1. Overview:
Test a site-to-site VPN terminated on a transparent firewall and what it is for, and use DHCP and OSPF to verify how policies must be opened on a transparent firewall.
2. Basic ideas:
A. The VPN on a transparent firewall exists only to manage the firewall itself, nothing more.
B. ARP crosses the transparent firewall automatically in both directions, so in testing you can see that even when a ping to the directly connected address on the far side of the transparent firewall fails, the ARP table still has an entry for it.
C. Permit policies on the transparent firewall must also be opened on the inside.
----Testing showed that even with ICMP inspection enabled globally, for the inside zone to ping the outside zone the inside interface ACL must still permit ICMP; this differs from routed mode.
4. Basic configuration:
A.R1:
interface Loopback0
ip address 192.168.1.1 255.255.255.0
interface Ethernet0/0
ip address 202.100.1.1 255.255.255.0
no shut
B. R2:
① Interface configuration:
interface Ethernet0/0
ip address 202.100.1.2 255.255.255.0
ip nat outside
no shut
interface Ethernet0/1
ip address 10.1.1.2 255.255.255.0
ip nat inside
no shut
ip route 0.0.0.0 0.0.0.0 202.100.1.1
② Dynamic PAT:
ip access-list extended pat
permit ip 10.1.1.0 0.0.0.255 any
permit ip 192.168.3.0 0.0.0.255 any
! Not shown in the original; assumed NAT statement that binds ACL pat to the outside interface:
ip nat inside source list pat interface Ethernet0/0 overload
③ Static PAT:
ip nat inside source static udp 10.1.1.10 500 interface Ethernet0/0 500
ip nat inside source static udp 10.1.1.10 4500 interface Ethernet0/0 4500
④ OSPF configuration:
router ospf 1
router-id 2.2.2.2
network 10.1.1.0 0.0.0.255 area 0
default-information originate always
C.ASA842:
firewall transparent
interface GigabitEthernet0
nameif Outside
bridge-group 1
security-level 0
no shut
interface GigabitEthernet1
nameif Inside
bridge-group 1
security-level 100
no shut
interface BVI1
ip address 10.1.1.10 255.255.255.0
route Outside 0.0.0.0 0.0.0.0 10.1.1.2
D. R3:
① Interface configuration:
interface Loopback0
ip address 192.168.3.3 255.255.255.0
interface Ethernet0/0
ip address dhcp
no shut
② OSPF configuration:
router ospf 1
router-id 3.3.3.3
passive-interface default
network 10.1.1.0 0.0.0.255 area 0
network 192.168.3.0 0.0.0.255 area 0
no passive-interface e0/0
5. VPN configuration:
A. R1:
① Phase 1 policy:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 202.100.1.2
② Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac
③ Interesting traffic:
ip access-list extended vpn
permit ip 192.168.1.0 0.0.0.255 host 10.1.1.10
④ Configure the crypto map and apply it to the interface:
crypto map crymap 10 ipsec-isakmp
set peer 202.100.1.2
set transform-set transet
match address vpn
reverse-route
interface Ethernet0/0
crypto map crymap
B. ASA842 transparent firewall:
① Phase 1 policy:
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
tunnel-group 202.100.1.1 type ipsec-l2l
tunnel-group 202.100.1.1 ipsec-attributes
ikev1 pre-shared-key cisco
② Phase 2 transform set:
crypto ipsec ikev1 transform-set transet esp-des esp-md5-hmac
③ Interesting traffic:
access-list vpn extended permit ip host 10.1.1.10 192.168.1.0 255.255.255.0
④ Configure the crypto map and apply it to the interface:
crypto map crymap 10 match address vpn
crypto map crymap 10 set peer 202.100.1.1
crypto map crymap 10 set ikev1 transform-set transet
crypto map crymap 10 set reverse-route
crypto map crymap interface Outside
⑤ Enable IKEv1 on the interface:
crypto ikev1 enable Outside
6. Transparent firewall policy configuration:
A. Enable ICMP inspection:
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
access-list inside extended permit icmp any any
---If no ACL is configured on the inside interface, ICMP inspection alone is enough; once an ACL is configured, it must explicitly permit all traffic that needs to pass, otherwise inspection by itself does nothing.
B. For DHCP traffic:
access-list inside extended permit udp host 0.0.0.0 eq 68 host 255.255.255.255 eq 67
access-list outside extended permit udp host 10.1.1.2 eq 67 host 255.255.255.255 eq 68
---UDP packets sent by the DHCP client have source port 68 and destination port 67
---UDP packets returned by the DHCP server have source port 67 and destination port 68
C. For OSPF traffic:
access-list outside extended permit ospf host 10.1.1.2 host 224.0.0.5
access-list outside extended permit ospf host 10.1.1.2 10.1.1.0 255.255.255.0
access-list inside extended permit ospf 10.1.1.0 255.255.255.0 host 224.0.0.5
access-list inside extended permit ospf 10.1.1.0 255.255.255.0 host 10.1.1.2
D. Apply the policies in both directions:
access-group outside in interface Outside
access-group inside in interface Inside
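As an added example (not part of the original article), a small Python model of how the transparent ASA evaluates the Inside and Outside ACLs above against the flows the article depends on: the DHCP discover and offer, OSPF hellos and unicast adjacency traffic, and ICMP. It parses the page's own access-list syntax (`any`, `host`, network/mask, `eq port`) and applies first-match with the implicit deny, which shows why an inside-initiated ping is permitted (its reply is left to ICMP inspection) while an outside-initiated one is dropped. The ACL text is a constructed copy of the lines above.

```python
import ipaddress
# Constructed copy of the Inside/Outside ACL lines from the policy above.
ACL_TEXT = """
access-list inside extended permit icmp any any
access-list inside extended permit udp host 0.0.0.0 eq 68 host 255.255.255.255 eq 67
access-list outside extended permit udp host 10.1.1.2 eq 67 host 255.255.255.255 eq 68
access-list outside extended permit ospf host 10.1.1.2 host 224.0.0.5
access-list outside extended permit ospf host 10.1.1.2 10.1.1.0 255.255.255.0
access-list inside extended permit ospf 10.1.1.0 255.255.255.0 host 224.0.0.5
access-list inside extended permit ospf 10.1.1.0 255.255.255.0 host 10.1.1.2
"""

def _take_addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'NET MASK', then an optional 'eq PORT'."""
    word = tokens.pop(0)
    if word == "any":
        net = ipaddress.ip_network("0.0.0.0/0")
    elif word == "host":
        net = ipaddress.ip_network(tokens.pop(0) + "/32")
    else:
        net = ipaddress.ip_network(word + "/" + tokens.pop(0), strict=False)
    port = None
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        port = int(tokens.pop(0))
    return net, port

def parse_acls(text):
    """Return {acl_name: [(action, proto, src_net, src_port, dst_net, dst_port), ...]} in order."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        # access-list NAME extended ACTION PROTO SRC [eq P] DST [eq P]
        name, action, proto, rest = tok[1], tok[3], tok[4], tok[5:]
        src, sport = _take_addr(rest)
        dst, dport = _take_addr(rest)
        acls.setdefault(name, []).append((action, proto, src, sport, dst, dport))
    return acls

def acl_permits(acls, name, proto, src, dst, sport=None, dport=None):
    """First matching ACE decides; no match falls through to the ASA's implicit deny."""
    for action, p, snet, sp, dnet, dp in acls.get(name, []):
        if p != proto or ipaddress.ip_address(src) not in snet or ipaddress.ip_address(dst) not in dnet:
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        return action == "permit"
    return False

ACLS = parse_acls(ACL_TEXT)
```

Call `acl_permits(ACLS, "inside", "udp", "0.0.0.0", "255.255.255.255", 68, 67)` for R3's DHCP discover entering Inside, and the same with `"outside"`, source 10.1.1.2 and ports 67/68 for R2's offer entering Outside; both return True, while the offer evaluated against the Inside ACL returns False.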
7. Verification:
A. VPN:
Enable telnet on the ASA
telnet 192.168.1.0 255.255.255.0 Outside
R1#telnet 10.1.1.10 /source-interface loopback 0
Trying 10.1.1.10 ... Open
User Access Verification
Password:
Type help or '?' for a list of available commands.
ciscoasa> en
Password: *****
ciscoasa#
B. DHCP:
R3(config-if)#
*Mar 1 06:08:57.974: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/0 assigned DHCP address 10.1.1.1, mask 255.255.255.0, hostname R3
C. OSPF:
R2#SHOW IP OSpf NEIghbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           1   FULL/BDR        00:00:30    10.1.1.1        Ethernet0/1
R3#SHOW ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   FULL/DR         00:00:33    10.1.1.2        Ethernet0/0