Using ASA Twice NAT to solve the problem that the intranet cannot reach a server through its mapped public address

2025-01-14 Update. From: SLTechnology News&Howtos (shulou), Network Security


Shulou(Shulou.com)06/01 Report--

I. Overview

By default, hosts in the Inside and DMZ zones cannot reach an internal server through the address or service that was mapped from the Inside or DMZ zone to the Outside zone. Starting with ASA 8.3 there is a new kind of NAT, Twice NAT, which matches both the source address and the destination address in a single NAT statement and can translate any one to three of the source address, the destination address and the port number.

II. Basic idea

A. Inside zone mapped to the Outside zone
① Outside accessing the address mapped for the Inside zone: no problem.
② Inside accessing the address mapped for the Inside zone: translate both the source and the destination with Twice NAT. The source becomes the Inside interface address and the destination becomes the real address of the Inside device. If the source is not translated, the session cannot be established, because the request and the reply take different paths.
③ DMZ accessing the address mapped for the Inside zone: translate only the destination with Twice NAT, to the real address of the Inside device. Because both ends then use real addresses, Inside and DMZ must have routes to each other. The source could also be translated to the Inside interface address at the same time, but for audit reasons this is not recommended.

B. DMZ zone mapped to the Outside zone
① Outside accessing the address mapped for the DMZ zone: no problem.
② Inside accessing the address mapped for the DMZ zone: translate only the destination with Twice NAT, to the real address of the device in the DMZ. Because both ends then use real addresses, Inside and DMZ must have routes to each other. The source could also be translated to the DMZ interface address, but to keep audit trails usable this is not recommended. When I actually tested this on the simulator, however, I found that without source address translation the "bad sequence number" error was reported frequently. I cannot figure out why the sequence number error is reported; even after setting "set connection random-sequence-number disable" through MPF it was only alleviated and still happened occasionally. I think it may be caused by the simulator.
③ DMZ accessing the address mapped for the DMZ zone: translate both the source and the destination with Twice NAT. The source becomes the DMZ interface address and the destination becomes the real address of the device in the DMZ. If the source is not translated, the session cannot be established, because the request and the reply take different paths.

III. Test topology

The topology diagram did not survive extraction; the layout, recovered from the configuration below, is:

    R1 (10.1.1.1), R2 (10.1.1.2) -- switch -- G0 Inside (10.1.1.10) ASA
    R3 (192.168.1.3) -- G1 DMZ (192.168.1.10) ASA
    ASA G2 Outside (202.100.1.10) -- switch -- R4 (202.100.1.4)

IV. Test requirements

A. Map TCP port 23 of R2 to port 23 of the ASA Outside interface. R1 to R4 must all reach port 23 of R2 by connecting to port 23 of the ASA Outside interface.
B. Map TCP port 23 of R3 to port 2323 of the ASA Outside interface. R1 to R4 must all reach port 23 of R3 by connecting to port 2323 of the ASA Outside interface.

V. Basic configuration

A. R1:

    interface FastEthernet0/0
     ip address 10.1.1.1 255.255.255.0
     no shut
    ip route 0.0.0.0 0.0.0.0 10.1.1.10

B. R2:

    interface FastEthernet0/0
     ip address 10.1.1.2 255.255.255.0
     no shut
    ip route 0.0.0.0 0.0.0.0 10.1.1.10
    line vty 0 4
     password cisco
     login

C. ASA:

    interface GigabitEthernet0
     nameif Inside
     security-level 100
     ip address 10.1.1.10 255.255.255.0
     no shut
    interface GigabitEthernet1
     nameif DMZ
     security-level 50
     ip address 192.168.1.10 255.255.255.0
     no shut
    interface GigabitEthernet2
     nameif Outside
     security-level 0
     ip address 202.100.1.10 255.255.255.0
     no shut

D. R3:

    interface FastEthernet0/0
     ip address 192.168.1.3 255.255.255.0
     no shut
    ip route 0.0.0.0 0.0.0.0 192.168.1.10
    line vty 0 4
     password cisco
     login

E. R4:

    interface FastEthernet0/0
     ip address 202.100.1.4 255.255.255.0
     no shut

VI. ASA NAT and policy configuration

A. Dynamic PAT so that the Inside and DMZ zones can reach the public network:

    object network Inside-NET

     subnet 10.1.1.0 255.255.255.0
     nat (Inside,Outside) dynamic interface
    object network DMZ-NET
     subnet 192.168.1.0 255.255.255.0
     nat (DMZ,Outside) dynamic interface

B. Static PAT mapping R2 and R3:

    object network Inside-R2
     host 10.1.1.2
     nat (Inside,Outside) static interface service tcp 23 23
    object network DMZ-R3
     host 192.168.1.3
     nat (DMZ,Outside) static interface service tcp 23 2323

C. Firewall policy:
① Enable ICMP inspection:

    policy-map global_policy
     class inspection_default
      inspect icmp

② Inbound policy on the Outside interface:

    access-list OUTSIDE extended permit tcp any object Inside-R2 eq telnet
    access-list OUTSIDE extended permit tcp any object DMZ-R3 eq telnet
    access-group OUTSIDE in interface Outside

③ Inbound policy on the DMZ interface:

    access-list DMZ extended permit tcp any object Inside-R2 eq telnet
    access-list DMZ extended permit icmp any any
    access-list DMZ extended deny ip any object Inside-NET
    access-list DMZ extended permit ip any any
    access-group DMZ in interface DMZ

Note: this is only for the test. In practice, unless it is really necessary, do not open access from the DMZ to Inside. If it has to be opened, you also need to open

D. Test:
① The Inside and DMZ zones can reach the public network:

    R1#ping 202.100.1.4

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 202.100.1.4, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5)
    R2#ping 202.100.1.4
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 202.100.1.4, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5)
    R3#ping 202.100.1.4
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 202.100.1.4, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5)

(The round-trip times printed after each success line were garbled in the extraction and are omitted.)

② The mapped ports can only be reached from the Outside zone:

    R4#telnet 202.100.1.10 23

    Trying 202.100.1.10 ... Open
    User Access Verification
    Password:
    R2>show users
        Line       User       Host(s)              Idle       Location
       0 con 0                idle                 00:55:06
    *  66 vty 0                idle                 00:00:00 202.100.1.4
      Interface    User               Mode         Idle     Peer Address
    R2>

    R4#telnet 202.100.1.10 2323
    Trying 202.100.1.10, 2323 ... Open
    User Access Verification
    Password:
    R3>show users
        Line       User       Host(s)              Idle       Location
       0 con 0                idle                 00:51:12
    *  66 vty 0                idle                 00:00:00 202.100.1.4
      Interface    User               Mode         Idle     Peer Address
    R3>

    R1#telnet 202.100.1.10
    Trying 202.100.1.10 ...
    % Connection timed out; remote host not responding

VII. Twice NAT configuration on the ASA

A. Inside accessing the address mapped for the Inside zone: translate both the source and the destination
① Objects:

    object network Public-R2
     host 202.100.1.10
    object service tcp23
     service tcp destination eq telnet

② Twice NAT:

    nat (Inside,Inside) source static any interface destination static Public-R2 Inside-R2 service tcp23 tcp23

③ Allow traffic to enter and leave through the same interface:

    same-security-traffic permit intra-interface

This is required because the traffic enters through the Inside interface and leaves through the Inside interface again.

④ Test:

    R1#telnet 202.100.1.10

    Trying 202.100.1.10 ... Open
    User Access Verification
    Password:
    R2>show users
        Line       User       Host(s)              Idle       Location
       0 con 0                idle                 01:07:35
    *  66 vty 0                idle                 00:00:00 10.1.1.10
      Interface    User               Mode         Idle     Peer Address
    R2>

    R2#telnet 202.100.1.10
    Trying 202.100.1.10 ... Open
    User Access Verification
    Password:
    R2>show users
        Line       User       Host(s)              Idle       Location
       0 con 0                202.100.1.10         00:00:00
    *  66 vty 0                idle                 00:00:00 10.1.1.10
      Interface    User               Mode         Idle     Peer Address

Because the source was translated, R2 sees the session coming from the Inside interface address 10.1.1.10 rather than from the client.

B. Inside accessing the address mapped for the DMZ zone: translate only the destination
① Objects:

    object network Public-R3
     host 202.100.1.10
    object network DMZ-R3
     host 192.168.1.3
    object service tcp2323
     service tcp destination eq 2323

② Twice NAT:

    nat (Inside,DMZ) source static any any destination static Public-R3 DMZ-R3 service tcp2323 tcp23

③ Test:

    R1#telnet 202.100.1.10 2323

    Trying 202.100.1.10, 2323 ...
    % Connection timed out; remote host not responding

    R3#debug ip tcp packet port 23
    TCP Packet debugging is on for port number 23
    R3#
    *Mar  1 13:18:25.648: tcp0: I LISTEN 10.1.1.1:17155 192.168.1.3:23 OPTS 4 SYN WIN 4128
    *Mar  1 13:18:25.652: tcp0: O SYNRCVD 10.1.1.1:17155 192.168.1.3:23 OPTS 4 ACK 1568429505 SYN WIN 4128
    *Mar  1 13:18:25.656: tcp0: I SYNRCVD 10.1.1.1:17155 192.168.1.3:23 OPTS 4 SYN WIN 4128
    *Mar  1 13:18:25.660: tcp0: O SYNRCVD 10.1.1.1:17155 192.168.1.3:23 ACK 1568429505 WIN 4128
    *Mar  1 13:18:25.660: TCP0: bad seg from 10.1.1.1 -- bad sequence number: port 23 seq 4193850862 ack 0 rcvnxt 1568429505 rcvwnd 4128 len 0

The debug shows R3 receiving the SYN from the real client address 10.1.1.1, answering with a SYN-ACK, receiving the same SYN again and answering again, and then discarding a segment from 10.1.1.1 whose sequence number (4193850862) does not match what it expects next (rcvnxt 1568429505), so the handshake never completes.

④ Solution: change the NAT rule so that the source address is translated as well:

    nat (Inside,DMZ) source static any interface destination static Public-R3 DMZ-R3 service tcp2323 tcp23

⑤ Test again:

    R1#telnet 202.100.1.10 2323

    Trying 202.100.1.10, 2323 ... Open
    User Access Verification
    Password:
    R3>show users
        Line       User       Host(s)              Idle       Location
       0 con 0                idle                 00:02:15
    *  66 vty 0                idle                 00:00:00 192.168.1.10
      Interface    User               Mode         Idle     Peer Address
    R3>

    R2#telnet 202.100.1.10 2323
    Trying 202.100.1.10, 2323 ... Open
    User Access Verification
    Password:
    R3>show users
        Line       User       Host(s)              Idle       Location
       0 con 0                idle                 00:03:13
      66 vty 0                idle                 00:00:58 192.168.1.10
    *  67 vty 1                idle                 00:00:00 192.168.1.10
      Interface    User               Mode         Idle     Peer Address
    R3>

C. DMZ accessing the address mapped for the Inside zone: translate only the destination
① Objects: none, all of them were defined above.
② Twice NAT:

    nat (DMZ,Inside) source static any any destination static Public-R2 Inside-R2 service tcp23 tcp23

③ Test:

    R3#telnet 202.100.1.10

    Trying 202.100.1.10 ... Open
    User Access Verification
    Password:
    R2>show users
        Line       User       Host(s)              Idle       Location
       0 con 0                202.100.1.10         00:02:49
    *  66 vty 0                idle                 00:00:00 192.168.1.3
      Interface    User               Mode         Idle     Peer Address
    R2>

Here the source was not translated, so R2 sees the real DMZ address 192.168.1.3, which keeps the audit trail intact.

D. DMZ accessing the address mapped for the DMZ zone: translate both the source and the destination
① Objects: none, all of them were defined above.
② Twice NAT:

    nat (DMZ,DMZ) source static any interface destination static Public-R3 DMZ-R3 service tcp2323 tcp23

③ Allow traffic to enter and leave through the same interface: already configured above (same-security-traffic permit intra-interface).
④ Test:

    R3#telnet 202.100.1.10 2323

    Trying 202.100.1.10, 2323 ... Open
    User Access Verification
    Password:
    R3>show users
        Line       User       Host(s)              Idle       Location
       0 con 0                202.100.1.10         00:00:00
      66 vty 0                idle                 00:07:01 192.168.1.10
      67 vty 1                idle                 00:06:02 192.168.1.10
    *  68 vty 2                idle                 00:00:00 192.168.1.10
      Interface    User               Mode         Idle     Peer Address
    R3>
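To tie the four cases from sections II and VII together, here is an added example (not the article's own code): a small Python model of the lab that, for a client and a mapped port, works out which source address the server sees, whether the server's reply must come back through the ASA, and the nat line the article uses. It assumes each router answers a source on its own subnet directly and sends everything else to its default route (the ASA), which is how the lab routers are configured; the bad-sequence-number behaviour the author saw in the simulator for case B is not modelled.

```python
# Added example (not the article's own code): a small model of the lab's four
# Twice NAT cases. Assumption: each router answers a source on its own subnet
# directly and sends everything else to its default route, which is the ASA.
from ipaddress import ip_address, ip_network
# Interface address and subnet of each ASA zone, from the article's configuration.
IFACE = {"Inside": ("10.1.1.10", "10.1.1.0/24"),
         "DMZ": ("192.168.1.10", "192.168.1.0/24"),
         "Outside": ("202.100.1.10", "202.100.1.0/24")}
# mapped port on 202.100.1.10 -> (public object, real object, real ip, mapped svc, real svc)
MAPPED = {23: ("Public-R2", "Inside-R2", "10.1.1.2", "tcp23", "tcp23"),
          2323: ("Public-R3", "DMZ-R3", "192.168.1.3", "tcp2323", "tcp23")}

def zone_of(ip):
    """Zone whose subnet contains ip; every lab host sits directly on an ASA subnet."""
    for zone, (_, net) in IFACE.items():
        if ip_address(ip) in ip_network(net):
            return zone
    raise ValueError(f"{ip} is not in any lab subnet")

def translate(client_ip, mapped_port, translate_source):
    """Packet the server receives for client -> 202.100.1.10:mapped_port once the
    ASA has applied the rule: (source the server sees, real server ip, egress zone)."""
    real_ip = MAPPED[mapped_port][2]
    egress = zone_of(real_ip)
    seen_src = IFACE[egress][0] if translate_source else client_ip
    return seen_src, real_ip, egress

def reply_returns_via_asa(seen_src, real_ip):
    """False when the server would answer the client directly, bypassing the ASA."""
    server_zone = zone_of(real_ip)
    return seen_src == IFACE[server_zone][0] or zone_of(seen_src) != server_zone

def session_can_establish(client_ip, mapped_port, translate_source):
    """The article's rule: the session works only when the reply comes back through
    the ASA, so the client sees it arrive from the mapped address it connected to."""
    seen_src, real_ip, _ = translate(client_ip, mapped_port, translate_source)
    return reply_returns_via_asa(seen_src, real_ip)

def nat_line(client_ip, mapped_port, translate_source):
    """The Twice NAT command for this case in the form the article uses (service
    objects listed as mapped destination port, then real destination port)."""
    public, real, real_ip, mapped_svc, real_svc = MAPPED[mapped_port]
    src = "any interface" if translate_source else "any any"
    return (f"nat ({zone_of(client_ip)},{zone_of(real_ip)}) source static {src} "
            f"destination static {public} {real} service {mapped_svc} {real_svc}")

if __name__ == "__main__":
    for client, port in [("10.1.1.1", 23), ("10.1.1.1", 2323), ("192.168.1.3", 23), ("192.168.1.3", 2323)]:
        for xlate in (False, True):
            print(nat_line(client, port, xlate), "->", session_can_establish(client, port, xlate))
```

Running it shows the two hairpin cases (Inside to Inside, DMZ to DMZ) failing without source translation, because the server would answer its neighbour directly instead of through the ASA, while the cross-zone cases work with destination translation alone.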
