实验任务
验证R1可以telnet到R2和R3,R3可以telnet到R2但不能telnet到R1,R2不能telnet到R1和R3
思路及实验步骤
将RR的端口额IP设置正确并开启路由功能
Enable
Configure terminal
Ip routing
Interface fastethernet 1/0
Ip address 172.16.1.1 255.255.255.0
No shutdown
Exit
Interface fastethernet 0/0
Ip address 4.4.4.2 255.255.255.0
配置好R2的端口的IP地址并关闭路由功能
No ip routing
Ip default-gateway 4.4.4.2
Ip address 4.4.4.1 255.255.255.0
配置好R1的端口的IP地址并关闭路由功能
Ip default-gateway 10.1.1.254
Ip address 10.1.1.1 255.255.255.0
配置好R3的端口的IP地址并关闭路由功能
Ip default-gateway 192.168.1.254
Ip address192.168.1.1 255.255.255.0
首先先清除ASA防火墙的配置
Clear configure all
配置ASA防火墙端口的IP并设置优先级和端口名
Interface gigabitethernet 0
Ip address 10.1.1.254 255.255.255.0
Nameif inside
Security-level 100
Interface gigabitethernet 1
Ip address 172.16.1.254 255.255.255.0
Nameif outside
Security-level 0
Interface gigabitethernet 2
Ip address 192.168.1.254 255.255.255.0
Nameif DMZ
Security-level 50
因为ASA防火墙在流量访问时先看conn表然后再看acl表然后再看优先级
所以需要配置ACL
Access-list 100 extended permit ip any any
Access-list 100 extended permit ip host 172.16.1.0 any
Access-list 100 extended permit ip host 4.4.4.0 any
Access-group 100 in interface outside
因为ASA上防火墙没有4.4.4.0的路由
所以需要添加一个缺省路由
Route outside 0.0.0.0 0.0.0.0 172.16.1.1
因为RR上没有R1的路由
Ip route 0.0.0.0 0.0.0.0 172.16.1.254
在R2和RR上开启telnet功能并设置密码
enable password 123456zzz
line vty 0 4
password 123456
结果验证 验证与测试
show conn detail
R1:
Ping 172.16.1.1
Ping 4.4.4.1
telnet 172.16.1.1
telnet 4.4.4.1
问题及分析
ICMP在默认情况下是不能允许通过的
优先级小的不能直接访问优先级大的
ASA先检查conn表再检查acl表再检查优先级
本文转自 Mr_Lee_1986 51CTO博客,原文链接:http://blog.51cto.com/13504837/2058696,如需转载请自行联系原作者
![vulnhub DC-4靶机实战0X01 环境部署[图]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)