вторник, 4 сентября 2012 г.

Увидеть ASA через tracert

По началу не мог понять, куда же АСА прячется из трассы. Вот оно как.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#asatrace


Make the Firewall Show Up in a Traceroute in ASA/PIX

ciscoasa(config)#class-map class-default
ciscoasa(config)#match any


!--- This class-map exists by default.


ciscoasa(config)#policy-map global_policy


!--- This Policy-map exists by default.


ciscoasa(config-pmap)#class class-default


!--- Add another class-map to this policy.


ciscoasa(config-pmap-c)#set connection decrement-ttl


!--- Decrement the IP TTL field for packets traversing the firewall.
!--- By default, the TTL is not decrement hiding (somewhat) the firewall.


ciscoasa(config-pmap-c)#exit
ciscoasa(config-pmap)#exit
ciscoasa(config)#service-policy global_policy global


!--- This service-policy exists by default.

WARNING: Policy map global_policy is already configured as a service policy

ciscoasa(config)#icmp unreachable rate-limit 10 burst-size 5


!--- Adjust ICMP unreachable replies:
!--- The default is rate-limit 1 burst-size 1.
!--- The default will result in timeouts for the ASA hop:


ciscoasa(config)#access-list outside-in-acl remark Allow ICMP Type 11 for Windows tracert
ciscoasa(config)#access-list outside-in-acl extended permit icmp any any time-exceeded


!--- The access-list is for the far end of the ICMP traffic (in this case
!---the outside interface) needs to be modified in order to allow ICMP type 11 replies
!--- time-exceeded):

ciscoasa(config)#access-group outside-in-acl in interface outside


!--- Apply access-list to the outside interface.

ciscoasa(config)#

Example

Topology

31b.gif
Note: The IP address schemes used in this configuration are not legally routable on the Internet. They are RFC 1918 addresses which were used in a lab environment.
Before you apply the policy change:
C:\>tracert -d www.yahoo.com.

Tracing route to www.yahoo-ht3.akadns.net [192.168.93.52]
over a maximum of 30 hops:

  1     1 ms    <1 172.16.2.1="172.16.2.1" i="i" ms="ms">
!--- First shown hop is Router 1
2 6 ms 6 ms 5 ms 192.168.100.101 (etc...)
After you apply the policy change:
C:\>tracert -d www.yahoo.com.

Tracing route to www.yahoo-ht3.akadns.net [192.168.93.52]
over a maximum of 30 hops:

  1    <1 172.16.2.254="172.16.2.254" i="i" ms="ms">
!--- First shown hop is ASA
2 <1 172.16.2.1="172.16.2.1" i="i" ms="ms"> !--- Router 1 is now second hop 3 6 ms 6 ms 6 ms 192.168.100.101 (etc...)

Комментариев нет:

Отправить комментарий