ASA icmp检测和内网NAT转化

千家信息网最后更新 2025年02月01日ASA icmp检测和内网NAT转化

拓扑结构 ：

In（R1） ---- （inside）ASA 5520（outside） --- Out（R2） ASA配置 ： ASA Version 8.4(2) hostname ciscoasa enable password rQETR98wpSI1Lpr9 encrypted passwd rQETR98wpSI1Lpr9 encrypted names interface GigabitEthernet0 nameif inside security-level 100 ip address 192.168.1.4 255.255.255.0 ! interface GigabitEthernet1 nameif dmz security-level 50 no ip address ! interface GigabitEthernet2 nameif outside security-level 0 ip address 10.254.1.1 255.255.255.0 ! ftp mode passive object network test host 192.168.1.5 pager lines 24 logging enable logging asdm informational logging debug-trace mtu inside 1500 mtu dmz 1500 mtu outside 1500 icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp timeout 14400 ! object network test nat (inside,outside) dynamic 10.254.1.10 ----动态NAT dynamic-access-policy-record DfltAccessPolicy user-identity default-domain LOCAL http server enable http 192.168.1.0 255.255.255.0 inside snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart crypto ca trustpoint _SmartCallHome_ServerCA crl configure telnet 192.168.1.0 255.255.255.0 inside telnet timeout 5 ssh timeout 5 console timeout 0 threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept web*** anyconnect-essentials username netemu password QTbvAEdn30mERkZb encrypted privilege 15 ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h423 h325 inspect h423 ras inspect ip-options inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp inspect icmp inspect icmp error ! service-policy global_policy global prompt hostname context call-home reporting anonymous call-home profile CiscoTAC-1 no active crashinfo save disable Cryptochecksum:bfa7c38d2288de6d8cb12bd5c4be8eb6 : end NAT转化击中计数器 ： ciscoasa# show nat detail 去往Outside地址段的地址转换 Auto NAT Policies (Section 2) 1 (inside) to (outside) source dynamic test 10.254.1.10 translate_hits = 126, untranslate_hits = 90 Source - Origin: 192.168.1.5/32, Translated: 10.254.1.10/32 在实验过程中发现inspection引擎下的配置删除掉了 需手动加上 并加上以下配置： policy-map global_policy
class inspection_default
inspect icmp 网上有详细解释！ Inside 路由器配置 ： In#show running-config Building configuration... Current configuration : 959 bytes ! version 12.4 service timestamps debug datetime msec service timestamps log datetime msec ip domain name lab.local ip auth-proxy max-nodata-conns 3 ip admission max-nodata-conns 3 ! interface FastEthernet0/0 ip address 192.168.1.5 255.255.255.0 duplex auto speed auto ! interface FastEthernet0/1 no ip address shutdown duplex auto speed auto ! ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 192.168.1.4 line con 0 exec-timeout 0 0 privilege level 15 logging synchronous line aux 0 exec-timeout 0 0 privilege level 15 logging synchronous line vty 0 4 login end Outside 路由器配置 ： Out#show runn Building configuration... Current configuration : 1006 bytes version 12.4 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname Out no ip domain lookup ip domain name lab.local ip auth-proxy max-nodata-conns 3 ip admission max-nodata-conns 3 username admin password 0 cisco interface FastEthernet0/0 ip address 10.254.1.5 255.255.255.0 duplex auto speed auto ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 10.254.1.1 ----- 默认路由 指向Inside端网络 line con 0 exec-timeout 0 0 privilege level 15 logging synchronous line aux 0 exec-timeout 0 0 privilege level 15 logging synchronous line vty 0 4 password cisco login end 我们需要了解ASA对于inbound和outbound的定义 ： 高安全级别 ----> 低安全级别 outbound 低安全级别 ----> 高安全级别 inbound 默认情况 ：出站流量是允许的 （特例请见下文） 进流量是禁止的 也就是从高到低方向是允许的，也可以返回的。但不可以直接从低到高。 ACL可以禁止或允许这两个方向的流量

摘自 ASA840 配置手册 讲的是inspection引擎对于一些特定协议流量的检测机制

ACL 返回流量规则 ：

For TCP and UDP connections for both routed and transparent mode, you do not need an access rule to allow returning traffic because the ASA allows all returning traffic for established, bidirectionalconnections. For connectionless protocols such as ICMP, however, the ASA establishes unidirectional sessions,

For connectionless protocols such as ICMP, however, the ASA establishes unidirectional sessions, so you either need access rules to allow ICMP in both directions (by applying access lists to the source and destination interfaces), or you need to enable the ICMP inspection engine. The ICMP inspection enginetreats ICMP sessions as bidirectional connections. To control ping, specify echo-reply (0) (ASA to host)or echo (8) (host to ASA).

思科官方文档解释还是蛮给力的 需要我们好好膜拜！