三接口测试
因为ACL配置问题一直未完成三接口(气急败坏.jpg),现在简化一下拓扑和流程,先测试一下
文中提到的acl问题如果大佬们遇到了或者是我理解错了麻烦ddddw
inside:13.0.1.0/24
dmz:14.0.1.0/24 服务器14.0.1.2
outside:15…0.1.0/24
配置
R1配置
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#no ip routing
R1(config)#ip def
R1(config)#ip default-ga
R1(config)#ip default-gateway 13.0.1.1
R1(config)#int f0/0
R1(config-if)#ip address 13.0.1.2 255.255.255.0
R1(config-if)#no sh
R1(config-if)#
*Mar 1 00:02:16.951: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar 1 00:02:17.951: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#end
R1#p
*Mar 1 00:03:26.063: %SYS-5-CONFIG_I: Configured from console by console
R1#ping 13.0.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 13.0.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/217/1020 ms
R2配置
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#int f0
% Incomplete command.
R2(config)#int f0/0
R2(config-if)#ip address 14.0.1.2 255.255.255.0
R2(config-if)#no sh
R2(config-if)#
*Mar 1 00:03:54.399: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar 1 00:03:55.399: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R2(config-if)#exit
R2(config)#no ip routing
R2(config)#ip def
R2(config)#ip default-g
R2(config)#ip default-gateway 14.0.1.1
R2(config)#end
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#line vty 0 4
R2(config-line)#password zwish
R2(config-line)#end
R3配置
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#no ip routing
R3(config)#ip def
R3(config)#ip default-g
R3(config)#ip default-gateway 15.0.1.1
R3(config)#int f0/0
R3(config-if)#ip address 15.0.1.2 255.255.255.0
R3(config-if)#no sh
R3(config-if)#
*Mar 1 00:04:53.459: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar 1 00:04:54.459: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R3(config-if)#end
*Mar 1 00:06:43.155: %SYS-5-CONFIG_I: Configured from console by console
R3#ping 15.0.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.0.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/216/1036 ms
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#line vty 0 4
R3(config-line)#password zwish
R3(config-line)#end
R3#
pix配置
pixfirewall> en
Password:
pixfirewall# conf t
pixfirewall(config)# int e0
pixfirewall(config-if)# ip address 13.0.1.1 255.255.255.0
pixfirewall(config-if)# no sh
pixfirewall(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
pixfirewall(config-if)# security-level 100
pixfirewall(config-if)# int e1
pixfirewall(config-if)# ip address 14.0.1.1 255.255.255.0
pixfirewall(config-if)# no sh
pixfirewall(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
pixfirewall(config-if)# security-level 50
pixfirewall(config-if)# int e2
pixfirewall(config-if)# ip address 15.0.1.1 255.255.255.0
pixfirewall(config-if)# no sh
pixfirewall(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
pixfirewall(config-if)# security-level 0
pixfirewall(config-if)# exit
因为PIX会默认处理tcp流量,所以现在telnet是可以使用的
R1 telent R3
然后配置inside能ping dmz和outside (问题就出在这里),这里发现我只能使用... permit icmp any any
才能生效,指定网段或主机host时就无法生效。。一直卡在这里,这里还是先用any any
pixfirewall(config)# nat (inside) 1 13.0.1.0 255.255.255.0
pixfirewall(config)# global (outside) 1 15.0.1.3-15.0.1.6 netmask 255.255.255.0
pixfirewall(config)# global (dmz) 1 14.0.1.3-14.0.1.6 netmask 255.255.255.0
pixfirewall(config)# access-list test1 permit icmp any any
pixfirewall(config)# access-group test1 in int outside
pixfirewall(config)# access-group test1 in int dmz
#将dmz里的14.0.1.2静态映射到15.0.1.7
pixfirewall(config)# static (dmz,outside) 15.0.1.7 14.0.1.2
#允许outside的15.0.1.2 telnet dmz里的14.0.1.2(15.0.1.7)
pixfirewall(config)# access-list test2 permit tcp host 15.0.1.2 host 15.0.1.7 eq telnet
pixfirewall(config)# access-group test2 in int outside
#允许outside的15.0.1.2 ping 15.0.1.7
pixfirewall(config)# access-list test2 extended permit icmp host 15.0.1.2 host 15.0.1.7
pixfirewall(config)# access-group test2 in int outside
配置test2的前后对照
15.0.1.2 ping 15.0.1.7
15.0.1.2 telnet 15.0.1.7
更新:上面的any any问题解决了,之前还是没有理解好acces-list
假如我们inside里有一台主机192.168.1.2 ;outside里有一台主机13.0.1.2;想要让前者ping通后者
就需要给192.168.1.2设置一个全局地址,并且在outside接口允许icmp的echo-reply包通过
static (inside,outside) 192.168.1.2 13.0.1.3
access-list test1 permit icmp host 13.0.1.2 host 13.0.1.3 echo-reply
access-group test1 in int outside