ASA icmp檢測和內網NAT轉化

 拓撲結構 ：

 

In（R1） ---- （inside） ASA 5520（outside） --- Out（R2）

 

 

 

 

ASA配置 ：

 

 

ASA Version 8.4(2)

hostname ciscoasa

enable password rQETR98wpSI1Lpr9 encrypted

passwd rQETR98wpSI1Lpr9 encrypted

names

interface GigabitEthernet0

nameif inside

security-level 100

ip address 192.168.1.4 255.255.255.0

!

interface GigabitEthernet1

nameif dmz

security-level 50

no ip address

!

interface GigabitEthernet2

nameif outside

security-level 0

ip address 10.254.1.1 255.255.255.0

!

ftp mode passive

object network test

host 192.168.1.5

pager lines 24

logging enable

logging asdm informational

logging debug-trace

mtu inside 1500

mtu dmz 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

!

object network test

nat (inside,outside) dynamic 10.254.1.10   ----動態NAT

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

web***

anyconnect-essentials

username netemu password QTbvAEdn30mERkZb encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect icmp

inspect icmp error

!

service-policy global_policy global

prompt hostname context

call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

 

crashinfo save disable

Cryptochecksum:bfa7c38d2288de6d8cb12bd5c4be8eb6

: end

 

 

 

NAT轉化擊中計數器 ：

ciscoasa# show nat detail      去往Outside地址段的地址轉換

 

Auto NAT Policies (Section 2)

1 (inside) to (outside) source dynamic test 10.254.1.10

translate_hits = 126, untranslate_hits = 90

Source - Origin: 192.168.1.5/32, Translated: 10.254.1.10/32

 

 

在實驗過程當中發現inspection引擎下的配置刪除掉了 需手動加上

並加上如下配置：

policy-map global_policy
class inspection_default
inspect icmp

網上有詳細解釋！

 

 

 

Inside 路由器配置 ：

In#show running-config

Building configuration...

 

Current configuration : 959 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

ip domain name lab.local

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

interface FastEthernet0/0

ip address 192.168.1.5 255.255.255.0

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 192.168.1.4

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

line aux 0

exec-timeout 0 0

privilege level 15

logging synchronous

line vty 0 4

login

end

 

 

 

Outside 路由器配置 ：

Out#show runn

Building configuration...

 

Current configuration : 1006 bytes

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Out

no ip domain lookup

ip domain name lab.local

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

 

username admin password 0 cisco

interface FastEthernet0/0

ip address 10.254.1.5 255.255.255.0

duplex auto

speed auto

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 10.254.1.1   ----- 默認路由 指向Inside端網絡

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

line aux 0

exec-timeout 0 0

privilege level 15

logging synchronous

line vty 0 4

password cisco

login

end

 

 

咱們須要瞭解ASA對於inbound和outbound的定義 ：

高安全級別  ----> 低安全級別   outbound

低安全級別  ----> 高安全級別   inbound

 

默認狀況 ：出站流量是容許的 （特例請見下文）

           進流量是禁止的  

 

也就是從高到低方向是容許的，也能夠返回的。但不能夠直接從低到高。

 

ACL能夠禁止或容許這兩個方向的流量

 

 摘自 ASA840 配置手冊 講的是inspection引擎對於一些特定協議流量的檢測機制 

ACL 返回流量規則 ：  

For TCP and UDP connections for both routed and transparent mode, you do not need an access rule to  allow returning traffic because the ASA allows all returning traffic for established, bidirectional connections. For connectionless protocols such as ICMP, however, the ASA establishes unidirectional sessions,

For connectionless protocols such as ICMP, however, the ASA establishes unidirectional sessions, so  you either need access rules to allow ICMP in both directions (by applying access lists to the source and destination interfaces), or you need to enable the ICMP inspection engine. The ICMP inspection enginetreats ICMP sessions as bidirectional connections. To control ping, specify echo-reply (0) (ASA to host)or echo (8) (host to ASA).

 

思科官方文檔解釋仍是蠻給力的  須要咱們好好膜拜！