ASA基于用户的MPF 、高级访问控制和地址转换_05

2024-12-31 技术教程

基于用户的MPF

usernameuser1passwordciscousernameuser2passwordcisco!!创建两个账号给用户认证用object-groupusergroup1！！创建一个对象组userLocal\user1！！匹配本地数据的用户，也可以是ACS。object-groupusergroup2userLocal\user2access-list100extendedpermittcpanyanyeq80！！匹配流量aaaauthenticationmatch100insideLOCAL！！只要是这些流量都做认证，认证数据库为本地access-listfilter-shrunpermittcpobject-group-usergroup1anyanyeqwww!!匹配流量，并且是用户1的。access-listfilter-whopermittcpobject-group-usergroup2anyanyeqwwwregexwho"who"！！配置正则表达式，有”who”关键字的regexshrun"sh/run"class-mapclass1matchaccess-listfilter-shrun!!匹配流量class-mapclass2matchaccess-listfilter-whopolicy-maptypeinspecthttppolicy-map1!!注意，这是5-7层parametersmatchrequesturiregexshrun！！当这个流量中，有正则表达式里的关键字时drop-connectionlog！！丢弃并且做logpolicy-maptypeinspecthttppolicy-map2parametersmatchrequesturiregexwhoresetpolicy-mapglobal_policyclassclass1inspecthttppolicy-map1!!深度过滤classclass2inspecthttppolicy-map2

Botnet Traffic Filter

ASDM自行添加即可

NAT

Object NAT:只能转换源或目的IP

Twice NAT:在满足策略下转换源和目IP

静态（常用于指定服务器对外端口转换），PAT（动态地址加端口转换），identity NAT（旁路部分地址）

一个网段转换一个地址范围

配置动态NATobjectnetworkinnetsubnet192.168.17.0255.255.255.0objectnetworkoutnetrange192.168.16.60192.168.16.70objectnetworkinnetnat(inside,outside)dynamicoutnet查看ASA(config)#showxlate1inuse,1mostusedFlags:D-DNS,e-extended,I-identity,i-dynamic,r-portmap,s-static,T-twice,N-net-to-netNATfrominside:192.168.17.100tooutside:192.168.16.65flagsiidle0:01:03timeout3:00:00ASA(config)#showrunning-confignat!objectnetworkinnetnat(inside,outside)dynamicoutnetASA(config)#showrunning-configobjectnetworkobjectnetworkinnetsubnet192.168.17.0255.255.255.0objectnetworkoutnetrange192.168.16.60192.168.16.70ASA(config)#showrunning-configtimeouttimeoutxlate3:00:00timeoutpat-xlate0:00:30..更改nat超时时间ASA(config)#timeoutxlate1:0:0清除转换表ASA(config)#clearxlate

静态nat

把动态的object中的网段范围换成host再改静态就可以了

一个范围转换一个地址不同端口

PAT!objectnetworkinnetnat(inside,DMZ)dynamic192.168.12.110//直接指向一个地址即可ASA#showxlate1inuse,2mostusedFlags:D-DNS,e-extended,I-identity,i-dynamic,r-portmap,s-static,T-twice,N-net-to-netTCPPATfrominside:192.168.17.100/49526toDMZ:192.168.12.110/49526flagsriidle0:01:15timeout0:00:30

先动态转换，地址池用尽再切换PAT

objectnetworkoutpoolrange192.168.16.119192.168.16.120objectnetworkinnetsubnet7.7.7.0255.255.255.0!objectnetworkinnetnat(inside,outside)dynamicoutpoolinterface//若地址池用尽就用接口的ip做pat

ASA#showx4inuse,4mostusedFlags:D-DNS,e-extended,I-identity,i-dynamic,r-portmap,s-static,T-twice,N-net-to-netICMPPATfrominside:7.7.7.1/14toDMZ:192.168.12.139/14flagsriidle0:00:04timeout0:00:30NATfrominside:7.7.7.3toDMZ:192.168.12.119flagsiidle0:00:08timeout1:00:00NATfrominside:7.7.7.2toDMZ:192.168.12.120flagsiidle0:00:06timeout1:00:00ICMPPATfrominside:7.7.7.7/15toDMZ:192.168.12.139/15flagsriidle0:00:01timeout0:00:30

PAT地址池

nat(inside,DMZ)dynamicpat-pooldmzpoolround-robin动态转换到dmzpool里的地址的不同端口round-robin表示轮询地址池里的地址

