Note: the following output should appear.
Inside#ping 202.100.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/10/20
Device configuration:
policy-map global_policy
class inspection_default
inspect icmp
Test results:

Device configuration:
class-map type management Inside-class
match port tcp eq telnet
class-map type management Outside-class
match port tcp eq ssh
class-map type management Inside-class1
match port tcp eq https
policy-map Inside-policy
class Inside-class
set connection conn-max 2 embryonic-conn-max 0
class Inside-class1
set connection conn-max 3 embryonic-conn-max 0
policy-map Outside-policy
class Outside-class
set connection conn-max 1 embryonic-conn-max 0
service-policy Inside-policy interface Inside
service-policy Outside-policy interface Outside
Test results:



Device configuration:
access-list Outside_mpc line 1 extended permit tcp host 202.100.1.1 host 192.168.1.1 eq telnet
class-map Outside-class1
match access-list Outside_mpc
policy-map Outside-policy
class Outside-class1
set connection timeout idle 1:00:00 reset dcd 0:00:15 5
service-policy Outside-policy interface Outside
Test results:
Note: the following two outputs should appear.
Outside#traceroute 10.1.1.1 (before configuration)
Type escape sequence to abort.
Tracing the route to 10.1.1.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.1.1.1 10 msec * 5 msec
Outside#traceroute 10.1.1.1 (after configuration)
Type escape sequence to abort.
Tracing the route to 10.1.1.1
VRF info: (vrf in name/id, vrf out name/id)
1 202.100.1.10 3 msec 2 msec *
2 10.1.1.1 5 msec 6 msec *
Device configuration:
access-list out-traceroute extended permit udp any any gt 33433
access-group out-traceroute in interface Outside
access-list Traceroute extended permit udp any any gt 33433
class-map Traceroute
match access-list Traceroute
policy-map global_policy
class Traceroute
set connection decrement-ttl
Test results:

Note: manually enter the following pre-configuration.
Outside router:
router bgp 100
bgp log-neighbor-changes
neighbor 10.1.1.1 remote-as 200
neighbor 10.1.1.1 password Cisc0123
neighbor 10.1.1.1 ebgp-multihop 255
neighbor 10.1.1.1 update-source GigabitEthernet1
ip route 10.1.1.0 255.255.255.0 202.100.1.10
Inside router:
interface loopback 0
ip address 1.1.1.1 255.255.255.0
router bgp 200
bgp log-neighbor-changes
neighbor 202.100.1.1 remote-as 100
neighbor 202.100.1.1 password Cisc0123
neighbor 202.100.1.1 ebgp-multihop 255
neighbor 202.100.1.1 update-source GigabitEthernet1
ip route 202.100.1.0 255.255.255.0 10.1.1.10
Device configuration:
TCP state bypass
access-list global_mpc line 1 extended permit tcp host 10.1.1.1 host 202.100.1.1 eq telnet
class-map global-class
match access-list global_mpc
policy-map global_policy
class global-class
set connection advanced-options tcp-state-bypass

BGP MD5 through the ASA
class-map global-class
match port tcp eq bgp
policy-map global_policy
class global-class
set connection random-sequence-number disable
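Why sequence-number randomization is disabled for the BGP class, as an added example that is not part of the original lab notes: the RFC 2385 TCP MD5 signature covers the TCP sequence number, so a device that rewrites it without knowing the key invalidates the digest. The segment values and helper names are constructed for illustration; the key is the neighbor password from the router pre-configuration.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"Cisc0123"  # neighbor password from the router pre-configuration above

def tcp_md5_digest(src, dst, sport, dport, seq, ack, flags, window,
                   payload, key, options_len=20):
    """RFC 2385 digest: pseudo-header + fixed TCP header (checksum zeroed,
    options excluded) + payload + key."""
    seg_len = 20 + options_len + len(payload)      # header + options + data
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src),
                         socket.inet_aton(dst), 0, socket.IPPROTO_TCP, seg_len)
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         ((20 + options_len) // 4) << 4, flags, window, 0, 0)
    return hashlib.md5(pseudo + header + payload + key).digest()

def sign(fields, key):
    """Sender side: attach the digest that would travel in TCP option 19."""
    return {"fields": dict(fields), "digest": tcp_md5_digest(**fields, key=key)}

def rewrite_sequence(segment, offset):
    """Model of a middlebox that shifts the sequence number; it has no key,
    so the digest is forwarded unchanged."""
    fields = dict(segment["fields"])
    fields["seq"] = (fields["seq"] + offset) & 0xFFFFFFFF
    return {"fields": fields, "digest": segment["digest"]}

def receiver_accepts(segment, key):
    """Receiver side: recompute the digest over what actually arrived."""
    expected = tcp_md5_digest(**segment["fields"], key=key)
    return hmac.compare_digest(expected, segment["digest"])

# Constructed SYN from the Inside router to the Outside router (BGP, TCP/179).
SYN = {"src": "10.1.1.1", "dst": "202.100.1.1", "sport": 40000, "dport": 179,
       "seq": 1000, "ack": 0, "flags": 0x02, "window": 16384, "payload": b""}

if __name__ == "__main__":
    signed = sign(SYN, KEY)
    print("unmodified segment accepted:", receiver_accepts(signed, KEY))
    print("sequence rewritten, accepted:",
          receiver_accepts(rewrite_sequence(signed, 0x5A5A5A5A), KEY))
```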
Test results:


Device configuration:
class-map new-ftp
match port tcp eq 2121
policy-map global_policy
class new-ftp
inspect ftp
access-list inside-ftp extended permit tcp any any eq 2121
access-group inside-ftp in interface Inside
Test results:
