
Feature test of an ASA 5520 virtual firewall on GNS3

Published: 2020-07-18 18:07:32 Source: web Reads: 653 Author: goldream Category: Security technology

Objective:
Test part of the feature configuration of ASA 8.4(2) running on GNS3:
1 inside clients accessing the outside network;
2 outside access to an inside server;
3 LAN-to-LAN IPsec VPN;

####################################################################################
Lab topology: [figure: feature test of an ASA 5520 virtual firewall on GNS3]

####################################################################################
1. Inside client accessing the outside network through the firewall
PC: IP 192.168.1.2, gateway 192.168.1.1
R1: F0/0 192.168.1.1/24
F1/0 192.168.2.1/24
Default gateway: ip route 0.0.0.0 0.0.0.0 192.168.2.2

ASA-1:
interface GigabitEthernet0
nameif inside
security-level 100
ip address 192.168.2.2 255.255.255.0
!
interface GigabitEthernet1
nameif outside
security-level 0
ip address 172.16.1.1 255.255.255.0
access-list in-2-out extended permit ip any any
access-group in-2-out in interface outside
nat (inside,outside) source dynamic any interface

route outside 0.0.0.0 0.0.0.0 172.16.1.2 1
route inside 192.168.1.0 255.255.255.0 192.168.2.1 1

Test:
PC-1> ping 172.16.1.3
84 bytes from 172.16.1.3 icmp_seq=1 ttl=254 time=269.845 ms
84 bytes from 172.16.1.3 icmp_seq=2 ttl=254 time=101.949 ms
84 bytes from 172.16.1.3 icmp_seq=3 ttl=254 time=159.903 ms
84 bytes from 172.16.1.3 icmp_seq=4 ttl=254 time=181.896 ms
84 bytes from 172.16.1.3 icmp_seq=5 ttl=254 time=208.890 ms

R1#ssh -l root 172.16.1.3
Password:
R3>

#####################################################################################
2. Outside access to an inside server
Keep the previous configuration and add the following:
object network 172.16.1.10
host 172.16.1.10 # public (mapped) address
object network 2.1_telnet
host 192.168.2.1 # inside (real) address
nat (inside,outside) static 172.16.1.10 service tcp telnet telnet # port mapping
Note: port mapping on the outside interface itself could never be made to work; I tried different approaches,
1 adding a policy;
2 adding a policy rule.
It still did not work, and I suspect a firewall version or VM issue. The rest of the configuration is as follows:
object network 2.1_ssh
host 192.168.2.1
nat (inside,outside) static interface service tcp ssh ssh

Test result:
R3#telnet 172.16.1.10
Trying 172.16.1.10 ... Open
User Access Verification
Username: root
Password:
R1>en
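The ACL in section 1 deserves a second look: despite its name, in-2-out is applied inbound on the outside interface, and "permit ip any any" there lets any outside host open a connection to any inside address the outside network can route to (ASA 8.3 and later match interface ACLs against the real, untranslated address, which is also why the published telnet service is matched on 192.168.2.1 rather than 172.16.1.10). Inside-to-outside traffic itself needs no ACL, because the ASA permits connections from a higher to a lower security level by default; the usual way to let echo replies back in is "inspect icmp" in the global policy rather than a blanket permit. The following Python model is an added example, not part of the original post and not ASA code: it mirrors the interfaces, static PAT and ACL from sections 1 and 2, adds a narrower outside ACL of my own for comparison, and simplifies the ASA's real order of operations to three steps (untranslate, interface ACL, security-level default).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# ACL entry: (action, protocol, source network, destination network, dest port or None)
AclEntry = Tuple[str, str, str, str, Optional[int]]


@dataclass
class Interface:
    name: str
    security_level: int
    acl: Optional[List[AclEntry]] = None   # ACL applied "in" on this interface, if any


@dataclass
class StaticPat:
    """Models: object network ... / nat (inside,outside) static MAPPED service tcp REAL MAPPED"""
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int
    proto: str = "tcp"


def untranslate(proto, dst_ip, dst_port, pats):
    """Inbound packets arrive for the mapped address; the ASA restores the real one first."""
    for p in pats:
        if p.proto == proto and dst_ip == p.mapped_ip and dst_port == p.mapped_port:
            return p.real_ip, p.real_port, True
    return dst_ip, dst_port, False


def acl_permits(acl, proto, src_ip, dst_ip, dst_port):
    """First matching entry wins; every ASA ACL ends with an implicit deny."""
    for action, aproto, src_net, dst_net, aport in acl:
        if aproto not in ("ip", proto):
            continue
        if ip_address(src_ip) not in ip_network(src_net):
            continue
        if ip_address(dst_ip) not in ip_network(dst_net):
            continue
        if aport is not None and aport != dst_port:
            continue
        return action == "permit"
    return False


def allow_connection(ingress, egress, proto, src_ip, dst_ip, dst_port, pats):
    """Simplified decision for a NEW connection entering 'ingress' and leaving via 'egress'."""
    real_ip, real_port, translated = untranslate(proto, dst_ip, dst_port, pats)
    if ingress.acl is not None:
        # 8.3+: the interface ACL is evaluated against the REAL (untranslated) destination
        allowed = acl_permits(ingress.acl, proto, src_ip, real_ip, real_port)
    else:
        # No ACL on the ingress interface: only higher -> lower security level is allowed
        allowed = ingress.security_level > egress.security_level
    return {"real_dst": f"{real_ip}:{real_port}", "translated": translated, "allowed": allowed}


# Interfaces and rules as configured on the page
INSIDE = Interface("inside", 100)
OUTSIDE_PAGE = Interface("outside", 0, acl=[("permit", "ip", "0.0.0.0/0", "0.0.0.0/0", None)])
# Narrower alternative (my assumption, not on the page): only the published telnet
# service, addressed by its real inside IP as 8.3+ requires
OUTSIDE_NARROW = Interface("outside", 0, acl=[("permit", "tcp", "0.0.0.0/0", "192.168.2.1/32", 23)])
PATS = [StaticPat("172.16.1.10", 23, "192.168.2.1", 23)]


def demo():
    """Outside host 172.16.1.3 and inside PC 192.168.1.2 are the addresses used on the page."""
    return {
        "inside_to_outside_ssh": allow_connection(INSIDE, OUTSIDE_PAGE, "tcp", "192.168.1.2", "172.16.1.3", 22, PATS),
        "published_telnet": allow_connection(OUTSIDE_PAGE, INSIDE, "tcp", "172.16.1.3", "172.16.1.10", 23, PATS),
        "unpublished_http_page_acl": allow_connection(OUTSIDE_PAGE, INSIDE, "tcp", "172.16.1.3", "192.168.2.1", 80, PATS),
        "unpublished_http_narrow_acl": allow_connection(OUTSIDE_NARROW, INSIDE, "tcp", "172.16.1.3", "192.168.2.1", 80, PATS),
        "published_telnet_narrow_acl": allow_connection(OUTSIDE_NARROW, INSIDE, "tcp", "172.16.1.3", "172.16.1.10", 23, PATS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:30s} {result}")
```

The two "unpublished_http" cases are the point: with the page's ACL an outside host that can route to 192.168.2.1 reaches port 80 on R1 even though nothing publishes it, while the narrow ACL keeps the published telnet service working and denies everything else.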

##################################################################################
3. L2L IPsec VPN
Keep the previous configuration and add the following:
object network inside
subnet 192.168.1.0 255.255.255.0 # define the local network

object network remote-site-address # define the remote network
subnet 192.168.4.0 255.255.255.0

nat (inside,outside) source static inside inside destination static remote-site-address remote-site-address # identity NAT so the interesting traffic is not translated

crypto ipsec ikev1 transform-set test esp-3des esp-md5-hmac
crypto map crymap 10 match address ***
crypto map crymap 10 set peer 172.16.1.2
crypto map crymap 10 set ikev1 transform-set test
crypto map crymap interface outside
crypto ikev1 enable outside # define the crypto map parameters and apply the map to the outside interface; 172.16.1.2 is the peer's public address

crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400 # define the IPsec phase 1 parameters

tunnel-group 172.16.1.2 type ipsec-l2l
tunnel-group 172.16.1.2 ipsec-attributes
ikev1 pre-shared-key ***** # define the tunnel type and set the phase 1 pre-shared key
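The phase 1 policy and transform set used in this lab (3DES, MD5, DH group 2) are legacy algorithms; Cisco's next-generation encryption guidance recommends AES, SHA-2 and DH group 14 or higher, and a lab that is copied into production would carry these choices with it. The script below is an added example, not part of the original post: it parses the crypto lines exactly as they appear on the page (the ACL name and pre-shared key are elided there too, and the input here reproduces that), and reports every algorithm below a baseline. The baseline sets are my assumption; the keywords in them are the ASA's own.

```python
import re

# Constructed input: the crypto lines as listed on the page, indented the way
# "show run" prints policy attributes. The ACL name and pre-shared key are
# elided on the page as well.
ASA_CRYPTO_CONFIG = """\
crypto ipsec ikev1 transform-set test esp-3des esp-md5-hmac
crypto map crymap 10 match address ***
crypto map crymap 10 set peer 172.16.1.2
crypto map crymap 10 set ikev1 transform-set test
crypto map crymap interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
"""

# Baseline (assumption, modelled on Cisco NGE guidance): anything below AES,
# SHA-2 and DH group 14 is reported.
WEAK_IKE_ENCRYPTION = {"des", "3des"}
WEAK_IKE_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac", "esp-none"}


def parse_ikev1_policies(cfg):
    """Return {policy_number: {attribute: value}} for every 'crypto ikev1 policy' block."""
    policies, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"crypto ikev1 policy (\d+)$", line)
        if m:
            current = m.group(1)
            policies[current] = {}
        elif current is not None and line.startswith(" "):
            # Attribute lines are indented under the policy header
            key, _, value = line.strip().partition(" ")
            policies[current][key] = value
        else:
            current = None  # any other top-level line ends the policy block
    return policies


def parse_transform_sets(cfg):
    """Return {name: [esp keywords]} for every IKEv1 transform set."""
    sets = {}
    for line in cfg.splitlines():
        m = re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)$", line)
        if m:
            sets[m.group(1)] = m.group(2).split()
    return sets


def audit_crypto(cfg):
    """List human-readable findings; an empty list means nothing is below the baseline."""
    findings = []
    for num, p in sorted(parse_ikev1_policies(cfg).items()):
        if p.get("encryption") in WEAK_IKE_ENCRYPTION:
            findings.append(f"ikev1 policy {num}: encryption {p['encryption']} is weak")
        if p.get("hash") in WEAK_IKE_HASH:
            findings.append(f"ikev1 policy {num}: hash {p['hash']} is weak")
        if p.get("group") in WEAK_DH_GROUPS:
            findings.append(f"ikev1 policy {num}: DH group {p['group']} is weak")
    for name, algs in sorted(parse_transform_sets(cfg).items()):
        for alg in algs:
            if alg in WEAK_ESP:
                findings.append(f"transform-set {name}: {alg} is weak")
    return findings


if __name__ == "__main__":
    for finding in audit_crypto(ASA_CRYPTO_CONFIG):
        print(finding)
```

Run against the page's configuration it reports five findings (3DES, MD5 and group 2 in the phase 1 policy, esp-3des and esp-md5-hmac in the transform set); a policy using aes-256, sha256 and group 14 produces none. The script only reads the algorithm keywords and says nothing about the pre-shared key, which also needs to be long and unique per peer.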

Test:
PC-1> ping 192.168.4.2
192.168.4.2 icmp_seq=1 timeout
192.168.4.2 icmp_seq=2 timeout
84 bytes from 192.168.4.2 icmp_seq=3 ttl=62 time=229.871 ms
84 bytes from 192.168.4.2 icmp_seq=4 ttl=62 time=400.765 ms
84 bytes from 192.168.4.2 icmp_seq=5 ttl=62 time=91.948 ms
Note: the tunnel has not yet been established when the ping starts, so the first few packets are lost; this is normal.

Ping from the remote side
PC-2> ping 192.168.1.2
84 bytes from 192.168.1.2 icmp_seq=1 ttl=62 time=350.800 ms
84 bytes from 192.168.1.2 icmp_seq=2 ttl=62 time=228.867 ms
84 bytes from 192.168.1.2 icmp_seq=3 ttl=62 time=206.881 ms
84 bytes from 192.168.1.2 icmp_seq=4 ttl=62 time=299.828 ms
84 bytes from 192.168.1.2 icmp_seq=5 ttl=62 time=284.829 ms

################################################################################
Some ASA diagnostic commands:
show run nat
show run object-network
show run object-group
show nat detail
show xlate
show conn
show nat pool
debug nat 255
