2025-01-15 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
1. Overview:
Today a friend asked for help over QQ with the environment below: the ASA configuration had been checked and the policy permits everything, yet the access still failed, which was puzzling.
Rebuilding the environment in GNS3 and capturing packets on both sides of the firewall shows that the TCP three-way handshake completes normally, but the HTTP GET sent by the client on the inside of the firewall is discarded by the firewall. Searching Google for the keywords "ASA tcp 2000" turned up the following links:
http://blog.csdn.net/yangcage/article/details/1787558
http://www.petenetlive.com/KB/Article/0000027.htm
Conclusion: the ASA treats traffic to external TCP port 2000 as Skinny (SCCP) protocol traffic, but it is actually HTTP. Because the two protocols have different data structures, the default skinny inspection lets the TCP three-way handshake complete and then discards the HTTP application packets that follow. Further testing covers three situations:
The first: the external web application's port is not in the default inspection list, for example TCP 8080.
The second: the external web application's port is in the default inspection list, but no traffic of the inspected protocol actually exists, for example TCP 2000.
The third: the external web application's port is in the default inspection list, and the protocol inspected by default on that port must also remain enabled.
2. Test topology:
3. Basic configuration:
A. PC1:
IP: 10.1.1.8/24, GW: 10.1.1.1
B. ASA842 firewall:
interface GigabitEthernet0
 nameif Inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 no shut
interface GigabitEthernet1
 nameif Outside
 security-level 0
 ip address 202.100.1.1 255.255.255.0
 no shut
object network Inside-net
 subnet 10.1.1.0 255.255.255.0
 nat (Inside,Outside) dynamic interface
C. WebServer:
Two IP addresses configured on a single network card: 202.100.1.100/24 and 202.100.1.101/24
IIS runs on it.
4. Test steps:
a. The external web application's port is not in the default inspection list, for example TCP 8080
This situation needs no additional firewall configuration. Under the firewall's default access rules, PC1 on Inside can directly reach the WebServer on Outside through http://202.100.1.100:8080.
b. The external web application's port is in the default inspection list, but no traffic of the inspected protocol actually exists
For example, if the external web port is TCP 2000, simply remove the default skinny inspection of TCP 2000:
policy-map global_policy
 class inspection_default
  no inspect skinny
After this, PC1 on Inside can reach the WebServer on Outside through either http://202.100.1.100:2000 or http://202.100.1.101:2000.
c. The external web application's port is in the default inspection list, and traffic of the inspected protocol also exists
For example, the external web port is TCP 2000, and real Skinny traffic on TCP 2000 also exists, so the default skinny inspection cannot simply be removed.
Method ① below does not work:
access-list tcp2000web permit tcp any host 202.100.1.101 eq 2000
class-map tcp2000web_traffic
 match access-list tcp2000web
class-map skinny_traffic
 match port tcp eq 2000
policy-map global_policy
 class inspection_default
  no inspect skinny
 class tcp2000web_traffic
  inspect http
 class skinny_traffic
  inspect skinny
ciscoasa# show service-policy
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
      ... (output omitted)
    Class-map: web2000
      Inspect: http, packet 4, drop 0, reset-drop 0
    Class-map: global_skinny
      Inspect: skinny, packet 4, drop 1, reset-drop 0
        tcp-proxy: bytes in buffer 0, bytes dropped 0
It seems that class-maps within the same policy-map are evaluated in sequence, much like the relationship between an interface policy-map and the global policy-map: a packet that passes one inspection is still handed to the later one. Here the HTTP packets I sent passed the http inspection of the earlier Class-map: web2000, but were then dropped by the later Class-map: global_skinny.
Method ② below does work:
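As an added example (not from the original article), a small Python parser for the show service-policy counters above: it reports which inspection engine is dropping packets and flags class-maps in different classes whose packet counters move in lockstep, which is the symptom seen here when the same HTTP flows were inspected by both the http and skinny classes. The sample output is constructed from the article's counters (the ftp line is added for variety).

```python
import re

# Constructed sample, modelled on the "show service-policy" output in this article.
SAMPLE_OUTPUT = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 12, drop 0, reset-drop 0
    Class-map: web2000
      Inspect: http, packet 4, drop 0, reset-drop 0
    Class-map: global_skinny
      Inspect: skinny, packet 4, drop 1, reset-drop 0
        tcp-proxy: bytes in buffer 0, bytes dropped 0
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)")
# "Inspect: <engine> [<policy-map>], packet N, drop N, reset-drop N"
INSPECT_RE = re.compile(
    r"^\s*Inspect:\s+(?P<engine>[\w-]+)(?:\s+(?P<map>\S+))?,"
    r"\s*packet\s+(?P<packet>\d+),\s*drop\s+(?P<drop>\d+),\s*reset-drop\s+(?P<reset>\d+)"
)


def parse_service_policy(text):
    """Return [(class_map, engine, packets, drops, reset_drops)] for every Inspect line."""
    rows, current = [], None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)  # each Inspect line belongs to the last Class-map seen
            continue
        m = INSPECT_RE.match(line)
        if m and current is not None:
            rows.append((current, m.group("engine"), int(m.group("packet")),
                         int(m.group("drop")), int(m.group("reset"))))
    return rows


def dropping_inspections(text):
    """(class_map, engine, total_drops) for inspections that dropped or reset packets."""
    return [(c, e, d + r) for c, e, _p, d, r in parse_service_policy(text) if d + r > 0]


def double_inspected(text):
    """Heuristic: engines in different class-maps with equal non-zero packet counters,
    which is what the same flows being handed to two inspections looks like here."""
    rows = [(c, e, p) for c, e, p, _d, _r in parse_service_policy(text) if p > 0]
    return [(a[0], a[1], b[0], b[1]) for i, a in enumerate(rows)
            for b in rows[i + 1:] if a[0] != b[0] and a[2] == b[2]]
```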
access-list skinny extended deny tcp any host 202.100.1.100 eq 2000
access-list skinny extended permit tcp any any eq 2000
class-map skinny_traffic
 match access-list skinny
policy-map global_policy
 class inspection_default
  no inspect skinny
 class skinny_traffic
  inspect skinny
At this point, PC1 on Inside can reach the WebServer on Outside through http://202.100.1.100:2000, but not through http://202.100.1.101:2000, because traffic to 202.100.1.101:2000 is classified as skinny and inspected as such.