Shulou (Shulou.com) 06/01 report, updated 2025-01-20, from SLTechnology News&Howtos (Network Security)
Topology:
In (R1) -- (inside) ASA 5520 (outside) -- Out (R2)

ASA configuration:

ASA Version 8.4(2)
!
hostname ciscoasa
enable password rQETR98wpSI1Lpr9 encrypted
passwd rQETR98wpSI1Lpr9 encrypted
names
!
interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 192.168.1.4 255.255.255.0
!
interface GigabitEthernet1
 nameif dmz
 security-level 50
 no ip address
!
interface GigabitEthernet2
 nameif outside
 security-level 0
 ip address 10.254.1.1 255.255.255.0
!
ftp mode passive
object network test
 host 192.168.1.5
pager lines 24
logging enable
logging asdm informational
logging debug-trace
mtu inside 1500
mtu dmz 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network test
 nat (inside,outside) dynamic 10.254.1.10      <-- dynamic NAT
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
username netemu password QTbvAEdn30mERkZb encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
crashinfo save disable
Cryptochecksum:bfa7c38d2288de6d8cb12bd5c4be8eb6
: end

NAT translation hit counters:

ciscoasa# show nat detail
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic test 10.254.1.10
    translate_hits = 126, untranslate_hits = 90
    Source - Origin: 192.168.1.5/32, Translated: 10.254.1.10/32

During the experiment it was found that the inspect icmp entry under the inspection engine had been removed, and the following configuration had to be added back manually (it is present in the running configuration shown above; a detailed explanation of inspect icmp follows below):

policy-map global_policy
 class inspection_default
  inspect icmp

Inside router configuration:

In#show running-config
Building configuration...

Current configuration : 959 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
!
ip domain name lab.local
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
interface FastEthernet0/0
 ip address 192.168.1.5 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.4
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end

Outside router configuration:

Out#show run
Building configuration...

Current configuration : 1006 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Out
!
no ip domain lookup
ip domain name lab.local
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
username admin password 0 cisco
!
interface FastEthernet0/0
 ip address 10.254.1.5 255.255.255.0
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.254.1.1      <-- default route points back toward the inside network (the ASA outside interface)
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 password cisco
 login
!
end

To follow what happened, we need to understand how the ASA defines inbound and outbound:

high security level -> low security level: outbound
low security level -> high security level: inbound

By default, outbound traffic is allowed (with the special cases described below) and inbound traffic is denied. In other words, a connection initiated from the high-security side toward the low-security side is permitted, and its return traffic is allowed back in as part of that connection; but a connection cannot be initiated directly from the low-security side toward the high-security side. An ACL can deny or permit traffic in either direction.
The following is extracted from the ASA 8.4 configuration guide; it describes how the inspection engine handles the return traffic of certain protocols.
ACL return-traffic rules:

For TCP and UDP connections, in both routed and transparent mode, you do not need an access rule to allow returning traffic, because the ASA allows all returning traffic for established, bidirectional connections. For connectionless protocols such as ICMP, however, the ASA establishes unidirectional sessions, so you either need access rules to allow ICMP in both directions (by applying access lists to the source and destination interfaces), or you need to enable the ICMP inspection engine. The ICMP inspection engine treats ICMP sessions as bidirectional connections. To control ping, specify echo-reply (0) (ASA to host) or echo (8) (host to ASA).
Cisco's official documentation explains this clearly; it deserves our respect!
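As an added example (not part of the original write-up), here are the two ways the Cisco text describes of letting the echo-reply back through the ASA, written against the lab's own addressing (In = 192.168.1.5, mapped to 10.254.1.10 on outside; Out = 10.254.1.5). The ACL name outside_in is an assumed name, not one from the write-up.

```cisco
! A ping from In to Out: the echo (type 8) leaves inside -> outside (high to
! low, allowed by default; counted as a translate_hit as 192.168.1.5 becomes
! 10.254.1.10). The echo-reply (type 0) from 10.254.1.5 arrives on outside
! addressed to 10.254.1.10, is untranslated back to 192.168.1.5, and is then
! dropped unless one of the two options below is present, because ICMP on its
! own gets no bidirectional connection entry.

! ---- Option A (what the lab had to re-add): the ICMP inspection engine ----
! The inspection engine tracks each outgoing echo as a session and admits
! only the matching reply; no ACL is needed on the outside interface.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
service-policy global_policy global

! ---- Option B: no ICMP inspection, explicit ACL on the low-security side ----
! Since ASA 8.3, interface ACLs match the real (pre-NAT) address, so the rule
! names 192.168.1.5, not the mapped address 10.254.1.10.
access-list outside_in extended permit icmp any host 192.168.1.5 echo-reply
access-list outside_in extended permit icmp any host 192.168.1.5 time-exceeded
access-list outside_in extended permit icmp any host 192.168.1.5 unreachable
access-group outside_in in interface outside

! Caveat for Option B: the ACL is stateless. Any outside host can now send
! unsolicited echo-replies and unreachables to 192.168.1.5 at any time, and
! every ICMP type you want returned needs its own entry. Option A only admits
! a reply that matches an echo the ASA actually saw leave.

! ---- Verification ----
! show service-policy inspect icmp   -> per-interface inspect counters (Option A)
! show access-list outside_in        -> hitcnt on each ACE (Option B)
! show nat detail                    -> translate_hits / untranslate_hits, as in the write-up
```

Option A is the one to prefer in practice: it gives ICMP the same "return traffic of an established connection" treatment the ASA already applies to TCP and UDP, instead of punching a permanent hole on the outside interface.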