1. 程式人生 > >24-思科防火墻:ASA透明防火墻實驗

24-思科防火墻:ASA透明防火墻實驗

分享 防火墻 sin out 三層 router cisco gns 會有

一、實驗拓撲:
技術分享圖片
二、實驗要求:
1、show mode:單模式;show firewall:路由模式——>firewall transparent;ASA清除所有配置;
切換透明模式是不需要重啟的;透明模式的ASA是二層設備,所以這裏的接口不能在配IP地址了,按Tab鍵也沒有效果的;
2、要配置一個管理IP地址,其實所謂的管理IP地址就是橋的主IP;配置:interface bvi 1,並配置IP地址:100.1.1.100,組是可以配IP地址的;
3、因為有2個組,所以網管IP必須是有2個,增加B2組管理組bvi 2,IP地址:200.1.1.200;show int ip bri只能看到組的IP地址,那麽其它接口怎麽才能和組綁定在一起呢?
4、進入接口G0,定義名字:nameif B1.outside(定義為B1組裏的Outside),定義安全級別:security-level 0,定義所屬哪個組:bridge group 1;no shutdown;
G2:dmz,50,bridge group 1,no shutdown;G4:inside,100,bridge group 100,no shutdown;
綁定好以後再去show int ip bri,就會有相應的接口地址顯示;
5、同理:G1、G3對應B2的outside、inside;show ip int bri驗證
6、測試:ASA分別去Ping 各個路由器應該可以通了。R5 Telnt R1也可以做到;R1 Telnet R5因為是Inbound流量,所以不通;ARP默認是可以穿越ASA的,所以R1可以獲得R5接口的地址,但是不通,原因是三層流量不通的;
7、采用ACL抓取並放行R1到R5的Telnet流量;測試R1登錄R5?
8、如遇到ASA只顯示4個接口,建議重啟ASA、GNS3;或者添加6個VM網卡,再重啟。
三、命令部署:
1、R1、R2、R3、R4、R5基本配置:
R1(config)#int f0/0
R1(config-if)#no shutdown
R1(config-if)#ip add 100.1.1.1 255.255.255.0
R1(config)#username aa password aa
R1(config)#line vty 0 4
R1(config-line)#login local

R2(config)#int f0/0
R2(config-if)#no shutdown

R2(config-if)#ip add 200.1.1.2 255.255.255.0

R3(config)#int f0/0
R3(config-if)#no shutdown
R3(config-if)#ip add 100.1.1.3 255.255.255.0
R3(config)#username aa password aa
R3(config)#line vty 0 4
R3(config-line)#login local

R4(config)#int f0/0
R4(config-if)#no shutdown
R4(config-if)#ip add 200.1.1.4 255.255.255.0

R5(config)#int f0/0
R5(config-if)#no shutdown
R5(config-if)#ip add 100.1.1.5 255.255.255.0
R5(config)#username aa password aa
R5(config)#line vty 0 4
R5(config-line)#login local
2、ASA查看模式、防火墻、清除所有配置,修改防火墻模式:
ASA# show mode
Security context mode: single
ASA# show firewall
Firewall mode: Router
ASA(config)# clear configure all
ciscoasa(config)# firewall transparent
驗證:
ciscoasa(config)# show firewall
Firewall mode: Transparent

ciscoasa(config)# show int ip bri
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0 unassigned YES unset administratively down up
GigabitEthernet1 unassigned YES unset administratively down up
GigabitEthernet2 unassigned YES unset administratively down up
GigabitEthernet3 unassigned YES unset administratively down up

3、配置2個管理組,2個管理IP地址:
ciscoasa(config)# interface bvi 1 //bvi:Bridge Virtual Interface 網橋虛擬接口
ciscoasa(config-if)# ip add 100.1.1.100 255.255.255.0

ciscoasa(config)# interface bvi 2
ciscoasa(config-if)# ip add 200.1.1.200 255.255.255.0

4、將G0、G2、G4接口分別定義為Outside、DMZ、Inside,綁定管理組,定義安全級別:
ciscoasa(config)# int g0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# nameif B1.outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# bridge-group 1

ciscoasa(config)# int g2
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# nameif B1.dmz
ciscoasa(config-if)# security-level 50
ciscoasa(config-if)# bridge-group 1

ciscoasa(config)# int g4
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# nameif B1.inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# bridge-group 1

ciscoasa(config)# int g1
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# nameif B2.outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# bridge-group 2

ciscoasa(config)# int g3
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# nameif B2.inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# bridge-group 2
驗證:
ciscoasa(config)# show int ip bri
Interface IP-Address OK? Method Status Protocol
BVI1 100.1.1.100 YES unset up up
BVI2 200.1.1.200 YES unset up up
GigabitEthernet0 100.1.1.100 YES unset up up
GigabitEthernet1 200.1.1.200 YES unset up up
GigabitEthernet2 100.1.1.100 YES unset up up
GigabitEthernet3 200.1.1.200 YES unset up up
GigabitEthernet4 100.1.1.100 YES unset up up
5、ASA PingR1~R5路由器都可以通:
ciscoasa# ping 100.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.1, timeout is 2 seconds:!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/10 ms
ciscoasa# ping 100.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.3, timeout is 2 seconds:!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/10 ms
ciscoasa# ping 100.1.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.5, timeout is 2 seconds:!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/8/10 ms
ciscoasa# ping 200.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.2, timeout is 2 seconds:!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/10 ms
ciscoasa# ping 200.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.4, timeout is 2 seconds:!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/10 ms

6、R3遠程Telnet登錄R1,反過來登錄,查看ARP,部署ACL:
R5#telnet 100.1.1.1
Trying 100.1.1.1 ... Open
User Access Verification
Username: aa
Password:
R1>

R1#show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 100.1.1.5 0 cc05.0750.0000 ARPA FastEthernet0/0
Internet 100.1.1.1 - cc01.16d4.0000 ARPA FastEthernet0/0

ciscoasa(config)# access-list tel permit tcp host 100.1.1.1 host 100.1.1.5 eq 23
ciscoasa(config)# access-group tel in interface B1.outside
驗證:
R1#telnet 100.1.1.5
Trying 100.1.1.5 ... Open
User Access Verification
Username: aa
Password:
R5>

24-思科防火墻:ASA透明防火墻實驗