ASA(config-network-object)#showx4inuse,4mostusedFlags:D-DNS,e-extended,I-identity,i-dynamic,r-portmap,s-static,T-twice,N-net-to-netICMPPATfrominside:7.7.7.1/22toDMZ:192.168.12.119/22flagsriidle0:00:03timeout0:00:30ICMPPATfrominside:7.7.7.3/20toDMZ:192.168.12.119/20flagsriidle0:00:07timeout0:00:30ICMPPATfrominside:7.7.7.2/21toDMZ:192.168.12.120/21flagsriidle0:00:05timeout0:00:30ICMPPATfrominside:7.7.7.7/23toDMZ:192.168.12.120/23flagsriidle0:00:01timeout0:00:30

静态PAT

objectnetworkDMZ_Web_Serverhost192.168.12.100nat(DMZ,outside)staticinterfaceservicetcpwwwwww//ftp2121等等//注：有这句，能访问192.168.16.139，但不能访问192.168.12.100没有这句，能访问192.168.12.100access-listout-dmzextendedpermittcpanyobjectDMZ_Web_Servereqwwwaccess-groupout-dmzininterfaceoutside

ASA(config-network-object)#showx1inuse,4mostusedFlags:D-DNS,e-extended,I-identity,i-dynamic,r-portmap,s-static,T-twice,N-net-to-netTCPPATfromDMZ:192.168.12.10080-80tooutside:192.168.16.13980-80flagssridle0:02:40timeout0:00:00

outside 口抓包：

dmz口抓包：

Static NAT DNS Rewrite

注：在ASA上必须激活DNS inspection

objectnetworkInside-Web-Serverhost10.1.1.101objectnetworkInside-Web-Servernat(Inside,Outside)static202.100.1.101dns

篡改dns解析的地址，内网访问www.cisco.com实际上是访问内网的一台web服务器

Dynamic Identity NAT

Dynamic Identity NAT转换本地地址到相同的地址，到低安全级别的接口。（只能高到低）

Outbound流量会在转换表中产生一个临时的转换槽位。

StaticIdentity NAT

同上，不过是永久表项

Twice Nat

只有源目符合的才会被匹配转换，

若只从object nat 中旁路一些数据包（由此可见，twice nat 默认优先 object nat），可以把转换前后设置一致，类似identity nat，当然也可以设置其他（如***配置）

objectnetworkdst-1host1.1.1.1objectnetworkdst-202host202.100.1.1objectnetworkpat-1host202.100.1.101objectnetworkpat-2host202.100.1.102objectnetworkInside-Networksubnet10.1.1.0255.255.255.0objectservicetelnet23servicetcpdestinationeqtelnetobjectservicetelnet3032servicetcpdestinationeq3032nat(Inside,Outside)sourcedynamicInside-Networkpat-1destinationstaticdst-1dst-1servicetelnet23telnet23nat(Inside,Outside)sourcedynamicInside-Networkpat-2destinationstaticdst-202dst-202servicetelnet3032telnet3032

Network Object NAT和Twice NAT的主要区别

object nat：nat是object的一个参数，实体为object，可以方便的被用于调用（如：ACL），只能改源或目

twice nat：object是nat的一个参数，可以添加自定义的object（或group），扩展性强，可以同时改源目

nat顺序

优先级一：

Twice NAT 敲入的顺序

Twice可以随意调整顺序
优先级二： Object NAT
静态转换优先于动态转换
如果类型相同，按照如下方式排序
1.地址范围
2.IP地址数字大小
4.Object名字排序

192.168.1.1/32(static)10.1.1.0/24(static)192.168.1.0/24(static)172.16.1.0/24(dynamic)(objectabc)172.16.1.0/24(dynamic)(objectdef)192.168.1.0/24(dynamic

优先级三： Twice NAT
after-auto

更改排序

默认twice nat优先object nat，当在twice nat加after-auto参数，就会放在object nat之后

nat(Inside,Outside)after-autosourcedynamicInside-Networkpat-1destinationstaticdst-1dst-1servicetelnet23telnet23

后敲的twice nat要排在前面，需要加 1

nat(Inside,Outside)1sourcedynamicInside-Networkpat-1destinationstaticdst-1dst-1servicetelnet23telnet23

声明：本站所有文章资源内容，如无特殊说明或标注，均为采集网络资源。如若本站内容侵犯了原著者的合法权益，可联系本站删除。