ASA Version 8.4(2)
hostname ciscoasa
enable password rQETR98wpSI1Lpr9 encrypted
passwd rQETR98wpSI1Lpr9 encrypted
names
interface GigabitEthernet0
nameif inside
security-level 100
ip address 192.168.1.4 255.255.255.0
!
interface GigabitEthernet1
nameif dmz
security-level 50
no ip address
!
interface GigabitEthernet2
nameif outside
security-level 0
ip address 10.254.1.1 255.255.255.0
!
ftp mode passive
object network test
host 192.168.1.5
pager lines 24
logging enable
logging asdm informational
logging debug-trace
mtu inside 1500
mtu dmz 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network test
nat (inside,outside) dynamic 10.254.1.10 ----动态NAT
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
web***
anyconnect-essentials
username netemu password QTbvAEdn30mERkZb encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect
dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h423 h325
inspect h423 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
crashinfo save disable
Cryptochecksum:bfa7c38d2288de6d8cb12bd5c4be8eb6
: end
NAT转化击中计数器 :
ciscoasa# show nat detail 去往Outside地址段的地址转换
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic test 10.254.1.10
translate_hits = 126, untranslate_hits = 90
Source - Origin: 192.168.1.5/32, Translated: 10.254.1.10/32
在实验过程中发现inspection引擎下的配置删除掉了 需手动加上
并加上以下配置:
policy-map global_policy
class inspection_default
inspect icmp
网上有详细解释!
Inside 路由器配置 :
In#show running-config
Building configuration...
Current configuration : 959 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
ip domain name lab.local
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
interface FastEthernet0/0
ip address 192.168.1.5 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.4
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
end
Outside 路由器配置 :
Out#show runn
Building configuration...
Current configuration : 1006 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Out
no ip domain lookup
ip domain name lab.local
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
username admin password 0 cisco
interface FastEthernet0/0
ip address 10.254.1.5 255.255.255.0
duplex auto
speed auto
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.254.1.1 ----- 默认路由 指向Inside端网络
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
password cisco
login
end
我们需要了解ASA对于inbound和outbound的定义 :
高安全级别 ----> 低安全级别 outbound
低安全级别 ----> 高安全级别 inbound
默认情况 :出站流量是允许的 (特例请见下文)
进流量是禁止的
也就是从高到低方向是允许的,也可以返回的。但不可以直接从低到高。
ACL可以禁止或允许这两个方向的流量