CCNP_SEC_ASA Day 7 Assignment
### Part 1 - Transparent Firewall V4 LAB Exam Points ###
Lab 1 topology:
(Topology diagram, EVE environment)
Environment description:
This topology contains five routers (hostnames B1-Out, B2-Out, B1-In, B2-In and B1-DMZ), one firewall (hostname: ASA) and one switch (hostname: SW).
The E0/0 interfaces of the five routers connect to the switch's E1/1-3 and E2/1-2 interfaces, and the ASA's G0/0-1 interfaces connect to the switch's E0/0-1 interfaces. On the switch, assign each device to a VLAN as shown in the diagram, and configure bridge groups on the ASA.
| Device | IP/Mask |
|---|---|
| B1.Out router E0/0 | 202.100.1.1/24 |
| B2.Out router E0/0 | 202.100.2.1/24 |
| B1.In router E0/0 | 202.100.1.2/24 |
| B2.In router E0/0 | 202.100.2.2/24 |
| B1.DMZ router E0/0 | 202.100.1.3/24 |
| SW switch | |
| E1/1 | VLAN11 |
| E1/2 | VLAN12 |
| E1/3 | VLAN13 |
| E2/1 | VLAN21 |
| E2/2 | VLAN22 |
| E0/0 | VLAN11,12,13 |
| E0/1 | VLAN21,22 |
| ASA Bridge-group1 | |
| b1-outside | VLAN11 |
| b1-inside | VLAN12 |
| b1-dmz | VLAN13 |
| BVI1 | 202.100.1.100/24 |
| ASA Bridge-group2 | |
| b2-outside | VLAN21 |
| b2-inside | VLAN22 |
| BVI2 | 202.100.2.100/24 |
Lab 1 requirements:
Device configuration:
## Show each device's configuration here; paste text or screenshots ##
ASA
firewall transparent
!
interface GigabitEthernet0/0
no shutdown
!
interface GigabitEthernet0/0.11
vlan 11
nameif b1-out
bridge-group 1
security-level 0
!
interface GigabitEthernet0/0.12
vlan 12
nameif b1-in
bridge-group 1
security-level 100
!
interface GigabitEthernet0/0.13
vlan 13
nameif b1-dmz
bridge-group 1
security-level 50
!
interface GigabitEthernet0/1
no shutdown
!
interface GigabitEthernet0/1.21
vlan 21
nameif b2-out
bridge-group 2
security-level 0
!
interface GigabitEthernet0/1.22
vlan 22
nameif b2-in
bridge-group 2
security-level 100
!
interface BVI1
ip address 202.100.1.100 255.255.255.0
!
interface BVI2
ip address 202.100.2.100 255.255.255.0
SW
vlan 11,12,13,21,22
!
interface Ethernet0/0
switchport trunk allowed vlan 11-13
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Ethernet0/1
switchport trunk allowed vlan 21,22
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Ethernet1/1
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface Ethernet1/2
switchport access vlan 12
switchport mode access
spanning-tree portfast
!
interface Ethernet1/3
switchport access vlan 13
switchport mode access
spanning-tree portfast
!
interface Ethernet2/1
switchport access vlan 21
switchport mode access
!
interface Ethernet2/2
switchport access vlan 22
switchport mode access
!
Other devices
B1.out
hostname B1.out
!
no ip domain lookup
!
interface Ethernet0/0
ip address 202.100.1.1 255.255.255.0
!
B1.DMZ
hostname B1.DMZ
!
no ip domain lookup
!
interface Ethernet0/0
ip address 202.100.1.3 255.255.255.0
!
B1.in
hostname B1.in
!
no ip domain lookup
!
interface Ethernet0/0
ip address 202.100.1.2 255.255.255.0
!
B2.out
hostname B2.out
!
no ip domain lookup
!
interface Ethernet0/0
mac-address 0001.0001.0001
ip address 202.100.2.1 255.255.255.0
!
B2.in
hostname B2.in
!
no ip domain lookup
!
interface Ethernet0/0
mac-address 0002.0002.0002
ip address 202.100.2.2 255.255.255.0
!
Permit ICMP and Telnet on the ASA and complete the following tests successfully:
Hint: you should see output like the following
B1.Out#ping 202.100.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
B1.Out#telnet 202.100.1.2
Trying 202.100.1.2 ... Open
B2.Out#ping 202.100.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
B2.Out#telnet 202.100.2.2
Trying 202.100.2.2 ... Open
Device configuration:
access-list b1-out-in extended permit tcp host 202.100.1.1 host 202.100.1.2 eq telnet
access-list b1-out-in extended permit icmp host 202.100.1.1 host 202.100.1.2
access-group b1-out-in in interface b1-out
access-list b2-out-in extended permit tcp host 202.100.2.1 host 202.100.2.2 eq telnet
access-list b2-out-in extended permit icmp host 202.100.2.1 host 202.100.2.2
access-group b2-out-in in interface b2-out
Test results:
## Show the test results for the requirement here; paste text or screenshots ##
Run EIGRP (AS 90) on the B1.Out router (Loopback0: 1.1.1.1) and the B1.In router (Loopback0: 2.2.2.2) so that the loopback interfaces can ping each other.
Hint: you should see output like the following
Device configuration:
ASA:
access-list b1-out-in extended permit eigrp host 202.100.1.1 host 202.100.1.2
access-list b1-out-in extended permit eigrp host 202.100.1.1 host 224.0.0.10
access-list b1-out-in extended permit icmp host 1.1.1.1 host 2.2.2.2
access-group b1-out-in in interface b1-out
access-list b1-in-in extended permit eigrp host 202.100.1.2 host 202.100.1.1
access-list b1-in-in extended permit eigrp host 202.100.1.2 host 224.0.0.10
access-list b1-in-in extended permit icmp host 2.2.2.2 host 1.1.1.1
access-group b1-in-in in interface b1-in
B1.Out:
interface Loopback1
ip address 1.1.1.1 255.255.255.255
!
router eigrp 90
network 1.1.1.1 0.0.0.0
network 202.100.1.0
B1.In:
interface Loopback1
ip address 2.2.2.2 255.255.255.255
!
router eigrp 90
network 2.2.2.2 0.0.0.0
network 202.100.1.0
Test results:
Manually configure the MAC addresses of the B2.Out and B2.In routers' Ethernet interfaces as 0001.0001.0001 and 0002.0002.0002 respectively, enable ARP inspection on the firewall, and test the no-flood and flood behaviours separately. (Run clear arp on the routers before each test.)
Device configuration:
No-flood
ciscoasa(config)# arp-inspection b2-in enable no-flood
ciscoasa(config)# arp-inspection b2-out enable no-flood
Flood
ASA(config)# arp-inspection b2-in enable flood
ASA(config)# arp-inspection b2-out enable flood
Test results:
No-flood
b2-in#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 202.100.2.1 0 Incomplete ARPA
Internet 202.100.2.2 - 0002.0002.0002 ARPA Ethernet0/0
b2-in#
Flood: works normally
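The ARP-inspection behaviour tested above, as an added Python model (illustration code written for this page, not part of the assignment and not Cisco software). The static ARP table is a constructed assumption: the assignment shows only the `arp-inspection` commands and no `arp` entries, so the dictionary holds the entries that hypothetical `arp b2-out 202.100.2.1 0001.0001.0001` and `arp b2-in 202.100.2.2 0002.0002.0002` commands would create. The function reproduces the documented decision: a full match on interface, IP and MAC is forwarded, a partial match (an IP or MAC already bound differently in the table) is dropped, and a sender with no static entry is flooded or dropped according to the `flood`/`no-flood` keyword. Run with an empty table it reproduces the lab result where, under `no-flood`, B2.In's `show arp` shows 202.100.2.1 as Incomplete.

```python
"""Model of ASA transparent-mode ARP inspection (added example, not the lab's own config)."""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class ArpPacket:
    ingress: str      # bridge-group member interface the ARP frame arrived on
    sender_ip: str
    sender_mac: str   # ASA dotted notation, e.g. 0001.0001.0001


# Static ARP table keyed by (interface, ip) -> mac. Constructed assumption: these are the
# entries that hypothetical `arp b2-out 202.100.2.1 0001.0001.0001` and
# `arp b2-in 202.100.2.2 0002.0002.0002` commands would create; the assignment shows none.
STATIC_ARP_BG2: Dict[Tuple[str, str], str] = {
    ("b2-out", "202.100.2.1"): "0001.0001.0001",
    ("b2-in", "202.100.2.2"): "0002.0002.0002",
}


def inspect_arp(pkt: ArpPacket, static_arp: Dict[Tuple[str, str], str], flood: bool) -> str:
    """Return the inspection verdict: 'forward', 'flood' or 'drop'.

    A frame whose interface, sender IP and sender MAC all agree with a static entry is
    forwarded. A frame that reuses an IP or MAC from the table with the other fields
    different is a mismatch and is dropped. A frame that touches no static entry is
    flooded to the other bridge-group members under `flood` and dropped under `no-flood`.
    """
    for (ifc, ip), mac in static_arp.items():
        ifc_ok = ifc == pkt.ingress
        ip_ok = ip == pkt.sender_ip
        mac_ok = mac == pkt.sender_mac
        if ifc_ok and ip_ok and mac_ok:
            return "forward"
        if ip_ok or mac_ok:
            return "drop"
    return "flood" if flood else "drop"


def lab_results(static_arp: Dict[Tuple[str, str], str], flood: bool) -> Dict[str, str]:
    """Run three constructed ARP frames through inspect_arp and collect the verdicts."""
    frames = {
        # B2.In resolving B2.Out, i.e. the `ping 202.100.2.1` from the lab
        "b2.in legit": ArpPacket("b2-in", "202.100.2.2", "0002.0002.0002"),
        # a host with no static entry at all (constructed)
        "unknown host": ArpPacket("b2-in", "202.100.2.50", "0050.0050.0050"),
        # B2.Out's IP presented with a MAC that differs from the static entry (constructed)
        "wrong mac for 202.100.2.1": ArpPacket("b2-out", "202.100.2.1", "0bad.0bad.0bad"),
    }
    return {name: inspect_arp(frame, static_arp, flood) for name, frame in frames.items()}


if __name__ == "__main__":
    # With an empty static table, as in the assignment's configuration, no-flood drops every
    # ARP frame, which is why B2.In's `show arp` lists 202.100.2.1 as Incomplete.
    print("no static entries, no-flood:", lab_results({}, flood=False))
    print("no static entries, flood:   ", lab_results({}, flood=True))
    print("static entries, flood:      ", lab_results(STATIC_ARP_BG2, flood=True))
```

The practical point the model makes is that `no-flood` is only useful once every legitimate host in the bridge group has a static ARP entry; without them it simply blocks all resolution, which is exactly the Incomplete entry seen in the lab.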
Add static MAC addresses on the Bridge-group 2 interfaces (b2-outside: 0003.0003.0003; b2-inside: 0004.0004.0004) and disable automatic MAC learning.
Hint: you should see output like the following
Device configuration:
mac-address-table static b2-in 0004.0004.0004
mac-address-table static b2-out 0003.0003.0003
mac-address-table static b2-in 0002.0002.0002
mac-address-table static b2-out 0001.0001.0001
mac-learn b2-out disable
mac-learn b2-in disable
Test results:
ASA# sh mac-learn
no mac-learn flood
interface mac learn
-------------------------------------------
b1-out enabled
b1-in enabled
b1-dmz enabled
b2-out disabled
b2-in disabled
ASA# sh mac-address-table
interface mac address type Age(min) bridge-group
----------------------------------------------------------------------------------------------------
b1-dmz aabb.cc00.2400 dynamic 3 1
b1-out aabb.cc00.4400 dynamic 5 1
b1-in aabb.cc00.6400 dynamic 5 1
b2-in 0004.0004.0004 static 2
b2-out 0003.0003.0003 static 2
b2-in 0002.0002.0002 static 2
b2-out 0001.0001.0001 static 2
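A way to verify the `show mac-learn` and `show mac-address-table` output above against the requirement, as an added Python example (written for this page; not the assignment's own code and not a Cisco tool). The two sample strings are the command outputs shown above, and the column layout the parser assumes is the one visible there: dynamic rows carry an age in minutes, static rows do not. The audit reports a missing static entry, an interface that should be locked but still learns, and any dynamic entry that has appeared on a locked interface, which is the condition that would indicate learning was re-enabled or the entry was added before `mac-learn ... disable` took effect.

```python
"""Audit of `show mac-learn` / `show mac-address-table` output (added example)."""
import re
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# Constructed sample input: the two command outputs from the lab's test results.
SHOW_MAC_LEARN = """\
no mac-learn flood
interface mac learn
-------------------------------------------
b1-out enabled
b1-in enabled
b1-dmz enabled
b2-out disabled
b2-in disabled
"""

SHOW_MAC_TABLE = """\
interface mac address type Age(min) bridge-group
----------------------------------------------------------------------------------------------------
b1-dmz aabb.cc00.2400 dynamic 3 1
b1-out aabb.cc00.4400 dynamic 5 1
b1-in aabb.cc00.6400 dynamic 5 1
b2-in 0004.0004.0004 static 2
b2-out 0003.0003.0003 static 2
b2-in 0002.0002.0002 static 2
b2-out 0001.0001.0001 static 2
"""

# What the requirement asks for on bridge-group 2.
REQUIRED_STATIC: Set[Tuple[str, str]] = {("b2-out", "0003.0003.0003"), ("b2-in", "0004.0004.0004")}
LOCKED_INTERFACES: Set[str] = {"b2-out", "b2-in"}


class MacEntry(NamedTuple):
    interface: str
    mac: str
    kind: str                 # "static" or "dynamic"
    age_min: Optional[int]    # only dynamic entries carry an age
    bridge_group: int


# Static rows have no age column, so the age group is optional.
MAC_ROW = re.compile(r"^(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(static|dynamic)(?:\s+(\d+))?\s+(\d+)$")
LEARN_ROW = re.compile(r"^(\S+)\s+(enabled|disabled)$")


def parse_mac_table(text: str) -> List[MacEntry]:
    entries = []
    for line in text.splitlines():
        m = MAC_ROW.match(line.strip())
        if m:   # the header and separator lines do not match and are skipped
            ifc, mac, kind, age, bg = m.groups()
            entries.append(MacEntry(ifc, mac, kind, int(age) if age else None, int(bg)))
    return entries


def parse_mac_learn(text: str) -> Dict[str, bool]:
    """Map each interface to True when MAC learning is enabled on it."""
    return {m.group(1): m.group(2) == "enabled"
            for m in (LEARN_ROW.match(ln.strip()) for ln in text.splitlines()) if m}


def audit_mac_table(table: List[MacEntry], learn: Dict[str, bool],
                    required_static: Set[Tuple[str, str]], locked: Set[str]) -> List[str]:
    """Return a list of findings; an empty list means the bridge group matches the requirement."""
    findings = []
    present = {(e.interface, e.mac) for e in table if e.kind == "static"}
    for ifc, mac in sorted(required_static - present):
        findings.append(f"missing static entry {mac} on {ifc}")
    for ifc in sorted(locked):
        if learn.get(ifc, True):   # an interface absent from the output is treated as still learning
            findings.append(f"mac-learn still enabled on {ifc}")
    for e in table:
        if e.interface in locked and e.kind == "dynamic":
            findings.append(f"dynamic entry {e.mac} learned on locked interface {e.interface}")
    return findings


def audit_lab() -> List[str]:
    return audit_mac_table(parse_mac_table(SHOW_MAC_TABLE), parse_mac_learn(SHOW_MAC_LEARN),
                           REQUIRED_STATIC, LOCKED_INTERFACES)


if __name__ == "__main__":
    print(audit_lab() or "bridge-group 2 matches the requirement")
```

Run against the lab output the audit returns no findings; pointing `LOCKED_INTERFACES` at a bridge-group 1 interface instead shows how a still-learning interface and its dynamic entries are reported.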
### Part 2 - Multiple-Context Firewall V4 LAB Exam Points ###
Lab 2 topology:
Environment description:
This topology contains four routers (hostnames Outside, Adm-DMZ, Inside and Vir-DMZ), one firewall (hostname: ASA) and one switch (hostname: SW).
The E0/0 interfaces of the four routers connect to the switch's E1/0-3 interfaces, and the ASA's G0/0-1 interfaces connect to the switch's E0/0-1 interfaces. On the switch, assign each device to a VLAN as shown in the diagram.
| Device | IP/Mask |
|---|---|
| Outside router E0/0 | 202.100.1.1/24 |
| Inside router E0/0 | 192.168.1.1/24 |
| Adm-DMZ router E0/0 | 172.16.1.1/24 |
| Vir-DMZ router E0/0 | 10.1.1.1/24 |
| SW switch | |
| E1/0 | VLAN2 |
| E1/1 | VLAN3 |
| E1/2 | VLAN4 |
| E1/3 | VLAN5 |
| E0/0 | VLAN2 |
| E0/1 | VLAN3,4,5 |
Lab 2 requirements:
Initialize the firewall in multiple-context mode as shown in the topology, with contexts named admin and Vir; in the admin context, no interface may show its interface type, for example G0. (Switching the firewall mode hangs the device; just reboot it. You can refer to the instructor's video.)
Device configuration:
ASA:
hostname FW
!
interface Ethernet0
!
interface Ethernet1
!
interface Ethernet1.3
vlan 3
!
interface Ethernet1.4
vlan 4
!
interface Ethernet1.5
vlan 5
!
admin-context Admin
context Admin
allocate-interface Ethernet0
allocate-interface Ethernet1.3-Ethernet1.4
config-url disk0:/Admin.cfg
!
context Vir
allocate-interface Ethernet0 outside
allocate-interface Ethernet1.4 inside
allocate-interface Ethernet1.5 dmz
config-url disk0:/Vir.cfg
Admin context (disk0:/Admin.cfg):
hostname Admin
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
nameif Outside
security-level 0
ip address 202.100.1.10 255.255.255.0
!
interface Ethernet1.3
nameif dmz
security-level 50
ip address 172.16.1.10 255.255.255.0
!
interface Ethernet1.4
nameif inside
security-level 100
Vir context (disk0:/Vir.cfg):
hostname Vir
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface outside
nameif outside
security-level 0
ip address 202.100.1.20 255.255.255.0
!
interface inside
nameif inside
security-level 100
ip address 192.168.1.20 255.255.255.0
!
interface dmz
nameif dmz
security-level 50
ip address 10.1.1.20 255.255.255.0
!
Translate the HTTP server Admin.dmz (router) to the outside address 202.100.1.100; translate the Telnet server Vir.dmz (router) to the outside address 202.100.1.101; test from the Outside device and take screenshots.
Hint: you should see output like the following
Outside#telnet 202.100.1.100 80
Trying 202.100.1.100, 80 ... Open
/GET
HTTP/1.1 400 Bad Request
Date: Sun, 18 Dec 2016 14:29:49 GMT
Server: cisco-IOS
Accept-Ranges: none
ASA/admin(config)# sh xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from DMZ:172.16.1.1 80-80 to Outside:202.100.1.100 80-80
flags sr idle 0:20:19 timeout 0:00:00
Outside#telnet 202.100.1.101
Trying 202.100.1.101 ... Open
User Access Verification
Password:
Vir.DMZ>
ASA/Vir(config)# sh xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from DMZ:10.1.1.1 23-23 to Outside:202.100.1.101 23-23
flags sr idle 0:20:19 timeout 0:00:00
Device configuration:
Admin:
object network dmz-to-outside
host 172.16.1.1
nat (dmz,outside) static 202.100.1.100
!
access-list out extended permit tcp any host 172.16.1.1 eq 80
access-group out in interface outside
Vir:
object network dmz-to-outside
host 10.1.1.1
nat (dmz,outside) static 202.100.1.101
!
access-list out extended permit tcp any host 10.1.1.1 eq telnet
access-group out in interface outside
!
Test results:
On the admin context, translate the internal network 192.168.1.0/24 to the outside interface (PAT), and test by Telnetting from the Inside device to the Outside router.
Hint: you should see output like the following
Inside#telnet 202.100.1.1
Trying 202.100.1.1 ... Open
User Access Verification
Password:
Outside>
ASA/admin(config)# sh xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from DMZ:172.16.1.1 80-80 to Outside:202.100.1.100 80-80
flags sr idle 0:01:17 timeout 0:00:00
TCP PAT from Inside:192.168.1.1/60754 to Outside:202.100.1.10/60754 flags ri idle 0:00:03 timeout 0:20:19
Device configuration:
object network inside-net
subnet 192.168.1.0 255.255.255.0
nat (inside,Outside) dynamic interface
Manually assign interface MAC addresses (Ethernet1.4 is allocated to both contexts, so each context needs its own MAC address on that shared interface for the ASA to classify incoming frames to the correct context):
Admin:
interface Ethernet1.4
mac-address 0001.0001.0001
Vir:
interface inside
mac-address 0001.0002.0001
Test results:
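A parser for the `show xlate` output used in the static NAT and PAT tests above, with the two checks a reviewer would run on it, as an added Python example (written for this page; not the assignment's or Cisco's code). The sample string is the admin-context output shown in the hint, with its Flags legend kept so the parser is seen skipping it. The parser handles both line shapes that output contains: a static entry wrapped onto a second `flags ...` line with `low-high` port ranges, and a single-line dynamic entry with `/port`. Accepting `NAT from` lines without ports is an assumption about entries the page does not show. The checks confirm that 172.16.1.1:80 is exposed as 202.100.1.100:80 by a static portmap entry and that only addresses from 192.168.1.0/24 are being hidden behind the interface address 202.100.1.10.

```python
"""Parser and checks for ASA `show xlate` output (added example, not Cisco's or the lab's code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the admin-context `show xlate` output the assignment expects after the
# static NAT for the DMZ HTTP server and the interface PAT for 192.168.1.0/24 are in place.
SHOW_XLATE_ADMIN = """\
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from DMZ:172.16.1.1 80-80 to Outside:202.100.1.100 80-80
flags sr idle 0:01:17 timeout 0:00:00
TCP PAT from Inside:192.168.1.1/60754 to Outside:202.100.1.10/60754 flags ri idle 0:00:03 timeout 0:20:19
"""

Ports = Optional[Tuple[int, int]]


@dataclass(frozen=True)
class Xlate:
    proto: str
    real_ifc: str
    real_ip: str
    real_ports: Ports      # (low, high); None for an entry without ports
    mapped_ifc: str
    mapped_ip: str
    mapped_ports: Ports
    flags: str


# An endpoint is "ifc:ip" followed by either "/port" (dynamic PAT) or " low-high" (static PAT).
# Accepting "NAT from" entries without ports is an assumption; the lab output shows only PAT.
ENDPOINT = r"([^:\s]+):(\d+\.\d+\.\d+\.\d+)(?:/(\d+)|\s+(\d+)-(\d+))?"
XLATE_LINE = re.compile(rf"^(\S+) (?:PAT|NAT) from {ENDPOINT} to {ENDPOINT}\s+flags (\S+) idle \S+ timeout \S+$")


def _ports(single: Optional[str], low: Optional[str], high: Optional[str]) -> Ports:
    if single:
        return (int(single), int(single))
    if low:
        return (int(low), int(high))
    return None


def parse_show_xlate(text: str) -> List[Xlate]:
    # The ASA wraps long entries onto a second line beginning with "flags"; re-join those first.
    records: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("flags ") and records:
            records[-1] += " " + line
        else:
            records.append(line)
    entries = []
    for rec in records:
        m = XLATE_LINE.match(rec)
        if not m:
            continue    # the "in use" counter and the Flags legend do not match
        g = m.groups()
        entries.append(Xlate(g[0], g[1], g[2], _ports(g[3], g[4], g[5]),
                             g[6], g[7], _ports(g[8], g[9], g[10]), g[11]))
    return entries


def has_static_port_forward(entries, real_ip, real_port, mapped_ip, mapped_port) -> bool:
    """True if a static (s) portmap (r) entry exposes real_ip:real_port as mapped_ip:mapped_port."""
    return any("s" in e.flags and "r" in e.flags
               and e.real_ip == real_ip and e.real_ports == (real_port, real_port)
               and e.mapped_ip == mapped_ip and e.mapped_ports == (mapped_port, mapped_port)
               for e in entries)


def dynamic_pat_sources(entries, mapped_ip, subnet) -> List[str]:
    """Real addresses inside `subnet` currently hidden behind mapped_ip by dynamic (i) PAT."""
    net = ipaddress.ip_network(subnet)
    return sorted({e.real_ip for e in entries
                   if "i" in e.flags and e.mapped_ip == mapped_ip
                   and ipaddress.ip_address(e.real_ip) in net})


def audit_admin_context(text: str = SHOW_XLATE_ADMIN) -> dict:
    entries = parse_show_xlate(text)
    return {
        "entries": len(entries),
        "dmz http exposed as 202.100.1.100:80": has_static_port_forward(entries, "172.16.1.1", 80, "202.100.1.100", 80),
        "inside hosts behind interface pat": dynamic_pat_sources(entries, "202.100.1.10", "192.168.1.0/24"),
    }


if __name__ == "__main__":
    print(audit_admin_context())
```

The same parser applies unchanged to the Vir context output from the earlier test, where the entry to confirm is 10.1.1.1:23 exposed as 202.100.1.101:23.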
To conserve ASA system resources, limit the admin context to 1 management Telnet session and 1 ASDM session; limit the Vir context to 50% of the connection resources and 20000 translation entries.
Device configuration:
class Level1
limit-resource Telnet 1
limit-resource ASDM 1
!
class Level2
limit-resource Conns 50.0%
limit-resource Xlates 20000
!
context Admin
member Level1
!
context Vir
member Level2