CCNP_SEC_ASA 第四天作业
1. 在不使用任何 ACL的前提下,使得 Inside路由器可以 Ping通 Outside路由器。
提示:需要看到如下输出信息。
Inside#ping 202.100.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/10/20
设备配置:
##此处展示各设备的配置,可以粘贴文字,也可以粘贴截图##
policy-map global_policy
class inspection_default
inspect icmp
测试现象:
##此处展示实验需求的测试结果,可以粘贴文字,也可以粘贴截图##
2. 限制由 Outside接口进入的网管 ASA的 SSH流量,最大连接数为 1;限制由 Inside接口进入的网管 ASA的 Telnet和 ASDM的流量,最大连接数分别为 2和 3
设备配置:
##此处展示各设备的配置,可以粘贴文字,也可以粘贴截图##
class-map type management Inside-class
match port tcp eq telnet
class-map type management Outside-class
match port tcp eq ssh
class-map type management Inside-class1
match port tcp eq https
policy-map Inside-policy
class Inside-class
set connection conn-max 2 embryonic-conn-max 0
class Inside-class1
set connection conn-max 3 embryonic-conn-max 0
policy-map Outside-policy
class Outside-class
set connection conn-max 1 embryonic-conn-max 0
service-policy Inside-policy interface Inside
service-policy Outside-policy interface Outside
测试现象:
##此处展示实验需求的测试结果,可以粘贴文字,也可以粘贴截图##
3. Outside路由器去往 DMZ路由器的 Telnet流量设置 idel timeout为 1小时,并启用DCD(Dead-connection detectio)
设备配置:
##此处展示各设备的配置,可以粘贴文字,也可以粘贴截图##
access-list Outside_mpc line 1 extended permit tcp host 202.100.1.1 host 192.168.1.1 eq telnet
class-map Outside-class1
match access-list Outside_mpc
policy-map Outside-policy
class Outside-class1
set connection timeout idle 1:00:00 reset dcd 0:00:15 5
service-policy Outside-policy interface Outside
测试现象:
##此处展示实验需求的测试结果,可以粘贴文字,也可以粘贴截图##
4. 当 Outside路由器通过 traceroute Inside路由器时,让 ASA的 Outside口地址出现在 traceroute中。
提示:需要看到如下两种输出。
Outside#traceroute 10.1.1.1 (配置前)
Type escape sequence to abort.
Tracing the route to 10.1.1.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.1.1.1 10 msec * 5 msec
Outside#traceroute 10.1.1.1 (配置后)
Type escape sequence to abort.
Tracing the route to 10.1.1.1
VRF info: (vrf in name/id, vrf out name/id)
1 202.100.1.10 3 msec 2 msec *
2 10.1.1.1 5 msec 6 msec *
设备配置:
##此处展示各设备的配置,可以粘贴文字,也可以粘贴截图##
access-list out-traceroute extended permit udp any any gt 33433
access-group out-traceroute in interface Outside
access-list Traceroute extended permit udp any any gt 33433
class-map Traceroute
match access-list Traceroute
policy-map global_policy
set connection decrement-ttl
测试现象:
##此处展示实验需求的测试结果,可以粘贴文字,也可以粘贴截图##
5. 解决 Outside路由器和 Inside路由器之间 EBGP的MD5认证穿越防火墙的问题。
提示:手工输入以下预配
Outside路由器:
router bgp 100
bgp log-neighbor-changes
neighbor 10.1.1.1 remote-as 200
neighbor 10.1.1.1 password Cisc0123
neighbor 10.1.1.1 ebgp-multihop 255
neighbor 10.1.1.1 update-source GigabitEthernet1
ip route 10.1.1.0 255.255.255.0 202.100.1.10
Inside路由器:
interface loopback 0
ip address 1.1.1.1 255.255.255.0
router bgp 200
bgp log-neighbor-changes
neighbor 202.100.1.1 remote-as 100
neighbor 202.100.1.1 password Cisc0123
neighbor 202.100.1.1 ebgp-multihop 255
neighbor 202.100.1.1 update-source GigabitEthernet1
ip route 202.100.1.0 255.255.255.0 10.1.1.10
设备配置:
##此处展示各设备的配置,可以粘贴文字,也可以粘贴截图##
TCP 旁路
access-list global_mpc line 1 extended permit tcp host 10.1.1.1 host 202.100.1.1 eq telnet
class-map global-class
match access-list global_mpc
policy-map global_policy
class global-class
set connection advanced-options tcp-state-bypass
BGP MD5 穿越ASA
class-map global-class
match port tcp eq bgp
policy-map global_policy
class global-class
set connection random-sequence-number disable
测试现象:
##此处展示实验需求的测试结果,可以粘贴文字,也可以粘贴截图##
6. 位于 DMZ区域的 FTP服务器提供服务的端口为 TCP2121,在防火墙上监控 FTP流量。
设备配置:
##此处展示各设备的配置,可以粘贴文字,也可以粘贴截图##
class-map new-ftp
match port tcp eq 2121
policy-map global_policy
class new-ftp
inspect ftp
access-list inside-ftp extended permit tcp any any eq 2121
access-group inside-ftp in interface Inside
测试现象:
##此处展示实验需求的测试结果,可以粘贴文字,也可以粘贴截图##
