Firewall Basics Lab (1)


Task. Lab requirements:

Configure the interfaces of the routers and of the ASA so that the networks can reach each other

Configure routing

Verify that R1 can Telnet to R2 and R3, that R3 can Telnet to R2 but not to R1, and that R2 can Telnet to neither R1 nor R3

Use show conn detail to view the conn table

View the routing tables of the ASA and of RR

Configure an ACL that stops R3 from Telnetting to R2

Lab topology: (the diagram is not reproduced on this page; from the configuration below, R1 10.1.1.1 sits on the ASA inside interface 10.1.1.254, R3 192.168.1.1 on the dmz interface 192.168.1.254, RR 172.16.1.1 on the outside interface 172.16.1.254, and R2 4.4.4.1 behind RR's second interface 4.4.4.254)

Steps. Step 1: configure the IP address of each ASA interface and give it an interface name and a security level

enable
configure terminal
clear configure all (wipe the running configuration; do this first, because it would also erase a hostname or passwords entered before it)
hostname ASA
enable password 123
passwd 123 (login password for remote access to the ASA)
interface gigabitEthernet 0
nameif inside (interface name: inside)
security-level 100 (the highest security level)
no shutdown
ip address 10.1.1.254 255.255.255.0
exit
interface gigabitEthernet 1
nameif outside (interface name: outside)
security-level 0 (the lowest security level)
no shutdown
ip address 172.16.1.254 255.255.255.0
exit
interface gigabitEthernet 2
nameif dmz (interface name: dmz, the demilitarized zone)
security-level 50 (higher than outside, lower than inside)
no shutdown
ip address 192.168.1.254 255.255.255.0
exit

Step 2: configure the IP addresses of the corresponding interfaces on R1, R3 and R2 and disable routing on them (they play the role of hosts); configure the interface addresses on RR and enable routing; then verify that each device can reach its gateway

R1:

enable
configure terminal
hostname R1
interface fastEthernet 0/0
no shutdown
ip address 10.1.1.1 255.255.255.0
exit
no ip routing (disable routing: R1 acts as a host)
ip default-gateway 10.1.1.254 (default gateway; this command only takes effect while ip routing is off)
end
ping 10.1.1.254 (verify reachability to the gateway, the ASA inside interface)

R3:

enable
configure terminal
hostname R3
interface fastEthernet 0/0
no shutdown
ip address 192.168.1.1 255.255.255.0
exit
no ip routing (disable routing: R3 acts as a host)
ip default-gateway 192.168.1.254 (default gateway, the ASA dmz interface)
end
ping 192.168.1.254 (verify reachability to the gateway)

RR:

enable
configure terminal
hostname RR
ip routing (enable routing: RR is the router between the ASA and R2)
interface fastEthernet 0/0
no shutdown
ip address 4.4.4.254 255.255.255.0
exit
interface fastEthernet 1/0
no shutdown
ip address 172.16.1.1 255.255.255.0
end
ping 172.16.1.254 (verify reachability to the ASA outside interface)

R2:

enable
configure terminal
hostname R2
interface fastEthernet 0/0
no shutdown
ip address 4.4.4.1 255.255.255.0
exit
no ip routing (disable routing: R2 acts as a host)
ip default-gateway 4.4.4.254 (default gateway, RR's FastEthernet0/0)
end
ping 4.4.4.254 (verify reachability to the gateway)

Step 3:

(1) The ASA has no route to 4.4.4.0/24, so add a default route. It is written in the direction the traffic flows and names the egress interface, outside:

route outside 0.0.0.0 0.0.0.0 172.16.1.1

(2) RR has no route back to R1 (10.1.1.0/24) or R3 (192.168.1.0/24), so add a default route on RR pointing at the ASA outside interface. The ASA performs no address translation in this lab, so R2's replies to 10.1.1.1 and 192.168.1.1 can only get back if RR knows to send them to the ASA:

ip route 0.0.0.0 0.0.0.0 172.16.1.254

Step 4: enable remote login (Telnet) and set the passwords on R1, R2 and R3

Only vty 0 is configured below; the login check is on by default on IOS vty lines, so a line password is all that is needed (line vty 0 4 would cover all five default lines). Telnet carries this password in clear text; it is used here only because the lab needs a simple TCP service to test the firewall with.

R1:

enable
configure terminal
enable password 123
line vty 0
password 123
end

R2:

enable
configure terminal
enable password 123
line vty 0
password 123
end

R3:

enable
configure terminal
enable password 123
line vty 0
password 123
end

Step 5: verify Telnet from R1 to R2 and R3, from R3 to R1 and R2, and from R2 to R1 and R3

R1 (inside, security level 100):

telnet 4.4.4.1
Trying 4.4.4.1 ... Open

User Access Verification

Password:
R2>
exit

telnet 192.168.1.1
Trying 192.168.1.1 ... Open

User Access Verification

Password:
R3>
exit

R2 (outside, security level 0):

telnet 10.1.1.1
Connection timed out; remote host not responding
(The ASA silently drops the SYN: an interface with a higher security level may initiate connections towards a lower one, but by default a lower-level interface cannot initiate connections towards a higher one, and with no ACL applied nothing overrides that default.)

telnet 192.168.1.1
Connection timed out; remote host not responding
(outside, level 0, towards dmz, level 50: denied for the same reason)

R3 (dmz, security level 50):

telnet 4.4.4.1
Trying 4.4.4.1 ... Open

User Access Verification

Password:
R2>
exit

telnet 10.1.1.1
Connection timed out; remote host not responding
(dmz, level 50, towards inside, level 100: denied)

Step 6: when the ASA receives a packet it first looks for a matching entry in the conn table, then at the ACL applied to the ingress interface, and only if no ACL is applied does it fall back to comparing security levels. R3 -> R2 is allowed by the security levels (50 -> 0), so the only way to block it is an ACL on the dmz interface.

Configure on the ASA:

enable
configure terminal
access-list 333 deny tcp host 192.168.1.1 host 4.4.4.1 eq telnet (deny Telnet from 192.168.1.1 to 4.4.4.1)
access-group 333 in interface dmz (apply it inbound on the dmz interface)

Caveat: an ACL applied to an interface ends with an implicit deny, and once an ACL is applied the security-level default no longer applies to traffic entering that interface. As written, access-list 333 therefore blocks every new connection from the dmz, not only R3's Telnet to R2. To deny just that one flow while keeping the earlier behaviour (the dmz may reach outside but not inside), the deny has to be followed by explicit entries, for example a deny for ip from any to 10.1.1.0 255.255.255.0 and then permit ip any any.

Verification and testing

Step 1: Telnet from R3 to R2

R3:

telnet 4.4.4.1
Connection refused by remote host
(This attempt is refused rather than timed out: for an outbound session, from a higher security level to a lower one, that it denies, the ASA sends a TCP reset by default (service resetoutbound), whereas the inbound attempts in Step 5 were dropped silently.)

Step 2: while R1 is Telnetted into R2, view the conn table on the ASA

show conn detail
1 in use, 1 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, b - TCP state-bypass or nailed, C - CTIQBE media,
       D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,
       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
       i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
       k - Skinny media, M - SMTP data, m - SIP media, n - GUP
       O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
       q - SQL*Net data, R - outside acknowledged FIN,
       R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
       V - VPN orphan, W - WAAS,
       X - inspected by service module
TCP outside:4.4.4.1/23 inside:10.1.1.1/46179, flags UIO, idle 2s, uptime 2s, timeout 1h0m, bytes 90

The single entry is R1's Telnet session: flags UIO mean the connection is up and has carried data in both directions, and the absence of B (initial SYN from outside) shows it was opened from the inside. R2's reply packets match this entry and are forwarded even though new connections from outside to inside are denied.
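The following parser, added here and not part of the original post, reads a conn entry of the shape shown above and decodes its flags with the legend the ASA prints. SAMPLE_CONN is the lab's own entry; OUTSIDE_INITIATED is a constructed entry that carries the B flag, and the security levels are the lab's. The point it makes explicit is that the interface labels and the B flag, not the order of the two endpoints, tell you which side opened the connection.

```python
"""Added example (not from the original post): decode one 'show conn detail'
entry. Assumes the 8.x output format 'PROTO ifname:ip/port ifname:ip/port, ...'."""
import re

# Subset of the flag legend printed by 'show conn detail'. R appears twice in the
# legend; for a TCP entry it means 'outside acknowledged FIN'.
FLAG_LEGEND = {
    "U": "up", "I": "inbound data", "O": "outbound data",
    "B": "initial SYN from outside", "b": "TCP state-bypass or nailed",
    "A": "awaiting inside ACK to SYN", "a": "awaiting outside ACK to SYN",
    "S": "awaiting inside SYN", "s": "awaiting outside SYN",
    "F": "outside FIN", "f": "inside FIN",
    "R": "outside acknowledged FIN", "r": "inside acknowledged FIN",
    "i": "incomplete", "V": "VPN orphan",
}

LAB_LEVELS = {"inside": 100, "dmz": 50, "outside": 0}   # security levels from the lab

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) "
    r"(?P<if_a>\w+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) "
    r"(?P<if_b>\w+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+), "
    r"flags (?P<flags>[A-Za-z]+), idle (?P<idle>\S+), uptime (?P<uptime>\S+), "
    r"timeout (?P<timeout>\S+), bytes (?P<bytes>\d+)$"
)

# The lab's own entry (R1 Telnetted into R2).
SAMPLE_CONN = ("TCP outside:4.4.4.1/23 inside:10.1.1.1/46179, "
               "flags UIO, idle 2s, uptime 2s, timeout 1h0m, bytes 90")
# Constructed: what a connection opened from the outside towards the dmz would look like.
OUTSIDE_INITIATED = ("TCP outside:203.0.113.5/51000 dmz:192.168.1.1/80, "
                     "flags UIOB, idle 1s, uptime 5s, timeout 1h0m, bytes 1200")


def parse_conn(line: str, levels: dict = LAB_LEVELS) -> dict:
    """Return the endpoints, initiator and decoded flags of one conn entry."""
    m = CONN_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a conn entry: {line!r}")
    d = m.groupdict()
    endpoints = {d["if_a"]: (d["ip_a"], int(d["port_a"])),
                 d["if_b"]: (d["ip_b"], int(d["port_b"]))}
    flags = d["flags"]
    # 'outside' in the legend means the lower-security side of the pair; the B
    # flag, not the column order, says which side sent the first SYN.
    low, high = sorted(endpoints, key=lambda name: levels[name])
    initiator, responder = (low, high) if "B" in flags else (high, low)
    return {
        "proto": d["proto"],
        "endpoints": endpoints,
        "initiator": initiator,
        "responder": responder,
        "established": "U" in flags,
        "flags": [FLAG_LEGEND.get(c, f"unknown flag {c}") for c in flags],
        "idle": d["idle"], "uptime": d["uptime"], "timeout": d["timeout"],
        "bytes": int(d["bytes"]),
    }


if __name__ == "__main__":
    for line in (SAMPLE_CONN, OUTSIDE_INITIATED):
        c = parse_conn(line)
        print(f'{c["proto"]} opened from {c["initiator"]} {c["endpoints"][c["initiator"]]} '
              f'to {c["responder"]} {c["endpoints"][c["responder"]]}: {", ".join(c["flags"])}')
```

When reviewing a conn table for unexpected sessions, the combination of "initiator" and the absence of a B flag is what separates return traffic of a permitted outbound session from a connection that was actually accepted from the lower-security side.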

Step 3: view the routing tables on the ASA and on RR

ASA routing table:

show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 172.16.1.1 to network 0.0.0.0

C    172.16.1.0 255.255.255.0 is directly connected, outside
C    10.1.1.0 255.255.255.0 is directly connected, inside
C    192.168.1.0 255.255.255.0 is directly connected, dmz
S*   0.0.0.0 0.0.0.0 [1/0] via 172.16.1.1, outside

RR routing table:

show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 172.16.1.254 to network 0.0.0.0

     4.0.0.0/24 is subnetted, 1 subnets
C       4.4.4.0 is directly connected, FastEthernet0/0
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, FastEthernet1/0
S*   0.0.0.0/0 [1/0] via 172.16.1.254

Analysis

Ping across the ASA fails by default: ICMP is not tracked statefully unless inspect icmp is enabled, so an echo request from the higher-security side is forwarded, but the echo reply arriving on the lower-security side has no conn entry and is dropped.

An interface with a lower security level cannot initiate connections towards one with a higher level unless an ACL permits it.

The ASA checks the conn table first, then the ACL on the ingress interface, and only then the security levels; once an ACL is applied to an interface, its implicit deny replaces the security-level default for traffic entering that interface.
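To make the three-stage decision concrete, here is a small model of it, added as an example and not code from the original post or from Cisco. It replays the lab's connection attempts three times: with no ACL, with access-list 333 exactly as the page applies it, and with a constructed alternative that adds the two entries the caveat in Step 6 describes (in ASA syntax: access-list 333 deny ip any 10.1.1.0 255.255.255.0, then access-list 333 permit ip any any; neither line appears on the page). The addresses, interface names and security levels are the lab's; the Flow, Ace and Asa classes are assumptions made for the example.

```python
"""Added example, not part of the original post: a minimal model of the order in
which this lab's ASA decides whether a new packet may pass: (1) the conn table,
(2) the inbound ACL on the ingress interface, first match wins with an implicit
deny at the end and no fallback to security levels, (3) the security levels,
higher towards lower permitted. ACL_WITH_EXPLICIT_PERMIT is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)

def _in(spec: str, ip: str) -> bool:
    # spec is 'any', a host address or a CIDR prefix
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

@dataclass(frozen=True)
class Ace:
    action: str                  # 'permit' or 'deny'
    proto: str                   # 'tcp', 'udp', 'icmp' or 'ip' (any protocol)
    src: str
    dst: str
    dport: Optional[int] = None  # None = any destination port

    def matches(self, f: Flow) -> bool:
        return ((self.proto == "ip" or self.proto == f.proto) and _in(self.src, f.src)
                and _in(self.dst, f.dst) and (self.dport is None or self.dport == f.dport))

class Asa:
    def __init__(self, interfaces: dict, default_iface: str):
        # interfaces: {name: (connected network, security level)}
        self.interfaces = {n: (ipaddress.ip_network(net), lvl)
                           for n, (net, lvl) in interfaces.items()}
        self.default_iface = default_iface  # where the default route points
        self.acls: dict = {}                # interface name -> inbound ACL (list of Ace)
        self.conns: set = set()             # permitted flows: the conn table

    def iface_for(self, ip: str) -> str:
        addr = ipaddress.ip_address(ip)
        for name, (net, _) in self.interfaces.items():
            if addr in net:
                return name
        return self.default_iface

    def decide(self, f: Flow) -> str:
        # 1. conn table: both directions of an established connection pass
        if f in self.conns or f.reverse() in self.conns:
            return "permit (conn table)"
        ingress, egress = self.iface_for(f.src), self.iface_for(f.dst)
        # 2. inbound ACL on the ingress interface; unmatched traffic hits the implicit deny
        if ingress in self.acls:
            for ace in self.acls[ingress]:
                if ace.matches(f):
                    if ace.action == "permit":
                        self.conns.add(f)
                    return f"{ace.action} (ACL on {ingress})"
            return f"deny (implicit deny at end of ACL on {ingress})"
        # 3. no ACL: compare security levels
        if self.interfaces[ingress][1] > self.interfaces[egress][1]:
            self.conns.add(f)
            return "permit (higher security level to lower)"
        return "deny (lower security level to higher)"

R1, R2, R3 = "10.1.1.1", "4.4.4.1", "192.168.1.1"
# access-list 333 exactly as the lab applies it: one deny and nothing else
ACL_AS_ON_PAGE = [Ace("deny", "tcp", R3, R2, 23)]
# constructed alternative: same deny, keep dmz -> inside closed, permit the rest
ACL_WITH_EXPLICIT_PERMIT = [Ace("deny", "tcp", R3, R2, 23),
                            Ace("deny", "ip", "any", "10.1.1.0/24"),
                            Ace("permit", "ip", "any", "any")]

def run_lab(dmz_acl: Optional[list] = None) -> dict:
    """Replay the lab's connection attempts; returns {label: decision}."""
    asa = Asa({"inside": ("10.1.1.0/24", 100), "dmz": ("192.168.1.0/24", 50),
               "outside": ("172.16.1.0/24", 0)}, default_iface="outside")
    if dmz_acl is not None:
        asa.acls["dmz"] = dmz_acl           # access-group ... in interface dmz
    telnet = lambda s, d, sport: Flow("tcp", s, sport, d, 23)
    r1_to_r2 = telnet(R1, R2, 46179)
    return {
        "R1->R2 telnet": asa.decide(r1_to_r2),
        "R2->R1 reply": asa.decide(r1_to_r2.reverse()),   # return traffic of that session
        "R2->R1 telnet": asa.decide(telnet(R2, R1, 40000)),
        "R3->R2 telnet": asa.decide(telnet(R3, R2, 40002)),
        "R3->R2 http": asa.decide(Flow("tcp", R3, 40003, R2, 80)),
        "R3->R1 telnet": asa.decide(telnet(R3, R1, 40004)),
    }

if __name__ == "__main__":
    for label, verdict in run_lab(ACL_AS_ON_PAGE).items():
        print(f"{label:14} {verdict}")
```

Running run_lab with ACL_AS_ON_PAGE shows the regression the caveat warns about: R3's HTTP to R2, which passed on security levels alone, now hits the implicit deny. With ACL_WITH_EXPLICIT_PERMIT only the Telnet flow is denied, and the deny towards 10.1.1.0/24 is what stops the permit ip any any entry from also opening dmz -> inside.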

This article is reposted from the 51CTO blog of linuxpp; original: http://blog.51cto.com/13505118/2056090. Contact the original author for permission to reproduce it.
