原标题："ASA842透明墙测试（V\P\N,ospf,DHCP)"关于路由器的知识分享。 - 素材来源网络 编辑:kaka003。

一.概述: 测试透明墙的site-to-siteV\P\N及作用，并通过DHCP和OSPF来验证透明墙如何放策略。二.基本思路：A.透明墙的V\P\N只是为了进行管理墙用的，仅此而已B.arp是可以自动双方向穿越透明墙的，因此测试可以看到虽然ping不同透明墙相隔的对端的直连地址，arp表会有记录C.透明墙放行策略需要内网都放

----测试发现即使全局开启的ICMP审查，inside区要想ping通outside区的话，还需要inside接口ACL放行icmp，这与路由模式是由区别的。

三.测试拓扑：

四.基本配置：A.R1：interface Loopback0ip address 192.168.1.1 255.255.255.0interface Ethernet0/0ip address 202.100.1.1 255.255.255.0no shutB.R2：①接口配置：interface Ethernet0/0ip address 202.100.1.2 255.255.255.0ip nat outsideno shutinterface Ethernet0/1ip address 10.1.1.2 255.255.255.0ip nat insideno shutip route 0.0.0.0 0.0.0.0 202.100.1.1②动态PAT:ip access-list extended patpermit ip 10.1.1.0 0.0.0.255 anypermit ip 192.168.3.0 0.0.0.255 any③静态PAT:ip nat inside source static udp 10.1.1.10 500 interface Ethernet0/0 500ip nat inside source static udp 10.1.1.10 4500 interface Ethernet0/0 4500④OSPF配置：router ospf 1router-id 2.2.2.2network 10.1.1.0 0.0.0.255 area 0default-information originate alwaysC.ASA842：firewall transparentinterface GigabitEthernet0nameif Outsidebridge-group 1security-level 0no shutinterface GigabitEthernet1nameif Insidebridge-group 1security-level 100no shutinterface BVI1ip address 10.1.1.10 255.255.255.0route Outside 0.0.0.0 0.0.0.0 10.1.1.2D.R3：①接口配置interface Loopback0ip address 192.168.3.3 255.255.255.0interface Ethernet0/0ip address dhcpno shut②OSPF配置：router ospf 1router-id 3.3.3.3passive-interface defaultnetwork 10.1.1.0 0.0.0.255 area 0network 192.168.3.0 0.0.0.255 area 0no passive-interface e0/0五.V\P\N配置：A.R1：①第一阶段策略：crypto isakmp policy 10encr 3deshash md5authentication pre-sharegroup 2crypto isakmp key cisco address 202.100.1.2②第二阶段转换集：crypto ipsec transform-set transet esp-des esp-md5-hmac③配置感兴趣流：ip access-list extendedV\P\Npermit ip 192.168.1.0 0.0.0.255 host 10.1.1.10④配置crypto map并在接口调用：crypto map crymap 10 ipsec-isakmpset peer 202.100.1.2set transform-set transetmatch addressV\P\Nreverse-routeinterface Ethernet0/0crypto map crymapB.ASA842透明墙：①第一阶段策略：crypto ikev1 policy 10authentication pre-shareencryption 3deshash md5group 2tunnel-group 202.100.1.1 type ipsec-l2ltunnel-group 202.100.1.1 ipsec-attributesikev1 pre-shared-key cisco②第二阶段转换集：crypto ipsec ikev1 transform-set transet esp-des esp-md5-hmac③配置感兴趣流：access-listV\P\Nextended permit ip host 10.1.1.10 192.168.1.0 255.255.255.0④配置crypto map并在接口应用：crypto map crymap 10 match addressV\P\Ncrypto map crymap 10 set peer 202.100.1.1crypto map crymap 10 set ikev1 transform-set transetcrypto map crymap 10 set reverse-routecrypto map crymap interface Outside⑤在接口上启用ikeV1：crypto ikev1 enable Outside六.透明防火墙策略配置：A.开启icmp审查：policy-map global_policyclass inspection_defaultinspect icmpservice-policy global_policy globalaccess-list inside extended permit icmp any any---如果inside口没有配置ACL,仅需配置ICMP审查就可以，一旦配置了ACL，那么ACL中必须明确放行所有需要通过的流量，否则仅仅配置审查是没有用的。B.针对DHCP流量：access-list inside extended permit udp host 0.0.0.0 eq 68 host 255.255.255.255 eq 67access-list outside extended permit udp host 10.1.1.2 eq 67 host 255.255.255.255 eq 68---DHCP客户端发出的UDP包源端口为68，目标端口为67---DHCP服务器端回应的UDP包的源端口为67，目标端口为68C.针对OSPF流量：access-list outside extended permit ospf host 10.1.1.2 host 224.0.0.5access-list outside extended permit ospf host 10.1.1.2 10.1.1.0 255.255.255.0access-list inside extended permit ospf 10.1.1.0 255.255.255.0 host 224.0.0.5access-list inside extended permit ospf 10.1.1.0 255.255.255.0 host 10.1.1.2D.在两个方向应该策略：access-group outside in interface Outsideaccess-group inside in interface Inside七.验证：A.V\P\N:ASA开启telnettelnet 192.168.1.0 255.255.255.0 OutsideR1#telnet 10.1.1.10 /source-interface loopback 0Trying 10.1.1.10 ... OpenUser Access VerificationPassword:Type help or '?' for a list of available commands.ciscoasa> enPassword: *****ciscoasa#B.DHCP:R3(config-if)#*Mar 1 06:08:57.974: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/0 assigned DHCP address 10.1.1.1, mask 255.255.255.0, hostname R3C.OSPF:R2#SHOW IP OSpf NEIghborNeighbor ID Pri State Dead Time Address Interface3.3.3.3 1 FULL/BDR 00:00:30 10.1.1.1 Ethernet0/1R3#SHOW ip ospf neighborNeighbor ID Pri State Dead Time Address Interface2.2.2.2 1 FULL/DR 00:00:33 10.1.1.2 Ethernet0/0

本文出自 “httpyuntianjxxll.spac..” 博客