CML Lab
Topology

Requirements
- Build the topology with only the basic configuration
- Do not apply any separate ACL policy on the ASA
- With MPF configured, pings from Inside and DMZ to Outside will succeed, but pings from Outside to Inside and DMZ will fail
- For that traffic to succeed, a policy must be created with an ACL
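Added example (not part of the lab notes): a small Python model of how the ASA decides whether to admit a new flow, using only the two mechanisms the requirements above rely on, interface security levels and an access-group applied on the ingress (in) or egress (out) interface. It reproduces the expected result (Inside/DMZ to Outside permitted, Outside to Inside/DMZ denied) and then shows what the ACL in the last requirement changes. Interface names (inside/dmz/outside), their security levels (100/50/0), the host addresses and both ACLs are assumptions constructed for the example; NAT, MPF inspection and stateful return traffic are deliberately not modelled.

```python
"""Model of the ASA's admission decision for a NEW connection (added example,
not the lab's own code).  Only interface security levels and access-groups are
modelled; NAT, MPF inspection and stateful return traffic are out of scope.
Interface names, security levels, addresses and ACLs are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Flow:
    proto: str                   # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None  # destination port for tcp/udp


@dataclass
class Ace:
    """One 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]' entry."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]

    def matches(self, f: Flow) -> bool:
        proto_ok = self.proto == "ip" or self.proto == f.proto
        return (proto_ok
                and ipaddress.ip_address(f.src) in self.src
                and ipaddress.ip_address(f.dst) in self.dst
                and (self.dport is None or self.dport == f.dport))


def _take_addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'NET MASK' and return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]   # dotted mask accepted


def parse_ace(line: str):
    tok = line.split()          # access-list NAME extended ACTION PROTO SRC DST [eq PORT]
    name, action, proto = tok[1], tok[3], tok[4]
    src, rest = _take_addr(tok[5:])
    dst, rest = _take_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return name, Ace(action, proto, src, dst, dport)


@dataclass
class Asa:
    levels: dict                                  # nameif -> security-level
    same_security: bool = False                   # same-security-traffic permit inter-interface
    acls: dict = field(default_factory=dict)      # ACL name -> [Ace, ...]
    groups: dict = field(default_factory=dict)    # (nameif, "in"|"out") -> ACL name

    def load(self, config: str) -> None:
        for raw in config.splitlines():
            line = raw.strip()
            if line.startswith("access-list "):
                name, ace = parse_ace(line)
                self.acls.setdefault(name, []).append(ace)
            elif line.startswith("access-group "):
                _, name, direction, _, nameif = line.split()
                self.groups[(nameif, direction)] = name
            elif line == "same-security-traffic permit inter-interface":
                self.same_security = True

    def _acl_verdict(self, nameif: str, direction: str, flow: Flow):
        name = self.groups.get((nameif, direction))
        if name is None:
            return None                           # no ACL here: security levels decide
        for ace in self.acls.get(name, []):
            if ace.matches(flow):
                return ace.action == "permit"
        return False                              # implicit deny at the end of every ACL

    def admits(self, ingress: str, egress: str, flow: Flow) -> bool:
        verdict = self._acl_verdict(ingress, "in", flow)
        if verdict is None:                       # default: higher -> lower only
            src_lvl, dst_lvl = self.levels[ingress], self.levels[egress]
            verdict = src_lvl > dst_lvl or (src_lvl == dst_lvl and self.same_security)
        if not verdict:
            return False
        out = self._acl_verdict(egress, "out", flow)
        return True if out is None else out


# Constructed lab: inside 100 / dmz 50 / outside 0, addresses from private and RFC 5737 space.
LEVELS = {"inside": 100, "dmz": 50, "outside": 0}
INSIDE_HOST, DMZ_HOST, OUTSIDE_HOST = "10.0.0.10", "172.16.0.10", "203.0.113.20"


def ping_matrix(extra_config: str = "") -> dict:
    """Which ICMP flows the ASA admits with no ACL, or with extra_config loaded."""
    asa = Asa(LEVELS)
    asa.load(extra_config)
    return {
        "inside->outside": asa.admits("inside", "outside", Flow("icmp", INSIDE_HOST, OUTSIDE_HOST)),
        "dmz->outside":    asa.admits("dmz", "outside", Flow("icmp", DMZ_HOST, OUTSIDE_HOST)),
        "outside->inside": asa.admits("outside", "inside", Flow("icmp", OUTSIDE_HOST, INSIDE_HOST)),
        "outside->dmz":    asa.admits("outside", "dmz", Flow("icmp", OUTSIDE_HOST, DMZ_HOST)),
    }


# The ACL the last requirement asks for (constructed): let ICMP from outside reach the DMZ only.
OUTSIDE_IN = """
access-list outside_in extended permit icmp any 172.16.0.0 255.255.255.0
access-group outside_in in interface outside
"""

# Caveat: an ACL on the inside interface replaces the "higher -> lower is permitted" default
# with that ACL's implicit deny, so an http-only ACL silently breaks ping from inside.
INSIDE_IN = """
access-list inside_in extended permit tcp 10.0.0.0 255.255.255.0 any eq 80
access-group inside_in in interface inside
"""

if __name__ == "__main__":
    for label, cfg in (("no ACL", ""), ("outside_in", OUTSIDE_IN), ("inside_in", INSIDE_IN)):
        print(label, ping_matrix(cfg))
```

With no ACL the matrix matches the requirement exactly; loading OUTSIDE_IN opens only Outside to DMZ, and loading INSIDE_IN shows the practitioner's caveat: the moment an access-group is applied to an interface, the security-level default for that interface is gone and everything the ACL does not permit is dropped.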
Configuration
- Assign IP addresses according to the topology
- Route with RIP
- If the ASA shows only two interfaces when it is first placed in CML, fully stop the device and wipe its configuration; then, with the device powered off, additional GigabitEthernet ports can be created with Add Interface
- The management port is not used for data traffic, for the reasons shown below
Results

- Ping Server 0 to Client 2 (DMZ to Outside)

- Ping Client 1 to Server 0 (Inside to Outside)
Device Lab
Topology & Requirements

Config
- <ASA Device Lab (2) Configuration>
- ASA Config
ASA1
: Saved
:
: Serial Number: FCH2050J6RD
: Hardware: ASA5512, 4096 MB RAM, CPU Clarkdale 2792 MHz, 1 CPU (2 cores)
:
ASA Version 9.8(4)
!
hostname ASA1
enable password $sha512$5000$WHC7aA56nALRf2m4KStb7w==$GoEwYc6cOf52a+kAZzjeew== pbkdf2
names
no mac-address auto
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 203.230.40.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif DMZ1
security-level 50
ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif DMZ2
security-level 50
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
object network outside_DMZ1
subnet 192.168.0.0 255.255.255.0
object network outside_DMZ2
subnet 192.168.10.0 255.255.255.0
access-list inside_to_DMZ1 extended permit tcp 192.168.30.0 255.255.255.0 192.168.0.0 255.255.255.0 eq www
access-list DMZ2_to_outside_DMZ extended permit tcp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 eq www
pager lines 24
mtu outside 1500
mtu DMZ1 1500
mtu DMZ2 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
!
object network outside_DMZ1
nat (DMZ1,outside) dynamic interface
object network outside_DMZ2
nat (DMZ2,outside) dynamic interface
access-group inside_to_DMZ1 in interface outside
access-group DMZ2_to_outside_DMZ out interface outside
router rip
network 203.230.40.0
version 2
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.0.2-192.168.0.254 DMZ1
dhcpd option 3 ip 192.168.0.1 interface DMZ1
dhcpd enable DMZ1
!
dhcpd address 192.168.10.2-192.168.10.254 DMZ2
dhcpd option 3 ip 192.168.10.1 interface DMZ2
dhcpd enable DMZ2
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspect_basic
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map basic_global
class inspect_basic
inspect http
!
service-policy basic_global global
prompt hostname context
call-home reporting anonymous prompt 2
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:527bb284ae0d21066091dbb5f4158673
: end
- R1 Config
R1
Building configuration...
Current configuration : 4371 bytes
!
! Last configuration change at 11:09:49 UTC Thu Aug 8 2024
! NVRAM config last updated at 09:25:58 UTC Thu Aug 8 2024
! NVRAM config last updated at 09:25:58 UTC Thu Aug 8 2024
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
ip domain name skills.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint CA
enrollment url http://203.230.0.2:80
serial-number
revocation-check crl
!
!
crypto pki certificate chain CA
certificate 03
30820204 3082016D A0030201 02020103 300D0609 2A864886 F70D0101 05050030
0D310B30 09060355 04031302 4341301E 170D3234 30383038 30373531 31355A17
0D323530 38303830 37353131 355A3032 31303012 06035504 05130B46 54583131
32354630 3733301A 06092A86 4886F70D 01090216 0D52312E 736B696C 6C732E63
6F6D3081 9F300D06 092A8648 86F70D01 01010500 03818D00 30818902 818100B5
F2BC392F AB60AE2C 0633CE84 492C203A 92B9676E 4E5C265C 61D001A1 9F2DD8D4
5DAAF7B7 201D687F 3EEBB865 D1284129 2DAE698A D3788CF3 6C964339 1EF1A1AD
CAAFC681 23CE8BC5 E99B32E9 42ACDB17 877B0ED4 CBED2106 C66D6A9A 56786269
833618ED 9AF3A9F9 E36DBC01 ACD0A490 12B549E1 D27C68B3 5AF6C8F9 97852102
03010001 A34F304D 300B0603 551D0F04 04030205 A0301F06 03551D23 04183016
80145FFC D76D8F05 08030638 31BD4411 95CF2D20 AEC8301D 0603551D 0E041604
142FB2D9 FEE0D942 0AA7AC93 912D1888 2F943276 BA300D06 092A8648 86F70D01
01050500 03818100 10901799 13370043 E7D73F04 EA9CE176 0D4E95D4 F4D2D8EF
DE55762D 2A246970 01716065 A5AA797E 3E5F88C7 9B3C002E 7C49D010 18B2513F
9107FC9D 6F3583BE 799698B1 4E32625F BDB55A4D 7CF8EE27 F4C0AA70 9167F000
3FB243B3 4408A382 E439CACB 5CEAAC38 457522D9 BBB4C262 87DCD07A 1943BE40
75D0CDD8 01017209
quit
certificate ca 01
308201F3 3082015C A0030201 02020101 300D0609 2A864886 F70D0101 04050030
0D310B30 09060355 04031302 4341301E 170D3234 30383038 30373230 34395A17
0D323730 38303830 37323034 395A300D 310B3009 06035504 03130243 4130819F
300D0609 2A864886 F70D0101 01050003 818D0030 81890281 81008AB2 586C03DD
CFB84ED5 7613765A 1B73C5C5 148DBE4E 51496C0B 4DECF6A0 698D9341 6C729374
E23CBC06 58DEC64B 2E6D41C4 7BCDC9CC E9196C55 B0AE6165 247C572F 0D147D2C
F5DD644E 8DB94F52 68845C91 63C9CC93 AC7ADA46 26AA195C C050BF66 0517F6D3
129163FF DCB95C2B 2C70DAEC 21AB6720 16E559E0 3E5E3BAB 54090203 010001A3
63306130 0F060355 1D130101 FF040530 030101FF 300E0603 551D0F01 01FF0404
03020186 301F0603 551D2304 18301680 145FFCD7 6D8F0508 03063831 BD441195
CF2D20AE C8301D06 03551D0E 04160414 5FFCD76D 8F050803 063831BD 441195CF
2D20AEC8 300D0609 2A864886 F70D0101 04050003 8181007F 6FFC230A F4EA562F
E65C4B14 D9F255DE 80AEACE0 9896AC6D 5CEDE011 3A6BA166 41B6C6F3 E772BF72
F8EB5F41 4B14FBB1 5FC56F6B 3D20EBC0 8A5D4459 749BBD2D B4F6A0A4 1D331BED
3BDF2384 26494D5D 7B5B20EC 844F0DB4 78E3579E B6643530 2059AFF4 4F807083
D8174B2D F4B59502 7D86BB19 A9C7B6CE 96DF98F4 CF1F4C
quit
!
!
license udi pid CISCO2821 sn FTX1125F073
!
redundancy
!
!
!
!
crypto isakmp policy 1
encr 3des
group 2
!
!
crypto ipsec transform-set trset esp-3des esp-sha-hmac
!
crypto map crmap 1 ipsec-isakmp
set peer 203.230.10.1
set transform-set trset
match address 100
!
!
!
!
!
!
interface Loopback0
ip address 2.2.1.1 255.255.255.0
!
interface Tunnel0
ip address 100.100.0.1 255.255.255.0
tunnel source Serial0/0/0
tunnel destination 203.230.10.1
!
interface GigabitEthernet0/0
ip address 203.230.40.2 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
ip address 203.230.0.1 255.255.255.0
no fair-queue
crypto map crmap
!
interface Serial0/0/1
ip address 203.230.20.1 255.255.255.0
!
router rip
version 2
network 203.230.0.0
network 203.230.20.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
access-list 100 permit gre host 203.230.0.1 host 203.230.10.1
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
ntp server 203.230.0.2
end
- R4 Config
R4
Building configuration...
Current configuration : 1291 bytes
!
! Last configuration change at 12:05:54 UTC Mon Jan 2 2006
! NVRAM config last updated at 12:06:33 UTC Mon Jan 2 2006
! NVRAM config last updated at 12:06:33 UTC Mon Jan 2 2006
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2821 sn FTX1131A07S
!
redundancy
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
ip address 203.230.20.2 255.255.255.0
clock rate 2000000
!
interface Serial0/0/1
ip address 203.230.30.2 255.255.255.0
clock rate 2000000
!
router rip
version 2
network 203.230.20.0
network 203.230.30.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
end