作业v4第六天答案

1、SEC-V4-FW第六天作业实验题一：透明墙注意:请把所有相关配置和测试过程粘贴到作业中一，拓扑各设备描述表一：表二：二，需求1，按照表一初始化单模路由模式的透明墙。2，按照表二初始化各路由器。3，在 ASA 上放行 ICMP 和net，进行 Outbound 和 Inbound 流量测试。4，在 B1.Out 和B1.In 路由器上运行 OSPF（进程 1，区域 0），使得 Loack 口互通。5，解决 Biidge-Group1 的 Outbound 方向的net 问题。6，手动配置 B2.Out 和 B2.In 路由器以太网接口的 MAC 地址分别为 0001.0001.0001 和00

2、02.0002.0002。在上启用 Arp-Inspection 功能并分别测试下 no-flood 和 flood特性。（注意每次测试前要在路由器上 clear arp）7，在 Bridge-Group2 接口上静态添加 MAC 地址，并关闭自动 MAC 学习功能。实验二：多模墙一，拓扑各设备描述表一：表二：二，需求1，按照表一初始化多模路由模式的，子墙名分别为 admin 和Vir。其中在 admin 子墙中，所有接口不能出现接口类型（如：E0/0）。2，按照表二初始化路由器和交换机。3，把 HTTP 服务器 admin.dmz 转换到外部 00把net 服务器 Vir.dmz 转换到外部

3、 01在 outside 设备上测试4，在 admin 子墙上把外部设备 outside 进网络 10.1.10/24，转换到外部接口（PAT），并从 inside 设备上试。解法实验题一：*ASA*erface BVI1ip address 00 !erface BVI2ip address 00 !erface GigabitEthernet0nameif B1.Outside bridge-group 1security-level 0!erface GigabitEthernet1nameif B1.Inside bridge-group 1security-level 100!erf

4、ace GigabitEthernet2nameif B2.Outside bridge-group 2security-level 0!erface GigabitEthernet3nameif B2.Inside bridge-group 2security-level 100*B1.Out*hostname B1.Out!erface Loack0ip address 55!erface FastEthernet0/0ip address duplex auto speed auto!ip route 00!line con 0exec-timeout 0 0 logging synch

5、ronous line aux 0line vty 0 4 password cisco login!*B1.In*hostname B1.In!erface Loack0ip address 55!erface FastEthernet0/0ip address duplex auto speed auto!ip route 00!line con 0exec-timeout 0 0 logging synchronous line aux 0line vty 0 4 password cisco login!*B2.Out*hostname B2.Out!erface FastEthern

6、et2/0ip address duplex auto speed auto!ip route 00!line con 0exec-timeout 0 0 logging synchronous line aux 0line vty 0 4 password cisco login*B2.In*hostname B2.In!erface FastEthernet3/0ip address duplex auto speed auto!ip route 00!line con 0exec-timeout 0 0 logging synchronous line aux 0line vty 0 4

7、 password cisco login*需求 3*acac ac acs-list out1 extended permit icmp any anys-list out1 extended permit tcp any any eq s-list out2 extended permit icmp any any s-list out2 extended permit tcp any any eqnetnetacacs-group out1 ins-group out2 inerface B1.Outsideerface B2.Outside测试：Bridge-Group1：Bridge

8、-Group2：*需求 4*ASA 配置：acac acs-list out1 extended permit ospf any anys-list in1 extended permit ospf any any s-list in1 extended permit icmp any anyacs-group in1 inerface B1.InsideB1.Out 配置：router ospf 1log-adjacency-changes network area 0network 55 area 0 B1.In 配置：router ospf 1log-adjacency-changes

9、network area 0network 55 area 0测试：*需求 5*未作配置前测试：acs-list in1 per tcp any any eq 23*需求 6* B2.Outerface FastEthernet2/0mac-address 0001.0001.0001ip address duplex auto speed auto B2.Inerface FastEthernet3/0mac-address 0002.0002.0002ip address duplex auto speed auto ASAarp-inspection B2.Outside enable

10、no-flood arp-inspection B2.Inside enable no-flood arp-inspection B2.Outside enable flood arp-inspection B2.Inside enable flood注意在测试的过程中，要在路由器上清除 ARP 后测试！*需求 7*mac-address-table sic B2.Inside 0002.0002.0002 mac-address-table sic B2.Outside 0001.0001.0001 mac-learn B2.Outside disablemac-learn B2.Insid

11、e disable实验二：*ASA 系统墙*:ASA Ver!9.0(1) hostname ASAenable password 8Ry2YjIyt7RRXU24 encrypted no mac-address auto!erface Ethernet0/0!erface Ethernet0/1!erface Ethernet0/1.3 vlan 3!erface Ethernet0/1.4 vlan 4!erface Ethernet0/2!erface Ethernet0/3 shutdown!erface Management0/0 shutdown!class defaultlim

12、it-resource All 0limit-resource Mac-addresses 65535limit-resource ASDM 5limit-resourSH 5limit-resourcenet 5!ftp mode passivepager lines 24 no failoverno asdm history enable arp timeout 14400no arp permit-nonconnectedconsole timeout 0admin-context admincontext adminallocate-allocate- allocate-erface

13、Ethernet0/0 outsideerface Ethernet0/1.3 DMZ erface Ethernet0/2 insideconfig-url disk0:/admin.cfg!context Virallocate- allocate- allocate-erface Ethernet0/0erface Ethernet0/1.4 erface Ethernet0/2config-url disk0:/Vir.cfg!*admin*!erface outside nameif outside security-level 0ip address 0 !erface DMZ n

14、ameif DMZ security-level 50ip address 0 !erface inside nameif inside security-level 100ip address 0 acacs-list out extended permit icmp any anys-group out inerface outside*Vir*!erface Ethernet0/0 nameif outside security-level 0ip address 0 !erface Ethernet0/1.4 nameif DMZsecurity-level 50ip address

15、0 !erface Ethernet0/2nameif inside security-level 100ip address 0 acacs-list out extended permit icmp any anys-group out inerface outside*SW*路由器的配置就不给出了*需求 3*admin 子墙配置：object network DMZ.Address host object network DMZ.Addressnat (DMZ,outside) sic 00 service tcp www wwwacs-list out extended permit tcp host host eq wwwVir 子墙配置：object network DMZ.Address host object network DMZ.Addressnat (DMZ,outside) sic 01 service tcpnetnetacs-list out