ASA842透明墙测试(V\P\N,ospf,DHCP)(实用)
路由器设置和使用涉及到一些技术和概念,如果您是新手,本文
ASA842透明墙测试(V\P\N,ospf,DHCP) 将为您提供易于理解的操作指南。
原标题:"ASA842透明墙测试(V\P\N,ospf,DHCP)"关于路由器的知识分享。 - 素材来源网络 编辑:kaka003。
一.概述: 测试透明墙的site-to-siteV\P\N及作用,并通过DHCP和OSPF来验证透明墙如何放策略。二.基本思路:A.透明墙的V\P\N只是为了进行管理墙用的,仅此而已B.arp是可以自动双方向穿越透明墙的,因此测试可以看到虽然ping不同透明墙相隔的对端的直连地址,arp表会有记录C.透明墙放行策略需要内网都放
----测试发现即使全局开启的ICMP审查,inside区要想ping通outside区的话,还需要inside接口ACL放行icmp,这与路由模式是由区别的。
三.测试拓扑:
四.基本配置:A.R1:interface Loopback0ip address 192.168.1.1 255.255.255.0interface Ethernet0/0ip address 202.100.1.1 255.255.255.0no shutB.R2:①接口配置:interface Ethernet0/0ip address 202.100.1.2 255.255.255.0ip nat outsideno shutinterface Ethernet0/1ip address 10.1.1.2 255.255.255.0ip nat insideno shutip route 0.0.0.0 0.0.0.0 202.100.1.1②动态PAT:ip access-list extended patpermit ip 10.1.1.0 0.0.0.255 anypermit ip 192.168.3.0 0.0.0.255 any③静态PAT:ip nat inside source static udp 10.1.1.10 500 interface Ethernet0/0 500ip nat inside source static udp 10.1.1.10 4500 interface Ethernet0/0 4500④OSPF配置:router ospf 1router-id 2.2.2.2network 10.1.1.0 0.0.0.255 area 0default-information originate alwaysC.ASA842:firewall transparentinterface GigabitEthernet0nameif Outsidebridge-group 1security-level 0no shutinterface GigabitEthernet1nameif Insidebridge-group 1security-level 100no shutinterface BVI1ip address 10.1.1.10 255.255.255.0route Outside 0.0.0.0 0.0.0.0 10.1.1.2D.R3:①接口配置interface Loopback0ip address 192.168.3.3 255.255.255.0interface Ethernet0/0ip address dhcpno shut②OSPF配置:router ospf 1router-id 3.3.3.3passive-interface defaultnetwork 10.1.1.0 0.0.0.255 area 0network 192.168.3.0 0.0.0.255 area 0no passive-interface e0/0五.V\P\N配置:A.R1:①第一阶段策略:crypto isakmp policy 10encr 3deshash md5authentication pre-sharegroup 2crypto isakmp key cisco address 202.100.1.2②第二阶段转换集:crypto ipsec transform-set transet esp-des esp-md5-hmac③配置感兴趣流:ip access-list extendedV\P\Npermit ip 192.168.1.0 0.0.0.255 host 10.1.1.10④配置crypto map并在接口调用:crypto map crymap 10 ipsec-isakmpset peer 202.100.1.2set transform-set transetmatch addressV\P\Nreverse-routeinterface Ethernet0/0crypto map crymapB.ASA842透明墙:①第一阶段策略:crypto ikev1 policy 10authentication pre-shareencryption 3deshash md5group 2tunnel-group 202.100.1.1 type ipsec-l2ltunnel-group 202.100.1.1 ipsec-attributesikev1 pre-shared-key cisco②第二阶段转换集:crypto ipsec ikev1 transform-set transet esp-des esp-md5-hmac③配置感兴趣流:access-listV\P\Nextended permit ip host 10.1.1.10 192.168.1.0 255.255.255.0④配置crypto map并在接口应用:crypto map crymap 10 match addressV\P\Ncrypto map crymap 10 set peer 202.100.1.1crypto map crymap 10 set ikev1 transform-set transetcrypto map crymap 10 set reverse-routecrypto map crymap interface Outside⑤在接口上启用ikeV1:crypto ikev1 enable Outside六.透明防火墙策略配置:A.开启icmp审查:policy-map global_policyclass inspection_defaultinspect icmpservice-policy global_policy globalaccess-list inside extended permit icmp any any---如果inside口没有配置ACL,仅需配置ICMP审查就可以,一旦配置了ACL,那么ACL中必须明确放行所有需要通过的流量,否则仅仅配置审查是没有用的。B.针对DHCP流量:access-list inside extended permit udp host 0.0.0.0 eq 68 host 255.255.255.255 eq 67access-list outside extended permit udp host 10.1.1.2 eq 67 host 255.255.255.255 eq 68---DHCP客户端发出的UDP包源端口为68,目标端口为67---DHCP服务器端回应的UDP包的源端口为67,目标端口为68C.针对OSPF流量:access-list outside extended permit ospf host 10.1.1.2 host 224.0.0.5access-list outside extended permit ospf host 10.1.1.2 10.1.1.0 255.255.255.0access-list inside extended permit ospf 10.1.1.0 255.255.255.0 host 224.0.0.5access-list inside extended permit ospf 10.1.1.0 255.255.255.0 host 10.1.1.2D.在两个方向应该策略:access-group outside in interface Outsideaccess-group inside in interface Inside七.验证:A.V\P\N:ASA开启telnettelnet 192.168.1.0 255.255.255.0 OutsideR1#telnet 10.1.1.10 /source-interface loopback 0Trying 10.1.1.10 ... OpenUser Access VerificationPassword:Type help or '?' for a list of available commands.ciscoasa> enPassword: *****ciscoasa#B.DHCP:R3(config-if)#*Mar 1 06:08:57.974: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/0 assigned DHCP address 10.1.1.1, mask 255.255.255.0, hostname R3C.OSPF:R2#SHOW IP OSpf NEIghborNeighbor ID Pri State Dead Time Address Interface3.3.3.3 1 FULL/BDR 00:00:30 10.1.1.1 Ethernet0/1R3#SHOW ip ospf neighborNeighbor ID Pri State Dead Time Address Interface2.2.2.2 1 FULL/DR 00:00:33 10.1.1.2 Ethernet0/0
本文出自 “httpyuntianjxxll.spac..” 博客
~感谢您阅读本文,希望这些路由器设置和无线网络的技巧和方法能够帮助您更好地管理和使用您的网络。
