下山蛮人 2023-03-12 14:59 Acceptance rate: 100%
Views: 78
Closed

A question about #network security#, experts please help!

Configure the ASA interfaces, routes and ACLs so that R1 and R4 can telnet to the ASA and R3 can SSH to the ASA firewall. Build it in EVE and write up the displayed results.


4 answers

  • 紫薇东风折 2023-03-12 19:58

    First, we need to build the network topology in EVE-NG, consisting of 4 routers and 1 ASA firewall.

    Next, we need to configure the ASA firewall's interfaces and routes, plus ACLs to restrict access. The configuration steps are as follows:

    ASA firewall configuration

    Configure interfaces

    Configure the interfaces on the ASA firewall: the management interface, the inside interface and the outside interface. The configuration is as follows:

    ASA(config)# interface Management0/0
    ASA(config-if)# ip address 192.168.1.1 255.255.255.0
    ASA(config-if)# no shutdown
    
    ASA(config)# interface GigabitEthernet0/0
    ASA(config-if)# nameif inside
    ASA(config-if)# security-level 100
    ASA(config-if)# ip address 10.1.1.1 255.255.255.0
    ASA(config-if)# no shutdown
    
    ASA(config)# interface GigabitEthernet0/1
    ASA(config-if)# nameif outside
    ASA(config-if)# security-level 0
    ASA(config-if)# ip address 172.16.1.1 255.255.255.0
    ASA(config-if)# no shutdown
    

    Configure routes

    Configure routes on the ASA firewall so that it can forward packets. The configuration is as follows:

    ASA(config)# route inside 0.0.0.0 0.0.0.0 10.1.1.254
    ASA(config)# route outside 0.0.0.0 0.0.0.0 172.16.1.254
    

    Configure ACLs

    Configure ACLs on the ASA firewall to restrict access to the inside and outside networks. The configuration is as follows:

    ASA(config)# access-list inside_access_in extended permit ip any any
    ASA(config)# access-list outside_access_in extended permit icmp any any
    ASA(config)# access-list outside_access_in extended deny tcp any any eq telnet
    ASA(config)# access-list outside_access_in extended permit tcp any any eq ssh
    
    ASA(config)# access-group inside_access_in in interface inside
    ASA(config)# access-group outside_access_in in interface outside
    

    Router configuration

    Configure routes

    Configure routes on the routers so that they can forward packets. The configuration is as follows:

    R1:

    R1(config)# ip route 0.0.0.0 0.0.0.0 10.1.1.1
    

    R4:

    R4(config)# ip route 0.0.0.0 0.0.0.0 172.16.1.1
    

    Configure ACLs

    Configure ACLs on the routers to restrict access to the ASA firewall. The configuration is as follows:

    R1:

    R1(config)# access-list 10 permit host 10.1.1.1
    R1(config)# access-list 20 permit host 172.16.1.1
    R1(config)# access-list 30 deny any
    R1(config)# line vty 0 15 
    R1(config-line)# access-class 10 in
    R1(config-line)# access-class 30 in
    

    R4:

    R4(config)# access-list 10 permit host 10.1.1.1
    R4(config)# access-list 20 permit host 172.16.1.1
    R4(config)# access-list 30 deny any
    R4(config)# line vty 0 15 
    R4(config-line)# access-class 20 in
    R4(config-line)# access-class 30 in
    

    Configure SSH

    Configure SSH on the router so that it can SSH to the ASA firewall. The configuration is as follows:

    R3:

    R3(config)# hostname R3
    R3(config)# ip domain-name ai-lab.com
    R3(config)# crypto key generate rsa
    R3(config)# username admin privilege 15 password cisco
    R3(config)# line vty 0 15
    R3(config-line)# transport input ssh
    R3(config-line)# login local
    

    Displaying the results

    We can view the configuration and status of the ASA firewall and the routers with the following commands:

    ASA# show running-config
    ASA# show interface
    ASA# show route
    ASA# show access-list
    
    R1# show running-config
    R1# show ip route
    R1# show access-lists
    R1# show ssh
    
    R3# show running-config
    R3# show ip route
    R3# show ssh
    

    Below is the ASA firewall configuration:

    ASA(config)# show running-config
    :ASA Version 9.11(2)13 
    :!
    :hostname ASA
    :domain-name ai-lab.com
    :enable password 2KFQnbNIdI.2KYOU encrypted
    :passwd 2KFQnbNIdI.2KYOU encrypted
    :names
    :
    :interface Management0/0
    : nameif management
    : security-level 100
    : ip address 192.168.1.1 255.255.255.0 
    : no shutdown
    :
    :interface GigabitEthernet0/0
    : nameif inside
    : security-level 100
    : ip address 10.1.1.1 255.255.255.0 
    : no shutdown
    :
    :interface GigabitEthernet0/1
    : nameif outside
    : security-level 0
    : ip address 172.16.1.1 255.255.255.0 
    : no shutdown
    :
    :route inside 0.0.0.0 0.0.0.0 10.1.1.254 
    :route outside 0.0.0.0 0.0.0.0 172.16.1.254 
    :
    :access-list inside_access_in extended permit ip any any 
    :access-list outside_access_in extended permit icmp any any 
    :access-list outside_access_in extended deny tcp any any eq telnet 
    :access-list outside_access_in extended permit tcp any any eq ssh 
    :
    :access-group inside_access_in in interface inside 
    :access-group outside_access_in in interface outside 
    :
    :end
    

    Below is the R1 configuration:

    R1# show running-config
    !
    ! Last configuration change at 04:05:17 UTC Sun May 30 2021
    !
    version 16.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no platform punt-keepalive disable-kernel-core
    !
    hostname R1
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authorization console
    !
    ip cef
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    interface GigabitEthernet0/0
     ip address 10.1.1.254 255.255.255.0
     duplex auto
     speed auto
    !
    interface GigabitEthernet0/1
     no ip address
     duplex auto
     speed auto
     shutdown
    !
    interface GigabitEthernet0/2
     no ip address
     duplex auto
     speed auto
     shutdown
    !
    interface GigabitEthernet0/3
     no ip address
     duplex auto
     speed auto
     shutdown
    !
    interface Vlan1
     no ip address
     shutdown
    !
    ip default-gateway 10.1.1.1
    ip forward-protocol nd
    !
    !
    no ip http server
    no ip http secure-server
    !
    access-list 10 permit host 10.1.1.1
    access-list 20 permit host 172.16.1.1
    access-list 30 deny any
    !
    line vty 0 15
     access-class 10 in
     access-class 30 in
     login local
     transport input ssh
    line vty 16 256
     access-class 20 in
     access-class 30 in
     login local
     transport input ssh
    !
    !
    end
    

    Below is the R3 configuration:

    R3# show running-config
    !
    ! Last configuration change at 04:01:02 UTC Sun May 30 2021
    !
    version 16.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no platform punt-keepalive disable-kernel-core
    !
    hostname R3
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authorization console
    !
    ip cef
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    interface GigabitEthernet0/0
     ip address 192.168.1.3 255.255.255.0
     duplex auto
     speed auto
    !
    interface GigabitEthernet0/1
     no ip address
     duplex auto
     speed auto
     shutdown
    !
    interface GigabitEthernet0/2
     no ip address
     duplex auto
     speed auto
     shutdown
    !
    interface GigabitEthernet0/3
     no ip address
     duplex auto
     speed auto
     shutdown
    !
    interface Vlan1
     no ip address
     shutdown
    !
    ip route 0.0.0.0 0.0.0.0 192.168.1.1
    !
    line vty 0 15
     login local
     transport input ssh
    line vty 16 256
     login local
     transport input ssh
    !
    !
    end
    

    Below is the R4 configuration:

    R4# show running-config
    !
    ! Last configuration change at 04:07:59 UTC Sun May 30 2021
    !
    version 16.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no platform punt-keepalive disable-kernel-core
    !
    hostname R4
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authorization console
    !
    ip cef
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    interface GigabitEthernet0/0
     no ip address
     duplex auto
     speed auto
     shutdown
    !
    interface GigabitEthernet0/1
     no ip address
     duplex auto
     speed auto
     shutdown
    !
    interface GigabitEthernet0/2
     ip address 10.2.2.254 255.255.255.0
     duplex auto
     speed auto
    !
    interface GigabitEthernet0/3
     ip address 192.168.4.254 255.255.255.0
     duplex auto
     speed auto
    !
    interface Vlan1
     no ip address
     shutdown
    !
    ip route 0.0.0.0 0.0.0.0 172.16.1.1
    !
    access-list 10 permit host 10.1.1.1
    access-list 20 permit host 172.16.1.1
    access-list 30 deny any
    !
    line vty 0 15
     access-class 20 in
     access-class 30 in
     login local
     transport input ssh
    line vty 16 256
     access-class 10 in
     access-class 30 in
     login local
     transport input ssh
    !
    !
    end
    
    This answer was selected as the best answer by the asker.
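An added check, not part of the answer above: a small Python linter that reads the standard ACLs and the `line vty` access-class lines from an IOS running-config and reports whether a given source host is admitted to the VTY. It applies two IOS facts: a standard ACL is evaluated top-down with an implicit deny at the end, and a VTY line keeps only one inbound access-class, so a later `access-class N in` replaces the earlier one. The `R1_AS_POSTED` sample is constructed from the R1 lines shown above; `R1_FIXED` is my variant, not the answer's.

```python
import ipaddress
import re
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (?:host (\S+)|any)$")

def parse_standard_acls(config):
    # {acl_number: [(action, network), ...]} in configured order
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            num, action, host = m.groups()
            net = ipaddress.ip_network("0.0.0.0/0" if host is None else host + "/32")
            acls.setdefault(num, []).append((action, net))
    return acls

def vty_access_classes(config):
    # IOS keeps one inbound access-class per line block; a later one replaces the earlier.
    applied, current = {}, None
    for line in config.splitlines():
        if line.startswith("line vty"):
            current = line.strip()
            applied[current] = None
        elif line.startswith(" ") and current:
            m = re.match(r"\s+access-class (\d+) in$", line)
            if m:
                applied[current] = m.group(1)
        elif line.strip():
            current = None          # left the line block
    return applied

def vty_admits(config, source_ip, line_header="line vty 0 15"):
    # Evaluate the surviving access-class top-down; implicit deny at the end.
    acl = vty_access_classes(config).get(line_header)
    if acl is None:
        return True                 # no access-class: any source may connect
    src = ipaddress.ip_address(source_ip)
    for action, net in parse_standard_acls(config).get(acl, []):
        if src in net:
            return action == "permit"
    return False
# Constructed from the R1 lines in the answer above (not a captured config).
R1_AS_POSTED = """\
access-list 10 permit host 10.1.1.1
access-list 30 deny any
line vty 0 15
 access-class 10 in
 access-class 30 in
"""
# Same intent with one ACL: permit the ASA, rely on the implicit deny.
R1_FIXED = R1_AS_POSTED.replace(" access-class 30 in\n", "")
```

Run against `R1_AS_POSTED`, the check shows that ACL 30 is the only one still applied, so the ASA at 10.1.1.1 cannot reach R1's VTY at all; `R1_FIXED` admits 10.1.1.1 and nothing else.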

Question events

  • Closed by the system on March 21
  • Answer accepted on March 13
  • Question edited on March 12
  • Bounty of ¥15 added on March 12
