
ASA 5520 Internal Network Inter-Access Lab

Published: 2020-07-18 23:08:02  Source: web  Views: 499  Author: goldream  Category: Security technology

ASA 5520 internal interface inter-access lab

Test how to configure access between ASA 5520 internal interfaces that have different security levels.
Test how to configure access between different ASA 5520 internal interfaces that have the same security level.

Lab environment: a GNS3 virtual lab; the ASA runs version 8.4(2).

Lab topology:

[Topology diagram: ASA 5520 inter-interface access lab]

Router1 basic configuration:
ip domain name test.com
username root secret 5 $1$/3e0$pTshnFze2RSAvILS1t6Ak/
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
duplex half
ip route 0.0.0.0 0.0.0.0 192.168.1.1

Router2 basic configuration:
ip domain name test.com
username root password 0 root
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.2.2 255.255.255.0
duplex half
ip route 0.0.0.0 0.0.0.0 192.168.2.1
line vty 0 4
login local
transport input telnet ssh

Router3 basic configuration:
interface FastEthernet0/0
ip address 192.168.13.3 255.255.255.0
duplex half
ip route 0.0.0.0 0.0.0.0 192.168.13.1

(The Router1 and Router3 excerpts omit the vty login configuration that the telnet and SSH logins in the tests below rely on; only Router2 shows it.)

ASA 5520 basic configuration:
interface GigabitEthernet0
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1
nameif inside1
security-level 90
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet2
nameif outside
security-level 0
ip address 192.168.13.1 255.255.255.0

route outside 0.0.0.0 0.0.0.0 192.168.13.3 1
route inside 1.1.1.0 255.255.255.0 192.168.1.2 1
route inside1 2.2.2.0 255.255.255.0 192.168.2.2 1

Test 1:
1. Ping Router3's address from Router1 and from Router2:
R1#ping 192.168.13.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#ping 192.168.13.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
2. Telnet to Router3's address from Router1 and from Router2:
R1#192.168.13.3
Trying 192.168.13.3 ... Open
User Access Verification
Username: root
Password:
R3>
R2#192.168.13.3
Trying 192.168.13.3 ... Open

User Access Verification
Username: root
Password:
R3>
Conclusion: by default, hosts behind a higher-security-level interface can reach networks behind a lower-security-level interface, while the reverse direction is denied. Ping fails even though the echo request is allowed out, because ASA 8.4 does not track ICMP statefully unless ICMP inspection is enabled: the echo reply arriving on outside is treated as a new flow from security level 0 to level 100 and is dropped. The post opens it with an access list applied inbound on outside:
access-list outside permit icmp any any
access-group outside in interface outside
Note that `permit icmp any any` also lets hosts on outside initiate ICMP toward inside and inside1 (their replies then leave through the higher-level interface unhindered). The tighter alternative is to leave outside closed and enable ICMP inspection (`inspect icmp` under `class inspection_default` in `policy-map global_policy`), which admits only replies to echoes sent from the inside.
With the ACL in place, both inside and inside1 can ping Router3's interface address:
R1#ping 192.168.13.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/70/144 ms
R2#ping 192.168.13.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/50/132 ms

Test 2:
1. Ping and telnet from Router1 to Router2's interface address:
R1#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#192.168.2.2
Trying 192.168.2.2 ... Open
User Access Verification
Username: root
Password:
R2>
Ping fails but telnet works: inside (level 100) is higher than inside1 (level 90), so the telnet session from R1 is permitted by default, while the echo reply that R2 sends back arrives on inside1 as a new flow from low to high and is dropped, exactly as in Test 1.
We add an access list on inside1 so that the replies can come back:
access-list inside1 permit icmp any any
access-group inside1 in interface inside1
R1#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/65/136 ms
To let the lower-level inside1 reach the higher-level inside, add the following entries to the same access list (the `log` keyword makes each match produce a syslog message; the ACL is already bound to inside1, so the repeated `access-group` line changes nothing):
access-list inside1 extended permit tcp host 192.168.2.2 host 192.168.1.2 eq telnet log
access-list inside1 extended permit tcp host 192.168.2.2 host 192.168.1.2 eq ssh log
access-group inside1 in interface inside1
Test again:
R2#telnet 192.168.1.2
Trying 192.168.1.2 ... Open
User Access Verification
Username: root
Password:
R1>exit
[Connection to 192.168.1.2 closed by foreign host]
R2#ssh -l root 192.168.1.2
Password:
R1>
Traffic from the lower-level inside1 can now reach the higher-level inside.
Conclusion: between internal interfaces of different security levels, everything from the higher-level interface to the lower-level one is permitted by default; only ping appears to fail, and that is because the ICMP echo reply is not matched to a connection unless ICMP inspection is enabled. From the lower-level interface to the higher-level one, an access list permitting the required traffic must be applied inbound on the lower-level interface. Bear in mind that as soon as `access-group inside1 in interface inside1` is applied, the implicit permission inside1 enjoyed toward outside is gone as well: the ACL now decides all traffic entering inside1, with an implicit deny at its end, so after the configuration above R2 can no longer telnet to R3 unless the ACL also permits that traffic.
Test 3: access between different internal interfaces with the same security level
Remove the access lists configured above and set inside and inside1 to the same security level, 100:
interface GigabitEthernet0
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1
nameif inside1
security-level 100
ip address 192.168.2.1 255.255.255.0
Now test from R1:
R1#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1# 192.168.2.2
Trying 192.168.2.2 ...% Connection timed out; remote host not responding
Neither works, and testing from R2 gives the same result.
Add the command same-security-traffic permit inter-interface and test from R1 again:
R1#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/95/240 ms
R1# 192.168.2.2
Trying 192.168.2.2 ... Open
User Access Verification
Username: root
Password:
R2>
Access now works without any problem.
Conclusion: access between interfaces of the same security level only needs the single command `same-security-traffic permit inter-interface`; no access list is required, and because the permission applies in both directions the ICMP echo reply also passes without an ACL or ICMP inspection. (The related `same-security-traffic permit intra-interface` is different: it allows traffic to leave through the same interface it arrived on.)
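To make the rules behind Tests 1, 2 and 3 concrete, here is an added example (written for this edit, not code from the original post or from Cisco) that models the ASA's decision for a flow: the security-level default, what changes once an access-group is bound to an interface, ICMP replies with and without `inspect icmp`, and `same-security-traffic permit inter-interface`. The `ACE`/`ASA` classes, `run_experiments`, and the "deny ip any 192.168.1.0/24" plus "permit ip any any" tail are my own constructions; the addresses and security levels are the lab's. It replays all three tests and adds the two results the post does not show: the outside ACL also admits ICMP initiated from outside, and once the inside1 ACL is applied, R2 loses its default access to R3 until the ACL permits it.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class ACE:
    """One access-list entry, e.g. permit tcp host 192.168.2.2 host 192.168.1.2 eq 23.
    src/dst: "any", a host IP, or a CIDR prefix; dport=None means any port.
    ICMP types are not modelled: "icmp" matches every ICMP packet."""
    action: str
    proto: str                       # "ip" (any protocol), "icmp", "tcp", "udp"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None

    @staticmethod
    def _addr_ok(spec: str, ip: str) -> bool:
        return spec == "any" or ip_address(ip) in ip_network(spec, strict=False)

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto not in ("ip", proto):
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return self._addr_ok(self.src, src) and self._addr_ok(self.dst, dst)


@dataclass
class ASA:
    """Toy model of interface ACL and security-level evaluation (assumption: a
    simplification of the real ASA data path, enough for the cases in this lab)."""
    levels: Dict[str, int]                                      # nameif -> security-level
    routes: Dict[str, str]                                      # prefix -> nameif
    acls: Dict[str, List[ACE]] = field(default_factory=dict)    # nameif -> ACL applied "in"
    same_security_inter: bool = False    # same-security-traffic permit inter-interface
    inspect_icmp: bool = False           # inspect icmp in policy-map global_policy

    def iface_for(self, ip: str) -> str:
        for prefix, nameif in self.routes.items():
            if ip_address(ip) in ip_network(prefix):
                return nameif
        raise ValueError(f"no route for {ip}")

    def _new_flow(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        """Decision for a packet that starts a new connection on the interface owning src."""
        ingress, egress = self.iface_for(src), self.iface_for(dst)
        acl = self.acls.get(ingress)
        if acl is not None:
            # A bound ACL replaces the security-level default completely: first match
            # wins, and the implicit deny at the end drops everything else.
            for ace in acl:
                if ace.matches(proto, src, dst, dport):
                    return ace.action == "permit"
            return False
        lin, lout = self.levels[ingress], self.levels[egress]
        return self.same_security_inter if lin == lout else lin > lout

    def flow_allowed(self, proto: str, src: str, dst: str, dport: Optional[int] = None) -> bool:
        """True when both the request and its reply get through, i.e. what the host sees."""
        if not self._new_flow(proto, src, dst, dport):
            return False
        if proto in ("tcp", "udp") or self.inspect_icmp:
            return True      # reply matches the connection table and bypasses interface ACLs
        # Without inspect icmp the echo-reply is just another ICMP packet arriving on the
        # far interface and is evaluated as a brand-new flow in the opposite direction.
        return self._new_flow(proto, dst, src, None)


R1, R2, R3 = "192.168.1.2", "192.168.2.2", "192.168.13.3"     # lab addresses from the post
LEVELS = {"inside": 100, "inside1": 90, "outside": 0}
ROUTES = {"192.168.1.0/24": "inside", "1.1.1.0/24": "inside",
          "192.168.2.0/24": "inside1", "2.2.2.0/24": "inside1",
          "192.168.13.0/24": "outside"}


def run_experiments() -> Dict[str, bool]:
    """Replays Tests 1-3 and the two side effects the post does not show."""
    r: Dict[str, bool] = {}
    asa = ASA(dict(LEVELS), ROUTES)                                      # Test 1
    r["t1_r1_ping_r3"] = asa.flow_allowed("icmp", R1, R3)                # echo-reply dropped
    r["t1_r1_telnet_r3"] = asa.flow_allowed("tcp", R1, R3, 23)           # high -> low is open
    asa.acls["outside"] = [ACE("permit", "icmp")]                        # the post's fix
    r["t1_ping_after_acl"] = asa.flow_allowed("icmp", R1, R3)
    r["t1_r3_ping_r1_after_acl"] = asa.flow_allowed("icmp", R3, R1)      # outside may now probe in
    asa = ASA(dict(LEVELS), ROUTES, inspect_icmp=True)                   # stateful alternative
    r["t1_ping_with_inspect"] = asa.flow_allowed("icmp", R1, R3)
    r["t1_r3_ping_r1_with_inspect"] = asa.flow_allowed("icmp", R3, R1)   # still closed

    asa = ASA(dict(LEVELS), ROUTES)                                      # Test 2
    r["t2_r1_ping_r2"] = asa.flow_allowed("icmp", R1, R2)
    asa.acls["inside1"] = [ACE("permit", "icmp")]
    r["t2_r1_ping_r2_after_acl"] = asa.flow_allowed("icmp", R1, R2)
    r["t2_r2_telnet_r1_before"] = asa.flow_allowed("tcp", R2, R1, 23)    # implicit deny
    asa.acls["inside1"] += [ACE("permit", "tcp", R2, R1, 23), ACE("permit", "tcp", R2, R1, 22)]
    r["t2_r2_telnet_r1"] = asa.flow_allowed("tcp", R2, R1, 23)
    r["t2_r2_telnet_r3_broken"] = asa.flow_allowed("tcp", R2, R3, 23)    # ACL ate the default
    asa.acls["inside1"] += [ACE("deny", "ip", "any", "192.168.1.0/24"), ACE("permit", "ip")]
    r["t2_r2_telnet_r3_fixed"] = asa.flow_allowed("tcp", R2, R3, 23)
    r["t2_r2_http_r1"] = asa.flow_allowed("tcp", R2, R1, 80)             # inside still limited

    asa = ASA({**LEVELS, "inside1": 100}, ROUTES)                        # Test 3
    r["t3_ping_before"] = asa.flow_allowed("icmp", R1, R2)
    asa.same_security_inter = True
    r["t3_ping_after"] = asa.flow_allowed("icmp", R1, R2)
    r["t3_r2_telnet_r1_after"] = asa.flow_allowed("tcp", R2, R1, 23)     # both directions open
    return r


if __name__ == "__main__":
    for name, ok in run_experiments().items():
        print(f"{name:30} {'permitted' if ok else 'DENIED'}")
```

The deny-then-permit tail appended in Test 2 is the shape a practitioner ends up with on a real ASA once an ACL is bound to inside1: explicit permits for the few services allowed toward inside, a deny for the rest of the inside subnet, then a permit that restores inside1's former default access to lower-level interfaces.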
