ASAicmp檢測和內(nèi)網(wǎng)NAT轉(zhuǎn)化

 拓?fù)浣Y(jié)構(gòu) :

創(chuàng)新互聯(lián)的團隊成員不追求數(shù)量、追求質(zhì)量。我們經(jīng)驗豐富并且專業(yè),我們之間合作時就好像一個人,協(xié)同一致毫無保留。創(chuàng)新互聯(lián)建站珍視想法,同時也看重過程轉(zhuǎn)化帶來的沖擊力和影響力,在我們眼中,任何細(xì)節(jié)都不容小覷。一直致力于為企業(yè)提供從申請域名、網(wǎng)站策劃、網(wǎng)站設(shè)計、成都商城網(wǎng)站開發(fā)、網(wǎng)站推廣、網(wǎng)站優(yōu)化到為企業(yè)提供個性化軟件開發(fā)等基于互聯(lián)網(wǎng)的全面整合營銷服務(wù)。

 

In(R1) ---- (inside)ASA 5520(outside) --- Out(R2)
 
 
 
 
ASA配置 :
 
 
ASA Version 8.4(2)
hostname ciscoasa
enable password rQETR98wpSI1Lpr9 encrypted
passwd rQETR98wpSI1Lpr9 encrypted
names
interface GigabitEthernet0
nameif inside
security-level 100
ip address 192.168.1.4 255.255.255.0
!
interface GigabitEthernet1
nameif dmz
security-level 50
no ip address
!
interface GigabitEthernet2
nameif outside
security-level 0
ip address 10.254.1.1 255.255.255.0
!
ftp mode passive
object network test
host 192.168.1.5
pager lines 24
logging enable
logging asdm informational
logging debug-trace
mtu inside 1500
mtu dmz 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network test
nat (inside,outside) dynamic 10.254.1.10   ----動態(tài)NAT
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
web***
anyconnect-essentials
username netemu password QTbvAEdn30mERkZb encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect DNS preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h423 h325
inspect h423 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
 
crashinfo save disable
Cryptochecksum:bfa7c38d2288de6d8cb12bd5c4be8eb6
: end
 
 
 
NAT轉(zhuǎn)化擊中計數(shù)器 :
ciscoasa# show nat detail      去往Outside地址段的地址轉(zhuǎn)換
 
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic test 10.254.1.10
translate_hits = 126, untranslate_hits = 90
Source - Origin: 192.168.1.5/32, Translated: 10.254.1.10/32
 
 
在實驗過程中發(fā)現(xiàn)inspection引擎下的配置刪除掉了 需手動加上
并加上以下配置:
policy-map global_policy
class inspection_default
inspect icmp
網(wǎng)上有詳細(xì)解釋!
 
 
 
Inside 路由器配置 :
In#show running-config
Building configuration...
 
Current configuration : 959 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
ip domain name lab.local
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
interface FastEthernet0/0
ip address 192.168.1.5 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.4
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
end
 
 
 
Outside 路由器配置 :
Out#show runn
Building configuration...
 
Current configuration : 1006 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Out
no ip domain lookup
ip domain name lab.local
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
 
username admin password 0 cisco
interface FastEthernet0/0
ip address 10.254.1.5 255.255.255.0
duplex auto
speed auto
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.254.1.1   ----- 默認(rèn)路由 指向Inside端網(wǎng)絡(luò)
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
password cisco
login
end
 
 
我們需要了解ASA對于inbound和outbound的定義 :
高安全級別  ----> 低安全級別   outbound
低安全級別  ----> 高安全級別   inbound
 
默認(rèn)情況 :出站流量是允許的 (特例請見下文)
           進流量是禁止的  
 
也就是從高到低方向是允許的,也可以返回的。但不可以直接從低到高。
 
ACL可以禁止或允許這兩個方向的流量
 

 摘自 ASA840 配置手冊 講的是inspection引擎對于一些特定協(xié)議流量的檢測機制 

ACL返回流量規(guī)則:  

For TCP and UDP connections for both routed and transparent mode, you do not need an access rule to allow returning traffic because the ASA allows all returning traffic for established, bidirectionalconnections. For connectionless protocols such as ICMP, however, the ASA establishes unidirectionalsessions,

For connectionless protocols such as ICMP, however, the ASA establishes unidirectional sessions, so you either need access rules to allow ICMP in both directions (by applying access lists to the source and destination interfaces), or you need to enable the ICMP inspection engine.The ICMP inspection enginetreats ICMP sessions as bidirectional connections. To control ping, specifyecho-reply(0) (ASA to host)orecho(8) (host to ASA).

 

思科官方文檔解釋還是蠻給力的  需要我們好好膜拜! 

本文題目:ASAicmp檢測和內(nèi)網(wǎng)NAT轉(zhuǎn)化
文章轉(zhuǎn)載:http://bm7419.com/article8/igsgop.html

成都網(wǎng)站建設(shè)公司_創(chuàng)新互聯(lián),為您提供網(wǎng)站制作、電子商務(wù)用戶體驗、網(wǎng)站內(nèi)鏈、品牌網(wǎng)站建設(shè)、外貿(mào)建站

廣告

聲明:本網(wǎng)站發(fā)布的內(nèi)容(圖片、視頻和文字)以用戶投稿、用戶轉(zhuǎn)載內(nèi)容為主,如果涉及侵權(quán)請盡快告知,我們將會在第一時間刪除。文章觀點不代表本網(wǎng)站立場,如需處理請聯(lián)系客服。電話:028-86922220;郵箱:631063699@qq.com。內(nèi)容未經(jīng)允許不得轉(zhuǎn)載,或轉(zhuǎn)載時需注明來源: 創(chuàng)新互聯(lián)

手機網(wǎng)站建設(shè)