Cisco ASA Firewall Configuration Lab

[Image: 101209553.jpg]

Lab requirements:

Divide the network into three zones: inside (internal network), outside (external network) and dmz (server zone).

Configure PAT, translating directly to the IP address of the outside interface.

Configure static NAT to publish the internal server.

Enable NAT control and configure NAT exemption, so that when pc2 accesses hosts in the outside zone no NAT translation is performed.

Configure remote management of the ASA: configure telnet, allowing only pc2 to connect via telnet.

Configure SSH, allowing pc2 and the outside zone to connect via SSH.

The configuration in the GNS3 simulator is as follows:

1. Interface and routing configuration

1) ASA configuration

ciscoasa> en
Password:
ciscoasa# conf t
ciscoasa(config)# int e0/0
ciscoasa(config-if)# ip add 192.168.1.2 255.255.255.0
ciscoasa(config-if)# no sh
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.

ciscoasa(config-if)# int e0/1
ciscoasa(config-if)# ip add 192.168.2.1 255.255.255.0
ciscoasa(config-if)# no sh
ciscoasa(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
ciscoasa(config-if)# security-level 50

ciscoasa(config-if)# int e0/2
ciscoasa(config-if)# ip add 200.0.0.1 255.255.255.0
ciscoasa(config-if)# no sh
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.

ciscoasa(config)# enable password asa   (set the privileged-mode (enable) password)
ciscoasa(config)# passwd asa   (set the password for remote login)

ciscoasa(config-if)# sh int ip bri
Interface      IP-Address    OK? Method Status                Protocol
Ethernet0/0    192.168.1.2   YES manual up                    up
Ethernet0/1    192.168.2.1   YES manual up                    up
Ethernet0/2    200.0.0.1     YES manual up                    up
Ethernet0/3    unassigned    YES unset  administratively down up
Ethernet0/4    unassigned    YES unset  administratively down up
Ethernet0/5    unassigned    YES unset  administratively down up

ciscoasa(config-if)# sh nameif
Interface      Name      Security
Ethernet0/0    inside    100
Ethernet0/1    dmz       50
Ethernet0/2    outside   0

ciscoasa(config)# route inside 0 0 192.168.1.1
ciscoasa(config)# route outside 172.16.16.0 255.255.255.0 200.0.0.2

ciscoasa(config)# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

C    200.0.0.0 255.255.255.0 is directly connected, outside
S    172.16.16.0 255.255.255.0 [1/0] via 200.0.0.2, outside
C    192.168.1.0 255.255.255.0 is directly connected, inside
C    192.168.2.0 255.255.255.0 is directly connected, dmz
S*   0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, inside


2) R3 configuration

R3>en
R3#conf t
R3(config)#int f0/0
R3(config-if)#ip add 10.0.0.1 255.255.255.0
R3(config-if)#no sh

R3(config-if)#int f1/0
R3(config-if)#ip add 10.1.1.1 255.255.255.0
R3(config-if)#no sh

R3(config-if)#int f2/0
R3(config-if)#ip add 192.168.1.1 255.255.255.0
R3(config-if)#no sh

R3(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.2
R3(config)#end
R3#sh ip int bri
Interface          IP-Address    OK? Method Status  Protocol
FastEthernet0/0    10.0.0.1      YES manual up      up
FastEthernet1/0    10.1.1.1      YES manual up      up
FastEthernet2/0    192.168.1.1   YES manual up      up

3) ISP configuration

ISP(config)#int f0/0
ISP(config-if)#ip add 200.0.0.2 255.255.255.0
ISP(config-if)#no sh
ISP(config)#int f1/0
ISP(config-if)#ip add 172.16.16.1 255.255.255.0
ISP(config-if)#no sh
ISP(config)#ip route 0.0.0.0 0.0.0.0 200.0.0.1

4) PC configuration

pc1(config)#int f0/0
pc1(config-if)#ip add 10.0.0.2 255.255.255.0
pc1(config-if)#no sh
pc1(config)#ip route 0.0.0.0 0.0.0.0 10.0.0.1   (the PCs are simulated by routers in GNS3; this line sets the default gateway)

pc2(config)#int f0/0
pc2(config-if)#ip add 10.1.1.2 255.255.255.0
pc2(config-if)#no sh
pc2(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.1

pc3(config)#int f0/0
pc3(config-if)#ip add 172.16.16.2 255.255.255.0
pc3(config-if)#no sh
pc3(config)#ip route 0.0.0.0 0.0.0.0 172.16.16.1

server(config)#int f0/0
server(config-if)#ip add 192.168.2.2 255.255.255.0
server(config-if)#no sh
server(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.1


2. Dynamic PAT configuration

Translate directly to the IP address of the outside interface.

ciscoasa(config)# nat-control   (enable NAT control)
ciscoasa(config)# nat (inside) 1 10.0.0.0 255.255.255.0   (the subnet that needs to be translated)
ciscoasa(config)# global (outside) 1 interface

Or:

ciscoasa(config)# nat (inside) 1 10.0.0.0 255.255.255.0
ciscoasa(config)# global (outside) 1 200.0.0.1

At this point pc2 can no longer reach any host: with NAT control enabled, the connections pc2 initiates match no NAT rule, so they are denied outbound.

pc2#telnet 172.16.16.2
Trying 172.16.16.2 ...
% Connection refused by remote host

Configure the exemption:

ciscoasa(config)# nat (inside) 0 10.1.1.2 255.255.255.255
WARNING: IP address <10.1.1.2> and netmask <255.255.255.255> inconsistent
nat 0 10.1.1.0 will be identity translated for outbound

Or:

asa(config)# access-list nonat permit ip host 10.1.1.2 host 172.16.16.2
asa(config)# nat (inside) 0 access-list nonat

pc2#telnet 172.16.16.2
Trying 172.16.16.2 ... Open

User Access Verification

Username:

pc2's traffic is now exempted from the NAT rules.

ciscoasa(config)# sh xlate detail
2 in use, 3 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static
TCP PAT from inside:10.0.0.2/11004 to outside:200.0.0.1/1024 flags ri




3. Static NAT (publishing the server in the DMZ zone): a fixed one-to-one translation

ciscoasa(config)# static (dmz,outside) 200.0.0.5 192.168.2.2
ciscoasa(config)# access-list out_to_dmz permit ip host 172.16.16.2 host 200.0.0.5
ciscoasa(config)# access-group out_to_dmz in int outside

Note: the destination address in the ACL must be the mapped address 200.0.0.5, not 192.168.2.2.

server(config)#ip http server   (start the HTTP server)

pc3#telnet 200.0.0.5 80
Trying 200.0.0.5, 80 ... Open

ciscoasa(config)# sh xlate detail   (view the NAT translation table)
3 in use, 3 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static
NAT from dmz:192.168.2.2 to outside:200.0.0.5 flags s
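The following Python model is an added example; it is not part of the original lab and not Cisco code. It reproduces the lookup order that sections 2 and 3 rely on (pre-8.3 ASA with nat-control): NAT exemption first, then static NAT, then dynamic NAT/PAT, with nat-control dropping any flow from a higher- to a lower-security interface that matches no rule. The rule table is transcribed from the lab's commands; policy NAT and the plain "nat 0 <network>" identity form are deliberately not modelled (an assumption of the example). It shows why pc2 was blocked before the exemption, why an inside-to-dmz flow with no NAT rule is also dropped, and why the inbound ACL must name the mapped address.

```python
"""Pre-8.3 ASA NAT lookup order with nat-control enabled (added example).

Rule table transcribed from this lab:
  nat-control
  nat (inside) 1 10.0.0.0 255.255.255.0 + global (outside) 1 interface
  nat (inside) 0 access-list nonat   (host 10.1.1.2 -> host 172.16.16.2)
  static (dmz,outside) 200.0.0.5 192.168.2.2
Policy NAT and identity NAT ('nat 0 <network>') are not modelled (assumption).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# nameif / security-level values from section 1 of the lab
SECURITY = {"inside": 100, "dmz": 50, "outside": 0}


@dataclass
class Exempt:           # nat (ifc) 0 access-list <acl>
    ifc: str
    src: str            # source network named in the ACL
    dst: str            # destination network named in the ACL


@dataclass
class Static:           # static (real_ifc,mapped_ifc) mapped real
    real_ifc: str
    mapped_ifc: str
    mapped: str
    real: str


@dataclass
class Dynamic:          # nat (ifc) <id> net  +  global (mapped_ifc) <id> addr|interface
    ifc: str
    net: str
    mapped_ifc: str
    mapped: str         # 'interface' resolved to the outside address 200.0.0.1


RULES = [
    Exempt("inside", "10.1.1.2/32", "172.16.16.2/32"),
    Static("dmz", "outside", "200.0.0.5", "192.168.2.2"),
    Dynamic("inside", "10.0.0.0/24", "outside", "200.0.0.1"),
]


def lookup(in_ifc: str, src: str, out_ifc: str, dst: str,
           nat_control: bool = True) -> Tuple[str, Optional[str]]:
    """Classify a new flow entering on in_ifc and leaving on out_ifc.

    Returns (action, mapped_source). The order mirrors the ASA: exemption,
    then static, then dynamic; nat-control decides what happens on fall-through.
    """
    s, d = ip_address(src), ip_address(dst)

    # 1. NAT exemption: a matching src/dst pair is never translated
    for r in RULES:
        if (isinstance(r, Exempt) and r.ifc == in_ifc
                and s in ip_network(r.src) and d in ip_network(r.dst)):
            return "exempt", src

    # 2. static NAT for the real host leaving through the mapped interface
    for r in RULES:
        if (isinstance(r, Static) and in_ifc == r.real_ifc
                and out_ifc == r.mapped_ifc and src == r.real):
            return "static", r.mapped

    # 3. dynamic NAT/PAT toward the interface that owns the global pool
    for r in RULES:
        if (isinstance(r, Dynamic) and r.ifc == in_ifc
                and out_ifc == r.mapped_ifc and s in ip_network(r.net)):
            return "pat", r.mapped

    # 4. no rule matched: nat-control denies untranslated high-to-low flows
    if nat_control and SECURITY[in_ifc] > SECURITY[out_ifc]:
        return "drop", None
    return "untranslated", src


def real_destination(mapped_ifc: str, dst: str) -> Optional[str]:
    """Inbound side of a static: the real host behind a mapped address.

    Inbound ACLs on a pre-8.3 ASA are matched against the mapped address,
    which is why the lab's ACL names 200.0.0.5 rather than 192.168.2.2.
    """
    for r in RULES:
        if isinstance(r, Static) and r.mapped_ifc == mapped_ifc and r.mapped == dst:
            return r.real
    return None


if __name__ == "__main__":
    print("pc1 -> pc3:     ", lookup("inside", "10.0.0.2", "outside", "172.16.16.2"))
    print("pc2 -> pc3:     ", lookup("inside", "10.1.1.2", "outside", "172.16.16.2"))
    print("pc2 -> other:   ", lookup("inside", "10.1.1.2", "outside", "172.16.16.3"))
    print("pc1 -> server:  ", lookup("inside", "10.0.0.2", "dmz", "192.168.2.2"))
    print("server -> pc3:  ", lookup("dmz", "192.168.2.2", "outside", "172.16.16.2"))
    print("pc3 -> 200.0.0.5 reaches:", real_destination("outside", "200.0.0.5"))
```

Calling lookup() with nat_control=False shows the other half of the lab's point: without NAT control the unmatched pc2 flow would simply pass untranslated, so the exemption only becomes necessary once nat-control is on.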


4. Remote management of the ASA

1) Allowing telnet access

ciscoasa(config)# username lijun password 123456
ciscoasa(config)# aaa authentication telnet console LOCAL
ciscoasa(config)# telnet 10.1.1.2 255.255.255.255 inside

Only pc2 can telnet to the ASA firewall:

pc2#telnet 192.168.1.2
Trying 192.168.1.2 ... Open

User Access Verification

Username: lijun
Password: ******
Type help or '?' for a list of available commands.
ciscoasa>

pc1#telnet 192.168.1.2
Trying 192.168.1.2 ...
% Connection timed out; remote host not responding

pc1 cannot connect.

2) Configuring SSH access

ciscoasa(config)# hostname asa   (set the hostname)
asa(config)# username lihao password 123456
asa(config)# aaa authentication ssh console LOCAL
asa(config)# domain-name benet.com   (set the domain name)
asa(config)# crypto key generate rsa modulus 1024   (generate the RSA key pair)
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
asa(config)# ssh 10.1.1.2 255.255.255.255 inside   (allow pc2 to connect to the firewall)
asa(config)# ssh 0 0 outside   (allow any external host to connect to the ASA firewall)

pc2#ssh -l lihao 192.168.1.2

Password:
Type help or '?' for a list of available commands.
asa>

On the inside only pc2 can connect via SSH; on the outside any host can:

pc3#ssh -l lihao 200.0.0.1

Password:
Type help or '?' for a list of available commands.
asa>
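As an added example (not part of the original lab), the script below audits the management-access lines from this section the way a reviewer would check a device's running configuration: it parses the telnet/ssh source restrictions and the aaa authentication lines, answers "may this client on this interface reach the CLI?", and flags entries that open the management plane to any source. SAMPLE_CONFIG is constructed from the commands shown above, not a real configuration dump; the "0 0" shorthand is expanded to 0.0.0.0/0 because that is what the ASA accepts in these commands. Run on the lab's lines it reports one finding: the "ssh 0 0 outside" entry that lets every external host attempt a login.

```python
"""Audit ASA management-access lines (added example, not from the lab).

SAMPLE_CONFIG is constructed from the commands in this section of the lab.
"""
import re
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Tuple

SAMPLE_CONFIG = """\
hostname asa
enable password asa
passwd asa
username lijun password 123456
username lihao password 123456
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
telnet 10.1.1.2 255.255.255.255 inside
ssh 10.1.1.2 255.255.255.255 inside
ssh 0 0 outside
"""

# telnet|ssh <address> <mask> <interface>
ACCESS_RE = re.compile(r"^(telnet|ssh)\s+(\S+)\s+(\S+)\s+(\S+)$")


def _expand(token: str) -> str:
    # The ASA CLI accepts a bare 0 for 0.0.0.0 here, as in 'ssh 0 0 outside'
    return "0.0.0.0" if token == "0" else token


def parse_access(config: str) -> List[Tuple[str, IPv4Network, str]]:
    """Return (protocol, allowed network, interface) for every telnet/ssh line."""
    entries = []
    for line in config.splitlines():
        m = ACCESS_RE.match(line.strip())
        if m:
            proto, addr, mask, ifc = m.groups()
            entries.append((proto, ip_network(f"{_expand(addr)}/{_expand(mask)}"), ifc))
    return entries


def is_allowed(config: str, proto: str, src: str, ifc: str) -> bool:
    """True if a client at src arriving on ifc may open proto to the ASA."""
    return any(p == proto and i == ifc and ip_address(src) in net
               for p, net, i in parse_access(config))


def audit(config: str) -> List[str]:
    """Findings a reviewer would raise about management-plane exposure."""
    findings = []
    entries = parse_access(config)
    for proto, net, ifc in entries:
        if net.prefixlen == 0:
            findings.append(f"{proto} on {ifc}: any source ({net}) may reach the CLI; "
                            f"restrict to known management hosts")
        if proto == "telnet" and ifc == "outside":
            findings.append("telnet on outside: cleartext management on the untrusted interface")
    for proto in ("telnet", "ssh"):
        used = any(p == proto for p, _, _ in entries)
        has_aaa = re.search(rf"^aaa authentication {proto} console\b", config, re.M)
        if used and not has_aaa:
            findings.append(f"{proto}: no 'aaa authentication {proto} console'; "
                            f"only the shared 'passwd' guards login")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("pc2 telnet inside:", is_allowed(SAMPLE_CONFIG, "telnet", "10.1.1.2", "inside"))
    print("pc1 telnet inside:", is_allowed(SAMPLE_CONFIG, "telnet", "10.0.0.2", "inside"))
    print("pc3 ssh outside:  ", is_allowed(SAMPLE_CONFIG, "ssh", "172.16.16.2", "outside"))
```

The per-protocol aaa check matters because the lab configures "aaa authentication ... console LOCAL" separately for telnet and for SSH; if either line is missing, that protocol falls back to the single shared passwd with no per-user accountability.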

(Supplementary) Port-forwarding (static PAT) commands

static (dmz,outside) tcp 200.0.0.5 80 192.168.2.2 80
access-list out_to_dmz permit ip host 172.16.16.2 host 200.0.0.5
access-group out_to_dmz in int outside


5. Show and troubleshooting commands

sh nameif   (list the zones)
sh int ip bri   (show the IP configuration)
sh ssh   (show the SSH configuration)
sh crypto key mypubkey rsa   (show the generated RSA public key)
crypto key zeroize rsa   (delete the RSA key pair)

asa(config)# capture ssh interface outside   (capture packets for troubleshooting; "ssh" is just the capture name)
asa(config)# sh capture ssh
119 packets captured
1: 02:36:50.108057 172.16.16.2.11005 > 200.0.0.1.22: P 710551790:710551842(52) ack 856118752 win 3644
2: 02:36:50.108057 200.0.0.1.22 > 172.16.16.2.11005: . ack 710551842 win 8192
3: 02:36:50.108041 200.0.0.1.22 > 172.16.16.2.11005: P 856118752:856118804(52) ack 710551842 win 8192
4: 02:36:50.139809 172.16.16.2.11005 > 200.0.0.1.22: . ack 856118804 win 4128
5: 02:36:51.418099 172.16.16.2.11005 > 200.0.0.1.22: P 710551842:710551894(52) ack 856118804 win 4128
6: 02:36:51.418099 200.0.0.1.22 > 172.16.16.2.11005: . ack 710551894 win 8192
7: 02:36:51.418099 200.0.0.1.22 > 172.16.16.2.11005: P 856118804:856118856(52) ack 710551894 win 8192
8: 02:36:51.680583 172.16.16.2.11005 > 200.0.0.1.22: . ack 856118856 win 4076
9: 02:36:52.698755 172.16.16.2.11005 > 200.0.0.1.22: P 710551894:710551946(52) ack 856118856 win 4076
10: 02:36:52.698755 200.0.0.1.22 > 172.16.16.2.11005: . ack 710551946 win 8192
asa(config)# no capture ssh   (stop the capture)
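The capture output above is easier to reason about per flow than per packet. The parser below is an added example (not part of the lab): it reads the tcpdump-style lines the ASA prints for "show capture", counts packets and payload bytes in each direction, and lists which clients were seen talking to the firewall's own management ports. CAPTURE_TEXT is a constructed copy of the ten lines shown above; the set of ASA addresses passed to management_sessions() is taken from this lab's interface configuration.

```python
"""Summarize ASA 'show capture' output per flow (added example, not from the lab).

CAPTURE_TEXT reproduces the ten capture lines shown in this section.  The format
parsed is: index: timestamp src.port > dst.port: flags [seq:seq(len)] ack n win w
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

CAPTURE_TEXT = """\
119 packets captured
   1: 02:36:50.108057 172.16.16.2.11005 > 200.0.0.1.22: P 710551790:710551842(52) ack 856118752 win 3644
   2: 02:36:50.108057 200.0.0.1.22 > 172.16.16.2.11005: . ack 710551842 win 8192
   3: 02:36:50.108041 200.0.0.1.22 > 172.16.16.2.11005: P 856118752:856118804(52) ack 710551842 win 8192
   4: 02:36:50.139809 172.16.16.2.11005 > 200.0.0.1.22: . ack 856118804 win 4128
   5: 02:36:51.418099 172.16.16.2.11005 > 200.0.0.1.22: P 710551842:710551894(52) ack 856118804 win 4128
   6: 02:36:51.418099 200.0.0.1.22 > 172.16.16.2.11005: . ack 710551894 win 8192
   7: 02:36:51.418099 200.0.0.1.22 > 172.16.16.2.11005: P 856118804:856118856(52) ack 710551894 win 8192
   8: 02:36:51.680583 172.16.16.2.11005 > 200.0.0.1.22: . ack 856118856 win 4076
   9: 02:36:52.698755 172.16.16.2.11005 > 200.0.0.1.22: P 710551894:710551946(52) ack 856118856 win 4076
  10: 02:36:52.698755 200.0.0.1.22 > 172.16.16.2.11005: . ack 710551946 win 8192
"""

PACKET_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>\S+)(?:\s+\d+:\d+\((?P<len>\d+)\))?"
)


def parse_capture(text: str) -> List[dict]:
    """Return one dict per packet line; the header and unparsable lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            d = m.groupdict()
            d["len"] = int(d["len"] or 0)        # pure ACKs carry no seq:seq(len) field
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            packets.append(d)
    return packets


def flow_summary(packets: List[dict]) -> Dict[str, Dict[str, int]]:
    """Packet and payload-byte counts per direction, keyed 'src:port>dst:port'."""
    summary = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        key = f"{p['src']}:{p['sport']}>{p['dst']}:{p['dport']}"
        summary[key]["packets"] += 1
        summary[key]["bytes"] += p["len"]
    return dict(summary)


def management_sessions(packets: List[dict], asa_addrs: Iterable[str],
                        ports=(22, 23)) -> List[str]:
    """Client addresses seen connecting to the ASA's own SSH/telnet ports."""
    asa = set(asa_addrs)
    clients = {p["src"] for p in packets if p["dst"] in asa and p["dport"] in ports}
    return sorted(clients)


if __name__ == "__main__":
    pkts = parse_capture(CAPTURE_TEXT)
    for key, counts in flow_summary(pkts).items():
        print(key, counts)
    # ASA interface addresses from section 1 of the lab
    print("management clients:", management_sessions(pkts, {"192.168.1.2", "200.0.0.1"}))
```

On the lab's ten lines the client side sends 156 payload bytes in three pushes and the ASA answers with 104, which is the steady keystroke/echo rhythm of an interactive SSH session; the same summary over a longer capture would make an unexpected client address or an unexpected management port stand out immediately.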

