碧云天 (Spotlight)
This post was last edited by 碧云天 on 2020-2-4 21:04
I. Test topology
[topology image: 205545ys28wtieiete8t28.png]
Test summary:
1. With the ASA in transparent mode, RIP unicast updates cross the firewall without any ACL permit and can get from the low-security zone to the high-security zone.
--By default the ASA only allows the high-security zone to reach the low-security zone; I don't know why RIP unicast packets can cross the transparent firewall from the low-security zone to the high-security zone. The routed-mode test does not behave this way.
A likely explanation, not confirmed in this thread: R1 sends its unicast update first (inside to outside, UDP 520 to 520), the ASA builds a connection entry for that flow, and R2's update, which carries the same addresses and ports reversed, matches that entry as return traffic instead of being evaluated against the security levels. Running `show conn` on the ASA while the updates are flowing would show whether such an entry exists.
2. With the ASA in transparent mode, RIP multicast updates need a permit on both interfaces for UDP packets to 224.0.0.9 with source and destination port 520.
II. Basic configuration
1. R1 router

interface Loopback0
ip address 1.1.1.1 255.255.255.0
interface FastEthernet0/0
ip address 12.1.1.1 255.255.255.0
no shutdown
2. ASAv firewall
interface GigabitEthernet0/0
bridge-group 1
nameif inside
security-level 100
no shutdown
interface GigabitEthernet0/1
bridge-group 1
nameif outside
security-level 0
no shutdown
interface BVI1
ip address 12.1.1.10 255.255.255.0
3. R2 router
interface Loopback0
ip address 2.2.2.2 255.255.255.0
interface FastEthernet0/0
ip address 12.1.1.2 255.255.255.0
no shutdown
III. RIP configuration
1. R1 router

router rip
version 2
passive-interface l0
network 1.0.0.0
network 12.0.0.0
no auto-summary
key chain R1
key 1
key-string Cisc0123
interface FastEthernet0/0
ip rip authentication mode md5
ip rip authentication key-chain R1
2. R2 router
router rip
version 2
passive-interface l0
network 2.0.0.0
network 12.0.0.0
no auto-summary
key chain R1
key 1
key-string Cisc0123
interface FastEthernet0/0
ip rip authentication mode md5
ip rip authentication key-chain R1
IV. Test: RIP unicast updates can cross the transparent firewall
1. By default multicast traffic cannot cross the transparent firewall, so on R2 you only see updates being sent and no log of any being received

R2#debug ip rip
RIP protocol debugging is on
*Feb 4 06:42:48.067: %SYS-5-CONFIG_I: Configured from console by console
*Feb 4 06:43:05.883: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (12.1.1.2)
*Feb 4 06:43:05.883: RIP: build update entries
*Feb 4 06:43:05.883: 2.2.2.0/24 via 0.0.0.0, metric 3, tag 0
2. Configure RIP unicast updates
① R1 router

router rip
passive-interface FastEthernet0/0
neighbor 12.1.1.2
Once R1 is configured, R2 receives the unicast update
R2#debug ip rip
RIP protocol debugging is on
*Feb 4 06:46:40.643: RIP: received packet with MD5 authentication
*Feb 4 06:46:40.643: RIP: received v2 update from 12.1.1.1 on FastEthernet0/0
*Feb 4 06:46:40.643: 1.1.1.0/24 via 0.0.0.0 in 1 hops
② R2 router
router rip
passive-interface FastEthernet0/0
neighbor 12.1.1.1
Once R2 is configured, surprisingly R1 also receives the unicast update (R2 sits in the low-security Outside zone)
R1#debug ip rip
RIP protocol debugging is on
*Feb 4 06:49:36.155: RIP: received packet with MD5 authentication
*Feb 4 06:49:36.155: RIP: received v2 update from 12.1.1.2 on FastEthernet0/0
*Feb 4 06:49:36.155: 2.2.2.0/24 via 0.0.0.0 in 3 hops
3. With RIP unicast updates, the transparent ASA needs no permit policy; R1 and R2 both learn each other's routes normally
R1#clear ip route *
R1#show ip route rip | begin Gate
Gateway of last resort is not set
2.0.0.0/24 is subnetted, 1 subnets
R 2.2.2.0 [120/3] via 12.1.1.2, 00:00:05, FastEthernet0/0
R1#
R2#clear ip route *
R2#show ip route rip | begin Gate
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
R 1.1.1.0 [120/1] via 12.1.1.1, 00:00:08, FastEthernet0/0
R2#
4. Configure a syslog server on R2 pointing at R1: the syslog UDP packets cannot get from the low-security zone to the high-security zone
logging trap debugging
logging facility local1
logging 12.1.1.1
5. Later I switched the firewall to routed mode; there, unicast RIP updates going from the low-security zone to the high-security zone need an ACL permit
① R1 router
interface Loopback0
ip address 1.1.1.1 255.255.255.0
interface FastEthernet0/0
ip address 112.1.1.1 255.255.255.0 secondary
ip address 12.1.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 12.1.1.10
arp 112.1.1.2 5000.0008.0001 ARPA #MAC of the firewall's Inside interface
router rip
version 2
passive-interface FastEthernet0/0
passive-interface Loopback0
network 1.0.0.0
network 12.0.0.0
neighbor 112.1.1.2
no auto-summary
② ASA firewall
interface GigabitEthernet0/0
nameif Inside
security-level 100
ip address 12.1.1.10 255.255.255.0
no shutdown
interface GigabitEthernet0/1
nameif Outside
security-level 0
ip address 112.1.1.10 255.255.255.0
no shutdown
③ R2 router
interface Loopback0
ip address 2.2.2.2 255.255.255.0
interface FastEthernet0/0
ip address 12.1.1.2 255.255.255.0 secondary
ip address 112.1.1.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 112.1.1.10
arp 12.1.1.1 5000.0008.0002 ARPA #MAC of the firewall's Outside interface
router rip
version 2
no validate-update-source
passive-interface FastEthernet0/0
passive-interface Loopback0
network 2.0.0.0
network 12.0.0.0
network 112.0.0.0
neighbor 12.1.1.1
no auto-summary
V. Test: the ACL needed for RIP multicast to cross the transparent firewall
1. A packet capture shows that RIP multicast updates are sent to destination address 224.0.0.9

[capture image: 210357h29o8ejztjjcc9dz.png]
2. Firewall permit policy
access-list Inside-rip extended permit udp host 12.1.1.1 eq rip host 224.0.0.9 eq rip
access-list Outside-rip extended permit udp host 12.1.1.2 eq rip host 224.0.0.9 eq rip
access-group Inside-rip in interface inside
access-group Outside-rip in interface outside
3. R1 learns R2's routes through RIP normally
R1#show ip route rip | begin Gate
Gateway of last resort is not set
2.0.0.0/24 is subnetted, 1 subnets
R 2.2.2.0 [120/1] via 12.1.1.2, 00:00:03, FastEthernet0/0
R1#
4. R2 learns R1's routes through RIP normally
R2#show ip route rip | begin Gate
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
R 1.1.1.0 [120/1] via 12.1.1.1, 00:00:20, FastEthernet0/0
R2#
5. The firewall ACLs also show the matching hits
ASAv# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list Inside-rip; 1 elements; name hash: 0xa0e6a5fa
access-list Inside-rip line 1 extended permit udp host 12.1.1.1 eq rip host 224.0.0.9 eq rip (hitcnt=1) 0x36c515c8
access-list Outside-rip; 1 elements; name hash: 0xe2aeb4be
access-list Outside-rip line 1 extended permit udp host 12.1.1.2 eq rip host 224.0.0.9 eq rip (hitcnt=1) 0x269e67f7
ASAv#
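The thread authenticates RIP with `ip rip authentication mode md5`, and the captures show updates to 224.0.0.9 on UDP 520. The following is an added example, not code from the post or from Cisco: it builds a RIPv2 Response with the RFC 2082 keyed-MD5 trailer and then parses and verifies one, rejecting unauthenticated, wrongly keyed or tampered updates the way a router with MD5 authentication configured would. The key id (1) and key-string (Cisc0123) mirror the thread's key chain; the sample packets are constructed in-process, and `parse_update` can equally be pointed at the UDP payload of a capture.

```python
"""RIPv2 (RFC 2453) update builder/parser with RFC 2082 keyed-MD5 authentication.
Added example for this thread, not Cisco code. Packets below are constructed inline."""
import hashlib
import hmac
import ipaddress
import struct

RIP_PORT = 520            # RIP always uses UDP 520 as both source and destination port
RIP_MCAST = "224.0.0.9"   # RIPv2 multicast group (what the thread's ACLs permit)
AFI_AUTH = 0xFFFF         # address family value that marks an authentication entry
AUTH_MD5 = 3              # RFC 2082 keyed-MD5 authentication type
AUTH_TRAILER = 1          # type of the trailing entry that carries the 16-byte digest
ROUTE_FMT = "!HH4s4s4sI"  # AFI, route tag, prefix, mask, next hop, metric (20 bytes)
AUTH_FMT = "!HHHBBI8s"    # AFI, type, packet length, key id, auth len, seq, reserved


def _padded_key(key: str) -> bytes:
    """RFC 2082: the shared key is zero-padded (or truncated) to 16 bytes before hashing."""
    return key.encode().ljust(16, b"\0")[:16]


def build_update(routes, key_id: int, key: str, seq: int = 1) -> bytes:
    """Build a RIPv2 Response (command 2) for routes = [(prefix, mask, metric), ...]."""
    header = struct.pack("!BBH", 2, 2, 0)                    # command=Response, version=2
    body = b"".join(
        struct.pack(ROUTE_FMT, 2, 0, ipaddress.ip_address(p).packed,
                    ipaddress.ip_address(m).packed, b"\0" * 4, metric)
        for p, m, metric in routes)
    pkt_len = 4 + 20 + len(body)                             # everything before the trailer
    auth_hdr = struct.pack(AUTH_FMT, AFI_AUTH, AUTH_MD5, pkt_len, key_id, 16, seq, b"\0" * 8)
    trailer = struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)
    unsigned = header + auth_hdr + body + trailer
    # The digest covers the packet with the padded key standing in for the 16-byte auth data.
    return unsigned + hashlib.md5(unsigned + _padded_key(key)).digest()


def parse_update(raw: bytes, key_id: int, key: str):
    """Verify the keyed-MD5 trailer, then return [(prefix/len, metric), ...].
    Raises ValueError for anything an MD5-authenticating receiver should discard."""
    if len(raw) < 24 or raw[1] != 2:
        raise ValueError("not a RIPv2 packet")
    afi, atype, pkt_len, kid, alen, _seq, _rsv = struct.unpack(AUTH_FMT, raw[4:24])
    if afi != AFI_AUTH or atype != AUTH_MD5:
        raise ValueError("update carries no MD5 authentication")
    if kid != key_id:
        raise ValueError(f"unknown key id {kid}")
    if alen != 16 or pkt_len + 20 != len(raw) or (pkt_len - 24) % 20:
        raise ValueError("inconsistent length fields")
    if struct.unpack("!HH", raw[pkt_len:pkt_len + 4]) != (AFI_AUTH, AUTH_TRAILER):
        raise ValueError("missing authentication trailer")
    expected = hashlib.md5(raw[:pkt_len + 4] + _padded_key(key)).digest()
    if not hmac.compare_digest(expected, raw[pkt_len + 4:]):
        raise ValueError("MD5 digest mismatch (wrong key or modified packet)")
    routes = []
    for off in range(24, pkt_len, 20):
        _afi, _tag, ip, mask, _nh, metric = struct.unpack(ROUTE_FMT, raw[off:off + 20])
        plen = bin(int.from_bytes(mask, "big")).count("1")
        routes.append((str(ipaddress.ip_network((ip, plen), strict=False)), metric))
    return routes


def demo():
    """R1's update from the thread (1.1.1.0/24, metric 1) plus three rejected variants."""
    route = [("1.1.1.0", "255.255.255.0", 1)]
    update = build_update(route, key_id=1, key="Cisc0123")
    metric_off = 4 + 20 + 16            # last byte of the metric in the first route entry
    tampered = update[:metric_off + 3] + b"\x09" + update[metric_off + 4:]
    no_auth = struct.pack("!BBH", 2, 2, 0) + update[24:44]   # header + route, no auth entries
    results = {"good": parse_update(update, 1, "Cisc0123")}
    for name, pkt, k in [("wrong_key", update, "Cisc0124"),
                         ("tampered_metric", tampered, "Cisc0123"),
                         ("no_auth", no_auth, "Cisc0123")]:
        try:
            parse_update(pkt, 1, k)
            results[name] = "accepted"
        except ValueError as e:
            results[name] = f"rejected: {e}"
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

Note that keyed MD5 only proves the sender holds the key; RFC 2082 adds the sequence number so a receiver can drop replayed updates, and a real receiver should track the last sequence seen per neighbour, which this example leaves to the caller.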
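To make the two findings of the thread (unicast RIP crossing from outside to inside without an ACL; multicast RIP needing a permit on both interfaces) easier to reason about, here is an added toy model of the ASA's forwarding decision. It is not Cisco code and not from the post; it models only security levels, the stateful connection table and `access-group`-bound extended ACLs, ignores timeouts, inspection and NAT, and its explanation of the unicast result (R2's update matching the connection R1's update created) is an assumption to confirm with `show conn` on a real ASA. Interface names and addresses are the thread's.

```python
"""Toy model of ASA transparent-mode forwarding decisions. Added example, not Cisco code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

OTHER = {"inside": "outside", "outside": "inside"}   # the two bridge-group members


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrives on
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One 'access-list X extended permit <proto> host <src> [eq p] host <dst> [eq p]' line."""
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self.sport in (None, p.sport) and self.dport in (None, p.dport))


class Asa:
    def __init__(self, levels):
        self.levels = levels   # e.g. {"inside": 100, "outside": 0}
        self.acls = {}         # interface -> list[Ace], bound with access_group()
        self.conns = set()     # (src, sport, dst, dport, proto) of permitted unicast flows

    def access_group(self, iface: str, aces):
        self.acls[iface] = list(aces)

    def forward(self, p: Packet) -> str:
        multicast = ipaddress.ip_address(p.dst).is_multicast
        # 1. Return traffic of an already-permitted flow is matched by the connection
        #    table before any ACL or security-level check. Multicast never gets a
        #    connection entry, so it has no "return" direction to ride on.
        if not multicast and (p.dst, p.dport, p.src, p.sport, p.proto) in self.conns:
            return "permit (existing connection)"
        # 2. An ACL bound to the ingress interface replaces the implicit policy.
        if p.ingress in self.acls:
            if any(a.matches(p) for a in self.acls[p.ingress]):
                verdict = "permit (acl)"
            else:
                return "deny (acl, implicit deny)"
        # 3. No ACL bound: unicast from a higher to a lower security level is permitted
        #    implicitly; everything else, multicast included, is dropped.
        elif not multicast and self.levels[p.ingress] > self.levels[OTHER[p.ingress]]:
            verdict = "permit (higher to lower security level)"
        else:
            return "deny (no matching policy)"
        if not multicast:
            self.conns.add((p.src, p.sport, p.dst, p.dport, p.proto))
        return verdict


def rip_packet(ingress: str, src: str, dst: str) -> Packet:
    return Packet(ingress, "udp", src, 520, dst, 520)   # RIP: UDP 520 -> 520


def scenario_unicast(r1_first: bool):
    """R1 (inside, 12.1.1.1) and R2 (outside, 12.1.1.2) send unicast updates; no ACLs."""
    asa = Asa({"inside": 100, "outside": 0})
    r1 = rip_packet("inside", "12.1.1.1", "12.1.1.2")
    r2 = rip_packet("outside", "12.1.1.2", "12.1.1.1")
    verdicts = {p.src: asa.forward(p) for p in ([r1, r2] if r1_first else [r2, r1])}
    # The thread's control test: R2's syslog to R1 has no matching connection.
    verdicts["syslog"] = asa.forward(Packet("outside", "udp", "12.1.1.2", 49152, "12.1.1.1", 514))
    return verdicts


def scenario_multicast(with_acl: bool):
    """Both routers send to 224.0.0.9, with or without the thread's two ACLs."""
    asa = Asa({"inside": 100, "outside": 0})
    if with_acl:
        asa.access_group("inside", [Ace("udp", "12.1.1.1", "224.0.0.9", 520, 520)])
        asa.access_group("outside", [Ace("udp", "12.1.1.2", "224.0.0.9", 520, 520)])
    return {"R1": asa.forward(rip_packet("inside", "12.1.1.1", "224.0.0.9")),
            "R2": asa.forward(rip_packet("outside", "12.1.1.2", "224.0.0.9"))}


if __name__ == "__main__":
    print("unicast, R1 first:", scenario_unicast(True))
    print("unicast, R2 first:", scenario_unicast(False))
    print("multicast, no ACL:", scenario_multicast(False))
    print("multicast, ACLs  :", scenario_multicast(True))
```

The order of events matters in this model: if R2's update arrives before R1 has ever sent one, nothing in the connection table matches and it is dropped. With RIP's 30-second update interval being shorter than the ASA's default UDP idle timeout of two minutes, the entry created by R1 would be refreshed before it expires, which is consistent with the thread never seeing the reverse direction fail.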
Comments
one-time (Level 13)
Thanks for sharing~
likuo (Spotlight)
Very detailed material.