1. Configuration example: filter on the keyword "sh/run"
regex shrun“sh/run”
class-map type regex match-any A
match regex shrun
class-map type inspect http match-all http B
match request uri regex class A

policy-map type inspect http control.http
class http B
drop-connection log

policy-map global_policy
class inspection_default
inspect http control.http


Check the service-policy:
show service-policy
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: http control.http, packet 7392, drop 4, reset-drop 0
2. Configure EBGP MD5 through the ASA
router bgp 65333
 no synchronization
 bgp log-neighbor-changes
 network 1.1.1.1 mask 255.255.255.255
 neighbor 2.2.2.2 remote-as 65333
 neighbor 2.2.2.2 password cisco
 neighbor 2.2.2.2 update-source Lo0
 no auto-summary

router bgp 65333
 no synchronization
 bgp log-neighbor-changes
 network 2.2.2.2 mask 255.255.255.255
 neighbor 1.1.1.1 remote-as 65333
 neighbor 1.1.1.1 password cisco
 neighbor 1.1.1.1 update-source Loopback0
 no auto-summary


ASA(config)# class-map BGP
ASA(config-cmap)#  match port tcp eq bgp

ASA(config)# tcp-map forbgp
ASA(config-tcp-map)#  tcp-options range 19 19 allow

ASA(config)# policy-map global_policy
ASA(config-pmap)#  class BGP
ASA(config-pmap-c)#   set connection random-sequence-number disable
ASA(config-pmap-c)#   set connection advanced-options forbgp

Inside#sh ip bgp       
BGP table version is 4, local router ID is 2.2.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
r>i1.1.1.1/32       1.1.1.1                  0    100      0 i
*> 2.2.2.2/32       0.0.0.0                  0         32768 i

Outside#sh ip bgp
BGP table version is 4, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.1/32       0.0.0.0                  0         32768 i
* i2.2.2.2/32       2.2.2.2                  0    100      0 i
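Why the two `set connection` lines above are both needed: the BGP MD5 password is carried as TCP option 19 (RFC 2385), and its digest is computed over the pseudo-header, the fixed TCP header (including the sequence number) and the payload. If the ASA randomizes the initial sequence number, it rewrites a field that is inside the hash, and the receiving router discards the segment; if the tcp-map does not allow option 19, the option itself is stripped. The following Python is an added example that is not part of the original notes: it models the RFC 2385 computation and shows that a sequence-number rewrite makes the peer's recomputed digest differ. The addresses, ports, sequence numbers, key and the KEEPALIVE payload are constructed sample values.

```python
import hashlib
import socket
import struct

TCP_PROTO = 6
BGP_PORT = 179
MD5_OPTION_KIND = 19        # the option number allowed by "tcp-options range 19 19 allow"
MD5_OPTION_LEN = 18         # kind (1) + length (1) + 16-byte digest
SIGNED_HEADER_LEN = 20 + 20 # fixed header + MD5 option padded to a 4-byte boundary


def tcp_md5_signature(src_ip, dst_ip, sport, dport, seq, ack, flags, window,
                      payload, key, header_len=SIGNED_HEADER_LEN):
    """Return the 16-byte RFC 2385 digest for one TCP segment.

    Hash input, in order: the IPv4 pseudo-header, the fixed 20-byte TCP header
    with the checksum zeroed (options excluded, but the data offset still
    reflects the real header length), the segment payload, and the key.
    """
    segment_len = header_len + len(payload)
    pseudo_header = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
                     + struct.pack("!BBH", 0, TCP_PROTO, segment_len))
    data_offset = (header_len // 4) << 4          # upper nibble of byte 12
    tcp_header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                             data_offset, flags, window, 0, 0)  # checksum=0, urgent=0
    return hashlib.md5(pseudo_header + tcp_header + payload + key).digest()


def md5_option(digest):
    """Encode the digest as the TCP option the router puts on the wire."""
    return struct.pack("!BB", MD5_OPTION_KIND, MD5_OPTION_LEN) + digest


# Constructed sample: a BGP KEEPALIVE (16-byte 0xff marker, length 19, type 4)
# sent from 1.1.1.1 to 2.2.2.2 with PSH|ACK set.
SAMPLE_SEGMENT = dict(src_ip="1.1.1.1", dst_ip="2.2.2.2", sport=BGP_PORT, dport=45000,
                      seq=0x1000, ack=0x2000, flags=0x18, window=16384,
                      payload=b"\xff" * 16 + b"\x00\x13\x04")
KEY = b"cisco"   # constructed; matches the password used in the lab config


def signature_survives(seq_offset, peer_key=KEY):
    """Model the receiving router: recompute the digest over the header it
    actually saw. A non-zero seq_offset stands for an ASA that randomized the
    sequence number in transit. Returns True only if the peer would accept."""
    sent_digest = tcp_md5_signature(**SAMPLE_SEGMENT, key=KEY)
    seen = dict(SAMPLE_SEGMENT, seq=(SAMPLE_SEGMENT["seq"] + seq_offset) & 0xFFFFFFFF)
    recomputed = tcp_md5_signature(**seen, key=peer_key)
    return sent_digest == recomputed


if __name__ == "__main__":
    print("option bytes:", md5_option(tcp_md5_signature(**SAMPLE_SEGMENT, key=KEY)).hex())
    print("unchanged seq accepted:", signature_survives(0))
    print("randomized seq accepted:", signature_survives(0x5A5A5A5A))
    print("wrong key accepted:", signature_survives(0, b"notcisco"))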


3. Restrict FTP: reset on file name
ASA(config)# regex cisco "cisco"

ASA(config)# class-map type inspect ftp match-all class-ftp
ASA(config-cmap)#  match filename regex cisco

ASA(config)# policy-map type inspect ftp policy-ftp
ASA(config-pmap-p)#  class class-ftp
ASA(config-pmap-c)#   reset log

ASA(config-pmap)# policy-map global_policy
ASA(config-pmap)#  class inspection_default
ASA(config-pmap-c)#   inspect ftp strict policy-ftp

ASA(config)# sh service-policy inspect ftp

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: ftp strict policy-ftp, packet 144, drop 4, reset-drop 1
        class class-ftp
          reset log, packet 0
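The `show service-policy` output in sections 1 and 3 is where the policy's effect is actually visible (the `drop` and `reset-drop` counters). The following Python is an added example, not part of the original notes: it parses that output into structured counters and reports which inspections are dropping traffic, so the check can be scripted instead of read by eye. The sample text is constructed from the two outputs above; the regexes accept both the `drop 4,reset-drop 0` and the `drop 4, reset-drop 1` spacing seen on the page.

```python
import re

# Constructed sample modelled on the "show service-policy" outputs above;
# counter values are the ones shown in the notes.
SAMPLE_OUTPUT = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: http control.http, packet 7392, drop 4,reset-drop 0
      Inspect: ftp strict policy-ftp, packet 144, drop 4, reset-drop 1
        class class-ftp
          reset log, packet 0
"""

INSPECT_RE = re.compile(
    r"^\s*Inspect:\s+(?P<name>.+?),\s*packet\s+(?P<packet>\d+),"
    r"\s*drop\s+(?P<drop>\d+),\s*reset-drop\s+(?P<reset_drop>\d+)\s*$"
)
CLASS_RE = re.compile(r"^\s*class\s+(?P<cls>\S+)\s*$")
ACTION_RE = re.compile(r"^\s*(?P<action>.+?),\s*packet\s+(?P<packet>\d+)\s*$")


def parse_service_policy(text):
    """Return one dict per 'Inspect:' line, each with the nested class/action
    counters printed beneath it."""
    inspections = []
    current_class = None
    for line in text.splitlines():
        m = INSPECT_RE.match(line)
        if m:
            inspections.append({
                "name": m["name"],
                "packet": int(m["packet"]),
                "drop": int(m["drop"]),
                "reset_drop": int(m["reset_drop"]),
                "classes": [],
            })
            current_class = None
            continue
        m = CLASS_RE.match(line)
        if m and inspections:
            current_class = {"class": m["cls"], "action": None, "packet": None}
            inspections[-1]["classes"].append(current_class)
            continue
        m = ACTION_RE.match(line)
        if m and current_class is not None:
            current_class["action"] = m["action"]
            current_class["packet"] = int(m["packet"])
    return inspections


def inspections_with_drops(text):
    """Names of inspections whose drop or reset-drop counter is non-zero."""
    return [i["name"] for i in parse_service_policy(text)
            if i["drop"] or i["reset_drop"]]


if __name__ == "__main__":
    for entry in parse_service_policy(SAMPLE_OUTPUT):
        print(entry)
    print("dropping:", inspections_with_drops(SAMPLE_OUTPUT))
```

Run it against the saved output of `show service-policy` on a schedule and alert when a counter grows; a `reset-drop` increment on the FTP policy above, for instance, means a file name matched the `cisco` regex and the session was reset.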

4. Multicast traffic through a transparent firewall

Outside
router os 1
net 1.1.1.0 0.0.0.255 ar 0
net 202.100.1.0 0.0.0.255 ar 0


Inside
router os 1
net 2.2.2.0 0.0.0.255 ar 0
net 202.100.1.0 0.0.0.255 ar 0


ASA configuration
firewall transparent

interface Ethernet0/0
 nameif outside
 security-level 0

interface Ethernet0/1
 nameif inside
 security-level 100

ip add 202.100.1.100 255.255.255.0

access-list out_ospf permit ospf any any
access-list in_ospf permit ospf any any

access-group out_ospf in interface outside
access-group in_ospf in interface inside

Note: the multicast traffic must be permitted on both the inside and the outside interface. Permitting it only on the outside interface causes OSPF flapping. For unicast, permitting only the outside traffic is enough.