Boot ASA1:
#/mnt/disk0/lina_monitor ciscoasa
> enable
invalid password
password:
ciscoasa#
Configure IP addresses:
r1(config)#int fa0/0
r1(config-if)#ip address 11.0.0.1 255.255.255.0
r1(config-if)#no shut
ciscoasa(config)# int e0/0
ciscoasa(config-if)# nameif inside
info: security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip address 11.0.0.2 255.255.255.0
ciscoasa(config-if)# no shut
ciscoasa(config)# int e0/1
ciscoasa(config-if)# nameif outside
info: security level for "outside" set to 0 by default.
ciscoasa(config-if)# ip address 12.0.0.1 255.255.255.0
ciscoasa(config-if)# no shut
r2(config)#int fa0/0
r2(config-if)#ip address 12.0.0.2 255.255.255.0
r2(config-if)#no shut
Configure static routes:
r1(config-if)#ip route 12.0.0.0 255.255.255.0 11.0.0.2
r2(config)#ip route 11.0.0.0 255.255.255.0 12.0.0.1
Verify the static routes:
Because ping uses ICMP, which the ASA does not track in its connection (conn) table by default (no `inspect icmp` is enabled), r1's echo request is forwarded from inside to outside, but r2's echo reply arrives on the outside interface (security level 0) with no matching conn entry and no ACL permitting it, so it is dropped. As a result, r1 cannot ping the outside network.
Enable telnet on r2 to verify that the ASA tracks TCP connections statefully:
r2(config)#line vty 0 4
r2(config-line)#password abc
r2(config-line)#login
Telnet from r1 to r2.
At this point r1 can still reach r2 normally.
Conclusion: when r2's reply packets arrive on the outside interface, the firewall first looks for a matching entry in the conn table; the replies of the TCP session r1 initiated match that entry and are forwarded without the interface ACL having to permit them. Only a packet with no conn entry (a new connection initiated from the outside) has to be permitted by the ACL, so a packet passes if either check matches.
Configure a loopback interface on r2 to verify the conclusion above:
r2(config)#int loo 0
r2(config-if)#ip address 2.2.2.2 255.255.255.255
r2(config-if)#no shut
Configure static routes:
r1(config)#ip route 2.2.2.2 255.255.255.255 11.0.0.2
ciscoasa(config)# route outside 2.2.2.2 255.255.255.255 12.0.0.2
In the ACL "asa_acl", permit host 2.2.2.2 (a /32) through the firewall:
ciscoasa(config)# access-list asa_acl permit tcp 2.2.2.2 255.255.255.255 any
ciscoasa(config)# access-group asa_acl in interface outside
Telnet from r1 to r2:
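To make the ping-fails / telnet-works behaviour and the conn-table-before-ACL ordering concrete, here is a small Python model of the ASA's forwarding decision. It is an added illustration written for this page, not Cisco code and not part of the original lab; the interface names, security levels, addresses and the ACL entry mirror the configuration above, while the decision rules (outbound allowed by default, conn lookup first, then the inbound ACL, ICMP tracked only with `inspect icmp`) are stated as assumptions about default ASA behaviour.

```python
"""Toy model of how a Cisco ASA decides whether to forward a packet.

Added illustration for this lab write-up; not ASA code.  Assumed rules:
  * Traffic from a higher-security interface to a lower one is allowed by
    default and creates a conn entry for TCP/UDP (and ICMP only when ICMP
    inspection is enabled).
  * A packet arriving on the lower-security interface is first matched
    against the conn table; a reply of an existing flow is forwarded
    without consulting the interface ACL.
  * Otherwise the packet must be permitted by the ACL applied inbound on
    the arriving interface (implicit deny at the end), or it is dropped.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # TCP/UDP source port
    dport: int = 0        # TCP/UDP destination port
    icmp_id: int = 0      # ICMP identifier (shared by request and reply)


@dataclass(frozen=True)
class AclEntry:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp", "udp" or "icmp"
    src: str              # a host address or "any"
    dst: str              # a host address or "any"

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        return self.src in ("any", pkt.src) and self.dst in ("any", pkt.dst)


class Asa:
    def __init__(self, inspect_icmp: bool = False):
        self.levels = {}          # interface name -> security level
        self.acls = {}            # interface name -> ACL applied "in"
        self.conns = set()        # conn table: forward-direction flow keys
        self.inspect_icmp = inspect_icmp

    def nameif(self, name: str, level: int) -> None:
        self.levels[name] = level

    def access_group(self, iface: str, entries: list) -> None:
        self.acls[iface] = entries

    def _tracked(self, pkt: Packet) -> bool:
        # ICMP only gets a conn entry when "inspect icmp" is configured.
        return pkt.proto in ("tcp", "udp") or (pkt.proto == "icmp" and self.inspect_icmp)

    @staticmethod
    def _key(pkt: Packet, reverse: bool = False) -> tuple:
        # Flow key; reverse=True builds the key the reply packet would match.
        a, b = (pkt.dst, pkt.src) if reverse else (pkt.src, pkt.dst)
        if pkt.proto == "icmp":
            return ("icmp", a, b, pkt.icmp_id)
        pa, pb = (pkt.dport, pkt.sport) if reverse else (pkt.sport, pkt.dport)
        return (pkt.proto, a, pa, b, pb)

    def _add_conn(self, pkt: Packet) -> None:
        if self._tracked(pkt):
            self.conns.add(self._key(pkt))

    def forward(self, pkt: Packet, in_iface: str, out_iface: str) -> str:
        # 1. conn table: the reply of an existing flow passes regardless of ACL
        if self._tracked(pkt) and self._key(pkt, reverse=True) in self.conns:
            return "permit (conn table)"
        # 2. inbound ACL on the arriving interface, if one is applied
        acl = self.acls.get(in_iface)
        if acl is not None:
            for entry in acl:
                if entry.matches(pkt):
                    if entry.action == "permit":
                        self._add_conn(pkt)
                        return "permit (acl)"
                    return "deny (acl)"
            return "deny (acl implicit deny)"
        # 3. no ACL: fall back to the security-level rule
        if self.levels[in_iface] > self.levels[out_iface]:
            self._add_conn(pkt)
            return "permit (security level)"
        return "deny (security level)"


def run_lab(inspect_icmp: bool = False, outside_acl: list = None) -> dict:
    """Replay the lab's three traffic cases through the model."""
    asa = Asa(inspect_icmp)
    asa.nameif("inside", 100)
    asa.nameif("outside", 0)
    if outside_acl is not None:
        asa.access_group("outside", outside_acl)
    out = {}
    # r1 pings r2: echo request inside->outside, echo reply outside->inside
    req = Packet("icmp", "11.0.0.1", "12.0.0.2", icmp_id=7)
    rep = Packet("icmp", "12.0.0.2", "11.0.0.1", icmp_id=7)
    out["ping_request"] = asa.forward(req, "inside", "outside")
    out["ping_reply"] = asa.forward(rep, "outside", "inside")
    # r1 telnets to r2: SYN inside->outside, SYN-ACK outside->inside
    syn = Packet("tcp", "11.0.0.1", "12.0.0.2", 40000, 23)
    synack = Packet("tcp", "12.0.0.2", "11.0.0.1", 23, 40000)
    out["telnet_syn"] = asa.forward(syn, "inside", "outside")
    out["telnet_synack"] = asa.forward(synack, "outside", "inside")
    # a brand-new TCP connection initiated from 2.2.2.2 on the outside to r1
    new_in = Packet("tcp", "2.2.2.2", "11.0.0.1", 50000, 23)
    out["new_inbound"] = asa.forward(new_in, "outside", "inside")
    return out


if __name__ == "__main__":
    print(run_lab())
    print(run_lab(inspect_icmp=True))
    print(run_lab(outside_acl=[AclEntry("permit", "tcp", "2.2.2.2", "any")]))
```

With default settings the echo reply is denied while the telnet SYN-ACK is permitted by the conn table, reproducing the lab result; enabling `inspect_icmp` makes the ping succeed, and applying the `asa_acl` equivalent on the outside interface lets a new connection from 2.2.2.2 in without affecting the reply traffic of r1's existing session.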
For the latest content see the author's GitHub page: http://qaseven.github.io/