2008-03-15 | PIX/ASA 7.2.1 lab question

Tags: PIX, ASA 7.2.1 lab question

Simulation environment: dynamips 0.2.8 + Pemu

PIX/ASA software version: 7.02.1

Network topology diagram:

PIX configuration:

pixfirewall# sh run
: Saved
:
PIX Version 7.2(1)
!
hostname pixfirewall
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0

!
interface Ethernet1
 nameif outside
 security-level 0
 ip address 172.16.8.1 255.255.255.0

!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 10.0.0.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list outside_acl extended permit icmp any any
pager lines 24
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp permit any dmz
no asdm history enable
arp timeout 14400
access-group outside_acl in interface outside
route inside 10.244.8.0 255.255.255.0 192.168.2.2 1
route outside 172.16.9.10 255.255.255.255 172.16.8.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
prompt hostname context
Cryptochecksum:772b0a92efddbc3263b5c3109c27f9f9
: end

LAN router configuration:

LAN#sh run
Building configuration...

Current configuration:
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname LAN
!
memory-size iomem 15
ip subnet-zero
!
interface FastEthernet0/0
 ip address 192.168.2.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.244.8.115 255.255.255.0
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.2.1
no ip http server
!
line con 0
 transport input none
line aux 0
line vty 0 4
!
no scheduler allocate
end

WAN router configuration:

WAN#sh run
Building configuration...

Current configuration:
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname WAN
!
memory-size iomem 15
ip subnet-zero
!
interface Loopback0
 ip address 172.16.9.10 255.255.255.0  # create a loopback interface to simulate a PC
!
interface FastEthernet0/0
 ip address 172.16.8.10 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.8.1
no ip http server
!
line con 0
 transport input none
line aux 0
line vty 0 4
!
no scheduler allocate
end

Connected to the LAN router's F0/1 is my real PC's NIC, configured with IP 10.244.8.114/24. The following static routes were added on the real PC:

route add 192.168.2.0 mask 255.255.255.0 10.244.8.115 -p
route add 172.16.8.0 mask 255.255.255.0 10.244.8.115 -p
route add 172.16.9.0 mask 255.255.255.0 10.244.8.115 -p

Observation: the real PC can now ping the WAN router's F0/0 (IP 172.16.8.10) and Loopback0 (IP 172.16.9.10); at the same time, from the WAN router it is also possible to ping the LAN router's F0/1 (IP 10.244.8.115) and the real PC's NIC (IP 10.244.8.114). See screenshots:

So the PIX has effectively become a router!!! Without configuring any nat/global or static, two-way communication between the higher-security interface zone (inside) and the lower-security interface zone (outside) already works. I don't get it! Is this an emulator bug?

Comments (3) | Category: Cisco | Posted at 16:29