ASA ICMP Inspection and Inside-Network NAT Translation

Topology:


 

In(R1) ---- (inside)ASA 5520(outside) --- Out(R2)
 
 
 
 
ASA configuration:
 
 
ASA Version 8.4(2)
hostname ciscoasa
enable password rQETR98wpSI1Lpr9 encrypted
passwd rQETR98wpSI1Lpr9 encrypted
names
interface GigabitEthernet0
nameif inside
security-level 100
ip address 192.168.1.4 255.255.255.0
!
interface GigabitEthernet1
nameif dmz
security-level 50
no ip address
!
interface GigabitEthernet2
nameif outside
security-level 0
ip address 10.254.1.1 255.255.255.0
!
ftp mode passive
object network test
host 192.168.1.5
pager lines 24
logging enable
logging asdm informational
logging debug-trace
mtu inside 1500
mtu dmz 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network test
nat (inside,outside) dynamic 10.254.1.10   ---- dynamic NAT
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
username netemu password QTbvAEdn30mERkZb encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect DNS preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
 
crashinfo save disable
Cryptochecksum:bfa7c38d2288de6d8cb12bd5c4be8eb6
: end
 
 
 
NAT translation hit counters:
ciscoasa# show nat detail      address translation toward the outside address range
 
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic test 10.254.1.10
translate_hits = 126, untranslate_hits = 90
Source - Origin: 192.168.1.5/32, Translated: 10.254.1.10/32
 
 
During the experiment the configuration under the inspection engine turned out to have been removed and had to be added back manually,
together with the following configuration:
policy-map global_policy
class inspection_default
inspect icmp
There are detailed explanations of this online!
 
 
 
Inside router configuration:
In#show running-config
Building configuration...
 
Current configuration : 959 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
ip domain name lab.local
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
interface FastEthernet0/0
ip address 192.168.1.5 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.4
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
end
 
 
 
Outside router configuration:
Out#show runn
Building configuration...
 
Current configuration : 1006 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Out
no ip domain lookup
ip domain name lab.local
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
 
username admin password 0 cisco
interface FastEthernet0/0
ip address 10.254.1.5 255.255.255.0
duplex auto
speed auto
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.254.1.1   ----- default route, pointing toward the inside network
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
password cisco
login
end
 
 
We need to understand how the ASA defines inbound and outbound:
high security level  ----> low security level   outbound
low security level   ----> high security level   inbound
 
By default: outbound traffic is permitted (see below for the exception)
            inbound traffic is denied
 
In other words, traffic from high to low is permitted and its return traffic is allowed back, but traffic cannot go directly from low to high.
 
An ACL can deny or permit traffic in either direction.
 

Excerpt from the ASA 8.4 configuration guide, describing how the inspection engine handles traffic of certain specific protocols:

ACL rule for return traffic:

For TCP and UDP connections for both routed and transparent mode, you do not need an access rule to allow returning traffic because the ASA allows all returning traffic for established, bidirectional connections.

For connectionless protocols such as ICMP, however, the ASA establishes unidirectional sessions, so you either need access rules to allow ICMP in both directions (by applying access lists to the source and destination interfaces), or you need to enable the ICMP inspection engine. The ICMP inspection engine treats ICMP sessions as bidirectional connections. To control ping, specify echo-reply (0) (ASA to host) or echo (8) (host to ASA).
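The following is an added illustration, not code from the page or from Cisco: a small Python model of the lab above that ties the NAT hit counters (translate_hits / untranslate_hits) to the ICMP return-traffic rule just quoted. It assumes the addresses from the configs (In 192.168.1.5 mapped to 10.254.1.10, Out 10.254.1.5) and adds a hypothetical `acl_permit_echo_reply_outside` flag standing in for an access list applied to the outside interface.

```python
# Added example (not ASA code): simplified model of how the ASA in this lab handles
# an ICMP echo from In (192.168.1.5) to Out (10.254.1.5) with Auto NAT to 10.254.1.10,
# with and without "inspect icmp". The ACL flag is a hypothetical stand-in.
from dataclasses import dataclass, field

SECURITY_LEVEL = {"inside": 100, "outside": 0}   # nameif / security-level from the config
AUTO_NAT = {"192.168.1.5": "10.254.1.10"}        # object network test, dynamic NAT
REVERSE_NAT = {v: k for k, v in AUTO_NAT.items()}
ICMP_ECHO, ICMP_ECHO_REPLY = 8, 0


@dataclass
class Asa:
    inspect_icmp: bool
    acl_permit_echo_reply_outside: bool = False   # hypothetical ACL on the outside interface
    sessions: set = field(default_factory=set)    # (mapped_src, dst, icmp_id) tracked by inspection
    translate_hits: int = 0
    untranslate_hits: int = 0

    def forward(self, ingress, src, dst, icmp_type, icmp_id):
        """Return (verdict, src_on_wire, dst_on_wire) for one ICMP packet."""
        egress = "outside" if ingress == "inside" else "inside"
        if SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]:
            # outbound (high -> low): permitted by default; Auto NAT rewrites the source
            mapped = AUTO_NAT.get(src, src)
            if mapped != src:
                self.translate_hits += 1
            if self.inspect_icmp and icmp_type == ICMP_ECHO:
                # ICMP inspection treats the echo as a bidirectional connection
                self.sessions.add((mapped, dst, icmp_id))
            return "permit", mapped, dst
        # inbound (low -> high): denied unless it matches an inspected session or an ACL
        key = (dst, src, icmp_id)
        reply_of_session = icmp_type == ICMP_ECHO_REPLY and key in self.sessions
        if reply_of_session:
            self.sessions.discard(key)            # one echo, one reply
        if not (reply_of_session or self.acl_permit_echo_reply_outside):
            return "drop", src, dst
        real = REVERSE_NAT.get(dst, dst)          # untranslate toward the real inside host
        if real != dst:
            self.untranslate_hits += 1
        return "permit", src, real


def ping_exchange(asa, icmp_id=1):
    """Echo from In to Out and the reply back; returns the two verdicts."""
    echo = asa.forward("inside", "192.168.1.5", "10.254.1.5", ICMP_ECHO, icmp_id)
    reply = asa.forward("outside", "10.254.1.5", "10.254.1.10", ICMP_ECHO_REPLY, icmp_id)
    return echo[0], reply[0]
```

With `inspect_icmp=False` and no ACL the echo leaves but the reply is dropped, which is the symptom the author hit before re-adding `inspect icmp`.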

 

Cisco's official documentation explains this quite well; it deserves a careful read!


Current article: ASA ICMP Inspection and Inside-Network NAT Translation
Current URL: http://azwzsj.com/article/igsgop.html