ASA icmp检测和内网NAT转化

发布时间:2020-06-07 15:22:05 作者:y450wang
来源:网络 阅读:1526

 拓扑结构 :

 

In(R1) ---- (inside)ASA 5520(outside) --- Out(R2)
 
 
 
 
ASA配置 :
 
 
ASA Version 8.4(2)
hostname ciscoasa
enable password rQETR98wpSI1Lpr9 encrypted
passwd rQETR98wpSI1Lpr9 encrypted
names
interface GigabitEthernet0
nameif inside
security-level 100
ip address 192.168.1.4 255.255.255.0
!
interface GigabitEthernet1
nameif dmz
security-level 50
no ip address
!
interface GigabitEthernet2
nameif outside
security-level 0
ip address 10.254.1.1 255.255.255.0
!
ftp mode passive
object network test
host 192.168.1.5
pager lines 24
logging enable
logging asdm informational
logging debug-trace
mtu inside 1500
mtu dmz 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network test
nat (inside,outside) dynamic 10.254.1.10   ----动态NAT
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
web***
anyconnect-essentials
username netemu password QTbvAEdn30mERkZb encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h423 h325
inspect h423 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
 
crashinfo save disable
Cryptochecksum:bfa7c38d2288de6d8cb12bd5c4be8eb6
: end
 
 
 
NAT转化击中计数器 :
ciscoasa# show nat detail      去往Outside地址段的地址转换
 
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic test 10.254.1.10
translate_hits = 126, untranslate_hits = 90
Source - Origin: 192.168.1.5/32, Translated: 10.254.1.10/32
 
 
在实验过程中发现inspection引擎下的配置删除掉了 需手动加上
并加上以下配置:
policy-map global_policy
class inspection_default
inspect icmp
网上有详细解释!
 
 
 
Inside 路由器配置 :
In#show running-config
Building configuration...
 
Current configuration : 959 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
ip domain name lab.local
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
interface FastEthernet0/0
ip address 192.168.1.5 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.4
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
end
 
 
 
Outside 路由器配置 :
Out#show runn
Building configuration...
 
Current configuration : 1006 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Out
no ip domain lookup
ip domain name lab.local
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
 
username admin password 0 cisco
interface FastEthernet0/0
ip address 10.254.1.5 255.255.255.0
duplex auto
speed auto
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.254.1.1   ----- 默认路由 指向Inside端网络
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
password cisco
login
end
 
 
我们需要了解ASA对于inbound和outbound的定义 :
高安全级别  ----> 低安全级别   outbound
低安全级别  ----> 高安全级别   inbound
 
默认情况 :出站流量是允许的 (特例请见下文)
           进流量是禁止的  
 
也就是从高到低方向是允许的,也可以返回的。但不可以直接从低到高。
 
ACL可以禁止或允许这两个方向的流量
 

 摘自 ASA840 配置手册 讲的是inspection引擎对于一些特定协议流量的检测机制 

ACL 返回流量规则 :  

For TCP and UDP connections for both routed and transparent mode, you do not need an access rule to allow returning traffic because the ASA allows all returning traffic for established, bidirectionalconnections. For connectionless protocols such as ICMP, however, the ASA establishes unidirectional sessions,

For connectionless protocols such as ICMP, however, the ASA establishes unidirectional sessions, so you either need access rules to allow ICMP in both directions (by applying access lists to the source and destination interfaces), or you need to enable the ICMP inspection engine. The ICMP inspection enginetreats ICMP sessions as bidirectional connections. To control ping, specify echo-reply (0) (ASA to host)or echo (8) (host to ASA).

 

思科官方文档解释还是蛮给力的  需要我们好好膜拜! 

推荐阅读:
  1. ASA
  2. ASA基于用户的MPF 、高级访问控 制和地址转换_05

免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。

na

上一篇:jQuery特效(二)

下一篇:架构演进之「微服务架构」

相关阅读

您好,登录后才能下订单哦!

密码登录
登录注册
其他方式登录
点击 登录注册 即表示同意《亿速云用户服务条款》