At first I could not understand where the ASA hides from the trace. So that is how it is.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#asatrace
Make the Firewall Show Up in a Traceroute in ASA/PIX

ciscoasa(config)#class-map class-default
ciscoasa(config-cmap)#match any
!--- This class-map exists by default.
ciscoasa(config)#policy-map global_policy
!--- This policy-map exists by default.
ciscoasa(config-pmap)#class class-default
!--- Add another class-map to this policy.
ciscoasa(config-pmap-c)#set connection decrement-ttl
!--- Decrement the IP TTL field for packets traversing the firewall.
!--- By default, the TTL is not decremented, which (somewhat) hides the firewall.
ciscoasa(config-pmap-c)#exit
ciscoasa(config-pmap)#exit
ciscoasa(config)#service-policy global_policy global
!--- This service-policy exists by default.
WARNING: Policy map global_policy is already configured as a service policy
ciscoasa(config)#icmp unreachable rate-limit 10 burst-size 5
!--- Adjust ICMP unreachable replies:
!--- The default is rate-limit 1 burst-size 1.
!--- The default results in timeouts for the ASA hop.
ciscoasa(config)#access-list outside-in-acl remark Allow ICMP Type 11 for Windows tracert
ciscoasa(config)#access-list outside-in-acl extended permit icmp any any time-exceeded
!--- The access-list on the far end of the ICMP traffic (in this case
!--- the outside interface) needs to be modified to allow ICMP type 11
!--- (time-exceeded) replies.
ciscoasa(config)#access-group outside-in-acl in interface outside
!--- Apply the access-list to the outside interface.
ciscoasa(config)#

Example
Topology
Note: The IP address schemes used in this configuration are not legally routable on the Internet. They are RFC 1918 addresses which were used in a lab environment.
Before you apply the policy change:
C:\>tracert -d www.yahoo.com.
Tracing route to www.yahoo-ht3.akadns.net [192.168.93.52]
over a maximum of 30 hops:
1 1 ms <1 ms <1 ms 172.16.2.1
!--- First shown hop is Router 1
2 6 ms 6 ms 5 ms 192.168.100.101
(etc...)
After you apply the policy change:
C:\>tracert -d www.yahoo.com.
Tracing route to www.yahoo-ht3.akadns.net [192.168.93.52]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 172.16.2.254
!--- First shown hop is ASA
2 <1 ms <1 ms <1 ms 172.16.2.1
!--- Router 1 is now second hop
3 6 ms 6 ms 6 ms 192.168.100.101
(etc...)
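An added illustration, not from the Cisco note or this blog: a small Python model of the tracert probes that shows why a firewall which forwards without decrementing TTL never answers, and what each of the three changes above (decrement-ttl, the unreachable burst size, the type 11 ACL) does to the output. The addresses follow the lab topology on the page; the Hop fields and function names are my own.

```python
from dataclasses import dataclass

PROBES_PER_HOP = 3  # Windows tracert sends three probes per TTL value

@dataclass
class Hop:
    addr: str
    firewall: bool = False             # this hop is the ASA
    decrement_ttl: bool = False        # 'set connection decrement-ttl' applied
    permit_time_exceeded: bool = True  # outside ACL permits ICMP type 11 replies
    unreachable_burst: int = 1         # 'icmp unreachable ... burst-size' (default 1)

def send_probe(path, ttl, probe_no):
    """Address that answers one probe with this TTL, or None for a timeout ('*')."""
    crossed = []  # firewalls the probe crossed; the reply must cross them back
    for hop in path:
        if hop.firewall and not hop.decrement_ttl:
            crossed.append(hop)  # TTL untouched: the ASA can never expire it
            continue
        ttl -= 1
        if ttl > 0:
            if hop.firewall:
                crossed.append(hop)
            continue
        # TTL reached zero here, so this hop answers with ICMP time-exceeded.
        if hop.firewall and probe_no >= hop.unreachable_burst:
            return None  # ASA rate-limits its own unreachables: timeouts on its hop
        if any(not fw.permit_time_exceeded for fw in crossed):
            return None  # reply from beyond the ASA dropped by the outside ACL
        return hop.addr
    return None

def tracert(path):
    """One row of answers per hop, like tracert output; stops when the last hop answers."""
    rows = []
    for ttl in range(1, len(path) + 2):
        rows.append([send_probe(path, ttl, n) for n in range(PROBES_PER_HOP)])
        if path[-1].addr in rows[-1]:
            break
    return rows

def scenario(**asa_settings):
    """Constructed lab path from the page: ASA, then Router 1, then the next router."""
    asa = Hop("172.16.2.254", firewall=True, **asa_settings)
    return tracert([asa, Hop("172.16.2.1"), Hop("192.168.100.101")])

if __name__ == "__main__":
    print(scenario())                                         # ASA absent
    print(scenario(decrement_ttl=True, unreachable_burst=5))  # ASA is hop 1
```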