1. Topology diagram
For audit purposes the syslog source address must be the device's real address, but for other reasons the syslog server cannot be placed on the inside network.

2. Interface configuration:
R1:
  R1(config)#int f0/0
  R1(config-if)#ip add 10.1.1.18 255.255.255.0
  R1(config-if)#no sh
R2:
  R2(config)#int f0/0
  R2(config-if)#ip add 10.1.1.28 255.255.255.0
  R2(config-if)#no sh
R3:
  R3(config)#int f0/0
  R3(config-if)#ip add 20.1.1.38 255.255.255.0
  R3(config-if)#no sh
ASA:
  interface Ethernet0/0
   nameif inside
   security-level 100
   ip address 10.1.1.1 255.255.255.0
  interface Ethernet0/1
   nameif outside
   security-level 0
   ip address 20.1.1.1 255.255.255.0

3. Route configuration:
  R1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.1
  R2(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.1

4. Syslog configuration:
A. Configure the syslog receiving server
  R1(config)#logging 20.1.1.18
  R2(config)#logging 20.1.1.18
B. Specify the syslog source address
  R1(config)#logging source-interface FastEthernet0/0
  R2(config)#logging source-interface f0/0
C. Set the logging level
  R1(config)#logging trap debugging
  R2(config)#logging trap debugging
D. Enable syslog
  R1(config)#logging on
  R2(config)#logging on

5. NAT configuration:
Approach 1: use NAT 0 (failed)
  ciscoasa(config)# access-list syslog permit udp any any eq syslog
  ciscoasa(config)# nat (inside) 0 access-list syslog
  ERROR: access-list has protocol or port
Note: this shows that the access-list used by nat 0 cannot contain a protocol or port.

Approach 2: configure policy NAT and keep the syslog flow out of the translation
  ciscoasa(config)# access-list nat extended deny udp any any eq syslog
  ciscoasa(config)# access-list nat extended permit ip any any
  ciscoasa(config)# nat (inside) 1 access-list nat
  ERROR: Deny rules not supported in Policy Nat
Note: policy NAT does not support deny rules.
Since deny is not supported, the access-list is rewritten as follows:
  ciscoasa(config)# access-list nat permit udp 10.1.1.0 255.255.255.0 any neq 514
  ciscoasa(config)# access-list nat permit tcp 10.1.1.0 255.255.255.0 any

Tests:
1). The syslog traffic is not NAT-translated.
2). TCP connections are translated
  R1#telnet 20.1.1.38
  Trying 20.1.1.38 ... Open
  User Access Verification
  Password:
  R3>show users
      Line       User       Host(s)              Idle       Location
     0 con 0                idle                 00:02:43
  *  66 vty 0                idle                 00:00:00 20.1.1.1
    Interface    User               Mode         Idle     Peer Address
  R3>

  R2#telnet 20.1.1.38
  Trying 20.1.1.38 ... Open
  User Access Verification
  Password:
  R3>show users
      Line       User       Host(s)              Idle       Location
     0 con 0                idle                 00:03:46
    66 vty 0                idle                 00:01:02 20.1.1.1
  *  67 vty 1                idle                 00:00:00 20.1.1.1
    Interface    User               Mode         Idle     Peer Address
  R3>

3). UDP on ports other than 514 is also translated (tested with DNS)
Configure R3 as a DNS server:
  R3(config)#ip dns server
  R3(config)#ip host www.yuntian.com 20.1.1.38
Configure R1 as a DNS client of R3:
  R1(config)#ip domain lookup
  R1(config)#ip name-server 20.1.1.38
  R1(config)#end
  R1#
  *Mar 1 02:15:16.139: %SYS-5-CONFIG_I: Configured from console by console
Ping the host name from R1:
  R1#ping www.yuntian.com
  Translating "www.yuntian.com"...domain server (20.1.1.38) [OK]
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 20.1.1.38, timeout is 2 seconds:
  !!!!!
  Success rate is 100 percent (5/5), round-trip min/avg/max = 16/44/104 ms
Capturing on R3 confirms that the address was translated:
  R3#debug ip udp
  UDP packet debugging is on
  R3#
  *Mar 1 00:45:40.487: UDP: rcvd src=20.1.1.1(1026), dst=20.1.1.38(53), length=41
  *Mar 1 00:45:40.491: UDP: Random local port generated 54505, network 1
  *Mar 1 00:45:40.491: Reserved port 54505 in Transport Port Agent for UDP IP type 1
  *Mar 1 00:45:40.499: UDP: sent src=20.1.1.38(53), dst=20.1.1.1(1026), length=57
  *Mar 1 00:45:40.603: ICMP: echo reply sent, src 20.1.1.38, dst 20.1.1.1
  *Mar 1 00:45:40.703: ICMP: echo reply sent, src 20.1.1.38, dst 20.1.1.1
  *Mar 1 00:45:40.727: ICMP: echo reply sent, src 20.1.1.38, dst 20.1.1.1
  *Mar 1 00:45:40.759: ICMP: echo reply sent, src 20.1.1.38, dst 20.1.1.1
  *Mar 1 00:45:40.779: ICMP: echo reply sent, src 20.1.1.38, dst 20.1.1.1
4). ICMP is not translated either, because no policy NAT entry covers it, so the ping fails (no route back)
  R1#ping 20.1.1.38
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 20.1.1.38, timeout is 2 seconds:
  .....
  Success rate is 0 percent (0/5)
  R1#
  R3#debug ip icmp
  *Mar 1 00:37:36.167: ICMP: echo reply sent, src 20.1.1.38, dst 10.1.1.18
  R3#
  *Mar 1 00:37:38.167: ICMP: echo reply sent, src 20.1.1.38, dst 10.1.1.18
  R3#
  *Mar 1 00:37:40.191: ICMP: echo reply sent, src 20.1.1.38, dst 10.1.1.18
  R3#
  *Mar 1 00:37:42.143: ICMP: echo reply sent, src 20.1.1.38, dst 10.1.1.18
  R3#
  *Mar 1 00:37:44.183: ICMP: echo reply sent, src 20.1.1.38, dst 10.1.1.18

5). After adding ICMP to the policy NAT as well, the ping succeeds and is translated
  ciscoasa(config)# access-list nat permit icmp 10.1.1.0 255.255.255.0 any
  R1#ping 20.1.1.38
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 20.1.1.38, timeout is 2 seconds:
  !!!!!
  Success rate is 100 percent (5/5), round-trip min/avg/max = 20/64/132 ms
  R1#
  R3#
  *Mar 1 00:39:26.279: ICMP: echo reply sent, src 20.1.1.38, dst 20.1.1.1
  *Mar 1 00:39:26.403: ICMP: echo reply sent, src 20.1.1.38, dst 20.1.1.1
  *Mar 1 00:39:26.467: ICMP: echo reply sent, src 20.1.1.38, dst 20.1.1.1
  *Mar 1 00:39:26.503: ICMP: echo reply sent, src 20.1.1.38, dst 20.1.1.1
  *Mar 1 00:39:26.519: ICMP: echo reply sent, src 20.1.1.38, dst 20.1.1.1

6). Drawback: every protocol to be translated from inside to outside must be listed explicitly; anything not listed may become unreachable, since there are protocols other than TCP, UDP and ICMP.

6. Summary:
A. The access-list used by nat 0 cannot contain a protocol or port.
B. Policy NAT does not support deny rules.
C. In a real project the inside network probably does not otherwise need to access the outside syslog server, so the nat 0 method can be used to exempt the traffic from the inside network to the syslog server from translation.
---- syslog is one of the few one-way UDP flows seen in practice: the syslog client only sends and the syslog server only receives, never replying to the client with anything.
  ciscoasa(config)# access-list nonat permit ip 10.1.1.0 255.255.255.0 host 20.1.1.18
  ciscoasa(config)# nat (inside) 0 access-list nonat
  ciscoasa(config)# nat (inside) 1 0 0
  ciscoasa(config)# global (outside) 1 interface
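As an added illustration (not part of the original post and not ASA code), the following Python models the ASA 8.2 translation order used in this lab, NAT exemption first, then policy NAT, then the catch-all dynamic NAT, and runs packets mirroring the post's tests through both approach 2 and the summary's nat 0 configuration, showing why syslog keeps its real source address under both while ICMP and unlisted protocols break under approach 2. The packet set, the treatment of unmatched traffic as untranslated (nat-control off) and R3 having no route to 10.1.1.0/24 are assumptions taken from the lab results.

```python
from ipaddress import ip_address, ip_network

INSIDE_NET, OUTSIDE_NET = ip_network("10.1.1.0/24"), ip_network("20.1.1.0/24")
ASA_OUTSIDE = "20.1.1.1"    # PAT address from "global (outside) 1 interface"
SYSLOG_SERVER = "20.1.1.18"

def ace(proto, dst="any", dport=None, neq=False):
    """One permit entry; source is always 10.1.1.0/24, as in the post's final ACLs."""
    return {"proto": proto, "dst": dst, "dport": dport, "neq": neq}

def matches(e, pkt):
    if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
        return False
    if e["dst"] != "any" and e["dst"] != pkt["dst"]:
        return False
    if e["dport"] is not None:  # "neq" inverts the port test, as in "any neq 514"
        return (pkt.get("dport") == e["dport"]) != e["neq"]
    return True

def source_on_outside(pkt, nonat_acl=(), policy_acl=(), catch_all=False):
    """Source address after the ASA, checked in 8.2 order: nat 0 exemption,
    policy NAT, then the catch-all nat (inside) 1 0 0.  With nat-control off
    (the default) an unmatched packet leaves untranslated (assumption)."""
    assert ip_address(pkt["src"]) in INSIDE_NET
    if any(matches(e, pkt) for e in nonat_acl):
        return pkt["src"]
    if catch_all or any(matches(e, pkt) for e in policy_acl):
        return ASA_OUTSIDE
    return pkt["src"]

def reply_routable(src_seen):
    """R3 only knows 20.1.1.0/24, so replies to a real 10.1.1.x source are lost (test 4)."""
    return ip_address(src_seen) in OUTSIDE_NET
# Approach 2 as finally entered (no deny, before icmp was added), and summary item C.
POLICY = [ace("udp", dport=514, neq=True), ace("tcp")]
NONAT = [ace("ip", dst=SYSLOG_SERVER)]

PKTS = {  # constructed packets mirroring the post's tests; "gre" stands for drawback 6
    "syslog": {"proto": "udp", "src": "10.1.1.18", "dst": SYSLOG_SERVER, "dport": 514},
    "telnet": {"proto": "tcp", "src": "10.1.1.18", "dst": "20.1.1.38", "dport": 23},
    "dns": {"proto": "udp", "src": "10.1.1.18", "dst": "20.1.1.38", "dport": 53},
    "ping": {"proto": "icmp", "src": "10.1.1.18", "dst": "20.1.1.38"},
    "gre": {"proto": "gre", "src": "10.1.1.18", "dst": "20.1.1.38"},
}

def compare():
    """name -> (source seen with policy NAT only, source seen with nat 0 + catch-all)."""
    return {n: (source_on_outside(p, policy_acl=POLICY),
                source_on_outside(p, nonat_acl=NONAT, catch_all=True)) for n, p in PKTS.items()}
```

Feeding `compare()` through `reply_routable` reproduces the post's results: syslog keeps 10.1.1.18 in both designs (acceptable because the flow is one-way), while ping and gre only get a routable source under the nat 0 plus catch-all design.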
Reposted from: http://yxmbo.baihongyu.com/