防火墙基本实验.doc

Uploaded by: cw6mk8   Document ID: 9577126   Uploaded: 2019-08-16   Format: DOC   Pages: 4   Size: 47KB
Basic Firewall Lab

一. Lab topology

三. Observations

1. ICMP from the outside to the inside is not allowed through.

r9 (inside, 192.168.1.2) pings R10 (outside, 10.1.1.2):

    r9(config)#do ping 10.1.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
    .
    Success rate is 0 percent (0/5)

PIX:

    ICMP echo request from inside:192.168.1.2 to outside:10.1.1.2 ID=5 seq=1 len=72
    ICMP echo request from inside:192.168.1.2 to outside:10.1.1.2 ID=5 seq=2 len=72
    ICMP echo request from inside:192.168.1.2 to outside:10.1.1.2 ID=5 seq=3 len=72
    ICMP echo request from inside:192.168.1.2 to outside:10.1.1.2 ID=5 seq=4 len=72

R10:

    *Mar 1 00:33:06.343: IP: tableid=0, s=192.168.1.2 (Ethernet0/0), d=10.1.1.2 (Ethernet0/0), routed via RIB
    *Mar 1 00:33:06.343: IP: s=192.168.1.2 (Ethernet0/0), d=10.1.1.2 (Ethernet0/0), len 100, rcvd 3

(R10 receives the PING packet from 192.168.1.2.)

    *Mar 1 00:33:06.343: ICMP: echo reply sent, src 10.1.1.2, dst 192.168.1.2
    *Mar 1 00:33:06.343: IP: tableid=0, s=10.1.1.2 (local), d=192.168.1.2 (Ethernet0/0), routed via FIB
    *Mar 1 00:33:06.347: IP: s=10.1.1.2 (local), d=192.168.1.2 (Ethernet0/0), len 100, sending

(R10 sends its reply.)

    *Mar 1 00:33:08.343: IP: tableid=0, s=192.168.1.2 (Ethernet0/0), d=10.1.1.2 (Ethernet0/0), routed via RIB
    *Mar 1 00:33:08.343: IP: s=192.168.1.2 (Ethernet0/0), d=10.1.1.2 (Ethernet0/0), len 100, rcvd 3
    *Mar 1 00:33:08.343: ICMP: echo reply sent, src 10.1.1.2, dst 192.168.1.2
    *Mar 1 00:33:08.343: IP: tableid=0, s=10.1.1.2 (local), d=192.168.1.2 (Ethernet0/0), routed via FIB
    *Mar 1 00:33:08.347: IP: s=10.1.1.2 (local), d=192.168.1.2 (Ethernet0/0), len 100, sending

R10 answers every request, but the FW does not let the PING reply packets back through to the inside.

2. PING from the outside network to the inside network is not allowed by the FW by default.

    r10(config)#do ping 192.168.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
    .
    Success rate is 0 percent (0/5)

Define the access list ICMP:

    access-list icmp permit icmp any any

Apply the list ICMP to the interface:

    access-group icmp in interface outside

After the list is applied (the FW now passes the reply packets):

    r9#ping 10.1.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
    !
    *Mar 1 01:22:35.155: IP: tableid=0, s=192.168.1.2 (local), d=10.1.1.2 (Ethernet0/0), routed via FIB
    *Mar 1 01:22:35.155: IP: s=192.168.1.2 (local), d=10.1.1.2 (Ethernet0/0), len 100, sending
    *Mar 1 01:22:35.243: IP: tableid=0, s=10.1.1.2 (Ethernet0/0), d=192.168.1.2 (Ethernet0/0), routed via RIB
    *Mar 1 01:22:35.243: IP: s=10.1.1.2 (Ethernet0/0), d=192.168.1.2 (Ethernet0/0), len 100, rcvd 3
    *Mar 1 01:22:35.247: IP: tableid=0, s=192.168.1.2 (local), d=10.1.1.2 (Ethernet0/0), routed via FIB
    *Mar 1 01:22:35.247: IP: s=192.168.1.2 (local), d=10.1.1.2 (Ethernet0/0), len 100, sending
    *Mar 1 01:22:35.411: IP: tableid=0, s=10.1.1.2 (Ethernet0/0), d=192.168.1.2 (Ethernet0/0), routed via RIB
    *Mar 1 01:22:35.411: IP: s=10.1.1.2 (Ethernet0/0), d=192.168.1.2 (Ethernet0/0), len 100, rcvd 3
    *Mar 1 01:22:35.415: IP: tableid=0, s=192.168.1.2 (local), d=10.1.1.2 (Ethernet0/0), routed via FIB
    *Mar 1 01:22:35.415: IP: s=192.168.1.2 (local), d=10.1.1.2 (Ethernet0/0), len 100, sending
    !
    Success rate is 100 percent (5/5), round-trip min/avg/max = 88/151/168 ms

However, the outside network can now also PING the inside network, which is a security hazard: the access list opens all ICMP inbound, not just the replies.

Solution: enable deep (stateful) inspection of ICMP instead:

    policy-map global_policy
    PIX(config-pmap)# class inspection_default
    PIX(config-pmap-c)# inspect icmp

With inspection enabled, an inside ping creates a connection entry that the reply is matched against:

    PIX(config)# show conn
    1 in use, 6 most used
    ICMP out 172.16.1.2:0 in 192.168.1.2:14 idle 0:00:00 bytes 72

Observations:

Inside PING outside:

    ping 172.16.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
    !
    *Mar 1 00:26:28.599: ICMP: echo reply rcvd, src 172.16.1.2, dst 192.168.1.2
    Success rate is 100 percent (5/5), round-trip min/avg/max = 92/153/172 ms

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
    !
    Success rate is 100 percent (5/5), round-trip min/avg/max = 84/149/168 ms

Outside PING inside:

    R10#ping 192.168.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
    .
    Success rate is 0 percent (0/5)

By default the FW allows TELNET from the inside to the outside:

    r9(config)#do telnet 10.1.1.2
    Trying 10.1.1.2 . Open
    r10
    r10
    r10
    en
    r10
    enable
    Password:
    Password:
    Password:
    % Bad passwords
    r10
    enable
    Password:
    r10#conf t

By default the FW does not allow TELNET from the outside to the inside (traffic from a lower-security-level zone to a higher-security-level zone is denied by default):

    r10(config)#do telnet 192.168.1.2
    Trying 192.168.1.2 . % Connection timed out; remote host not responding
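To make the difference between the two fixes in section 三 concrete (opening ICMP inbound with the access list versus keeping ICMP state with inspect icmp), the following is an added teaching model written for this page; it is not PIX/ASA code. It assumes the default security levels of 100 for inside and 0 for outside, keys ICMP state on (outside host, inside host, ICMP ID) as a simplification of the real connection table, and goes one step beyond the lab by also testing a reply whose ID matches no request.

```python
# Added teaching model (not PIX/ASA code): how a stateful firewall treats ICMP echo
# traffic between a level-100 inside and a level-0 outside interface, with and without
# "inspect icmp". Hosts and the ICMP ID come from the lab debug output.
from dataclasses import dataclass, field

INSIDE, OUTSIDE = "inside", "outside"
SECURITY_LEVEL = {INSIDE: 100, OUTSIDE: 0}  # PIX defaults assumed for the two interfaces

@dataclass
class Icmp:
    ingress: str  # interface the packet arrives on
    src: str
    dst: str
    kind: str     # "echo-request" or "echo-reply"
    ident: int    # ICMP identifier (the ID=5 seen in the PIX debug)

@dataclass
class Firewall:
    inspect_icmp: bool = False     # models "inspect icmp" under global_policy
    permit_icmp_in: bool = False   # models "access-list icmp permit icmp any any" on outside
    conns: set = field(default_factory=set)  # (outside host, inside host, ident), as in "show conn"

    def forward(self, pkt: Icmp) -> bool:
        """Return True when the packet is passed, False when it is dropped."""
        egress = OUTSIDE if pkt.ingress == INSIDE else INSIDE
        key = ((pkt.src, pkt.dst, pkt.ident) if pkt.ingress == OUTSIDE
               else (pkt.dst, pkt.src, pkt.ident))
        # With inspection, a reply matching a request seen earlier is let back in and
        # consumes the entry; without inspection there is no ICMP state to match.
        if self.inspect_icmp and pkt.kind == "echo-reply" and key in self.conns:
            self.conns.discard(key)
            return True
        # Higher to lower security level passes by default; inspection records the request.
        if SECURITY_LEVEL[pkt.ingress] > SECURITY_LEVEL[egress]:
            if self.inspect_icmp and pkt.kind == "echo-request":
                self.conns.add(key)
            return True
        # Lower to higher is denied unless the outside access-group opens it wholesale.
        return self.permit_icmp_in

def run_lab(inspect_icmp: bool, permit_icmp_in: bool) -> dict:
    """Replay the lab: inside ping, its reply, a reply with a foreign ID, an outside ping."""
    fw = Firewall(inspect_icmp, permit_icmp_in)
    return {
        "inside_request": fw.forward(Icmp(INSIDE, "192.168.1.2", "10.1.1.2", "echo-request", 5)),
        "reply_returns": fw.forward(Icmp(OUTSIDE, "10.1.1.2", "192.168.1.2", "echo-reply", 5)),
        "stray_reply": fw.forward(Icmp(OUTSIDE, "10.1.1.2", "192.168.1.2", "echo-reply", 7)),
        "outside_request": fw.forward(Icmp(OUTSIDE, "10.1.1.2", "192.168.1.2", "echo-request", 9)),
    }
```

run_lab(False, False) reproduces sections 1 and 2 (request leaves, reply is dropped), run_lab(False, True) reproduces the access-list state where every ICMP packet from outside is accepted, and run_lab(True, False) reproduces the inspect icmp state where only the matching reply returns.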
