ASA ICMP inspection and inside-network NAT translation

2023-04-21 Friday / 0 comments / 0 likes / 69 views / 6673 characters


Topology:

```
In(R1) ---- (inside) ASA 5520 (outside) ---- Out(R2)
```

ASA configuration:

```
ASA Version 8.4(2)
hostname ciscoasa
enable password rQETR98wpSI1Lpr9 encrypted
passwd rQETR98wpSI1Lpr9 encrypted
names
interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 192.168.1.4 255.255.255.0
!
interface GigabitEthernet1
 nameif dmz
 security-level 50
 no ip address
!
interface GigabitEthernet2
 nameif outside
 security-level 0
 ip address 10.254.1.1 255.255.255.0
!
ftp mode passive
object network test
 host 192.168.1.5
pager lines 24
logging enable
logging asdm informational
logging debug-trace
mtu inside 1500
mtu dmz 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network test
 nat (inside,outside) dynamic 10.254.1.10   ---- dynamic NAT
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
web***
 anyconnect-essentials
username netemu password QTbvAEdn30mERkZb encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
crashinfo save disable
Cryptochecksum:bfa7c38d2288de6d8cb12bd5c4be8eb6
: end
```

NAT translation hit counters:

```
ciscoasa# show nat detail      ---- address translations toward the Outside address range

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic test 10.254.1.10
    translate_hits = 126, untranslate_hits = 90
    Source - Origin: 192.168.1.5/32, Translated: 10.254.1.10/32
```

During the lab it turned out that the configuration under the inspection engine had been removed and had to be added back by hand. Add the following configuration:

```
policy-map global_policy
 class inspection_default
  inspect icmp
```

There are detailed explanations of this online!

Inside router configuration:

```
In#show running-config
Building configuration...

Current configuration : 959 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
ip domain name lab.local
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
interface FastEthernet0/0
 ip address 192.168.1.5 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.4
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
end
```

Outside router configuration:

```
Out#show runn
Building configuration...

Current configuration : 1006 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Out
no ip domain lookup
ip domain name lab.local
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3

username admin password 0 cisco
interface FastEthernet0/0
 ip address 10.254.1.5 255.255.255.0
 duplex auto
 speed auto
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.254.1.1   ----- default route, pointing toward the Inside-side network
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 password cisco
 login
end
```

We need to understand how the ASA defines inbound and outbound:

high security level ----> low security level : outbound
low security level ----> high security level : inbound

By default: outbound traffic is permitted (for the exception, see below); inbound traffic is denied.

That is, traffic in the high-to-low direction is permitted and its return traffic can come back, but traffic cannot go directly from low to high.

ACLs can deny or permit traffic in either direction.

Excerpted from the ASA 8.4 configuration guide, on how the inspection engine inspects traffic of certain specific protocols:

ACL rules for return traffic:

For TCP and UDP connections for both routed and transparent mode, you do not need an access rule to allow returning traffic because the ASA allows all returning traffic for established, bidirectional connections. For connectionless protocols such as ICMP, however, the ASA establishes unidirectional sessions, so you either need access rules to allow ICMP in both directions (by applying access lists to the source and destination interfaces), or you need to enable the ICMP inspection engine. The ICMP inspection engine treats ICMP sessions as bidirectional connections. To control ping, specify echo-reply (0) (ASA to host) or echo (8) (host to ASA).
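The two points the post makes (security levels decide inbound vs. outbound, and ICMP replies only come back without inbound ACLs when `inspect icmp` is in an applied policy) can be checked mechanically against a running-config. This is an added example, not code from the post or from Cisco; the config excerpt is constructed in the shape of the ASA 8.4(2) config above, and the function names are my own.

```python
# Constructed excerpt shaped like the ASA 8.4(2) running-config above (not the page's full config).
SAMPLE_CONFIG = """\
interface GigabitEthernet0
 nameif inside
 security-level 100
interface GigabitEthernet2
 nameif outside
 security-level 0
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
"""

def parse_security_levels(config: str) -> dict:
    # nameif precedes security-level inside each interface block in ASA output
    levels, name = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            name = None
        elif line.startswith("nameif "):
            name = line.split(None, 1)[1]
        elif line.startswith("security-level ") and name:
            levels[name] = int(line.split()[1])
    return levels

def flow_direction(levels: dict, src: str, dst: str) -> str:
    # ASA terms: high -> low is outbound (allowed by default), low -> high is inbound (denied by default)
    return "outbound" if levels[src] > levels[dst] else "inbound"

def global_policy_inspections(config: str) -> list:
    # 'inspect ...' lines under policy-map global_policy / class inspection_default only
    found, in_policy, in_class = [], False, False
    for line in map(str.strip, config.splitlines()):
        if line.startswith("policy-map "):
            in_policy, in_class = line == "policy-map global_policy", False
        elif in_policy and line.startswith("class "):
            in_class = line == "class inspection_default"
        elif in_policy and in_class and line.startswith("inspect "):
            found.append(line)
        elif line == "!":
            in_policy = in_class = False
    return found

def icmp_return_traffic_ok(config: str) -> bool:
    # echo replies return without inbound ACLs only if 'inspect icmp' sits in a policy that is applied globally
    applied = any(l.strip() == "service-policy global_policy global" for l in config.splitlines())
    return applied and "inspect icmp" in global_policy_inspections(config)
```

Running `icmp_return_traffic_ok` over a config from which `inspect icmp` has been dropped (the situation the post hit in the lab) returns False, which is the check to run before trusting a ping test.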

The explanation in Cisco's official documentation is really solid; it deserves a careful read!
