26 - Cisco Firewall: Multiple-Context Firewall Lab

I. Lab topology:

II. Lab requirements:
1. Switch the ASA to multiple-context mode with the firewall in routed mode. In multiple mode the ASA cannot configure IP addresses on interfaces in the system execution space (the same holds for transparent mode); addresses can only be configured inside the security contexts (the "child firewalls");
2. Bring up the ASA interfaces with no shutdown, then create the contexts admin and vir;
3. The management context admin must be created before any other context;
4. For the ASA, download the instructor's folder from the Baidu Netdisk share and open the .vmx file directly; otherwise the number of virtual contexts available is 0.
III. Command deployment:
1. Basic router configuration:
R1(config)#int lo0
R1(config-if)#ip add 1.1.1.1 255.255.255.0
R1(config-if)#int f0/0
R1(config-if)#no shutdown
R1(config-if)#ip add 172.16.1.1 255.255.255.0

R2(config)#int f0/0
R2(config-if)#no shutdown
R2(config-if)#ip add 202.100.1.2 255.255.255.0

R3(config)#int f0/0
R3(config-if)#no shutdown
R3(config-if)#ip add 192.168.1.3 255.255.255.0

R4(config)#int f0/0
R4(config-if)#no shutdown
R4(config-if)#ip add 10.1.1.4 255.255.255.0

2. Switch the ASA to multiple mode with the firewall in routed mode, and delete any admin.cfg left from an earlier configuration:
ASA(config)# show firewall //if the mode is not routed, "no firewall transparent" fixes it
Firewall mode: Router

ASA(config)# show mode
Security context mode: single
ASA(config)# mode multiple //the ASA wipes the whole configuration and reloads; wait a moment

ASA(config)# show flash: //check whether an admin.cfg from a previous run exists; if so, delete it
ASA(config)# delete flash:admin.cfg
Delete filename [admin.cfg]?
Delete disk0:/admin.cfg? [confirm]

Verification:
ASA# show mode
Security context mode: multiple
ASA# show firewall
Firewall mode: Router
ASA# show flash: //no admin.cfg file
3. First bring up interfaces G0 through G3 on the ASA:
ASA(config)# int g0
ASA(config-if)# no shutdown

ASA(config)# int g1
ASA(config-if)# no shutdown

ASA(config)# int g2
ASA(config-if)# no shutdown

ASA(config)# int g3
ASA(config-if)# no shutdown
4. First create the management context admin:
ASA(config)# admin-context admin //create the management context named admin
Allocate interfaces to the admin context:
ASA(config)# context admin //enter the admin context definition
ASA(config-ctx)# allocate-interface g0 //allocate: assign the interface to this context
ASA(config-ctx)# allocate-interface g1
ASA(config-ctx)# allocate-interface g2

ASA(config-ctx)# config-url flash:/admin.cfg //define the storage location: everything configured inside this virtual context is saved here
Verification:
ASA(config-ctx)# show run context
admin-context admin
context admin
allocate-interface GigabitEthernet0
allocate-interface GigabitEthernet1
allocate-interface GigabitEthernet2
config-url disk0:/admin.cfg
!

5. Create the other context, named vir, and allocate its interfaces:
ASA(config)# context vir //create the context named vir
ASA(config-ctx)# allocate-interface g1
ASA(config-ctx)# allocate-interface g2
ASA(config-ctx)# allocate-interface g3
ASA(config-ctx)# config-url flash:/vir.cfg //specify the path where this context's configuration file is stored

6. Configure the admin context:
ASA(config)# changeto context admin //switch into the admin context's configuration mode

ASA/admin(config)# show int ip bri //the admin context has been allocated 3 interfaces
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0 unassigned YES unset up up
GigabitEthernet1 unassigned YES unset up up
GigabitEthernet2 unassigned YES unset up up

ASA/admin(config)# int g1
ASA/admin(config-if)# no shutdown
ASA/admin(config-if)# nameif outside
ASA/admin(config-if)# security-level 0
ASA/admin(config-if)# ip add 202.100.1.10 255.255.255.0

ASA/admin(config)# int g0
ASA/admin(config-if)# no shutdown
ASA/admin(config-if)# nameif dmz
ASA/admin(config-if)# security-level 50
ASA/admin(config-if)# ip add 172.16.1.10 255.255.255.0

ASA/admin(config)# int g2
ASA/admin(config-if)# no shutdown
ASA/admin(config-if)# nameif inside
ASA/admin(config-if)# security-level 100
ASA/admin(config-if)# ip add 192.168.1.10 255.255.255.0

admin context: to reach R1's 1.1.1.1 only a static or default route can be used, because a multiple-context firewall cannot run dynamic routing protocols
ASA/admin(config-if)# route dmz 1.1.1.0 255.255.255.0 172.16.1.1

7. Configure the vir context:
ASA/admin(config)# changeto context vir //switch into the vir context

ASA/vir(config)# show int ip bri //the vir context has been allocated 3 interfaces
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1 unassigned YES unset up up
GigabitEthernet2 unassigned YES unset up up
GigabitEthernet3 unassigned YES unset up up

ASA/vir(config)# int g1
ASA/vir(config-if)# no shutdown
ASA/vir(config-if)# nameif outside
ASA/vir(config-if)# security-level 0
ASA/vir(config-if)# ip add 202.100.1.20 255.255.255.0

ASA/vir(config)# int g3
ASA/vir(config-if)# no shutdown
ASA/vir(config-if)# nameif dmz
ASA/vir(config-if)# security-level 50
ASA/vir(config-if)# ip add 10.1.1.20 255.255.255.0

ASA/vir(config)# int g2
ASA/vir(config-if)# no shutdown
ASA/vir(config-if)# nameif inside
ASA/vir(config-if)# security-level 100
ASA/vir(config-if)# ip add 192.168.1.20 255.255.255.0
Verification:
ASA/vir(config)# show int ip bri
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1 202.100.1.20 YES manual up up
GigabitEthernet2 192.168.1.20 YES manual up up
GigabitEthernet3 10.1.1.20 YES manual up up

8. Return to the system execution space (the physical firewall) and view the context configuration:
ASA/vir(config)# changeto context sys
ASA(config)# show run
admin-context admin
context admin
allocate-interface GigabitEthernet0
allocate-interface GigabitEthernet1
allocate-interface GigabitEthernet2
config-url disk0:/admin.cfg
!
context vir
allocate-interface GigabitEthernet1
allocate-interface GigabitEthernet2
allocate-interface GigabitEthernet3
config-url disk0:/vir.cfg
!

9. Switch into the admin and vir contexts and ping from each to test connectivity:
ASA(config)# changeto context admin
ASA/admin(config)# ping 1.1.1.1 //the route toward 1.1.1.1 via dmz was configured earlier
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/16/40 ms
ASA/admin(config)# ping 202.100.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.2, timeout is 2 seconds:!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/14/20 ms
ASA/admin(config)# ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/10 ms
ASA/admin(config)# ping 192.168.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms

ASA/admin(config)# changeto context vir
ASA/vir(config)# ping 202.100.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.2, timeout is 2 seconds:!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms
ASA/vir(config)# ping 10.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.4, timeout is 2 seconds:!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/14/30 ms
ASA/vir(config)# ping 192.168.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms

Test 1:
In the vir context configuration mode:
1. Static-NAT the DMZ host 10.1.1.4 to the outside address 202.100.1.4;
2. Deploy an ACL permitting any source to Telnet to 10.1.1.4.

3. Enable the VTY lines on R2 and R4, both with password aa;
4. From R2, Telnet to R4 at 202.100.1.4, then run show users;
5. On R4, add the default route ip route 0.0.0.0 0.0.0.0 10.1.1.20 (pointing at the vir context's address); in the reverse direction R4 can then Telnet to R2 at 202.100.1.2, and show users can be run there.
Command deployment:
ASA/vir(config)# object network dmz-to-out
ASA/vir(config-network-object)# host 10.1.1.4
ASA/vir(config-network-object)# nat (dmz,outside) static 202.100.1.4

ASA/vir(config)# access-list out-tel permit tcp any host 10.1.1.4 eq telnet
ASA/vir(config)# access-group out-tel in interface outside

R2(config)#line vty 0 4
R2(config-line)#password aa
R2(config-line)#login //login is required, otherwise the remote side could log straight in; it must not be login local, which would consult the local username database, and no local usernames exist here.
R4(config)#line vty 0 4
R4(config-line)#password aa
R4(config-line)#login
Verification:
R2#telnet 202.100.1.4
Trying 202.100.1.4 ... Open
User Access Verification
Password:
R4>show users
Line User Host(s) Idle Location
0 con 0 idle 00:01:42
*130 vty 0 idle 00:00:00 202.100.1.2

R4(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.20 //the default route is required, otherwise R4 cannot send return packets.
Verification:
R4#telnet 202.100.1.2 //note that the session appears to come from the translated address 202.100.1.4
Trying 202.100.1.2 ... Open
User Access Verification
Password:
R2>show users
Line User Host(s) Idle Location
0 con 0 idle 00:02:01
*130 vty 0 idle 00:00:00 202.100.1.4

Test 2: admin NAT + global
In the admin context configuration mode: set up PAT
1. Switch to admin: changeto context admin
2. Add a default route on R2: ip route 0.0.0.0 0.0.0.0 202.100.1.10
Add a default route on R3: ip route 0.0.0.0 0.0.0.0 192.168.1.10
Problem: R3 Telnet to R2 should in theory work, since the traffic goes from inside to outside, but in practice it fails.
Why? R3's gateway is now 192.168.1.10, yet the traffic still does not get through; check with show ip route.
R3#show ip route
C 192.168.1.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 192.168.1.10
Cause: R3#show arp //shows that 192.168.1.10 and 192.168.1.20 have exactly the same MAC address, identical to the MAC of the ASA's G2
R3#show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.1.10 37 000c.2995.4efc ARPA FastEthernet0/0
Internet 192.168.1.3 - cc03.ee90.0000 ARPA FastEthernet0/0
Internet 192.168.1.20 34 000c.2995.4efc ARPA FastEthernet0/0
2: Ext: GigabitEthernet2 : address is 000c.2995.4efc, irq 0

ASA/vir(config)# changeto context admin
R2(config)#ip route 0.0.0.0 0.0.0.0 202.100.1.10
R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.10

Solution 1:
1. In ASA/admin, enter interface G2 and set a different MAC with the mac-address command;
2. R3 can now Telnet to 202.100.1.2; check again with R3#show arp.
ASA(config)# changeto context admin
ASA/admin(config)# interface g2
ASA/admin(config-if)# mac-address 0000.0000.0001

Solution 2:
1. Remove the manual MAC just set on g2, then have the system execution space (the physical firewall) resolve it automatically;
ASA/admin(config)# changeto context sys
ASA(config)# mac-address auto

In fact, before the command above was entered, router R2 also saw the same MAC address for 202.100.1.10 and 202.100.1.20:
R2#show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 202.100.1.10 46 000c.2995.4ef2 ARPA FastEthernet0/0
Internet 202.100.1.4 28 000c.2995.4ef2 ARPA FastEthernet0/0
Internet 202.100.1.2 - cc02.1bb4.0000 ARPA FastEthernet0/0
Internet 202.100.1.20 44 000c.2995.4ef2 ARPA FastEthernet0/0
As the table shows, 202.100.1.10 and 202.100.1.20 share the same MAC address.
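As an added example (not part of the original lab write-up), the Python below parses the system execution space's show run context output from step 8 to list interfaces allocated to more than one context, and parses R3's show arp output to flag a MAC address that answers for several IPs, which is the exact symptom diagnosed in Test 2. Both sample outputs are constructed from the lab's own values.

```python
import re
from collections import defaultdict

# Constructed sample (not captured from the lab device): the "show run context"
# output from the system execution space, where admin and vir share G1 and G2.
SHOW_RUN_CONTEXT = """\
admin-context admin
context admin
allocate-interface GigabitEthernet0
allocate-interface GigabitEthernet1
allocate-interface GigabitEthernet2
config-url disk0:/admin.cfg
context vir
allocate-interface GigabitEthernet1
allocate-interface GigabitEthernet2
allocate-interface GigabitEthernet3
config-url disk0:/vir.cfg
"""

# Constructed sample: R3's "show arp" before "mac-address auto" was enabled.
SHOW_ARP_R3 = """\
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.1.10 37 000c.2995.4efc ARPA FastEthernet0/0
Internet 192.168.1.3 - cc03.ee90.0000 ARPA FastEthernet0/0
Internet 192.168.1.20 34 000c.2995.4efc ARPA FastEthernet0/0
"""

def shared_interfaces(show_run_context):
    """Interfaces allocated to more than one context -> sorted list of those contexts."""
    owners = defaultdict(set)
    ctx = None
    for line in show_run_context.splitlines():
        m = re.match(r"context (\S+)$", line)   # "admin-context admin" does not match here
        if m:
            ctx = m.group(1)
            continue
        m = re.match(r"allocate-interface (\S+)", line)
        if m and ctx:
            owners[m.group(1)].add(ctx)
    return {ifc: sorted(c) for ifc, c in owners.items() if len(c) > 1}

def duplicate_macs(show_arp):
    """MAC addresses that answer for more than one IP -> sorted list of those IPs."""
    by_mac = defaultdict(set)
    for line in show_arp.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0] == "Internet":   # Protocol Address Age HWaddr Type Interface
            by_mac[f[3]].add(f[1])
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
```

Any interface reported by shared_interfaces needs a unique MAC per context (manual mac-address or mac-address auto), and duplicate_macs run over a neighbouring router's ARP table confirms whether the fix has taken effect.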

Test 3: management through the admin context
In the admin context configuration mode:
ASA(config)# changeto context admin
ASA/admin(config)# telnet 0 0 inside

R3#telnet 192.168.1.10 //after logging in to admin, all kinds of operations are possible, including switching contexts
Trying 192.168.1.10 ... Open
User Access Verification
Password: cisco
ASA/admin# show int ip bri
ASA/admin# conf t
ASA/admin(config)# route outside 0 0 202.100.1.2
ASA/admin(config)#
ASA/admin(config)# show route
S* 0.0.0.0 0.0.0.0 [1/0] via 202.100.1.2, outside
ASA/admin(config)# changeto context vir
ASA/vir(config)# conf t
ASA/vir(config)# exit
ASA/vir# changeto context sys
ASA# show run context

ASA/admin(config)# changeto context vir
ASA/vir(config)# telnet 0 0 inside

R3#telnet 192.168.1.20 //after logging in to vir, only operations inside vir are possible; anything else produces an error
Trying 192.168.1.20 ... Open
User Access Verification
Password:
Type help or '?' for a list of available commands.
ASA/vir> en
Password:
ASA/vir# changeto context sys
Command not valid in current execution space
ASA/vir# changeto context admin
Command not valid in current execution space

Cisco firewall resources
Connection counts are still useful. Where a dash is shown there is no configured limit, but that does not mean unlimited: it is still bounded by CPU resources, the protocol's maximum count and so on. The numbers give the maximum, e.g. 32/100:


Reposted from blog.51cto.com/13856092/2138619