1. Topology diagram:
2. Interface configuration:

PC1:
eth0: 202.1.1.1/24

ASA:
ASA(config)# int e0
ASA(config-if)# ip add 10.1.1.10 255.255.255.0
ASA(config-if)# no sh
ASA(config-if)# nameif inside
ASA(config-if)# int e1
ASA(config-if)# ip add 202.1.1.10 255.255.255.0
ASA(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA(config-if)# no sh

R1:
R1(config)#int f0/0
R1(config-if)#ip add 10.1.1.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#int f0/1
R1(config-if)#ip add 20.1.1.1 255.255.255.0
R1(config-if)#no sh

R2:
R2(config)#int f0/0
R2(config-if)#ip add 10.1.1.2 255.255.255.0
R2(config-if)#no sh

R3:
R3(config)#int f0/0
R3(config-if)#ip add 20.1.1.3 255.255.255.0
R3(config-if)#no sh

3. Routing configuration:

ASA(config)# route inside 20.1.1.0 255.255.255.0 10.1.1.1
R1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.10
R2(config-if)#ip route 0.0.0.0 0.0.0.0 10.1.1.10
R3(config-if)#ip route 0.0.0.0 0.0.0.0 20.1.1.1

Note that R2's default route points at the firewall (10.1.1.10), not at R1, even though R1 is on the same segment; this is what produces the asymmetric path analysed in section 7.

4. Firewall NAT and policy configuration:

ASA(config)# nat (inside) 1 0 0
ASA(config)# global (outside) 1 interface
ASA(config)# access-list outside permit icmp any any echo-reply
ASA(config)# access-group outside in interface outside

5. Public network access test:

R1#ping 202.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/28/52 ms

R2#ping 202.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/29/68 ms

R3#ping 202.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/52/72 ms

6. Configure R2 and R3 to reach each other:

A. R2 pings R3; the firewall logs the following:

%PIX-3-106014: Deny inbound icmp src inside:10.1.1.2 dst inside:20.1.1.1 (type 8, code 0)
%PIX-3-106014: Deny inbound icmp src inside:10.1.1.2 dst inside:20.1.1.1 (type 8, code 0)
%PIX-3-106014: Deny inbound icmp src inside:10.1.1.2 dst inside:20.1.1.1 (type 8, code 0)
%PIX-3-106014: Deny inbound icmp src inside:10.1.1.2 dst inside:20.1.1.1 (type 8, code 0)
%PIX-3-106014: Deny inbound icmp src inside:10.1.1.2 dst inside:20.1.1.1 (type 8, code 0)
%PIX-6-302010: 0 in use, 2 most used

B. Allow traffic to enter and leave the firewall on the same interface (same security level):

ASA(config)# same-security-traffic permit intra-interface

Ping again; it still fails, and the firewall logs the following:

%PIX-7-609001: Built local-host inside:10.1.1.2
%PIX-7-609001: Built local-host inside:20.1.1.1
%PIX-3-305006: portmap translation creation failed for icmp src inside:10.1.1.2 dst inside:20.1.1.1 (type 8, code 0)
%PIX-7-609002: Teardown local-host inside:10.1.1.2 duration 0:00:00
%PIX-7-609002: Teardown local-host inside:20.1.1.1 duration 0:00:00

C. Configure NAT exemption, so that traffic between the two inside segments is not subject to the dynamic PAT of section 4:

ASA(config)# access-list nonat permit ip 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0
ASA(config)# access-list nonat permit ip 20.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0
ASA(config)# nat (inside) 0 access-list nonat

7. Verification

A. Ping packets pass normally in both directions:

R2#ping 20.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/67/92 ms

R3#ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/70/120 ms

B. TCP packets do not pass normally:

R2#telnet 20.1.1.3
Trying 20.1.1.3 ...
% Connection timed out; remote host not responding
R2#
%PIX-6-106015: Deny TCP (no connection) from 10.1.1.2/35246 to 20.1.1.3/23 flags RST on interface inside

C. Analysis of why it fails

1) R3 initiating to R2: when R3 telnets to R2, during the TCP three-way handshake R1 has a directly connected route to R2, so the TCP SYN packet does not pass through the firewall. On the way back, because the destination is not on a directly connected segment, R2 hands the TCP SYN-ACK packet to its default gateway, the firewall; the firewall never inspected the preceding TCP SYN packet, so it refuses to pass the SYN-ACK.

2) R2 initiating to R3: when R2 telnets to R3, R2 hands the TCP SYN packet to the firewall, which permits it and rewrites the packet's sequence number. The TCP SYN-ACK packet does not pass through the firewall, and R2 finds that the sequence number in the packet does not correspond to the one it sent, so R2 discards the packet. (Presumably, even if the firewall were configured not to rewrite sequence numbers so that the three-way handshake could complete, the firewall would still not pass the subsequent session.)
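The three firewall messages in sections 6 and 7 each point at a different misconfiguration (intra-interface deny, NAT translation failure, TCP segment with no connection entry). As an added example that is not part of the original post, the following Python script parses constructed syslog lines modelled on those quoted above and maps each message ID to the corresponding lab finding. The message IDs, the src/dst formats and the hints are taken from the post's own logs and analysis; the sample lines and the hint wording are constructed here.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the ASA/PIX syslog output quoted in sections 6 and 7.
SAMPLE_LOGS = """\
%PIX-3-106014: Deny inbound icmp src inside:10.1.1.2 dst inside:20.1.1.1 (type 8, code 0)
%PIX-3-106014: Deny inbound icmp src inside:10.1.1.2 dst inside:20.1.1.1 (type 8, code 0)
%PIX-3-305006: portmap translation creation failed for icmp src inside:10.1.1.2 dst inside:20.1.1.1 (type 8, code 0)
%PIX-6-106015: Deny TCP (no connection) from 10.1.1.2/35246 to 20.1.1.3/23 flags RST on interface inside
%PIX-6-106015: Deny TCP (no connection) from 10.1.1.2/35247 to 20.1.1.3/23 flags RST on interface inside
not a firewall line at all
""".splitlines()

# %PIX-<severity>-<6-digit id>: <text>   (the ASA prefix uses %ASA- instead of %PIX-)
HEADER = re.compile(r"^%(?:PIX|ASA)-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)$")

# The two src/dst layouts seen in the quoted logs:
#   "src inside:10.1.1.2 dst inside:20.1.1.1"
#   "from 10.1.1.2/35246 to 20.1.1.3/23 flags RST on interface inside"
SRC_DST = re.compile(
    r"(?:src (?P<sif>\w+):(?P<src>[\d.]+) dst (?P<dif>\w+):(?P<dst>[\d.]+)"
    r"|from (?P<src2>[\d.]+)/\d+ to (?P<dst2>[\d.]+)/\d+"
    r"(?: flags (?P<flags>\S+))? on interface (?P<iface>\w+))"
)


def parse(line):
    """Return a dict for a syslog line we understand, or None for anything else."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = {"severity": int(m["sev"]), "id": m["id"], "text": m["text"]}
    f = SRC_DST.search(m["text"])
    if f:
        rec["src"] = f["src"] or f["src2"]
        rec["dst"] = f["dst"] or f["dst2"]
        rec["src_if"] = f["sif"] or f["iface"]
        rec["dst_if"] = f["dif"]          # only present in the src/dst layout
        rec["flags"] = f["flags"]
    return rec


def diagnose(rec):
    """Map a parsed record to the lab finding it corresponds to (hints constructed here)."""
    if rec["id"] == "106014" and rec.get("src_if") and rec["src_if"] == rec.get("dst_if"):
        return ("traffic entering and leaving the same interface denied: "
                "same-security-traffic permit intra-interface not enabled")
    if rec["id"] == "305006":
        return ("translation failed for a hairpinned flow: "
                "add a NAT exemption (nat (inside) 0 access-list ...)")
    if rec["id"] == "106015" and "no connection" in rec["text"]:
        return ("TCP segment with no connection entry: asymmetric path, "
                "the SYN of this flow did not traverse the firewall")
    return None


def triage(lines):
    """Group matching lines by message ID with their count, the flows seen and the hint."""
    findings = defaultdict(lambda: {"count": 0, "flows": set(), "hint": None})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        hint = diagnose(rec)
        if hint is None:
            continue
        entry = findings[rec["id"]]
        entry["count"] += 1
        entry["flows"].add((rec.get("src"), rec.get("dst")))
        entry["hint"] = hint
    return dict(findings)


if __name__ == "__main__":
    for msg_id, entry in sorted(triage(SAMPLE_LOGS).items()):
        print(f"{msg_id}: {entry['count']}x {sorted(entry['flows'])}\n    -> {entry['hint']}")
```

The 106015 hint is the one to watch for in production: a steady stream of "Deny TCP (no connection)" for flows the firewall should be carrying almost always means one direction of the path bypasses it, which is exactly the situation sections 7C and 8 describe.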
See the following link:
8. Two solutions:

A. Packets in both directions bypass the firewall:

1) On R2, add a route to 20.1.1.0 via R1, so that R2 no longer sends return traffic for that segment to its default gateway (the firewall):

R2(config)#ip route 20.1.1.0 255.255.255.0 10.1.1.1

---- Telnet test OK:
R3# telnet 10.1.1.2
Trying 10.1.1.2 ... Open
User Access Verification
Password:

2) I wanted to configure ICMP redirects on the firewall interface instead, but the firewall does not support that feature.

B. Packets in both directions traverse the firewall:

1) On R1, add a host route for R2 pointing to the firewall; the /32 is more specific than R1's connected 10.1.1.0/24, so traffic to R2 is forwarded to the firewall rather than delivered directly:

R1(config)#ip route 10.1.1.2 255.255.255.255 10.1.1.10

---- Telnet test OK:
R3#telnet 10.1.1.2
Trying 10.1.1.2 ... Open
User Access Verification
Password:

2) On R1, apply a route-map on the interface that does not face the firewall, setting the next hop for the segment shared with the firewall to the firewall's interface address:

interface e1
 ip policy route-map inside
ip access-list extended inside
 permit ip any 10.1.1.0 0.0.0.255
route-map inside permit 10
 match ip address inside
 set ip next-hop 10.1.1.10

3) On R1, set the MAC address for 10.1.1.2 to the MAC address of the firewall's inside interface, so that frames for R2 are delivered to the firewall at layer 2:

ASA# show interface e0
Interface Ethernet0 "inside", is up, line protocol is up
 Hardware is i82559, BW 100 Mbps, DLY 100 usec
 Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
 MAC address 00ab.bffb.c400, MTU 1500
 IP address 10.1.1.10, subnet mask 255.255.255.0

R1(config)#arp 10.1.1.2 00ab.bffb.c400 arpa

---- Telnet test OK:
R2#telnet 20.1.1.3
Trying 20.1.1.3 ... Open
User Access Verification
Password:
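To make the path analysis of section 7C and the two fixes of section 8 concrete, here is an added Python model of the lab (not code from the original post): each node's addresses and static routes are taken from sections 2 and 3, forwarding is plain longest-prefix match over the connected /24s and the static routes, and the ASA is reduced to a minimal stateful device that creates a connection entry on a SYN, rewrites the client's initial sequence number by a fixed offset (a constructed stand-in for the real randomisation), and drops any other segment with no entry. Running a SYN and its SYN-ACK through the model reproduces both failure cases from 7C and shows that fix A.1 (route on R2) and fix B.1 (host route on R1) both restore the handshake, one by keeping both directions off the firewall and the other by pulling both directions through it. The fixed offset, the hop limit and the segment fields are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the lab topology (sections 2 and 3): every address sits on a /24.
ADDRS = {
    "ASA": ["10.1.1.10", "202.1.1.10"],
    "R1": ["10.1.1.1", "20.1.1.1"],
    "R2": ["10.1.1.2"],
    "R3": ["20.1.1.3"],
    "PC1": ["202.1.1.1"],
}

ISN_SHIFT = 1000  # assumed stand-in for the ASA's sequence-number randomisation


def base_routes():
    """Static routes (prefix, next hop) exactly as configured in section 3, before either fix."""
    return {
        "ASA": [("20.1.1.0/24", "10.1.1.1")],
        "R1": [("0.0.0.0/0", "10.1.1.10")],
        "R2": [("0.0.0.0/0", "10.1.1.10")],
        "R3": [("0.0.0.0/0", "20.1.1.1")],
        "PC1": [("0.0.0.0/0", "202.1.1.10")],
    }


def owner(ip):
    return next(node for node, addrs in ADDRS.items() if ip in addrs)


def next_hop(node, routes, dst):
    """Longest-prefix match over the node's connected /24s and its static routes.
    Returns the node the packet is handed to next (the host itself if directly connected)."""
    d = ipaddress.ip_address(dst)
    candidates = [(ipaddress.ip_network(a + "/24", strict=False), dst) for a in ADDRS[node]]
    candidates += [(ipaddress.ip_network(prefix), nh) for prefix, nh in routes[node]]
    matches = [(net.prefixlen, nh) for net, nh in candidates if d in net]
    return owner(max(matches)[1]) if matches else None


@dataclass
class Segment:
    src: str
    dst: str
    flags: str
    seq: int
    ack: int


@dataclass
class Firewall:
    """Minimal stateful inspection: a SYN creates a connection entry and has its ISN
    shifted; any other segment needs an existing entry and has the shift undone."""
    conns: dict = field(default_factory=dict)
    denied: list = field(default_factory=list)

    def inspect(self, seg):
        if seg.flags == "SYN":
            self.conns[(seg.src, seg.dst)] = ISN_SHIFT
            seg.seq += ISN_SHIFT
        elif (seg.src, seg.dst) in self.conns:      # client -> server, after the SYN
            seg.seq += self.conns[(seg.src, seg.dst)]
        elif (seg.dst, seg.src) in self.conns:      # server -> client return leg
            seg.ack -= self.conns[(seg.dst, seg.src)]
        else:
            self.denied.append(f"Deny TCP (no connection) from {seg.src} to {seg.dst} flags {seg.flags}")
            return False
        return True


def trace(routes, fw, seg, max_hops=8):
    """Forward seg hop by hop from its source; return (path, delivered)."""
    node = owner(seg.src)
    path = [node]
    while node != owner(seg.dst) and len(path) <= max_hops:
        node = next_hop(node, routes, seg.dst)
        if node is None:
            return path, False
        path.append(node)
        if node == "ASA" and not fw.inspect(seg):
            return path, False
    return path, node == owner(seg.dst)


def handshake(routes, fw, client, server):
    """Send SYN then SYN-ACK through the topology; return (outcome, SYN path, SYN-ACK path)."""
    isn = 5000
    syn = Segment(client, server, "SYN", isn, 0)
    fwd, ok = trace(routes, fw, syn)
    if not ok:
        return "SYN dropped", fwd, []
    synack = Segment(server, client, "SYN-ACK", 7000, syn.seq + 1)  # server acks what it saw
    rev, ok = trace(routes, fw, synack)
    if not ok:
        return "SYN-ACK denied by ASA (no connection)", fwd, rev
    if synack.ack != isn + 1:
        return "SYN-ACK rejected by client (ack does not match its ISN)", fwd, rev
    return "established", fwd, rev


if __name__ == "__main__":
    fix_a = base_routes(); fix_a["R2"].append(("20.1.1.0/24", "10.1.1.1"))   # section 8 A.1
    fix_b = base_routes(); fix_b["R1"].append(("10.1.1.2/32", "10.1.1.10"))  # section 8 B.1
    for name, routes in [("as built", base_routes()), ("fix A.1", fix_a), ("fix B.1", fix_b)]:
        for client, server in [("20.1.1.3", "10.1.1.2"), ("10.1.1.2", "20.1.1.3")]:
            outcome, fwd, rev = handshake(routes, Firewall(), client, server)
            print(f"{name:9} {client} -> {server}: {outcome}; SYN {fwd}, SYN-ACK {rev}")
```

Fix B.3 (the static ARP entry on R1) is not modelled, since it works at layer 2, but its effect on the path is the same as the /32 route in fix B.1. The model also shows why the author's closing remark in 7C.2 holds: even without the sequence-number shift, the firewall would hold a half-open entry for a flow whose other direction it never sees.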
Reposted from: http://mybxl.baihongyu.com/