26 - Cisco Firewalls: Multiple-Context Firewall Lab


I. Lab topology:
(Summarised from the configurations below.) R1 (172.16.1.1, loopback 1.1.1.1/24) sits behind the admin context's dmz interface, ASA G0. R2 (202.100.1.2) is on the outside segment 202.100.1.0/24, ASA G1, which both contexts share. R3 (192.168.1.3) is on the inside segment 192.168.1.0/24, ASA G2, also shared by both contexts. R4 (10.1.1.4) sits behind the vir context's dmz interface, ASA G3.

II. Lab requirements:
1. Switch the ASA to multiple context mode with the firewall in routed mode. In multiple mode an IP address cannot be configured on an interface in the system execution space (the same holds for transparent mode); addresses are configured only inside the security contexts.
2. Bring up the ASA interfaces with no shutdown, then create the contexts admin and vir.
3. The admin-type context (admin) must be created before any other context.
4. For the ASA, download the instructor's folder from the Baidu Netdisk share and open its .vmx file directly; otherwise the number of virtual contexts the image supports is 0.
III. Command deployment:
1. Basic router configuration:
R1(config)#int lo0
R1(config-if)#ip add 1.1.1.1 255.255.255.0
R1(config-if)#int f0/0
R1(config-if)#no shutdown
R1(config-if)#ip add 172.16.1.1 255.255.255.0

R2(config)#int f0/0
R2(config-if)#no shutdown
R2(config-if)#ip add 202.100.1.2 255.255.255.0

R3(config)#int f0/0
R3(config-if)#no shutdown
R3(config-if)#ip add 192.168.1.3 255.255.255.0

R4(config)#int f0/0
R4(config-if)#no shutdown
R4(config-if)#ip add 10.1.1.4 255.255.255.0

2. Switch the ASA to multiple context mode, firewall mode routed, and delete any previously saved admin.cfg:
ASA(config)# show firewall //if the mode is not routed, no firewall transparent puts it back

Firewall mode: Router

ASA(config)# show mode
Security context mode: single
ASA(config)# mode multiple //the ASA converts the running configuration into a system configuration plus an admin context saved as admin.cfg, then reloads; wait for it to come back

ASA(config)# show flash: //check whether an admin.cfg already exists on flash (the conversion writes one); if so, delete it so the admin context starts empty
ASA(config)# delete flash:admin.cfg
Delete filename [admin.cfg]?
Delete disk0:/admin.cfg? [confirm]

Verify:
ASA# show mode
Security context mode: multiple

ASA# show firewall
Firewall mode: Router
ASA# show flash: //no admin.cfg file remains
3. First bring up ASA interfaces G0 to G3 (in the system execution space):
ASA(config)# int g0
ASA(config-if)# no shutdown

ASA(config)# int g1
ASA(config-if)# no shutdown

ASA(config)# int g2
ASA(config-if)# no shutdown

ASA(config)# int g3
ASA(config-if)# no shutdown
4. First create the admin-type context, admin:
ASA(config)# admin-context admin //designate the context named admin as the admin context
Allocate interfaces to the admin context:
ASA(config)# context admin //enter the admin context definition
ASA(config-ctx)# allocate-interface g0 //allocate (assign) the physical interface to this context
ASA(config-ctx)# allocate-interface g1
ASA(config-ctx)# allocate-interface g2

ASA(config-ctx)# config-url flash:/admin.cfg //where this context's configuration is stored; everything configured inside the context is saved to this file
Verify:
ASA(config-ctx)# show run context
admin-context admin
context admin
allocate-interface GigabitEthernet0
allocate-interface GigabitEthernet1
allocate-interface GigabitEthernet2
config-url disk0:/admin.cfg
!

5. Create the other context, named vir, and allocate its interfaces:
ASA(config)# context vir //create the context named vir
ASA(config-ctx)# allocate-interface g1
ASA(config-ctx)# allocate-interface g2
ASA(config-ctx)# allocate-interface g3
ASA(config-ctx)# config-url flash:/vir.cfg //path of this context's configuration file

6. Configure the admin context:
ASA(config)# changeto context admin //switch into the admin context's configuration

ASA/admin(config)# show int ip bri //the admin context was allocated three interfaces
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0 unassigned YES unset up up
GigabitEthernet1 unassigned YES unset up up
GigabitEthernet2 unassigned YES unset up up

ASA/admin(config)# int g1
ASA/admin(config-if)# no shutdown
ASA/admin(config-if)# nameif outside
ASA/admin(config-if)# security-level 0
ASA/admin(config-if)# ip add 202.100.1.10 255.255.255.0

ASA/admin(config)# int g0
ASA/admin(config-if)# no shutdown
ASA/admin(config-if)# nameif dmz
ASA/admin(config-if)# security-level 50
ASA/admin(config-if)# ip add 172.16.1.10 255.255.255.0

ASA/admin(config)# int g2
ASA/admin(config-if)# no shutdown
ASA/admin(config-if)# nameif inside
ASA/admin(config-if)# security-level 100
ASA/admin(config-if)# ip add 192.168.1.10 255.255.255.0

admin context: to reach R1's 1.1.1.1 only static or default routes can be used; on this ASA release multiple context mode does not support dynamic routing protocols (ASA 9.0 and later added OSPFv2 and EIGRP in multiple context mode).
ASA/admin(config-if)# route dmz 1.1.1.0 255.255.255.0 172.16.1.1

7. Configure the vir context:
ASA/admin(config)# changeto context vir //switch to the vir context

ASA/vir(config)# show int ip bri //the vir context was allocated three interfaces
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1 unassigned YES unset up up
GigabitEthernet2 unassigned YES unset up up
GigabitEthernet3 unassigned YES unset up up

ASA/vir(config)# int g1
ASA/vir(config-if)# no shutdown
ASA/vir(config-if)# nameif outside
ASA/vir(config-if)# security-level 0
ASA/vir(config-if)# ip add 202.100.1.20 255.255.255.0

ASA/vir(config)# int g3
ASA/vir(config-if)# no shutdown
ASA/vir(config-if)# nameif dmz
ASA/vir(config-if)# security-level 50
ASA/vir(config-if)# ip add 10.1.1.20 255.255.255.0

ASA/vir(config)# int g2
ASA/vir(config-if)# no shutdown
ASA/vir(config-if)# nameif inside
ASA/vir(config-if)# security-level 100
ASA/vir(config-if)# ip add 192.168.1.20 255.255.255.0
Verify:
ASA/vir(config)# show int ip bri
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1 202.100.1.20 YES manual up up
GigabitEthernet2 192.168.1.20 YES manual up up
GigabitEthernet3 10.1.1.20 YES manual up up

8. Return to the system execution space and view the context configuration:
ASA/vir(config)# changeto context sys //as typed in the lab; the documented form of this command is changeto system
ASA(config)# show run
admin-context admin
context admin
allocate-interface GigabitEthernet0
allocate-interface GigabitEthernet1
allocate-interface GigabitEthernet2
config-url disk0:/admin.cfg
!
context vir
allocate-interface GigabitEthernet1
allocate-interface GigabitEthernet2
allocate-interface GigabitEthernet3
config-url disk0:/vir.cfg
!
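The following script is an added example, not part of the original lab, that audits a system-execution-space configuration like the show run output above. It checks that an admin context is designated and actually defined, that every context has a config-url, and it flags physical interfaces allocated to more than one context when mac-address auto is not enabled, which is the condition that breaks Test 2 later on. The sample configuration is constructed from the lab's own output; the finding wording and the audit() helper are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the system execution space configuration this lab shows in step 8.
# On the release used in the lab mac-address auto is off unless configured, so it is absent here.
SYSTEM_CONFIG = """\
admin-context admin
context admin
  allocate-interface GigabitEthernet0
  allocate-interface GigabitEthernet1
  allocate-interface GigabitEthernet2
  config-url disk0:/admin.cfg
!
context vir
  allocate-interface GigabitEthernet1
  allocate-interface GigabitEthernet2
  allocate-interface GigabitEthernet3
  config-url disk0:/vir.cfg
!
"""


def parse_contexts(config):
    """Parse context definitions out of system-space running config.

    Returns (admin_context_name, contexts, mac_auto) where contexts maps
    name -> {'interfaces': [...], 'config_url': str or None}.
    """
    admin = None
    contexts = {}
    current = None
    mac_auto = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line == "mac-address auto":
            mac_auto = True
            continue
        if line == "no mac-address auto":
            mac_auto = False
            continue
        m = re.match(r"admin-context (\S+)$", line)
        if m:
            admin = m.group(1)
            continue
        m = re.match(r"context (\S+)$", line)
        if m:
            current = m.group(1)
            contexts.setdefault(current, {"interfaces": [], "config_url": None})
            continue
        if current is None:
            continue
        m = re.match(r"allocate-interface (\S+)", line)
        if m:
            contexts[current]["interfaces"].append(m.group(1))
            continue
        m = re.match(r"config-url (\S+)", line)
        if m:
            contexts[current]["config_url"] = m.group(1)
    return admin, contexts, mac_auto


def shared_interfaces(contexts):
    """Physical interfaces allocated to more than one context -> sorted context names."""
    owners = defaultdict(list)
    for name, ctx in contexts.items():
        for intf in ctx["interfaces"]:
            owners[intf].append(name)
    return {intf: sorted(names) for intf, names in owners.items() if len(names) > 1}


def audit(config):
    """Return a list of findings; an empty list means the context layout is sound."""
    admin, contexts, mac_auto = parse_contexts(config)
    findings = []
    if admin is None:
        findings.append("no admin-context defined; it must exist before any other context")
    elif admin not in contexts:
        findings.append(f"admin-context {admin} is named but 'context {admin}' is never defined")
    for name, ctx in contexts.items():
        if ctx["config_url"] is None:
            findings.append(f"context {name} has no config-url; its configuration cannot be saved")
    shared = shared_interfaces(contexts)
    if shared and not mac_auto:
        for intf, names in sorted(shared.items()):
            findings.append(
                f"{intf} is shared by {', '.join(names)} without mac-address auto; "
                "both contexts answer ARP with the same MAC and the classifier "
                "cannot tell their traffic apart"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SYSTEM_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the lab configuration it reports the two shared interfaces, G1 and G2; appending mac-address auto (Solution 2 of Test 2) clears both findings.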

9. Switch to the admin and vir contexts and ping from each to test reachability:
ASA(config)# changeto context admin
ASA/admin(config)# ping 1.1.1.1 //reachable through the static route to 1.1.1.0/24 via dmz added earlier
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/16/40 ms
ASA/admin(config)# ping 202.100.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.2, timeout is 2 seconds:!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/14/20 ms
ASA/admin(config)# ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/10 ms
ASA/admin(config)# ping 192.168.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms

ASA/admin(config)# changeto context vir
ASA/vir(config)# ping 202.100.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.2, timeout is 2 seconds:!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms
ASA/vir(config)# ping 10.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.4, timeout is 2 seconds:!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/14/30 ms
ASA/vir(config)# ping 192.168.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms

Test 1:
In (vir) context configuration mode:
1. Static NAT the DMZ host 10.1.1.4 to the outside address 202.100.1.4;
2. Deploy an ACL permitting any source to Telnet to 10.1.1.4 (on ASA 8.3 and later the ACL references the real, pre-NAT address, not the mapped one).

3. Enable VTY on R2 and R4, both with password aa;
4. From R2, Telnet to R4 at 202.100.1.4, then show users;
5. On R4 add a default route, ip route 0.0.0.0 0.0.0.0 10.1.1.20 (pointing at the vir context's dmz address); R4 can then Telnet back to R2 at 202.100.1.2 as well, then show users.
Command deployment:
ASA/vir(config)# object network dmz-to-out
ASA/vir(config-network-object)# host 10.1.1.4
ASA/vir(config-network-object)# nat (dmz,outside) static 202.100.1.4

ASA/vir(config)# access-list out-tel permit tcp any host 10.1.1.4 eq telnet //real (pre-NAT) address; telnet = TCP 23
ASA/vir(config)# access-group out-tel in interface outside

R2(config)#line vty 0 4
R2(config-line)#password aa
R2(config-line)#login //login is required: with no login anyone can connect without a password; do not use login local, which checks local usernames, and none are configured here
R4(config)#line vty 0 4
R4(config-line)#password aa
R4(config-line)#login
Verify:
R2#telnet 202.100.1.4
Trying 202.100.1.4 ... Open
User Access Verification
Password:
R4>show users
Line User Host(s) Idle Location
0 con 0 idle 00:01:42
*130 vty 0 idle 00:00:00 202.100.1.2

R4(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.20 //R4 needs a default route, otherwise it cannot send return packets
Verify:
R4#telnet 202.100.1.2 //R2 sees the connection coming from the translated address 202.100.1.4
Trying 202.100.1.2 ... Open
User Access Verification
Password:
R2>show users
Line User Host(s) Idle Location
0 con 0 idle 00:02:01
*130 vty 0 idle 00:00:00 202.100.1.4
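As an added example (not from the original lab), the script below checks a context configuration like the one in Test 1 for two things a reviewer looks for: an ACL entry that names the NAT mapped address instead of the real address (pre-8.3 style, which never matches on 8.3 and later), and a permit from any source to a management port. The sample configuration is constructed from the lab's commands plus one deliberately wrong ACL entry, out-tel-wrong, so the first check has something to find; the MGMT_PORTS set and the ACE grammar the parser accepts (any / host / network-mask only, no object groups) are this example's own simplifications.

```python
import re

# Constructed sample: the vir context's NAT and ACL from Test 1, plus one deliberately
# wrong entry (out-tel-wrong names the mapped address, pre-8.3 style) so the check fires.
VIR_CONFIG = """\
object network dmz-to-out
 host 10.1.1.4
 nat (dmz,outside) static 202.100.1.4
access-list out-tel permit tcp any host 10.1.1.4 eq telnet
access-list out-tel-wrong permit tcp any host 202.100.1.4 eq telnet
access-group out-tel in interface outside
"""

# Hypothetical set of ports treated as management services for the source-scope check.
MGMT_PORTS = {"telnet", "23", "ssh", "22", "http", "80", "https", "443"}


def parse_static_nat(config):
    """Map mapped_ip -> (real_ip, real_if, mapped_if) for object-network static NAT."""
    mapped = {}
    real = None
    for raw in config.splitlines():
        line = raw.strip()
        if re.match(r"object network \S+$", line):
            real = None
            continue
        m = re.match(r"host (\d+\.\d+\.\d+\.\d+)$", line)
        if m:
            real = m.group(1)
            continue
        m = re.match(r"nat \(([^,]+),([^)]+)\) static (\d+\.\d+\.\d+\.\d+)", line)
        if m and real:
            real_if, mapped_if, mapped_ip = m.groups()
            mapped[mapped_ip] = (real, real_if, mapped_if)
    return mapped


def _take_addr(tokens):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D M.M.M.M (object forms not handled)."""
    first = tokens.pop(0)
    if first in ("any", "any4", "any6"):
        return first
    if first == "host":
        return tokens.pop(0)
    return first + " " + tokens.pop(0)


def parse_aces(config):
    """Parse extended ACEs of the form: access-list NAME permit|deny PROTO SRC DST [eq PORT]."""
    aces = []
    for raw in config.splitlines():
        tokens = raw.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
            continue
        name, action, proto = tokens[1], tokens[2], tokens[3]
        rest = tokens[4:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
        aces.append({"acl": name, "action": action, "proto": proto, "src": src, "dst": dst, "port": port})
    return aces


def check_acl_against_nat(config):
    """Findings: ACEs naming a mapped address (never match on 8.3+) and broad management access."""
    nat = parse_static_nat(config)
    findings = []
    for ace in parse_aces(config):
        if ace["dst"] in nat:
            findings.append(
                f"{ace['acl']}: destination {ace['dst']} is a NAT mapped address; since ASA 8.3 "
                f"ACLs match the real address, use host {nat[ace['dst']][0]}"
            )
        if ace["action"] == "permit" and ace["src"] in ("any", "any4") and ace["port"] in MGMT_PORTS:
            findings.append(
                f"{ace['acl']}: permits {ace['port']} to {ace['dst']} from any source; "
                "restrict the source to known management hosts"
            )
    return findings


if __name__ == "__main__":
    for finding in check_acl_against_nat(VIR_CONFIG):
        print(finding)
```

The lab's own entry, out-tel, is correct for 8.3+ but still draws the second finding: "any" to a Telnet port on a DMZ host is what the exercise asks for, not what a production rule should look like.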

Test 2: admin nat+global
In (admin) context configuration mode: PAT
1. Switch to admin: changeto context admin
2. Add a default route on R2: ip route 0.0.0.0 0.0.0.0 202.100.1.10
Add a default route on R3: ip route 0.0.0.0 0.0.0.0 192.168.1.10
Problem: R3 Telnet to R2 should work, since the traffic goes from inside to outside, but in practice it fails.
Why? R3's gateway is already 192.168.1.10, yet the traffic still does not get through; show ip route confirms the route is in place.
R3#show ip route
C 192.168.1.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 192.168.1.10
Cause: R3#show arp shows that 192.168.1.10 and 192.168.1.20 have exactly the same MAC address, the MAC of the ASA's G2. Both contexts share physical interface G2, and without per-context MAC addresses the ASA answers ARP for both contexts' addresses with the same MAC, so the classifier cannot tell from the destination MAC which context a frame belongs to.
R3#show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.1.10 37 000c.2995.4efc ARPA FastEthernet0/0
Internet 192.168.1.3 - cc03.ee90.0000 ARPA FastEthernet0/0
Internet 192.168.1.20 34 000c.2995.4efc ARPA FastEthernet0/0
On the ASA itself (show interface), G2 carries that same address:
2: Ext: GigabitEthernet2 : address is 000c.2995.4efc, irq 0

Command deployment:
ASA/vir(config)# changeto context admin
R2(config)#ip route 0.0.0.0 0.0.0.0 202.100.1.10
R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.10

Solution 1:
1. In ASA/admin, enter interface G2 and set a different MAC address with mac-address;
2. R3 can then Telnet to 202.100.1.2; confirm with R3#show arp.
ASA(config)# changeto context admin
ASA/admin(config)# interface g2
ASA/admin(config-if)# mac-address 0000.0000.0001

Solution 2:
1. Remove the MAC just set on G2 (no mac-address under interface g2 in the admin context), then let the system execution space assign unique per-context MACs automatically:
ASA/admin(config)# changeto context sys
ASA(config)# mac-address auto

Before either fix was applied, R2's ARP table showed the same thing: 202.100.1.10 and 202.100.1.20 share one MAC address:
R2#show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 202.100.1.10 46 000c.2995.4ef2 ARPA FastEthernet0/0
Internet 202.100.1.4 28 000c.2995.4ef2 ARPA FastEthernet0/0
Internet 202.100.1.2 - cc02.1bb4.0000 ARPA FastEthernet0/0
Internet 202.100.1.20 44 000c.2995.4ef2 ARPA FastEthernet0/0
As the table shows, 202.100.1.10 and 202.100.1.20 carry the same MAC address (so does the NAT mapped address 202.100.1.4, which the vir context proxy-ARPs for; that one is expected).
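To turn the diagnosis above into a repeatable check, here is an added example (not part of the original lab) that parses IOS show arp output, groups remote entries by MAC, and reports only the MACs that answer for addresses belonging to different contexts. The ARP tables are constructed from the lab's R3 and R2 output, and CONTEXT_OF is an assumed ownership map taken from the lab's addressing (including 202.100.1.4 as a vir-owned NAT mapped address); a single MAC serving several addresses of one context is normal and is deliberately not reported.

```python
import re
from collections import defaultdict

# Constructed samples: the ARP tables the lab shows on R3 and R2 before unique MACs were set.
R3_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.10            37   000c.2995.4efc  ARPA   FastEthernet0/0
Internet  192.168.1.3              -   cc03.ee90.0000  ARPA   FastEthernet0/0
Internet  192.168.1.20            34   000c.2995.4efc  ARPA   FastEthernet0/0
"""

R2_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  202.100.1.10            46   000c.2995.4ef2  ARPA   FastEthernet0/0
Internet  202.100.1.4             28   000c.2995.4ef2  ARPA   FastEthernet0/0
Internet  202.100.1.2              -   cc02.1bb4.0000  ARPA   FastEthernet0/0
Internet  202.100.1.20            44   000c.2995.4ef2  ARPA   FastEthernet0/0
"""

# Assumed ownership map built from the lab's addressing: which context answers for which address.
# 202.100.1.4 is the static NAT mapped address that the vir context proxy-ARPs for.
CONTEXT_OF = {
    "192.168.1.10": "admin", "192.168.1.20": "vir",
    "202.100.1.10": "admin", "202.100.1.20": "vir", "202.100.1.4": "vir",
}

ARP_RE = re.compile(
    r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(\S+)",
    re.IGNORECASE,
)


def parse_show_arp(text):
    """Parse IOS 'show arp' lines into dicts; Age '-' marks the router's own address."""
    entries = []
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            ip, age, mac, intf = m.groups()
            entries.append({"ip": ip, "mac": mac.lower(), "interface": intf, "local": age == "-"})
    return entries


def shared_macs(entries):
    """(interface, mac) -> sorted IPs, for MACs that answer for more than one remote IP."""
    by_mac = defaultdict(set)
    for e in entries:
        if not e["local"]:
            by_mac[(e["interface"], e["mac"])].add(e["ip"])
    return {key: sorted(ips) for key, ips in by_mac.items() if len(ips) > 1}


def cross_context_collisions(entries, context_of):
    """Shared MACs whose IPs belong to different contexts: the case the classifier cannot resolve."""
    collisions = []
    for (intf, mac), ips in shared_macs(entries).items():
        ctxs = {context_of[ip] for ip in ips if ip in context_of}
        if len(ctxs) > 1:
            collisions.append({"interface": intf, "mac": mac, "contexts": sorted(ctxs), "ips": ips})
    return collisions


if __name__ == "__main__":
    for name, table in (("R3", R3_ARP), ("R2", R2_ARP)):
        for c in cross_context_collisions(parse_show_arp(table), CONTEXT_OF):
            print(f"{name}: {c['mac']} on {c['interface']} answers for {c['contexts']}: {c['ips']}")
```

After Solution 1 or 2 the admin and vir addresses resolve to different MACs and the function returns nothing, which makes it a convenient post-change check from any router on a shared segment.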

Test 3: management through the admin context
In (admin) context configuration mode:
ASA(config)# changeto context admin
ASA/admin(config)# telnet 0 0 inside //allow Telnet from any inside host; this is lab-only: Telnet is cleartext and the fresh context still has the default password cisco, so in production use ssh, restrict the source network and set passwd

R3#telnet 192.168.1.10 //once logged in to the admin context every operation is available, including switching to other contexts and the system space
Trying 192.168.1.10 ... Open
User Access Verification
Password: cisco
ASA/admin# show int ip bri
ASA/admin# conf t
ASA/admin(config)# route outside 0 0 202.100.1.2
ASA/admin(config)#
ASA/admin(config)# show route
S* 0.0.0.0 0.0.0.0 [1/0] via 202.100.1.2, outside
ASA/admin(config)# changeto context vir
ASA/vir(config)# conf t
ASA/vir(config)# exit
ASA/vir# changeto context sys
ASA# show run context

ASA/admin(config)# changeto context vir
ASA/vir(config)# telnet 0 0 inside

R3#telnet 192.168.1.20 //after logging in to vir you can only operate inside vir; anything else returns an error
Trying 192.168.1.20 ... Open
User Access Verification
Password:
Type help or ‘?‘ for a list of available commands.
ASA/vir> en
Password:
ASA/vir# changeto context sys
Command not valid in current execution space
ASA/vir# changeto context admin
Command not valid in current execution space

Cisco firewall resources
Connection counts are still meaningful: a dash in the limit column means "unlimited", but that is not truly unlimited, since a context is still bounded by CPU resources and the per-protocol maximums; a numeric value such as 32 or 100 is the configured maximum:
