2025-01-15 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
Mutual access experiment of ASA 5520 Intranet Port
Test 1: how to configure mutual access on an ASA 5520 between intranet interfaces with different security levels.
Test 2: how to achieve mutual access between ASA 5520 intranet interfaces that have the same security level.
Experimental environment: GNS3-based virtual environment, ASA version 8.4(2)
Experimental topology: R1 (192.168.1.2) sits behind the inside interface, R2 (192.168.2.2) behind inside1 and R3 (192.168.13.3) behind outside; the addressing is in the configurations below.
Basic Router1 configuration:
ip domain-name test.com
username root secret 5 $1$/3e0$pTshnFze2RSAvILS1t6Ak/
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 duplex half
ip route 0.0.0.0 0.0.0.0 192.168.1.1
Basic Router2 configuration:
ip domain-name test.com
username root password 0 root
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.2.2 255.255.255.0
 duplex half
ip route 0.0.0.0 0.0.0.0 192.168.2.1
line vty 0 4
 login local
 transport input telnet ssh
Basic Router3 configuration:
interface FastEthernet0/0
 ip address 192.168.13.3 255.255.255.0
 duplex half
ip route 0.0.0.0 0.0.0.0 192.168.13.1
Basic ASA5520 configuration:
interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1
 nameif inside1
 security-level 90
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet2
 nameif outside
 security-level 0
 ip address 192.168.13.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.13.3 1
route inside 1.1.1.0 255.255.255.0 192.168.1.2 1
route inside1 2.2.2.0 255.255.255.0 192.168.2.2 1
Test:
1. From the addresses of Router1 and Router2, ping Router3:
R1#ping 192.168.13.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#ping 192.168.13.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
2. From the addresses of Router1 and Router2, telnet to Router3:
R1#192.168.13.3
Trying 192.168.13.3... Open
User Access Verification
Username: root
Password:
R3>
R2#192.168.13.3
Trying 192.168.13.3... Open
User Access Verification
Username: root
Password:
R3>
Conclusion: by default, traffic from a higher-security interface to a lower-security one is permitted, but ping still fails. ICMP is not blocked outbound; the echo request leaves normally. The reason is that the ASA does not track ICMP as a connection unless ICMP inspection is enabled, so the echo reply arriving on outside (security level 0) is treated as a new packet from a lower-security interface and is dropped. The fix used here is to permit ICMP inbound on outside:
access-list outside permit icmp any any
access-group outside in interface outside
Note that this also lets hosts on outside initiate ICMP towards both inside networks. Enabling ICMP inspection in the global service policy (inspect icmp) is the usual alternative: replies are then allowed back by connection state without opening ICMP from outside.
At this point, the interface address of Router3 can be pinged from both the inside and inside1 interfaces:
R1#ping 192.168.13.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/70/144 ms
R2#ping 192.168.13.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/50/132 ms
Test:
1. From Router1, ping and telnet to Router2's interface address:
R1#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#192.168.2.2
Trying 192.168.2.2... Open
User Access Verification
Username: root
Password:
R2>
Ping fails but telnet succeeds. The inside interface (level 100) is higher than inside1 (level 90), so the telnet session is permitted by the default rule, while the ICMP echo reply entering inside1 is dropped for the same reason as in Test 1: it is not tracked, and inside1 is lower than inside. This is consistent with the conclusion of Test 1.
Add an inbound access list on inside1 so that the echo reply is permitted:
access-list inside1 permit icmp any any
access-group inside1 in interface inside1
R1#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/65/136 ms
For the lower-security inside1 to reach the higher-security inside, add entries permitting the specific flows to the same list (the ICMP entry above stays in it):
access-list inside1 extended permit tcp host 192.168.2.2 host 192.168.1.2 eq telnet log
access-list inside1 extended permit tcp host 192.168.2.2 host 192.168.1.2 eq ssh log
access-group inside1 in interface inside1
Caveat: once an access list is applied inbound on inside1, its implicit deny replaces the default higher-to-lower permit on that interface. Anything from inside1 that is not listed, including the telnet from R2 to R3 that worked in Test 1, is dropped until it is added to the list.
Test again:
R2#telnet 192.168.1.2
Trying 192.168.1.2... Open
User Access Verification
Username: root
Password:
R1>exit
[Connection to 192.168.1.2 closed by foreign host]
R2#ssh -l root 192.168.1.2
Password:
R1>
The higher-security inside can now be reached from the lower-security inside1.
Conclusion: between intranet interfaces with different security levels, access from the higher-security interface to the lower-security one is permitted by default, except that ping fails until ICMP replies are permitted or inspected. Access from the lower-security interface to the higher-security one requires an access list permitting the flows, applied in the IN direction on the lower-security interface.
Test: mutual access between intranet interfaces with the same security level
Delete the access lists configured above and set inside and inside1 to the same security level, 100:
interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1
 nameif inside1
 security-level 100
 ip address 192.168.2.1 255.255.255.0
Test on R1:
R1#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#192.168.2.2
Trying 192.168.2.2...
% Connection timed out; remote host not responding
Nothing works, and the test from R2 gives the same result.
Add the command same-security-traffic permit inter-interface and test on R1 again:
R1#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/95/240 ms
R1# 192.168.2.2
Trying 192.168.2.2... Open
User Access Verification
Username: root
Password:
R2>
Access now works in both directions, and no access list was needed for the ping: with both interfaces at the same level, the echo reply entering inside1 is permitted by the same-security rule.
Conclusion: traffic between interfaces with the same security level is denied by default and is enabled with a single command, same-security-traffic permit inter-interface.
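The rules exercised by all three tests, as an added example that is not part of the original page or of any Cisco software: a small Python model of the ASA's per-interface decision for a new packet (security-level default, the implicit deny of an applied access list, same-security-traffic permit inter-interface) together with the fact that ICMP is not connection-tracked unless inspected. It replays the lab's flows and also covers two things the page does not test: that permit icmp any any on outside lets outside hosts initiate pings inward, and that once the inside1 access list is applied, the R2 to R3 telnet from Test 1 is dropped by the implicit deny. Interface names, levels, addresses and ACL entries are the lab's; the class and function names are assumptions of this example.

```python
"""Model of the ASA interface-access rules exercised in the lab above.

Added example, not code from the page or from Cisco. Interface names,
security levels, addresses and ACL entries are the lab's; the class and
function names are this example's own.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


def _addr_in(spec: str, addr: str) -> bool:
    """spec is 'any' or a CIDR/host string such as '192.168.2.2/32'."""
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


@dataclass(frozen=True)
class Ace:
    """One access-list entry; dport None matches any destination port."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp" or "icmp"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto not in ("ip", proto):
            return False
        if not (_addr_in(self.src, src) and _addr_in(self.dst, dst)):
            return False
        return self.dport is None or self.dport == dport


@dataclass
class Interface:
    name: str
    level: int
    acl: Optional[List[Ace]] = None   # None: no access-group applied inbound


class Asa:
    def __init__(self, interfaces, same_security_inter=False, inspect_icmp=False):
        self.ifs = {i.name: i for i in interfaces}
        self.same_security_inter = same_security_inter  # same-security-traffic permit inter-interface
        self.inspect_icmp = inspect_icmp                # inspect icmp in the global policy

    def _new_packet_allowed(self, ingress, egress, proto, src, dst, dport):
        """Decision for a packet that is not matched to an existing connection."""
        i, e = self.ifs[ingress], self.ifs[egress]
        if i.acl is not None:
            for ace in i.acl:                 # first match wins
                if ace.matches(proto, src, dst, dport):
                    return ace.action == "permit"
            return False                      # implicit deny at the end of an applied ACL
        if i.level > e.level:
            return True                       # higher -> lower is permitted by default
        if i.level == e.level:
            return self.same_security_inter
        return False                          # lower -> higher needs an ACL

    def flow_allowed(self, proto, src_if, src, dst_if, dst, dport=None):
        """True if a session started on src_if completes, reply included."""
        if not self._new_packet_allowed(src_if, dst_if, proto, src, dst, dport):
            return False
        if proto in ("tcp", "udp") or (proto == "icmp" and self.inspect_icmp):
            return True                       # reply is matched to the connection table
        # Uninspected ICMP: the echo reply is a fresh packet arriving on dst_if.
        return self._new_packet_allowed(dst_if, src_if, proto, dst, src, None)


# Lab addresses from the page.
R1, R2, R3 = "192.168.1.2", "192.168.2.2", "192.168.13.3"


def lab_different_levels(outside_icmp=False, inside1_acl=False, inspect_icmp=False):
    """inside 100 / inside1 90 / outside 0, with the page's ACLs switched on or off."""
    outside = [Ace("permit", "icmp")] if outside_icmp else None
    inside1 = None
    if inside1_acl:
        inside1 = [Ace("permit", "icmp"),
                   Ace("permit", "tcp", R2 + "/32", R1 + "/32", 23),
                   Ace("permit", "tcp", R2 + "/32", R1 + "/32", 22)]
    return Asa([Interface("inside", 100), Interface("inside1", 90, inside1),
                Interface("outside", 0, outside)], inspect_icmp=inspect_icmp)


def lab_same_level(permit_inter=False):
    """inside and inside1 both at 100, no ACLs applied."""
    return Asa([Interface("inside", 100), Interface("inside1", 100),
                Interface("outside", 0)], same_security_inter=permit_inter)


if __name__ == "__main__":
    asa = lab_different_levels(inside1_acl=True)
    print("R2 telnet R1:", asa.flow_allowed("tcp", "inside1", R2, "inside", R1, 23))
    print("R2 telnet R3:", asa.flow_allowed("tcp", "inside1", R2, "outside", R3, 23))
```

Each stage of the lab is a call to one of the two lab_* builders, and flow_allowed answers for a whole session rather than a single packet, which is what makes the ping results differ from the telnet results on the same pair of interfaces.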
© 2024 shulou.com SLNews company. All rights reserved.