ASA icmp檢測和內網(wǎng)NAT轉化

發(fā)布時間：2020-06-07 15:22:05 來源：網(wǎng)絡閱讀：1526 作者：y450wang 欄目：安全技術

拓撲結構：

In（R1） ---- （inside）ASA 5520（outside） --- Out（R2）

ASA配置：

ASA Version 8.4(2)

hostname ciscoasa

enable password rQETR98wpSI1Lpr9 encrypted

passwd rQETR98wpSI1Lpr9 encrypted

names

interface GigabitEthernet0

nameif inside

security-level 100

ip address 192.168.1.4 255.255.255.0

interface GigabitEthernet1

nameif dmz

security-level 50

no ip address

interface GigabitEthernet2

nameif outside

security-level 0

ip address 10.254.1.1 255.255.255.0

ftp mode passive

object network test

host 192.168.1.5

pager lines 24

logging enable

logging asdm informational

logging debug-trace

mtu inside 1500

mtu dmz 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

object network test

nat (inside,outside) dynamic 10.254.1.10 ----動態(tài)NAT

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

web***

anyconnect-essentials

username netemu password QTbvAEdn30mERkZb encrypted privilege 15

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h423 h325

inspect h423 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect icmp

inspect icmp error

service-policy global_policy global

prompt hostname context

call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

crashinfo save disable

Cryptochecksum:bfa7c38d2288de6d8cb12bd5c4be8eb6

: end

NAT轉化擊中計數(shù)器：

ciscoasa# show nat detail 去往Outside地址段的地址轉換

Auto NAT Policies (Section 2)

1 (inside) to (outside) source dynamic test 10.254.1.10

translate_hits = 126, untranslate_hits = 90

Source - Origin: 192.168.1.5/32, Translated: 10.254.1.10/32

在實驗過程中發(fā)現(xiàn)inspection引擎下的配置刪除掉了需手動加上

并加上以下配置：

policy-map global_policy
class inspection_default
inspect icmp

網(wǎng)上有詳細解釋！

Inside 路由器配置：

In#show running-config

Building configuration...

Current configuration : 959 bytes

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

ip domain name lab.local

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

interface FastEthernet0/0

ip address 192.168.1.5 255.255.255.0

duplex auto

speed auto

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 192.168.1.4

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

line aux 0

exec-timeout 0 0

privilege level 15

logging synchronous

line vty 0 4

end

Outside 路由器配置：

Out#show runn

Building configuration...

Current configuration : 1006 bytes

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

hostname Out

no ip domain lookup

ip domain name lab.local

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

username admin password 0 cisco

interface FastEthernet0/0

ip address 10.254.1.5 255.255.255.0

duplex auto

speed auto

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 10.254.1.1 ----- 默認路由指向Inside端網(wǎng)絡

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

line aux 0

exec-timeout 0 0

privilege level 15

logging synchronous

line vty 0 4

password cisco

end

我們需要了解ASA對于inbound和outbound的定義：

高安全級別 ----> 低安全級別 outbound

低安全級別 ----> 高安全級別 inbound

默認情況：出站流量是允許的（特例請見下文）

進流量是禁止的

也就是從高到低方向是允許的，也可以返回的。但不可以直接從低到高。

ACL可以禁止或允許這兩個方向的流量

摘自 ASA840 配置手冊講的是inspection引擎對于一些特定協(xié)議流量的檢測機制

ACL 返回流量規(guī)則 ：

For TCP and UDP connections for both routed and transparent mode, you do not need an access rule to allow returning traffic because the ASA allows all returning traffic for established, bidirectionalconnections. For connectionless protocols such as ICMP, however, the ASA establishes unidirectional sessions,

For connectionless protocols such as ICMP, however, the ASA establishes unidirectional sessions, so you either need access rules to allow ICMP in both directions (by applying access lists to the source and destination interfaces), or you need to enable the ICMP inspection engine. The ICMP inspection enginetreats ICMP sessions as bidirectional connections. To control ping, specify echo-reply (0) (ASA to host)or echo (8) (host to ASA).

思科官方文檔解釋還是蠻給力的需要我們好好膜拜！

向AI問一下細節(jié)

ASA icmp檢測和內網(wǎng)NAT轉化

猜你喜歡

最新資訊

相關推薦

相關標簽