Cisco-GNS3-pix防火墙三接口测试1

三接口测试

因为ACL配置问题一直未完成三接口（气急败坏.jpg），现在简化一下拓扑和流程，先测试一下
文中提到的acl问题如果大佬们遇到了或者是我理解错了麻烦ddddw

inside：13.0.1.0/24

dmz：14.0.1.0/24 服务器14.0.1.2

outside：15…0.1.0/24

配置

R1配置

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#no ip routing
R1(config)#ip def
R1(config)#ip default-ga
R1(config)#ip default-gateway 13.0.1.1
R1(config)#int f0/0
R1(config-if)#ip address 13.0.1.2 255.255.255.0
R1(config-if)#no sh
R1(config-if)#
*Mar  1 00:02:16.951: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar  1 00:02:17.951: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#end
R1#p
*Mar  1 00:03:26.063: %SYS-5-CONFIG_I: Configured from console by console
R1#ping 13.0.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 13.0.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/217/1020 ms

R2配置

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#int f0
% Incomplete command.

R2(config)#int f0/0
R2(config-if)#ip address 14.0.1.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#
*Mar  1 00:03:54.399: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar  1 00:03:55.399: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R2(config-if)#exit
R2(config)#no ip routing
R2(config)#ip def
R2(config)#ip default-g
R2(config)#ip default-gateway 14.0.1.1
R2(config)#end
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#line vty 0 4
R2(config-line)#password zwish
R2(config-line)#end

R3配置

R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#no ip routing
R3(config)#ip def
R3(config)#ip default-g
R3(config)#ip default-gateway 15.0.1.1
R3(config)#int f0/0
R3(config-if)#ip address 15.0.1.2 255.255.255.0
R3(config-if)#no sh
R3(config-if)#
*Mar  1 00:04:53.459: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar  1 00:04:54.459: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R3(config-if)#end
*Mar  1 00:06:43.155: %SYS-5-CONFIG_I: Configured from console by console
R3#ping 15.0.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.0.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/216/1036 ms
R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#line vty 0 4
R3(config-line)#password zwish
R3(config-line)#end
R3#

pix配置

pixfirewall> en
Password:
pixfirewall# conf t
pixfirewall(config)# int e0
pixfirewall(config-if)# ip address 13.0.1.1 255.255.255.0
pixfirewall(config-if)# no sh
pixfirewall(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
pixfirewall(config-if)# security-level 100
pixfirewall(config-if)# int e1
pixfirewall(config-if)# ip address 14.0.1.1 255.255.255.0
pixfirewall(config-if)# no sh
pixfirewall(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
pixfirewall(config-if)# security-level 50
pixfirewall(config-if)# int e2
pixfirewall(config-if)# ip address 15.0.1.1 255.255.255.0
pixfirewall(config-if)# no sh
pixfirewall(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
pixfirewall(config-if)# security-level 0
pixfirewall(config-if)# exit

因为PIX会默认处理tcp流量，所以现在telnet是可以使用的

R1 telent R3

然后配置inside能ping dmz和outside （问题就出在这里），这里发现我只能使用... permit icmp any any才能生效，指定网段或主机host时就无法生效。。一直卡在这里，这里还是先用any any

pixfirewall(config)# nat (inside) 1 13.0.1.0 255.255.255.0
pixfirewall(config)# global (outside) 1 15.0.1.3-15.0.1.6 netmask 255.255.255.0
pixfirewall(config)# global (dmz) 1 14.0.1.3-14.0.1.6 netmask 255.255.255.0
pixfirewall(config)# access-list test1 permit icmp any any
pixfirewall(config)# access-group test1 in int outside
pixfirewall(config)# access-group test1 in int dmz
#将dmz里的14.0.1.2静态映射到15.0.1.7
pixfirewall(config)# static (dmz,outside) 15.0.1.7 14.0.1.2
#允许outside的15.0.1.2 telnet dmz里的14.0.1.2(15.0.1.7)
pixfirewall(config)# access-list test2 permit tcp host 15.0.1.2 host 15.0.1.7 eq telnet
pixfirewall(config)# access-group test2 in int outside
#允许outside的15.0.1.2 ping 15.0.1.7
pixfirewall(config)# access-list test2 extended permit icmp host 15.0.1.2 host 15.0.1.7
pixfirewall(config)# access-group test2 in int outside

配置test2的前后对照

15.0.1.2 ping 15.0.1.7

15.0.1.2 telnet 15.0.1.7

更新：上面的any any问题解决了，之前还是没有理解好acces-list

假如我们inside里有一台主机192.168.1.2 ；outside里有一台主机13.0.1.2；想要让前者ping通后者

就需要给192.168.1.2设置一个全局地址，并且在outside接口允许icmp的echo-reply包通过

static (inside,outside) 192.168.1.2 13.0.1.3
access-list test1 permit icmp host 13.0.1.2 host 13.0.1.3 echo-reply
access-group test1 in int outside