ASA 8.4: which policy-map takes precedence, the one applied on an interface or the global one? A lab test:

Published: 2020-06-03 07:05:12  Source: reposted from the web  Views: 1575  Author: 碧云天  Column: Security technology

1. Overview:

   Someone in a QQ group raised the question of the order in which an ASA firewall applies the global and the interface policy-maps. The names alone say that their scopes differ: one is applied globally, the other only on the interface where it is called, so my guess was that the more specific interface policy is consulted first. To confirm this, I built a lab and tested it.

2. Basic approach:

A. Policy-maps that do not conflict are presumably applied one after the other by the global and the interface service-policy, so they would not show any difference.
B. Only conflicting policy-maps, called at the same time from the global and from the interface service-policy, will reveal which one takes effect.
C. The global and the interface policy-maps have different scopes; the interface policy-map is probably evaluated first, in this order:
①. The interface service-policy and its policy-map are evaluated first; if the traffic is matched there, the global service-policy is not evaluated.
②. If the traffic is not matched by the interface policy-map, the global service-policy and its policy-map are evaluated next.
---- Testing showed that this is not quite how it works: traffic that passes inspection in the interface policy-map is still handed to the global policy-map; only traffic that is excluded by a deny entry in the interface class-map's ACL, or that is dropped by the interface inspection, never reaches it.

3. Test topology:
        10.1.1.0/24 (Inside)                 202.100.1.0/24 (Outside)
PC1(.8)----------------------(.1)ASA842(.1)----------------------------(.8)PC2
        web server on PC1 listens on TCP port 2000; reached from Outside via 202.100.1.1:2000 (static PAT)

4. Base configuration:

A. PC1:

IP: 10.1.1.8/24, GW: 10.1.1.1

B. ASA842 firewall:

① Interface configuration:

interface GigabitEthernet0
 nameif Inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 no shut

interface GigabitEthernet1
 nameif Outside
 security-level 0
 ip address 202.100.1.1 255.255.255.0
 no shut

② Dynamic PAT (inside hosts reach the outside through the Outside interface address):

object network Inside.net
 subnet 10.1.1.0 255.255.255.0
object network Inside.net
 nat (Inside,Outside) dynamic interface

③ Static PAT (publishes PC1's TCP port 2000 on the Outside interface address, port 2000):

object network Inside.pc1
 host 10.1.1.8
object network Inside.pc1
 nat (Inside,Outside) static interface service tcp 2000 2000

④ Access policy (allow the published port in on the Outside interface; since 8.3 the ACL references the real, untranslated address, hence the object):

access-list outside extended permit tcp any object Inside.pc1 eq 2000
access-group outside in interface Outside

5. Test steps:

A. Check whether the internal web server can be reached from the outside at this point:

---- It cannot. The default global policy enables skinny (SCCP) inspection, and its default inspection class matches TCP port 2000 for skinny, so the HTTP traffic is handed to the skinny inspector and dropped.

B. Configure a policy-map on the Outside interface and apply it:

access-list web2000 extended permit tcp any object Inside.pc1 eq 2000

class-map web2000
 match access-list web2000

policy-map web2000
 class web2000
  inspect http
service-policy web2000 interface Outside

C. Check again whether the internal web server can be reached from the outside:

--- Still cannot.

ciscoasa# show service-policy
Global policy:
 Service-policy: global_policy
   Class-map: inspection_default
     ..... part omitted .....
     Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0
     Inspect: skinny , packet 4, drop 1, reset-drop 0
              tcp-proxy: bytes in buffer 0, bytes dropped 0
Interface Outside:
 Service-policy: web2000
   Class-map: web2000
     Inspect: http, packet 4, drop 0, reset-drop 0

--- The packets passed HTTP inspection in the interface class-map (4 packets, 0 drops) and were forwarded on, but were then matched by the global inspection_default class, inspected as skinny, and dropped (4 packets, 1 drop).

D. Change the policy-map on the Outside interface and apply it. The deny entry keeps the web traffic out of the skinny class while the permit keeps skinny inspection for all other port-2000 traffic; an interface can carry only one service-policy, so web2000 is removed first:

access-list outside_skinny extended deny tcp any object Inside.pc1 eq 2000
access-list outside_skinny extended permit tcp any any eq 2000

class-map outside_skinny
 match access-list outside_skinny

policy-map outside_skinny
 class outside_skinny
  inspect skinny

no service-policy web2000 interface Outside

service-policy outside_skinny interface Outside

E. Check again whether the internal web server can be reached from the outside:

--- Access works normally.

Run clear service-policy before the access, then look at the counters again after the access completes:

ciscoasa# show service-policy
Global policy:
 Service-policy: global_policy
   Class-map: inspection_default
     ..... part omitted .....

     Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0
     Inspect: skinny , packet 0, drop 0, reset-drop 0
              tcp-proxy: bytes in buffer 0, bytes dropped 0
Interface Outside:
 Service-policy: outside_skinny
   Class-map: outside_skinny
     Inspect: skinny , packet 0, drop 0, reset-drop 0
              tcp-proxy: bytes in buffer 0, bytes dropped 0

---- All counters are still zero after the access: the deny entry keeps the flow out of the interface class-map, and the global class-map, whose default-inspection-traffic match would otherwise catch TCP port 2000 for skinny, did not see it either.
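The counters read in steps C and E are the only evidence of which policy handled a flow, and clearing them with clear service-policy resets every policy on the box. As an added example that is not part of the article, the following Python parses show service-policy output into per-class inspection counters, lists the engines that dropped traffic, and diffs two snapshots so that a test flow can be attributed without clearing counters. The two snapshots are constructed in the format of the article's output: the dns line is an assumed default-inspection entry that the article elides, and the skinny and http counters are those shown in step C.

```python
"""Parse Cisco ASA `show service-policy` output and attribute test traffic to
the class-map and inspection engine that counted or dropped it.
Added example for this article; not the author's or Cisco's code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# "Global policy:" or "Interface <nameif>:"
SCOPE_RE = re.compile(r"^(?:Global policy|Interface (\S+)):\s*$")
POLICY_RE = re.compile(r"^\s*Service-policy:\s*(\S+)")
CLASS_RE = re.compile(r"^\s*Class-map:\s*(\S+)")
# "Inspect: skinny , packet 4, drop 1, reset-drop 0"
# "Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0"
INSPECT_RE = re.compile(
    r"^\s*Inspect:\s*([\w-]+)(?:\s+([\w-]+))?\s*,\s*packet\s+(\d+),"
    r"\s*drop\s+(\d+),\s*reset-drop\s+(\d+)"
)


@dataclass(frozen=True)
class InspectStat:
    scope: str                  # "global" or the interface nameif
    policy: str                 # service-policy name
    class_map: str
    engine: str                 # inspection engine: skinny, http, ip-options ...
    inspect_map: Optional[str]  # inspection policy-map attached to the engine, if any
    packets: int
    drops: int
    reset_drops: int

    @property
    def key(self) -> Tuple[str, str, str, str]:
        return (self.scope, self.policy, self.class_map, self.engine)


def parse_service_policy(text: str) -> List[InspectStat]:
    """Walk the output top-down; scope/policy/class headers set the context
    that the Inspect lines below them belong to."""
    stats: List[InspectStat] = []
    scope: Optional[str] = None
    policy: Optional[str] = None
    class_map: Optional[str] = None
    for line in text.splitlines():
        m = SCOPE_RE.match(line)
        if m:
            scope = m.group(1) or "global"
            policy = class_map = None
            continue
        m = POLICY_RE.match(line)
        if m:
            policy = m.group(1)
            continue
        m = CLASS_RE.match(line)
        if m:
            class_map = m.group(1)
            continue
        m = INSPECT_RE.match(line)
        if m and scope and policy and class_map:
            engine, imap, pkt, drp, rst = m.groups()
            stats.append(InspectStat(scope, policy, class_map, engine, imap,
                                     int(pkt), int(drp), int(rst)))
    return stats


def dropping_classes(stats: List[InspectStat]) -> List[InspectStat]:
    """Counters with drops: the inspection engines that rejected traffic."""
    return [s for s in stats if s.drops or s.reset_drops]


def counters_moved(before: List[InspectStat],
                   after: List[InspectStat]) -> List[Tuple[InspectStat, int, int]]:
    """(stat, packet delta, drop delta) for every counter that changed between
    two snapshots; diffing avoids `clear service-policy`."""
    prev: Dict[Tuple[str, str, str, str], InspectStat] = {s.key: s for s in before}
    moved = []
    for s in after:
        p = prev.get(s.key)
        d_pkt = s.packets - (p.packets if p else 0)
        d_drop = s.drops - (p.drops if p else 0)
        if d_pkt or d_drop:
            moved.append((s, d_pkt, d_drop))
    return moved


# Constructed snapshots in the article's output format (dns line assumed).
SNAPSHOT_BEFORE = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
      Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0
      Inspect: skinny , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
Interface Outside:
  Service-policy: web2000
    Class-map: web2000
      Inspect: http, packet 0, drop 0, reset-drop 0
"""
# Same box after one HTTP request from PC2 to the port-2000 server (step C).
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace(
    "skinny , packet 0, drop 0", "skinny , packet 4, drop 1"
).replace("http, packet 0", "http, packet 4")


def explain(before: str, after: str) -> List[str]:
    """Attribute one test flow, in the order `show service-policy` lists
    the policies (global first, which is not the evaluation order)."""
    lines = []
    for s, d_pkt, d_drop in counters_moved(parse_service_policy(before),
                                           parse_service_policy(after)):
        where = "global policy" if s.scope == "global" else f"interface {s.scope}"
        lines.append(f"{where} / {s.policy} / class {s.class_map}: "
                     f"inspect {s.engine} saw {d_pkt} packets, dropped {d_drop}")
    return lines


if __name__ == "__main__":
    for line in explain(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(line)
```

Capture show service-policy before and after the test request and feed both texts to explain(); the output names the class that counted the packets and the class that dropped them, which is exactly the reading made by hand in steps C and E.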

F. Change both the global and the interface policy-map:

① Interface (the deny entry from step D is removed, so the web traffic now falls into the interface skinny class):

no access-list outside_skinny extended deny tcp any object Inside.pc1 eq 2000
access-list outside_skinny extended permit tcp any any eq 2000

class-map outside_skinny
 match access-list outside_skinny

policy-map outside_skinny
 class outside_skinny
  inspect skinny
service-policy outside_skinny interface Outside

② Global (skinny inspection is taken out of the default class and put into a class whose ACL explicitly denies the web traffic):

access-list global_skinny extended deny tcp any object Inside.pc1 eq 2000
access-list global_skinny extended permit tcp any any eq 2000
class-map global_skinny
 match access-list global_skinny
policy-map global_policy
 class inspection_default
  no inspect skinny
 class global_skinny
  inspect skinny
service-policy global_policy global

③ Test:

---- Cannot access; dropped by the policy-map on the Outside interface.

ciscoasa# show service-policy
Global policy:
 Service-policy: global_policy
   Class-map: inspection_default
     ..... part omitted .....
     Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0
   Class-map: global_skinny
     Inspect: skinny , packet 0, drop 0, reset-drop 0
              tcp-proxy: bytes in buffer 0, bytes dropped 0
Interface Outside:
 Service-policy: outside_skinny
   Class-map: outside_skinny
     Inspect: skinny , packet 4, drop 1, reset-drop 0
              tcp-proxy: bytes in buffer 0, bytes dropped 0

---- Because the Outside ACL does not explicitly deny this traffic, the flow falls into the interface class, is inspected as skinny, found not to be skinny, and dropped (4 packets, 1 drop). The global_skinny class never saw it: nothing the interface policy drops is handed to the global policy-map.

G. Change the global and the interface policy-map once more:

① Interface (the deny must precede the permit entry left from step F, so it is inserted at line 1):

access-list outside_skinny line 1 extended deny tcp any object Inside.pc1 eq 2000
access-list outside_skinny extended permit tcp any any eq 2000
class-map outside_skinny
 match access-list outside_skinny
policy-map outside_skinny
 class outside_skinny
  inspect skinny
service-policy outside_skinny interface Outside

② Global (the deny entry from step F is removed, so the global class now matches the web traffic as well):

no access-list global_skinny extended deny tcp any object Inside.pc1 eq 2000
access-list global_skinny extended permit tcp any any eq 2000

class-map global_skinny
 match access-list global_skinny

policy-map global_policy
 class global_skinny
  inspect skinny
service-policy global_policy global

③ Test:

---- Access works normally.

ciscoasa# show service-policy

Global policy:
 Service-policy: global_policy
   Class-map: inspection_default
     ..... part omitted .....
     Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0
   Class-map: global_skinny
     Inspect: skinny , packet 0, drop 0, reset-drop 0
              tcp-proxy: bytes in buffer 0, bytes dropped 0
Interface Outside:
 Service-policy: outside_skinny
   Class-map: outside_skinny
     Inspect: skinny , packet 0, drop 0, reset-drop 0
              tcp-proxy: bytes in buffer 0, bytes dropped 0

---- Once the interface ACL explicitly denies the traffic, the global policy-map is not consulted for it, even though global_skinny's ACL now permits it and would inspect it as skinny (and drop it, as in step F) if it were.

6. Summary:

A. Processing order: the interface service-policy first, then the global one.

B. Whether traffic is handed to the global policy: traffic that the interface policy-map inspects and passes is still handed to the global policy-map (step C), as is traffic on an interface that has no service-policy at all (step A).

----- Traffic that is excluded by an explicit deny in the interface class-map ACL, or that is dropped by the interface inspection, never reaches the global policy-map (steps E, F and G). Note that the deny entry drops nothing by itself: in steps E and G the web traffic is forwarded, uninspected.

This matches Cisco's documented rule that, for a given feature, an interface service policy takes precedence over the global service policy, while features configured only in the global policy still apply on that interface. The tests above pair the same inspection engine (skinny) in both policies and always use an explicit deny; whether a flow that matches no entry of the interface class ACL at all is still handed to the same engine in the global policy was not exercised, so check that case with show service-policy counters before relying on it.
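To make the rules above concrete, here is a small model of the evaluation order, added for this page and taken neither from Cisco nor from the article. It assumes that a flow carries its real application protocol, that an inspection engine drops a flow whose payload is not that protocol, and that an engine configured in the interface policy shadows the same engine in the global policy on that interface, which is Cisco's documented precedence rule for a feature and reproduces steps E and G; engines present only in the global policy still run, as in step C. Beyond what the article tested, the model treats a flow that matches no entry of the interface class ACL the same as one that is explicitly denied; verify that case on a real box before relying on it. The class names, ACL entries and step letters are the article's.

```python
"""Model of the service-policy evaluation order exposed by the article's tests.
Added example for this page; not Cisco's code and not the author's."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    dst: str    # inside host, i.e. the address after the static PAT is undone
    dport: int
    app: str    # what the payload really is: "http", "skinny", ...


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    dst: Optional[str] = None    # None means "any"
    dport: Optional[int] = None  # None means "any"

    def matches(self, f: Flow) -> bool:
        return self.dst in (None, f.dst) and self.dport in (None, f.dport)


@dataclass(frozen=True)
class ClassMap:
    name: str
    acl: Tuple[Ace, ...]
    inspect: str                 # inspection engine configured under this class

    def classify(self, f: Flow) -> Optional[str]:
        """First-match ACL: "permit" puts the flow in the class; "deny", or no
        matching entry (None), keeps it out."""
        for ace in self.acl:
            if ace.matches(f):
                return ace.action
        return None


def evaluate(flow: Flow, interface_classes: List[ClassMap],
             global_classes: List[ClassMap]) -> Tuple[str, List[str]]:
    """Return ("forward" | "drop", trace): interface policy first, then global.
    An engine present in the interface policy shadows the same engine in the
    global policy (assumed precedence rule, see lead-in); an engine that
    rejects the payload drops the flow and ends evaluation."""
    trace: List[str] = []
    shadowed = {c.inspect for c in interface_classes}
    for scope, classes in (("interface", interface_classes), ("global", global_classes)):
        for c in classes:
            if scope == "global" and c.inspect in shadowed:
                trace.append(f"global:{c.name}: skipped, {c.inspect} owned by interface policy")
                continue
            if c.classify(flow) != "permit":
                trace.append(f"{scope}:{c.name}: not in class")
                continue
            if flow.app != c.inspect:
                trace.append(f"{scope}:{c.name}: inspect {c.inspect} drops {flow.app} payload")
                return "drop", trace
            trace.append(f"{scope}:{c.name}: inspect {c.inspect} passes")
    return "forward", trace


PC1 = "10.1.1.8"
WEB = Flow(dst=PC1, dport=2000, app="http")   # PC2 fetching the page on the port-2000 server
ANY_2000 = Ace("permit", dport=2000)
DENY_PC1_2000 = Ace("deny", PC1, 2000)
# inspection_default matches default-inspection-traffic, which includes tcp/2000 for skinny
DEFAULT_GLOBAL = [ClassMap("inspection_default", (ANY_2000,), "skinny")]


def article_scenarios() -> dict:
    """Verdicts for the article's test steps, keyed by the step in which the
    access was tried."""
    return {
        "A": evaluate(WEB, [], DEFAULT_GLOBAL)[0],
        "C": evaluate(WEB, [ClassMap("web2000", (Ace("permit", PC1, 2000),), "http")],
                      DEFAULT_GLOBAL)[0],
        "E": evaluate(WEB, [ClassMap("outside_skinny", (DENY_PC1_2000, ANY_2000), "skinny")],
                      DEFAULT_GLOBAL)[0],
        "F": evaluate(WEB, [ClassMap("outside_skinny", (ANY_2000,), "skinny")],
                      [ClassMap("global_skinny", (DENY_PC1_2000, ANY_2000), "skinny")])[0],
        "G": evaluate(WEB, [ClassMap("outside_skinny", (DENY_PC1_2000, ANY_2000), "skinny")],
                      [ClassMap("global_skinny", (ANY_2000,), "skinny")])[0],
    }


if __name__ == "__main__":
    for step, verdict in article_scenarios().items():
        print(step, verdict)
```

Swap in your own class-maps and flows to predict what a proposed interface policy will do to traffic the global policy already inspects; the trace returned by evaluate() lists, in evaluation order, which class each policy matched and where the drop occurred.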
