2025-01-19 Update From: SLTechnology News&Howtos > Network Security
Shulou(Shulou.com) 06/01 Report--
Lab Topology:
Experimental requirements:
1. The DMZ publishes a web server, and Client 2 can access Server 3
2. Use the command show conn detail to view the Conn table
3. View the routing tables of the ASA and the AR router respectively
4. Configure an ACL to prohibit Client 3 from accessing Server 2
5. What is the principle of a stateful firewall?
6. What default rules apply when interfaces with different security levels on the ASA access each other?
7. What is the purpose of configuring an ACL on the ASA?
The steps of the experiment:
1. Configure the IP address (the gateway of each segment) and the security level for Port 0, Port 1 and Port 2 respectively.
Port 0 (inside):
ciscoasa(config)# interface gigabitEthernet 0
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip address 192.168.1.254 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# security-level 100
Port 1 (outside, on the 192.168.8.0/24 network used by Client 2 and Server 2):
ciscoasa(config)# interface gigabitEthernet 1
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip address 192.168.8.254 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# security-level 0
Port 2 (DMZ):
ciscoasa(config)# interface gigabitEthernet 2
ciscoasa(config-if)# nameif DMZ
ciscoasa(config-if)# ip address 192.168.3.254 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# security-level 50
2. Configure the IP addresses of the router interfaces G0/0/0, G0/0/1 and G0/0/2 respectively:
G0/0/0:
[R1] interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0] ip address 192.168.1.1 255.255.255.0
[R1-GigabitEthernet0/0/0] undo shutdown
G0/0/1:
[R1] interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1] ip address 10.1.1.254 255.255.255.0
[R1-GigabitEthernet0/0/1] undo shutdown
G0/0/2:
[R1] interface GigabitEthernet 0/0/2
[R1-GigabitEthernet0/0/2] ip address 10.2.2.1 255.255.255.0
[R1-GigabitEthernet0/0/2] undo shutdown
3. Configure static routes on the firewall and a default route on the router.
Firewall:
ciscoasa(config)# route inside 10.1.1.0 255.255.255.0 192.168.1.1
ciscoasa(config)# route inside 10.2.2.0 255.255.255.0 192.168.1.1
Router:
[R1] ip route-static 0.0.0.0 0.0.0.0 192.168.1.254
With the above configuration Client 1 can access Server 2 and Server 3: traffic from inside (security level 100) towards outside (0) and DMZ (50) goes from a higher to a lower security level, so no ACL is needed for it.
As shown in the figures:
Client 1 accesses Server 2
Client 1 accesses Server 3
4. Allow Client 2 to access Server 3 (outside has a lower security level than DMZ, so this direction needs an ACL):
ciscoasa(config)# access-list out-to-DMZ permit ip host 192.168.8.1 host 192.168.3.100
ciscoasa(config)# access-group out-to-DMZ in interface outside
As shown in the figure:
5. View the conn table:
ciscoasa# show conn detail
As shown in the figure:
6. View the routing tables of the ASA and the AR router:
ASA:
As shown in the figure:
AR:
As shown in the figure:
7. Configure an ACL to prohibit Client 3 from accessing Server 2
Configuration commands:
ciscoasa(config)# access-list DMZ-to-out deny ip host 192.168.3.1 host 192.168.8.100
ciscoasa(config)# access-group DMZ-to-out in interface DMZ
Verify as shown in the following figure:
8. What is the principle of a stateful firewall?
A stateful firewall keeps a connection table, the Conn table, that records each permitted user connection; return traffic that belongs to a recorded connection is forwarded without being checked against the policy again.
9. What default rules apply when interfaces with different security levels on the ASA access each other?
Outbound connections (from a higher to a lower security level) are allowed
Inbound connections (from a lower to a higher security level) are denied
Communication between interfaces with the same security level is denied
10. What is the purpose of configuring an ACL on the ASA?
1. To allow an interface with a lower security level to access one with a higher security level
2. To control traffic (routing and switching between interfaces)
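To make the three rules concrete (the conn table from requirement 5, the security-level defaults from requirement 6 and the ACL behaviour from requirement 7), here is a small Python model of the forwarding decision. It is an added illustration written for this page, not Cisco code and not part of the lab; it uses the lab's addresses (Client 2 192.168.8.1, Server 2 192.168.8.100, Client 3 192.168.3.1, Server 3 192.168.3.100) and assumes a constructed address 10.1.1.1 for Client 1 and the 192.168.8.0/24 network behind the outside interface.

```python
"""Toy model of the forwarding decision a Cisco ASA makes for one packet.

Added illustration, not Cisco code. It models only the three rules from the lab:
  1. stateful: a packet matching an entry in the conn table is forwarded
     without re-evaluating policy (this is how a server's reply gets back
     in through a lower-security interface);
  2. an access-group on the ingress interface replaces the security-level
     rule, and every ASA ACL ends with an implicit deny;
  3. with no ACL, higher -> lower security level is permitted (outbound),
     lower -> higher is denied (inbound), equal levels are denied.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 40000
    dport: int = 80

    def key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reply(self):
        """The mirrored 5-tuple of the server's reply."""
        return Packet(self.dst, self.src, self.proto, self.dport, self.sport)


@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: str     # one host address, or "any"
    dst: str

    def matches(self, pkt):
        return self.src in ("any", pkt.src) and self.dst in ("any", pkt.dst)


@dataclass
class Interface:
    nameif: str
    security_level: int
    networks: list                       # subnets reached through this interface
    access_group: Optional[list] = None  # ACL applied "in" on this interface


class Asa:
    def __init__(self, interfaces):
        self.interfaces = interfaces
        self.conn_table = set()  # keys of flows that have been permitted

    def route(self, addr):
        """Routing lookup: which interface is this address behind?"""
        ip = ipaddress.ip_address(addr)
        for iface in self.interfaces:
            if any(ip in ipaddress.ip_network(n) for n in iface.networks):
                return iface
        raise ValueError(f"no route to {addr}")

    def forward(self, pkt):
        """Return (allowed, reason); a permitted first packet creates the conn entry."""
        if pkt.key() in self.conn_table:
            return True, "conn table hit"
        ingress, egress = self.route(pkt.src), self.route(pkt.dst)
        if ingress.access_group is not None:
            for ace in ingress.access_group:
                if ace.matches(pkt):
                    allowed = ace.action == "permit"
                    reason = f"ACL on {ingress.nameif}: {ace.action} {ace.src} -> {ace.dst}"
                    break
            else:
                allowed, reason = False, f"ACL on {ingress.nameif}: implicit deny"
        elif ingress.security_level > egress.security_level:
            allowed, reason = True, "outbound (higher -> lower security level)"
        elif ingress.security_level < egress.security_level:
            allowed, reason = False, "inbound (lower -> higher security level)"
        else:
            allowed, reason = False, "same security level"
        if allowed:
            self.conn_table.add(pkt.key())
            self.conn_table.add(pkt.reply().key())  # the reply belongs to the same conn
        return allowed, reason

    def show_conn(self):
        """Rough equivalent of 'show conn': one line per recorded flow direction."""
        return sorted(f"{p} {s}:{sp} -> {d}:{dp}" for p, s, sp, d, dp in self.conn_table)


def build_lab(dmz_acl=True):
    """The lab's interfaces and ACLs; 10.1.1.1 for Client 1 is a constructed value."""
    inside = Interface("inside", 100, ["192.168.1.0/24", "10.1.1.0/24", "10.2.2.0/24"])
    outside = Interface("outside", 0, ["192.168.8.0/24"],
                        access_group=[Ace("permit", "192.168.8.1", "192.168.3.100")])
    dmz = Interface("DMZ", 50, ["192.168.3.0/24"],
                    access_group=[Ace("deny", "192.168.3.1", "192.168.8.100")] if dmz_acl else None)
    return Asa([inside, outside, dmz])


if __name__ == "__main__":
    asa = build_lab()
    for pkt in (Packet("10.1.1.1", "192.168.8.100"),                        # Client 1 -> Server 2
                Packet("192.168.8.100", "10.1.1.1", sport=80, dport=40000),  # its reply
                Packet("192.168.8.1", "192.168.3.100"),                     # Client 2 -> Server 3
                Packet("192.168.3.1", "192.168.8.100"),                     # Client 3 -> Server 2
                Packet("192.168.3.1", "192.168.8.1")):                      # Client 3 -> Client 2
        print(pkt.src, "->", pkt.dst, asa.forward(pkt))
    print(*asa.show_conn(), sep="\n")
```

Running it shows the reply from Server 2 being forwarded by a conn table hit rather than by policy, which is what show conn detail lets you confirm on the real device. It also shows a point the lab's verification does not cover: once DMZ-to-out is applied to the DMZ interface, the security-level rule no longer applies to that interface, and the implicit deny at the end of the ACL blocks Client 3 from every other outside host as well (compare build_lab(dmz_acl=False)). If only Server 2 is meant to be unreachable, the ACL needs a trailing permit for the traffic that should still flow.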
The above configuration shows that:
1. Client 2 can access Server 3.
As shown in the figure:
2. Client 3 cannot access Server 2.
As shown in the figure: