
Configuring DHCP relay on the ASA

1. Topology:

(Topology diagram: http://blog.51cto.com/attachment/201205/164716676.jpg)

The DHCP server (R2, 20.1.1.10) sits in the dmz zone. R1 on the inside interface is the DHCP client, R3 sits on the outside interface. Security levels: inside 100, dmz 50, outside 0.

2. Interface configuration:

R1:

R1(config)#int e0/0

R1(config-if)#ip address dhcp 

R1(config-if)#shutdown

----e0/0 stays shut down until the test in step 6, so the DHCP exchange can be captured from the start

R2:

R2(config)#int e0/0

R2(config-if)#ip add 20.1.1.10 255.255.255.0

R2(config-if)#no sh

R3:

R3(config)#int e0/0

R3(config-if)#ip add 30.1.1.10 255.255.255.0

R3(config-if)#no sh

ASA:

ASA(config)# int e0

ASA(config-if)# ip add 10.1.1.1 255.255.255.0

ASA(config-if)# nameif inside

INFO: Security level for "inside" set to 100 by default.

ASA(config-if)# no sh

ASA(config-if)# 

ASA(config-if)# int e1

ASA(config-if)# ip add 20.1.1.1 255.255.255.0

ASA(config-if)# nameif dmz

INFO: Security level for "dmz" set to 0 by default.

ASA(config-if)# security-level 50

ASA(config-if)# int e2

ASA(config-if)# ip add 30.1.1.1 255.255.255.0

ASA(config-if)# nameif outside

INFO: Security level for "outside" set to 0 by default.

----e1 (dmz) and e2 (outside) also need no shutdown; the transcript does not show it, but the relay cannot reach R2 while e1 is down

3. Routing configuration:

R2(config)#ip route 0.0.0.0 0.0.0.0 20.1.1.1

------R2 needs a route to the inside interface's subnet (10.1.1.0/24, here covered by the default route via 20.1.1.1); otherwise it cannot hand an address to R1, because the relayed reply is unicast back to the relay agent address 10.1.1.1, not broadcast

R3(config)#ip route 0.0.0.0 0.0.0.0 30.1.1.1

4. Configure R2 as the DHCP server:

A. The address exclusion must be configured first

R2(config)#ip dhcp excluded-address 10.1.1.1

----Testing showed that if the inside interface address is not excluded first, the server hands the ASA's inside address 10.1.1.1 to the DHCP client. IOS pings a candidate address before assigning it and treats an unanswered ping as "free"; the ASA only answers ICMP on the interface the ping arrives on, so a ping from dmz to 10.1.1.1 never gets a reply and the address looks unused

-----Adding the exclusion after the pool has already been created (and 10.1.1.1 has already been handed out) did not take effect in the test: an existing binding survives the exclusion. Clear it on R2 with clear ip dhcp binding * and let the client renew

B. Then configure the DHCP pool

R2(config)#ip dhcp pool dhcppool

R2(dhcp-config)#network 10.1.1.0 /24

5. Configure DHCP relay on the ASA:

ASA(config)# dhcprelay server 20.1.1.10 dmz

-----Address of the DHCP server (R2) and the interface it is reached through. The original session typed 20.1.1.1 here, but that is the ASA's own dmz interface address, not the server; R2 is 20.1.1.10, which is also the server address R1 installs a /32 route for in the test below. The server must be defined before relay is enabled, and relay cannot be enabled on an interface that also runs the ASA's own dhcpd

ASA(config)# dhcprelay setroute inside

----Rewrite the first default router (option 3) in replies going out the inside interface to the inside interface address 10.1.1.1; if the server sent no router option (the pool above has no default-router), the ASA adds one. This is where R1's default route comes from

ASA(config)# dhcprelay enable inside

----Enable DHCP relay on the inside interface. No access-list is needed: the ASA itself forwards the client broadcast as a unicast to the server and relays the reply back

6. Test:

A. Bring up R1's e0/0 and capture packets on R2's interface

R1 obtains an IP address and a default route whose next hop is the firewall's inside interface address (the /32 route to 20.1.1.10 is the host route IOS installs toward the DHCP server it learned the lease from):

R1(config-if)#no sh

R1(config-if)#

*Mar  1 01:46:31.595: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up

*Mar  1 01:46:32.595: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up

*Mar  1 01:46:35.903: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/0 assigned DHCP address 10.1.1.2, mask 255.255.255.0, hostname R1

R1#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.1.1 to network 0.0.0.0

     20.0.0.0/32 is subnetted, 1 subnets

S       20.1.1.10 [254/0] via 10.1.1.1, Ethernet0/0

     10.0.0.0/24 is subnetted, 1 subnets

C       10.1.1.0 is directly connected, Ethernet0/0

S*   0.0.0.0/0 [254/0] via 10.1.1.1

B. Packet capture analysis

1) The client's DHCP broadcast (DISCOVER/REQUEST to 255.255.255.255) leaves the relay as a unicast: the ASA sets giaddr to its inside address 10.1.1.1 and forwards the packet out the dmz interface to 20.1.1.10. The server's OFFER/ACK comes back as a unicast to 10.1.1.1, and the ASA rebroadcasts it on inside.

2) Before assigning an address the DHCP server pings it (IOS conflict detection). The ping from dmz (security-level 50) toward inside (100) is dropped by the firewall's default policy, so the probe times out and the server treats the address as unused. This is why the exclusion in step 4 is mandatory: through the ASA the ping check can never detect a conflict.

(Packet capture: http://blog.51cto.com/attachment/201205/164824242.jpg)
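As an added example (not code from the original post, and not Cisco code), the exchange above modelled in Python: a minimal BOOTP/DHCP encoder/decoder, the relay behaviour applied by dhcprelay enable inside and dhcprelay server (giaddr set to 10.1.1.1, hops incremented, broadcast forwarded as a unicast to the server), a simplified IOS-style pool with excluded-address and the ping-based conflict probe, and the option 3 rewrite done by dhcprelay setroute inside. The addresses are the lab's; the probe returns "no reply" for every address, which is what the firewall policy causes here, and the client MAC is constructed. run_lab(True) reproduces the working configuration (R1 gets 10.1.1.2 with default router 10.1.1.1); run_lab(False) shows the server handing out the ASA's own inside address when the exclusion is missing.

```python
"""Added example: model of the relayed DHCP exchange in this lab (not Cisco code).
Lab addresses: ASA inside 10.1.1.1, ASA dmz 20.1.1.1, R2 = DHCP server 20.1.1.10."""
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 3, 53, 54, 255
HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed BOOTP header, 236 bytes


def ip2b(a): return ipaddress.IPv4Address(a).packed
def b2ip(b): return str(ipaddress.IPv4Address(bytes(b)))


def build(op, xid, mac, options, yiaddr="0.0.0.0", giaddr="0.0.0.0", hops=0):
    """Encode a BOOTP/DHCP message (broadcast flag set, options as (tag, bytes))."""
    hdr = struct.pack(HDR, op, 1, 6, hops, xid, 0, 0x8000, ip2b("0.0.0.0"),
                      ip2b(yiaddr), ip2b("0.0.0.0"), ip2b(giaddr),
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([t, len(v)]) + v for t, v in options)
    return hdr + MAGIC + body + bytes([OPT_END])


def parse(pkt):
    """Decode the fields and options this example needs."""
    f = struct.unpack(HDR, pkt[:236])
    assert pkt[236:240] == MAGIC, "not a DHCP message"
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                      # pad option
            i += 1
            continue
        tag, ln = pkt[i], pkt[i + 1]
        opts[tag] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": f[0], "hops": f[3], "xid": f[4], "yiaddr": b2ip(f[8]),
            "giaddr": b2ip(f[10]), "chaddr": f[11][:6], "opts": opts}


def relay_to_server(pkt, relay_if_ip, server_ip):
    """dhcprelay enable inside + dhcprelay server: hops+1, giaddr set to the
    receiving interface (if still zero), packet forwarded as a unicast to the server."""
    b = bytearray(pkt)
    b[3] += 1                                # hops
    if b[24:28] == b"\0\0\0\0":              # giaddr
        b[24:28] = ip2b(relay_if_ip)
    return {"dst": server_ip, "pkt": bytes(b)}


def relay_to_client(reply, relay_if_ip, setroute=True):
    """Server replies unicast to giaddr; the relay rebroadcasts on the client side.
    dhcprelay setroute: the first router in option 3 becomes the interface address,
    and the option is added when the server sent none (the lab pool has no default-router)."""
    b = bytearray(reply)
    i, found = 240, False
    while i < len(b) and b[i] != OPT_END:
        if b[i] == 0:
            i += 1
            continue
        tag, ln = b[i], b[i + 1]
        if tag == OPT_ROUTER and setroute:
            b[i + 2:i + 6] = ip2b(relay_if_ip)        # first router only
            found = True
        i += 2 + ln
    if setroute and not found:
        b[i:i] = bytes([OPT_ROUTER, 4]) + ip2b(relay_if_ip)   # insert before END
    return {"dst": "255.255.255.255", "pkt": bytes(b)}


class IosStylePool:
    """Simplified ip dhcp pool: lowest host address that is not excluded, not bound
    and does not answer the pre-assignment ping. An unanswered ping counts as free,
    which is why the firewall's inside address (never answering from dmz) must be excluded."""

    def __init__(self, network, server_ip, excluded=(), probe=lambda ip: False):
        self.net = ipaddress.ip_network(network)
        self.server_ip = server_ip
        self.excluded = {ipaddress.ip_address(x) for x in excluded}
        self.bindings = {}
        self.probe = probe                   # True means the address answered the ping

    def handle(self, pkt):
        msg = parse(pkt)
        if msg["opts"].get(OPT_MSG_TYPE) != bytes([DHCPDISCOVER]):
            return None
        for ip in self.net.hosts():
            if ip in self.excluded or ip in self.bindings.values() or self.probe(str(ip)):
                continue
            self.bindings[msg["chaddr"]] = ip
            offer = build(BOOTREPLY, msg["xid"], msg["chaddr"],
                          [(OPT_MSG_TYPE, bytes([DHCPOFFER])), (OPT_SERVER_ID, ip2b(self.server_ip))],
                          yiaddr=str(ip), giaddr=msg["giaddr"])
            return {"dst": msg["giaddr"], "pkt": offer}   # unicast to the relay, not the client
        return None


def run_lab(exclude_inside):
    """One DISCOVER/OFFER round trip through the lab topology."""
    asa_inside, r2 = "10.1.1.1", "20.1.1.10"
    # dmz->inside pings are dropped by the ASA's default policy and the ASA does not
    # answer ICMP on a far-side interface, so R2's probe never gets a reply here.
    pool = IosStylePool("10.1.1.0/24", r2, excluded=["10.1.1.1"] if exclude_inside else [],
                        probe=lambda ip: False)
    discover = build(BOOTREQUEST, 0x1234, b"\xca\x01\x02\x03\x00\x00",   # constructed MAC
                     [(OPT_MSG_TYPE, bytes([DHCPDISCOVER]))])
    fwd = relay_to_server(discover, asa_inside, r2)
    offer = pool.handle(fwd["pkt"])
    back = relay_to_client(offer["pkt"], asa_inside)
    got = parse(back["pkt"])
    return {"unicast_to": fwd["dst"], "giaddr": parse(fwd["pkt"])["giaddr"],
            "offer_sent_to": offer["dst"], "client_ip": got["yiaddr"],
            "router": b2ip(got["opts"][OPT_ROUTER])}


if __name__ == "__main__":
    print("with exclusion:   ", run_lab(True))
    print("without exclusion:", run_lab(False))
```

The probe callback is where a real deployment differs: on a flat LAN the ping would reach the host and conflicts would be caught, but through an ASA the server only ever sees silence, so the exclusion list is the only thing keeping infrastructure addresses out of the pool.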

This article is reposted from 碧云天's 51CTO blog; original link: http://blog.51cto.com/333234/852408. Contact the original author for reprint permission.