
ASA#6_Basic Cut-Through_Part 1


Diagram:

Note: This lab uses a Cisco ASA running on VMware together with a router running on Cisco IOU or GNS3.

Description:

  • Require authentication for all TCP-based services used by the PCs on the 192.168.1.0/24 network. Use the local database for authentication.

  • Services on which the authentication prompt can be performed:

    • HTTP (80)

    • HTTPS (443)

    • FTP (21)

    • TELNET (23)

Configuration:

Define the traffic to be authenticated; only traffic permitted by this ACL is subject to authentication:

FW-ASA-DTU(config)# access-list AUTHEN permit tcp 192.168.1.0 255.255.255.0 any

Note: If the ACL uses permit ip or permit udp, services that rely on DNS resolution will stop working (the DNS queries themselves would be held for authentication), so DNS must be explicitly denied in the ACL above the broad permit.

Allow echo-reply traffic to return from the outside:

FW-ASA-DTU(config)# access-list PING permit icmp any 192.168.1.0 255.255.255.0 echo-reply

FW-ASA-DTU(config)# access-group PING in interface outside

Disable NAT control (optional; this command exists only on ASA releases before 8.3, which is why it does not appear in the 9.2(1) running config below):

FW-ASA-DTU(config)# no nat-control

Define the local database:

FW-ASA-DTU(config)# username dtu password dtu@123

Enable cut-through proxy for all traffic entering the inside interface that matches the ACL:

FW-ASA-DTU(config)# aaa authentication match AUTHEN inside local
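The steps above can be checked offline against a running config. The following lint is an added example written for this page, not code from the lab or from Cisco: it parses the ACLs and the aaa authentication match rule, and flags the DNS pitfall described in the note (a permit ip or permit udp ACE without a deny udp ... eq domain above it). The sample config is constructed from the lab's own commands.

```python
import re

# Added example (not from the lab page): lint for the ASA cut-through proxy
# configuration. Flags a 'permit ip'/'permit udp' ACE that would also force
# authentication of DNS queries unless DNS is denied above it.
ACE_RE = re.compile(r"^access-list (\S+) (?:extended )?(permit|deny) (\S+)\s*(.*)$")
AAA_RE = re.compile(r"^aaa authentication match (\S+) (\S+) (\S+)$")
DNS_RE = re.compile(r"\beq (domain|53)\b")

def parse_acls(config):
    """Group ACEs by ACL name, preserving order (ASA ACLs are first-match)."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, action, proto, rest = m.groups()
            acls.setdefault(name, []).append((action, proto, rest))
    return acls

def check_cut_through(config):
    """Return findings for every 'aaa authentication match' rule; [] means OK."""
    acls = parse_acls(config)
    findings = []
    for line in config.splitlines():
        m = AAA_RE.match(line.strip())
        if not m:
            continue
        acl, iface, server = m.groups()
        if acl not in acls:
            findings.append(f"{acl}: referenced on {iface} but no such ACL")
            continue
        dns_denied = False
        for action, proto, rest in acls[acl]:
            if action == "deny" and proto == "udp" and DNS_RE.search(rest):
                dns_denied = True          # DNS excluded before any broad permit
            if action == "permit" and proto in ("ip", "udp") and not dns_denied:
                findings.append(f"{acl}: '{action} {proto} {rest}' also matches DNS; "
                                "add 'deny udp ... eq domain' above it")
        if server.upper() == "LOCAL" and not re.search(r"^username \S+ ", config, re.M):
            findings.append(f"{acl}: server LOCAL but no username is defined")
    return findings

# Constructed sample built from the lab's commands (cleartext password as typed in the lab).
LAB_CONFIG = """\
access-list AUTHEN extended permit tcp 192.168.1.0 255.255.255.0 any
aaa authentication match AUTHEN inside LOCAL
username dtu password dtu@123
"""
```

Running check_cut_through(LAB_CONFIG) returns an empty list for the lab's ACL; swapping permit tcp for permit ip yields the DNS finding until a deny udp ... eq domain ACE is placed above it.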

Full configuration:

FW-ASA-DTU

FW-ASA-DTU# sh run

: Saved

:

: Serial Number: 9ABBHQ1E2G6

: Hardware: ASAv, 2048 MB RAM, CPU Xeon 5500 series 2394 MHz

:

ASA Version 9.2(1)

!

hostname FW-ASA-DTU

enable password hAPB9Mw30flcY4kz encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd r/GApwtPETElZ6aH encrypted

names

!

interface GigabitEthernet0/0

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface GigabitEthernet0/2

nameif outside

security-level 0

ip address 192.168.2.1 255.255.255.0

!

interface Management0/0

management-only

nameif quanly

security-level 100

ip address 192.168.20.100 255.255.255.0

!

ftp mode passive

access-list AUTHEN extended permit tcp 192.168.1.0 255.255.255.0 any

access-list PING extended permit icmp any 192.168.1.0 255.255.255.0 echo-reply

pager lines 23

mtu quanly 1500

mtu inside 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

access-group PING in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.2.2 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication match AUTHEN inside LOCAL

no snmp-server location

no snmp-server contact

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet 192.168.20.0 255.255.255.0 quanly

telnet timeout 5

ssh stricthostkeycheck

ssh 192.168.20.0 255.255.255.0 quanly

ssh timeout 5

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

username dtu password 91ezoD62XNiM5vaU encrypted

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home reporting anonymous prompt 2

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly 1

subscribe-to-alert-group configuration periodic monthly 1

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:f97ea56c9c447cedac25fd3d4e8cf00f

: end

FW-ASA-DTU#

GATEWAY

GATEWAY#sh run

Building configuration...

Current configuration : 1579 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname GATEWAY

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

no ip icmp rate-limit unreachable

ip cef

!

!

!

!

no ip domain lookup

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

ip tcp synwait-time 5

!

!

!

!

!

interface FastEthernet0/0

ip address 192.168.2.2 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

interface Serial0/0

no ip address

shutdown

clock rate 2000000

!

interface FastEthernet0/1

ip address dhcp

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

interface Serial0/1

no ip address

shutdown

clock rate 2000000

!

interface Serial1/0

no ip address

shutdown

serial restart-delay 0

!

interface Serial1/1

no ip address

shutdown

serial restart-delay 0

!

interface Serial1/2

no ip address

shutdown

serial restart-delay 0

!

interface Serial1/3

no ip address

shutdown

serial restart-delay 0

!

ip forward-protocol nd

ip route 192.168.1.0 255.255.255.0 192.168.2.1

!

!

no ip http server

no ip http secure-server

ip nat inside source list 1 interface FastEthernet0/1 overload

!

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 1 permit 192.168.2.0 0.0.0.255

no cdp log mismatch duplex

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

!

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

line aux 0

exec-timeout 0 0

privilege level 15

logging synchronous

line vty 0 4

login

!

!

end

GATEWAY#