
Route outside 0.0.0.0 0.0.0.0 172.16.1.1
因為RR上沒有R1的路由
Ip route 0.0.0.0 0.0.0.0 172.16.1.254
在R2和RR上開啟telnet功能并設定密碼
enable password 123456zzz
line vty 0 4
password 123456
結果驗證 驗證與測試
show conn detail
R1:
Ping 172.16.1.1
Ping 4.4.4.1
telnet 172.16.1.1
telnet 4.4.4.1
問題及分析
ICMP在預設情況下是不能允許通過的
優先級小的不能直接通路優先級大的
ASA先檢查conn表再檢查acl表再檢查優先級
本文轉自 Mr_Lee_1986 51CTO部落格,原文連結:http://blog.51cto.com/13504837/2058696,如需轉載請自行聯系原作者
![vulnhub DC-4靶機實戰0X01 環境部署[圖]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)