[Original] Test: RIP Traversing an ASA Transparent Firewall

Posted 2020-2-4 20:54:13
This post was last edited by 碧云天 on 2020-2-4 21:04

I. Test Topology


Test summary:
1. With the ASA in transparent mode, RIP unicast update packets need no ACL permit and can reach the high-security zone from the low-security zone.
-- By default the ASA only allows the high-security zone to reach the low-security zone; I don't know why RIP unicast packets can actually cross the transparent firewall from the low-security zone to the high-security zone. Testing in routed mode does not behave this way.
2. With the ASA in transparent mode, RIP multicast updates require both sides to permit UDP packets to 224.0.0.9 with source and destination port 520.

II. Basic Configuration
1. Router R1

interface Loopback0
    ip address 1.1.1.1 255.255.255.0
interface FastEthernet0/0
    ip address 12.1.1.1 255.255.255.0
    no shutdown
2. ASAv Firewall
interface GigabitEthernet0/0
    bridge-group 1
    nameif inside
    security-level 100
    no shutdown
interface GigabitEthernet0/1
    bridge-group 1
    nameif outside
    security-level 0
    no shutdown
interface BVI1
    ip address 12.1.1.10 255.255.255.0
3. Router R2
interface Loopback0
    ip address 2.2.2.2 255.255.255.0
interface FastEthernet0/0
    ip address 12.1.1.2 255.255.255.0
    no shutdown
III. Configuring RIP
1. Router R1

router rip
    version 2
    passive-interface l0
    network 1.0.0.0
    network 12.0.0.0
    no auto-summary
key chain R1
    key 1
      key-string Cisc0123
interface FastEthernet0/0
    ip rip authentication mode md5
    ip rip authentication key-chain R1
2. Router R2
router rip
    version 2
    passive-interface l0
    network 2.0.0.0
    network 12.0.0.0
    no auto-summary
key chain R1
    key 1
      key-string Cisc0123
interface FastEthernet0/0
    ip rip authentication mode md5
    ip rip authentication key-chain R1

IV. Test: RIP Unicast Updates Can Cross the Transparent Firewall
1. By default, multicast traffic cannot cross the transparent firewall, so on R2 you only see updates being sent; there are no logs of updates being received.

R2#debug ip
*Feb  4 06:42:48.067: %SYS-5-CONFIG_I: Configured from console by consolerip
R2#debug ip rip
RIP protocol debugging is on
*Feb  4 06:43:05.883: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (12.1.1.2)
*Feb  4 06:43:05.883: RIP: build update entries
*Feb  4 06:43:05.883:   2.2.2.0/24 via 0.0.0.0, metric 3, tag 0
2. Configure RIP unicast updates
① Router R1

router rip
     passive-interface FastEthernet0/0
     neighbor 12.1.1.2
After R1 is configured, the unicast update packet is received on R2:
R2#debug ip rip
RIP protocol debugging is on
*Feb  4 06:46:40.643: RIP: received packet with MD5 authentication
*Feb  4 06:46:40.643: RIP: received v2 update from 12.1.1.1 on FastEthernet0/0
*Feb  4 06:46:40.643:      1.1.1.0/24 via 0.0.0.0 in 1 hops
② Router R2
router rip
     passive-interface FastEthernet0/0
     neighbor 12.1.1.1
After R2 is configured, surprisingly, the unicast update packet is received on R1 as well (R2 sits in the Outside low-security zone):
R1#debug ip rip
RIP protocol debugging is on
*Feb  4 06:49:36.155: RIP: received packet with MD5 authentication
*Feb  4 06:49:36.155: RIP: received v2 update from 12.1.1.2 on FastEthernet0/0
*Feb  4 06:49:36.155:      2.2.2.0/24 via 0.0.0.0 in 3 hops
3. With RIP unicast updates, the ASA transparent firewall needs no permit policy; R1 and R2 both receive each other's routes normally.
R1#clear ip route *
R1#show ip route rip | begin Gate
Gateway of last resort is not set

      2.0.0.0/24 is subnetted, 1 subnets
R        2.2.2.0 [120/3] via 12.1.1.2, 00:00:05, FastEthernet0/0
R1#

R2#clear ip route *
R2#show ip route rip | begin Gate
Gateway of last resort is not set

      1.0.0.0/24 is subnetted, 1 subnets
R        1.1.1.0 [120/1] via 12.1.1.1, 00:00:08, FastEthernet0/0
R2#
4. Configure a syslog server on R2 pointing at R1; the syslog UDP packets cannot get from the low-security zone to the high-security zone.
logging trap debugging
logging facility local1
logging 12.1.1.1
5. Afterwards the firewall was switched to routed mode; there, unicast RIP update packets going from the low-security zone to the high-security zone need an ACL permit.
① Router R1
interface Loopback0
    ip address 1.1.1.1 255.255.255.0
interface FastEthernet0/0
    ip address 112.1.1.1 255.255.255.0 secondary
    ip address 12.1.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 12.1.1.10
arp 112.1.1.2 5000.0008.0001 ARPA
! MAC address of the firewall's Inside interface
router rip
    version 2
    passive-interface FastEthernet0/0
    passive-interface Loopback0
    network 1.0.0.0
    network 12.0.0.0
    neighbor 112.1.1.2
    no auto-summary
② ASA Firewall
interface GigabitEthernet0/0
    nameif Inside
    security-level 100
    ip address 12.1.1.10 255.255.255.0
    no shutdown
interface GigabitEthernet0/1
    nameif Outside
    security-level 0
    ip address 112.1.1.10 255.255.255.0
    no shutdown
③ Router R2
interface Loopback0
    ip address 2.2.2.2 255.255.255.0
interface FastEthernet0/0
    ip address 12.1.1.2 255.255.255.0 secondary
    ip address 112.1.1.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 112.1.1.10
arp 12.1.1.1 5000.0008.0002 ARPA
! MAC address of the firewall's Outside interface
router rip
    version 2
    no validate-update-source
    passive-interface FastEthernet0/0
    passive-interface Loopback0
    network 2.0.0.0
    network 12.0.0.0
    network 112.0.0.0
    neighbor 12.1.1.1
    no auto-summary
V. Test: ACL Needed for RIP Multicast to Cross the Transparent Firewall
1. A packet capture shows that the destination address of the RIP multicast update is 224.0.0.9.


2. Firewall permit policy
access-list Inside-rip extended permit udp host 12.1.1.1 eq rip host 224.0.0.9 eq rip
access-list Outside-rip extended permit udp host 12.1.1.2 eq rip host 224.0.0.9 eq rip
access-group Inside-rip in interface inside
access-group Outside-rip in interface outside
3. R1 learns R2's routes via RIP normally
R1#show ip route rip | begin Gate
Gateway of last resort is not set

      2.0.0.0/24 is subnetted, 1 subnets
R        2.2.2.0 [120/1] via 12.1.1.2, 00:00:03, FastEthernet0/0
R1#
4. R2 learns R1's routes via RIP normally
R2#show ip route rip | begin Gate
Gateway of last resort is not set

      1.0.0.0/24 is subnetted, 1 subnets
R        1.1.1.0 [120/1] via 12.1.1.1, 00:00:20, FastEthernet0/0
R2#
5. The firewall ACL also shows the corresponding hits
ASAv# show access-list  
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list Inside-rip; 1 elements; name hash: 0xa0e6a5fa
access-list Inside-rip line 1 extended permit udp host 12.1.1.1 eq rip host 224.0.0.9 eq rip (hitcnt=1) 0x36c515c8
access-list Outside-rip; 1 elements; name hash: 0xe2aeb4be
access-list Outside-rip line 1 extended permit udp host 12.1.1.2 eq rip host 224.0.0.9 eq rip (hitcnt=1) 0x269e67f7
ASAv#
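As an added illustration (not code from the post or from Cisco), the following toy model replays sections IV and V against a stateful firewall in which a permitted UDP flow creates a connection entry that lets the reverse 5-tuple back through, and in which multicast passes only by explicit access rule. That the ASA's stateful UDP connection table is what let R2's unicast update reach R1 (R1's own 12.1.1.1:520 -> 12.1.1.2:520 update having opened the entry, while the syslog packets in step 4 had no such entry) is my assumption; connection timeouts are ignored and the syslog port 514 and ephemeral source port are constructed values.

```python
# Added toy model of ASA stateful UDP handling; not ASA code. The
# "reverse 5-tuple of an existing conn is allowed" explanation is an assumption.
from dataclasses import dataclass, field

RIP, SYSLOG, MCAST_RIP = 520, 514, "224.0.0.9"

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.dport, self.src, self.sport)

@dataclass
class Asa:
    acl: dict = field(default_factory=lambda: {"inside": set(), "outside": set()})
    conns: set = field(default_factory=set)   # live UDP connection entries

    def forward(self, ingress: str, flow: Flow) -> str:
        if flow.reverse() in self.conns:        # reply to an established flow
            return "permit:conn"
        if flow in self.acl[ingress]:           # explicit access-group permit
            self.conns.add(flow)
            return "permit:acl"
        # Transparent-mode default: multicast is never implicitly allowed,
        # and only the high-security (inside) side may initiate a flow.
        if ingress == "inside" and not flow.dst.startswith("224."):
            self.conns.add(flow)
            return "permit:default"
        return "deny"

def unicast_test() -> list:
    """Section IV: R1 (inside) updates R2 first, then R2 (outside) replies;
    the syslog test from step 4 has no prior flow and is dropped."""
    asa = Asa()
    r1_to_r2 = Flow("12.1.1.1", RIP, "12.1.1.2", RIP)
    return [asa.forward("inside", r1_to_r2),
            asa.forward("outside", r1_to_r2.reverse()),
            asa.forward("outside", Flow("12.1.1.2", 50000, "12.1.1.1", SYSLOG))]

def multicast_test(with_acl: bool) -> list:
    """Section V: 224.0.0.9 updates pass only with a permit on both sides."""
    asa = Asa()
    r1 = Flow("12.1.1.1", RIP, MCAST_RIP, RIP)
    r2 = Flow("12.1.1.2", RIP, MCAST_RIP, RIP)
    if with_acl:
        asa.acl["inside"].add(r1)    # access-list Inside-rip
        asa.acl["outside"].add(r2)   # access-list Outside-rip
    return [asa.forward("inside", r1), asa.forward("outside", r2)]
```

The model reproduces the post's three outcomes: unicast passes both ways with no ACL, syslog from outside is dropped, and multicast needs the permit on both interfaces.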

Posted 2020-2-6 04:16:40
Thanks to the OP for sharing~