
Function Test of ASA 5520 Virtual Firewall based on GNS3

2025-02-05 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/01 Report--

Objective:

Test some of the functional configurations of an ASA running 8.4(2) on GNS3:

1. The intranet client accesses the public network.
2. The external network accesses the intranet server.
3. Lan-to-Lan IPSEC × × ×

Lab Topology: (the topology diagram is not reproduced on this page)

1. An intranet client accesses the external network through the firewall

PC-1: IP 192.168.1.2/24, default gateway 192.168.1.1

R1:
 interface F0/0: 192.168.1.1/24
 interface F1/0: 192.168.2.1/24
 default route: ip route 0.0.0.0 0.0.0.0 192.168.2.2

ASA-1:

interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 192.168.2.2 255.255.255.0
!
interface GigabitEthernet1
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
!
access-list in-2-out extended permit ip any any
access-group in-2-out in interface outside   # note: applied inbound on the outside interface, this ACL permits all traffic coming from the outside; inside-to-outside traffic already passes by security level (100 to 0) and needs no ACL
nat (inside,outside) source dynamic any interface   # dynamic PAT: every inside host is translated to the outside interface address
route outside 0.0.0.0 0.0.0.0 172.16.1.2 1
route inside 192.168.1.0 255.255.255.0 192.168.2.1 1

Test:

PC-1> ping 172.16.1.3
84 bytes from 172.16.1.3 icmp_seq=1 ttl=254 time=269.845 ms
84 bytes from 172.16.1.3 icmp_seq=2 ttl=254 time=101.949 ms
84 bytes from 172.16.1.3 icmp_seq=3 ttl=254 time=159.903 ms
84 bytes from 172.16.1.3 icmp_seq=4 ttl=254 time=181.896 ms
84 bytes from 172.16.1.3 icmp_seq=5 ttl=254 time=208.890 ms

R1#ssh -l root 172.16.1.3
Password:
R3>


2. The external network accesses the intranet server

The previous configuration remains the same, and the following configuration is added:

object network 172.16.1.10
 host 172.16.1.10   # public network address
object network 2.1_telnet
 host 192.168.2.1   # private network address
 nat (inside,outside) static 172.16.1.10 service tcp telnet telnet   # static PAT: 172.16.1.10:23 on the outside is mapped to 192.168.2.1:23 on the inside

Note: port mapping to the outside interface address itself could not be made to work; different methods were tried: 1. adding a policy; 2. adding policies. It is suspected that this is due to the firewall version or the virtual machine. The configuration that was tried is as follows:

object network 2.1_ssh
 host 192.168.2.1
 nat (inside,outside) static interface service tcp ssh ssh

Test results:

R3#telnet 172.16.1.10
Trying 172.16.1.10 ... Open

User Access Verification

Username: root
Password:
R1>en


3. Lan-to-Lan IPSEC × × ×

The previous configuration remains the same, and the following configuration is added:

object network inside
 subnet 192.168.1.0 255.255.255.0   # defines the local network address
object network remote-site-address
 subnet 192.168.4.0 255.255.255.0   # defines the remote network address
nat (inside,outside) source static inside inside destination static remote-site-address remote-site-address   # identity NAT for the traffic of interest, so the tunnel traffic is not translated (note: manual NAT rules are matched in the order they were entered, so this line has to sit above the "source dynamic any interface" rule, e.g. inserted with "nat (inside,outside) 1 source static ...", otherwise the dynamic PAT matches first)
crypto ipsec ikev1 transform-set test esp-3des esp-md5-hmac   # phase 2 algorithms (3DES and MD5 are legacy choices, used here as in the lab)
crypto map crymap 10 match address *
crypto map crymap 10 set peer 172.16.1.2
crypto map crymap 10 set ikev1 transform-set test
crypto map crymap interface outside
crypto ikev1 enable outside   # defines the crypto map parameters and applies them to the public network interface; 172.16.1.2 is the peer's public network address
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400   # defines the phase 1 (IKE) encryption parameters of IPSEC
tunnel-group 172.16.1.2 type ipsec-l2l
tunnel-group 172.16.1.2 ipsec-attributes
 ikev1 pre-shared-key *   # defines the tunnel type and sets the phase 1 pre-shared key

Test:

PC-1> ping 192.168.4.2
192.168.4.2 icmp_seq=1 timeout
192.168.4.2 icmp_seq=2 timeout
84 bytes from 192.168.4.2 icmp_seq=3 ttl=62 time=229.871 ms
84 bytes from 192.168.4.2 icmp_seq=4 ttl=62 time=400.765 ms
84 bytes from 192.168.4.2 icmp_seq=5 ttl=62 time=91.948 ms

Note: the tunnel has not been negotiated yet when the first packets are sent, so a few packets are lost at the beginning; this is normal.

Ping from the peer side:

PC-2> ping 192.168.1.2
84 bytes from 192.168.1.2 icmp_seq=1 ttl=62 time=350.800 ms
84 bytes from 192.168.1.2 icmp_seq=2 ttl=62 time=228.867 ms
84 bytes from 192.168.1.2 icmp_seq=3 ttl=62 time=206.881 ms
84 bytes from 192.168.1.2 icmp_seq=4 ttl=62 time=299.828 ms
84 bytes from 192.168.1.2 icmp_seq=5 ttl=62 time=284.829 ms
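As an added example (not from the original article and not Cisco code), here is a small Python model of the NAT rules configured in sections 1 to 3, evaluated in ASA order: it shows how the identity rule exempts the tunnel traffic, how the static PAT untranslates the telnet connection, and what happens when the identity rule is entered after the dynamic PAT rule. The packets, rule functions and rule orders are constructed for this example; it assumes the elided crypto ACL matches 192.168.1.0/24 to 192.168.4.0/24.

```python
import ipaddress

# Constructed model of the NAT rules configured above (example code, not ASA
# software). An ASA walks its NAT table top-down and takes the first match:
# section 1 (manual NAT, in the order the lines were entered), then section 2
# (object NAT). Rule order decides whether the tunnel traffic escapes PAT.
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")   # object "inside"
REMOTE_NET = ipaddress.ip_network("192.168.4.0/24")   # object "remote-site-address"
OUTSIDE_IF = "172.16.1.1"                              # PAT address ("interface")

def packet(src, dst, direction, proto="icmp", dport=None):
    """direction is "out" (inside to outside) or "in" (outside to inside)."""
    return {"src": src, "dst": dst, "dir": direction, "proto": proto, "dport": dport}

def vpn_identity(pkt):
    """nat (inside,outside) source static inside inside destination static remote-site-address remote-site-address"""
    if ipaddress.ip_address(pkt["src"]) in INSIDE_NET and ipaddress.ip_address(pkt["dst"]) in REMOTE_NET:
        return dict(pkt, rule="identity NAT (tunnel traffic, not translated)")
    return None

def dynamic_pat(pkt):
    """nat (inside,outside) source dynamic any interface (outbound only)"""
    if pkt["dir"] == "out":
        return dict(pkt, src=OUTSIDE_IF, rule="dynamic PAT to outside interface")
    return None

def static_telnet(pkt):
    """object network 2.1_telnet: nat (inside,outside) static 172.16.1.10 service tcp telnet telnet"""
    if pkt["dir"] == "in" and pkt["dst"] == "172.16.1.10" and pkt["proto"] == "tcp" and pkt["dport"] == 23:
        return dict(pkt, dst="192.168.2.1", rule="static PAT 2.1_telnet (untranslate destination)")
    return None

def translate(pkt, section1_order):
    """Apply the section 1 rules in the given order, then the section 2 object NAT rule."""
    for rule in list(section1_order) + [static_telnet]:
        hit = rule(pkt)
        if hit:
            return hit
    return dict(pkt, rule="no NAT")

# Intended order: identity rule first, so the lab's ping to 192.168.4.2 stays untranslated.
GOOD_ORDER = (vpn_identity, dynamic_pat)
# Order you get if the identity line is entered after the dynamic PAT line:
# the tunnel traffic is PATed to 172.16.1.1 and is no longer 192.168.1.0/24 -> 192.168.4.0/24.
BAD_ORDER = (dynamic_pat, vpn_identity)

if __name__ == "__main__":
    for order in (GOOD_ORDER, BAD_ORDER):
        r = translate(packet("192.168.1.2", "192.168.4.2", "out"), order)
        print(f'{r["rule"]}: {r["src"]} -> {r["dst"]}')
    r = translate(packet("172.16.1.3", "172.16.1.10", "in", "tcp", 23), GOOD_ORDER)
    print(f'{r["rule"]}: {r["src"]} -> {r["dst"]}:{r["dport"]}')
```

Compare with the real box using "show nat detail" and "show xlate": the hit counts there tell you which rule actually matched.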


Some useful ASA diagnostic commands:

show run nat
show run object-network
show run object-group
show nat detail
show xlate
show conn
show nat pool
debug nat 255
