溫馨提示×
您好,登錄后才能下訂單哦!
點擊 登錄注冊 即表示同意《億速云用戶服務條款》
您好,登錄后才能下訂單哦!
一.概述:
QQ群里面有網友討論ASA防火墻的policy-map的global和interface的執行順序,從字面意思可以看出這兩種的應用范圍是不一樣的,一個是全局調用,一個只在接口下調用,因此覺得是詳細的interface被優先調用,為了確認自己的想法,決定搭建環境驗證一下。
二.基本思路:
A.不相沖突的policy-map估計會被全局和接口的service-policy先后調用執行,看不出效果
B.只能用相沖突的policy-map,在全局和接口的service-policy中同時調用,看最終哪個生效
C.全局和接口的policy-map執行范圍是不一樣的,估計接口的policy-map會被優先調用執行,順序可能為:
①.先執行接口的service-policy,并調用對應的policy-map,如果被匹配,則不執行全局的service-policy
②.如果不被接口的policy-map所匹配,則會接著執行全局的service-policy,并調用對應的policy-map
----經過測試,發現跟想象的有點區別:如果被接口policy-map審查通過,是會送到全局policy-map的;除非被接口的class-map的ACL丟棄,或者被審查后丟棄。
三.測試拓撲:
10.1.1.0/24(Inside) 200.100.1.0/24(Outside)
PC1(.8)----------------------(.1)ASA842(.1)----------------------------(.8)PC2
web服務器端口為:2000
四.基本配置:
A.PC1:
IP:10.1.1.8/24 ,GW:10.1.1.1
B.ASA842防火墻:
①接口配置:
interface GigabitEthernet0
nameif Inside
security-level 100
ip address 10.1.1.1 255.255.255.0
no shut
interface GigabitEthernet1
nameif Outside
security-level 0
ip address 202.100.1.1 255.255.255.0
no shut
②動態PAT配置:
object network Inside.net
subnet 10.1.1.0 255.255.255.0
object network Inside.net
nat (Inside,Outside) dynamic interface
③靜態PAT配置:
object network Inside.pc1
host 10.1.1.8
object network Inside.pc1
nat (Inside,Outside) static interface service tcp 2000 2000
④策略設置:
access-list outside extended permit tcp any object Inside.pc1 eq 2000
access-group outside in interface Outside
五.測試步驟:
A.驗證此時外網是否能正常訪問內部web服務器:
----無法訪問,因為默認全局策略開啟了skinny審查
B.配置outside接口的policy-map并調用:
access-list web2000 extended permit tcp any object Inside_pc1 eq 2000
class-map web2000
match access-list web2000
policy-map web2000
class web2000
inspect http
service-policy web2000 interface Outside
C.驗證此時外網是否能正常訪問內部web服務器:
---仍然無法訪問
ciscoasa# show service-policy
Global policy:
Service-policy: global_policy
Class-map: inspection_default
.....省略部分..................
Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0
Inspect: skinny , packet 4, drop 1, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Interface Outside:
Service-policy: web2000
Class-map: web2000
Inspect: http, packet 4, drop 0, reset-drop 0
---可以看到,數據包雖然被接口下class-map審查合格后放行,但是卻被全局下的class-map丟棄。
D.調整outside接口的policy-map并調用:
access-list outside_skinny extended deny tcp any object Inside_pc1 eq 2000
access-list outside_skinny extended permit tcp any any eq 2000
class-map outside_skinny
match access-list outside_skinny
policy-map outside_skinny
class outside_skinny
inspect skinny
no service-policy web2000 interface outside
service-policy outside_skinny interface Outside
E.驗證此時外網是否能正常訪問內部web服務器:
---可以正常訪問
訪問之前,clear service-policy,訪問完成之后再查看:
ciscoasa# show service-policy
Global policy:
Service-policy: global_policy
Class-map: inspection_default
.....省略部分..................
Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0
Inspect: skinny , packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Interface Outside:
Service-policy: outside_skinny
Class-map: outside_skinny
Inspect: skinny , packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
----可以發現訪問前后全局和接口的class-map都沒有被匹配
F.調整全局和接口policy-map:
①接口:
access-list outside_skinny extended permit tcp any any eq 2000
class-map outside_skinny
match access-list outside_skinny
policy-map outside_skinny
class outside_skinny
inspect skinny
service-policy outside_skinny interface Outside
②全局:
access-list global_skinny extended deny tcp any object Inside_pc1 eq 2000
access-list global_skinny extended permit tcp any any eq 2000
class-map global_skinny
match access-list global_skinny
policy-map global_policy
class inspection_default
no inspect skinny
class global_skinny
service-policy global_policy global
③測試:
----無法訪問,被outside接口的policy-map拒絕
ciscoasa# show service-policy
Global policy:
Service-policy: global_policy
Class-map: inspection_default
........省略部分..............
Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0
Class-map: global_skinny
Inspect: skinny , packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Interface Outside:
Service-policy: outside_skinny
Class-map: outside_skinny
Inspect: skinny , packet 4, drop 1, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
----可以看到,因為outside的ACL沒有明確拒絕流量,所以被匹配,并檢測到不是skinny流量而被丟棄
G.再次調整全局和接口的policy-map:
①接口:
access-list outside_skinny extended deny tcp any object Inside_pc1 eq 2000
access-list outside_skinny extended permit tcp any any eq 2000
class-map outside_skinny
match access-list outside_skinny
policy-map outside_skinny
class outside_skinny
inspect skinny
service-policy outside_skinny interface Outside
②全局:
access-list global_skinny extended permit tcp any any eq 2000
class-map global_skinny
match access-list global_skinny
policy-map global_policy
class global_skinny
inspect skinny
service-policy global_policy global
③測試:
----可以正常訪問
ciscoasa# show service-policy
Global policy:
Service-policy: global_policy
Class-map: inspection_default
.......省略部分....................
Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0
Class-map: global_skinny
Inspect: skinny , packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Interface Outside:
Service-policy: outside_skinny
Class-map: outside_skinny
Inspect: skinny , packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
----可以發現outside接口的ACL配置了拒絕后,不會去匹配全局的policy-map。
六.總結:
A.處理順序:先接口再全局
B.是否會送到全局:如果沒有被接口policy-map匹配,或被接口policy-map審查通過,會被送到全局
-----被ACL丟棄,或審查后被丟棄,都不會去匹配全局policy-map
免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。
