Firewall Basics Mini-Lab (1)

Lab requirements:
Configure the interfaces of the routers and the ASA so that the networks can reach each other
Configure routing
Verify that R1 can Telnet to R2 and R3, that R3 can Telnet to R2 but not to R1, and that R2 can Telnet to neither R1 nor R3
Use the command show conn detail to view the conn (connection) table
View the routing tables on the ASA and on RR
Configure an ACL that forbids Telnet from R3 to R2
Lab topology (the original diagram is not reproduced; the addressing below is taken from the configurations in the steps that follow):

R1 10.1.1.1/24 ------ G0 inside  (level 100) 10.1.1.254
R3 192.168.1.1/24 --- G2 dmz     (level 50)  192.168.1.254   [ASA]
                      G1 outside (level 0)   172.16.1.254 --- F1/0 172.16.1.1 [RR] F0/0 4.4.4.254 --- R2 4.4.4.1/24







Step 1: Configure IP addresses on the ASA firewall's interfaces and give each interface a name and a security level
enable
configure terminal
clear configure all (wipe the running configuration; run it first, because it also erases any hostname or passwords entered before it)
hostname ASA
enable password 123
passwd 123 (login password for remote Telnet access to the ASA)
interface gigabitEthernet 0
nameif inside (interface name: inside)
security-level 100 (highest security level)
no shutdown
ip address 10.1.1.254 255.255.255.0
exit
interface gigabitEthernet 1
nameif outside (interface name: outside)
security-level 0 (lowest security level)
no shutdown
ip address 172.16.1.254 255.255.255.0
exit
interface gigabitEthernet 2
nameif dmz (interface name: demilitarized zone)
security-level 50 (higher than outside, lower than inside)
no shutdown
ip address 192.168.1.254 255.255.255.0
exit

Step 2: Configure the IP address of the relevant interface on R1, R3 and R2 with routing disabled (they act as end hosts), configure RR's interfaces with routing enabled, and verify that the networks are reachable
R1:
enable
configure terminal
hostname R1
interface fastEthernet 0/0
no shutdown
ip address 10.1.1.1 255.255.255.0
exit
no ip routing (disable routing; ip default-gateway only takes effect while routing is off)
ip default-gateway 10.1.1.254 (set the gateway)
end
ping 10.1.1.254 (verify that the gateway is reachable)

R3:
enable
configure terminal
hostname R3
interface fastEthernet 0/0
no shutdown
ip address 192.168.1.1 255.255.255.0
exit
no ip routing (disable routing)
ip default-gateway 192.168.1.254 (set the gateway)
end
ping 192.168.1.254 (verify that the gateway is reachable)

RR:
enable
configure terminal
hostname RR
ip routing (enable routing)
interface fastEthernet 0/0
no shutdown
ip address 4.4.4.254 255.255.255.0
exit
interface fastEthernet 1/0
no shutdown
ip address 172.16.1.1 255.255.255.0
end
ping 172.16.1.254 (verify that the ASA's outside interface is reachable)

R2:
enable
configure terminal
hostname R2
interface fastEthernet 0/0
no shutdown
ip address 4.4.4.1 255.255.255.0
exit
no ip routing (disable routing)
ip default-gateway 4.4.4.254 (set the gateway)
end
ping 4.4.4.254 (verify that the gateway is reachable)

Step 3:
(1) The ASA has no route to 4.4.4.0/24, so add a default route. The ASA route syntax names the egress interface, chosen according to the direction the traffic flows, which here is outside:
route outside 0.0.0.0 0.0.0.0 172.16.1.1
(2) RR has no route to R1's network 10.1.1.0/24 (nor to the dmz network 192.168.1.0/24), so add a default route pointing at the ASA's outside interface:
ip route 0.0.0.0 0.0.0.0 172.16.1.254

Step 4: Configure remote (Telnet) access and passwords on R1, R2 and R3. Telnet sends the password in clear text; it is used here only because the lab tests Telnet sessions through the firewall.

R1:
enable
configure terminal
enable password 123
line vty 0
password 123
login (prompt for the line password; this is the IOS default on vty lines, made explicit here)
end

R2:
enable
configure terminal
enable password 123
line vty 0
password 123
login
end

R3:
enable
configure terminal
enable password 123
line vty 0
password 123
login
end

Step 5: Verify Telnet from R1 to R2 and R3, from R3 to R1 and R2, and from R2 to R1 and R3
R1:
telnet 4.4.4.1
Trying 4.4.4.1 ... Open

User Access Verification

Password:
R2>
exit

telnet 192.168.1.1
Trying 192.168.1.1 ... Open

User Access Verification

Password:
R3>
exit

R2:
telnet 10.1.1.1
Connection timed out; remote host not responding (an interface with a higher security level may open connections toward a lower one, but a lower level may not open connections toward a higher one; the ASA silently drops these SYNs, so the client times out rather than being refused)
telnet 192.168.1.1
Connection timed out; remote host not responding

R3:
telnet 4.4.4.1
Trying 4.4.4.1 ... Open

User Access Verification

Password:
R2>
exit

telnet 10.1.1.1
Connection timed out; remote host not responding (dmz, level 50, toward inside, level 100: denied)

Step 6: When the ASA handles a packet it first consults the conn table, then the ACL bound to the ingress interface, and only then the security levels. R3 on dmz (level 50) reaching R2 on outside (level 0) is permitted by the security levels alone, so an ACL is needed to stop R3 from telnetting to R2.
On the ASA:
enable
configure terminal
access-list 333 deny tcp host 192.168.1.1 host 4.4.4.1 eq telnet (deny Telnet from 192.168.1.1 to 4.4.4.1)
access-list 333 permit ip any any (an ACL bound to an interface ends with an implicit deny and replaces the security-level default for that direction; without this entry every other connection from the dmz would be dropped as well)
access-group 333 in interface dmz (bind the ACL inbound on the interface where the traffic enters the ASA)




Verification and testing
Step 1: Telnet from R3 to R2
R3:
telnet 4.4.4.1
Connection refused by remote host (the ASA denied the connection by ACL; because it was an outbound connection from a higher to a lower security level, the ASA answered the SYN with a TCP reset, which is the default behaviour of service resetoutbound, so the attempt is refused immediately instead of timing out as the inbound attempts in Step 5 did)

Step 2: While R1 is telnetted into R2, view the conn table on the ASA
show conn detail

1 in use, 1 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, b - TCP state-bypass or nailed, C - CTIQBE media,
       D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,
       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
       i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
       k - Skinny media, M - SMTP data, m - SIP media, n - GUP
       O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
       q - SQL*Net data, R - outside acknowledged FIN,
       R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
       V - VPN orphan, W - WAAS,
       X - inspected by service module
TCP outside:4.4.4.1/23 inside:10.1.1.1/46179, flags UIO, idle 2s, uptime 2s, timeout 1h0m, bytes 90
(flags UIO: the connection is up and has carried data in both directions; no B flag, so it was opened from the inside side, R1, toward the lower-security outside interface)
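The connection line above is the record an analyst would want to extract from a conn dump programmatically, for example to spot half-open connections from a scanning host. The following Python parser is an added example, not part of the original lab nor a Cisco tool; it parses the line captured above plus one constructed half-open entry from the dmz (marked as constructed in the code), and the rule it uses to name the initiating side is an assumption stated in the comments.

```python
# Added example: parse the connection lines of `show conn detail`.
# Not the lab's own code. The first SAMPLE connection is the one captured in this lab;
# the second is constructed to show a handshake that has not completed.
import re

# Subset of the flag legend printed by show conn detail
FLAG_LEGEND = {
    "U": "up", "I": "inbound data", "O": "outbound data",
    "B": "initial SYN from outside",
    "A": "awaiting inside ACK to SYN", "a": "awaiting outside ACK to SYN",
    "S": "awaiting inside SYN", "s": "awaiting outside SYN",
    "F": "outside FIN", "f": "inside FIN",
    "r": "inside acknowledged FIN", "i": "incomplete",
}

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+"
    r"(?P<if_lo>\w+):(?P<ip_lo>[\d.]+)/(?P<port_lo>\d+)\s+"
    r"(?P<if_hi>\w+):(?P<ip_hi>[\d.]+)/(?P<port_hi>\d+),\s*"
    r"flags\s+(?P<flags>[^,\s]+),\s*idle\s+(?P<idle>[^,\s]+),\s*"
    r"uptime\s+(?P<uptime>[^,\s]+),\s*timeout\s+(?P<timeout>[^,\s]+),\s*"
    r"bytes\s+(?P<bytes>\d+)"
)


def duration_seconds(text):
    """Convert the ASA's compact durations ('1h0m', '2s', '30s') to seconds."""
    units = {"h": 3600, "m": 60, "s": 1}
    return sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([hms])", text))


def parse_conn(line):
    """Parse one connection line into a dict; return None for header/legend lines."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    flags = d["flags"]
    # Assumption of this example: the ASA prints the lower-security side first, and the
    # lower-security side is the initiator only when flag B (initial SYN from outside)
    # is set; otherwise the higher-security side opened the connection.
    initiator = "lower" if "B" in flags else "higher"
    return {
        "proto": d["proto"],
        "lower": (d["if_lo"], d["ip_lo"], int(d["port_lo"])),
        "higher": (d["if_hi"], d["ip_hi"], int(d["port_hi"])),
        "flags": flags,
        "flag_meanings": [FLAG_LEGEND.get(f, f"unknown flag {f}") for f in flags],
        "initiator": initiator,
        "established": "U" in flags,
        "idle_s": duration_seconds(d["idle"]),
        "uptime_s": duration_seconds(d["uptime"]),
        "timeout_s": duration_seconds(d["timeout"]),
        "bytes": int(d["bytes"]),
    }


def parse_show_conn(output):
    """Parse a whole `show conn detail` capture, skipping the counters and the legend."""
    return [c for c in (parse_conn(line) for line in output.splitlines()) if c]


def half_open(conns):
    """Connections still waiting on the handshake (no U flag): worth a look when many
    appear from one host, since that is what a SYN scan through the firewall looks like."""
    return [c for c in conns if not c["established"]]


# Constructed sample: the lab's captured line plus a made-up embryonic dmz connection
SAMPLE = """2 in use, 2 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       U - up, I - inbound data, O - outbound data
TCP outside:4.4.4.1/23 inside:10.1.1.1/46179, flags UIO, idle 2s, uptime 2s, timeout 1h0m, bytes 90
TCP outside:4.4.4.1/23 dmz:192.168.1.1/11002, flags saA, idle 0s, uptime 0s, timeout 30s, bytes 0
"""

if __name__ == "__main__":
    for conn in parse_show_conn(SAMPLE):
        print(conn["higher"], "->", conn["lower"], conn["flag_meanings"])
    print("half-open:", [c["higher"] for c in half_open(SAMPLE and parse_show_conn(SAMPLE))])
```

The regex is tied to the layout of the capture on this page (`iface:addr/port` pairs followed by `flags`, `idle`, `uptime`, `timeout`, `bytes`); other ASA releases print the same fields with different separators, so check one line from your own firewall before relying on it.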

Step 3: View the routing tables on the ASA and on RR
ASA routing table:
show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 172.16.1.1 to network 0.0.0.0

C    172.16.1.0 255.255.255.0 is directly connected, outside
C    10.1.1.0 255.255.255.0 is directly connected, inside
C    192.168.1.0 255.255.255.0 is directly connected, dmz
S*   0.0.0.0 0.0.0.0 [1/0] via 172.16.1.1, outside

RR routing table:
show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 172.16.1.254 to network 0.0.0.0

     4.0.0.0/24 is subnetted, 1 subnets
C       4.4.4.0 is directly connected, FastEthernet0/0
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, FastEthernet1/0
S*   0.0.0.0/0 [1/0] via 172.16.1.254





Analysis:
ICMP is not allowed through by default: the ASA does not track ICMP statefully unless ICMP inspection is enabled, so echo replies returning from a lower to a higher security level are dropped and ping across the ASA fails even when the request itself was permitted.
A lower security level cannot open connections toward a higher one unless an ACL bound to the ingress interface permits it.
The ASA checks the conn table first, then the ACL bound to the ingress interface, then the security levels; once an ACL is bound to an interface its implicit deny applies there instead of the security-level default.
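To make that evaluation order concrete, and to show what the deny-only ACL 333 does once it is bound inbound on dmz, here is an added Python model of the decision. It is not the lab's code and not Cisco's implementation; the interface names, security levels, subnets and ACL 333 come from this lab, while Flow, Ace, Asa and the scenario functions are constructed for the example. It reproduces the Telnet results of the lab, shows that the lab's ACL as written also drops non-Telnet traffic from the dmz through the implicit deny (and how a trailing permit ip any any restores the other flows), and shows how an entry in the conn table lets R2's replies in on outside although a new connection from there would be denied.

```python
# Added example: a model of the order in which the ASA evaluates a new packet in this
# lab. Not the lab's own code and not Cisco's implementation. Interface names, security
# levels, subnets and access-list 333 come from the lab; Flow, Ace, Asa and the scenario
# functions are constructed for this example.
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Step 1 of the lab: interface name -> (security level, connected subnet)
INTERFACES = {
    "inside":  (100, ip_network("10.1.1.0/24")),
    "dmz":     (50,  ip_network("192.168.1.0/24")),
    "outside": (0,   ip_network("172.16.1.0/24")),
}
DEFAULT_IFACE = "outside"  # Step 3: route outside 0.0.0.0 0.0.0.0 172.16.1.1

# A flow is identified by its 5-tuple; an ACE uses host addresses or "any"
Flow = namedtuple("Flow", "proto src sport dst dport")
Ace = namedtuple("Ace", "action proto src dst dport", defaults=(None,))

def reverse(f):
    return Flow(f.proto, f.dst, f.dport, f.src, f.sport)

def ace_matches(ace, f):
    return (ace.proto in ("ip", f.proto) and ace.src in ("any", f.src)
            and ace.dst in ("any", f.dst) and ace.dport in (None, f.dport))

def egress_iface(dst):
    """Route lookup: a connected subnet if one matches, otherwise the default route."""
    addr = ip_address(dst)
    for name, (_, net) in INTERFACES.items():
        if addr in net:
            return name
    return DEFAULT_IFACE

class Asa:
    def __init__(self, acls=None, access_groups=None):
        self.acls = acls or {}                    # acl name -> [Ace, ...]
        self.access_groups = access_groups or {}  # ingress interface -> acl name
        self.conn_table = set()

    def decide(self, ingress, flow):
        # 1. Conn table: packets of an existing connection (return traffic included)
        #    are forwarded without re-checking the ACL or the security levels.
        if flow in self.conn_table:
            return "permit (conn table)"
        # 2. ACL bound "in" on the ingress interface: first match wins, and a bound
        #    ACL ends with an implicit deny that replaces the security-level default.
        acl = self.access_groups.get(ingress)
        if acl is not None:
            for ace in self.acls[acl]:
                if ace_matches(ace, flow):
                    return f"{ace.action} (acl {acl})"
            return f"deny (acl {acl} implicit deny)"
        # 3. No ACL: a higher security level may open connections to a lower one.
        if INTERFACES[ingress][0] > INTERFACES[egress_iface(flow.dst)][0]:
            return "permit (security level)"
        return "deny (security level)"

    def open_connection(self, ingress, flow):
        """decide(), plus conn-table entries for both directions when the SYN is permitted."""
        verdict = self.decide(ingress, flow)
        if verdict.startswith("permit"):
            self.conn_table.update({flow, reverse(flow)})
        return verdict

TELNET = 23
R1, R2, R3 = "10.1.1.1", "4.4.4.1", "192.168.1.1"

def lab_results():
    """The lab's Telnet tests before any ACL is bound: only the security levels decide."""
    asa = Asa()
    return {
        "R1->R2": asa.decide("inside", Flow("tcp", R1, 46179, R2, TELNET)),
        "R1->R3": asa.decide("inside", Flow("tcp", R1, 46180, R3, TELNET)),
        "R2->R1": asa.decide("outside", Flow("tcp", R2, 40000, R1, TELNET)),
        "R2->R3": asa.decide("outside", Flow("tcp", R2, 40001, R3, TELNET)),
        "R3->R2": asa.decide("dmz", Flow("tcp", R3, 11002, R2, TELNET)),
        "R3->R1": asa.decide("dmz", Flow("tcp", R3, 11003, R1, TELNET)),
    }

def results_with_acl(extra_permit):
    """ACL 333 bound inbound on dmz, with or without a trailing permit ip any any."""
    acl = [Ace("deny", "tcp", R3, R2, TELNET)]
    if extra_permit:
        acl.append(Ace("permit", "ip", "any", "any"))
    asa = Asa(acls={"333": acl}, access_groups={"dmz": "333"})
    return {
        "R3->R2 telnet": asa.decide("dmz", Flow("tcp", R3, 11002, R2, TELNET)),
        "R3->R2 http": asa.decide("dmz", Flow("tcp", R3, 11004, R2, 80)),
    }

def conn_table_shortcut():
    """R1 opens Telnet to R2; R2's replies enter on outside, where a new connection
    toward inside would be denied, but the existing conn lets them through."""
    asa = Asa()
    syn = Flow("tcp", R1, 46179, R2, TELNET)
    asa.open_connection("inside", syn)  # permitted by security level, creates the conn
    return asa.decide("outside", reverse(syn))
```

Run `lab_results()` to see the six verdicts of Step 5, then compare `results_with_acl(False)` with `results_with_acl(True)`: the Telnet verdict is the same in both, but HTTP from R3 to R2 only survives when the ACL ends with an explicit permit. The model deliberately ignores NAT, same-security-level traffic and ICMP state, none of which the lab configures.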
