当前位置：首页 > news >正文

ASA842配置内网DNS欺骗测试

news 来源：原创 2024/5/18 12:39:48

1.测试拓扑：

源需求贴：http://bbs.51cto.com/thread-939762-1.html
2.基本配置：
R1：
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.10
R2:
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.10
ASA842:
interface G0
nameif inside
security-level 100
ip address 10.1.1.10 255.255.255.0
no shut
interface G1
nameif outside
security-level 0
ip address 202.100.1.10 255.255.255.0
no shut
route outside 0 0 202.100.1.3
policy-map global_policy
class inspection_default
inspect icmp
3.R2路由器DNS服务器配置：
①配置成DNS服务器：
ip dns server
②配置解析条目：
ip host www.google.com 10.1.1.1
③测试：
R2(config)#ip domain lookup
R2(config)#exit
R2#ping www.google.com

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/37/76 ms
R2#

4.ASA842的NAT配置：
①运行内网动态NAT出公网：
object network insidenet
subnet 10.1.1.0 255.255.255.0
nat (inside,outside) dynamic interface
②配置去公网的任意dns查询都去内网10.1.1.2：
object network inside-dns
host 10.1.1.2
object network outside-dns
subnet 0.0.0.0 0.0.0.0
object service dns
service udp destination eq domain
nat (inside,inside) source static insidenet insidenet destination static outside-dns inside-dns service dns dns
③开启防火墙相同接口不同主机允许通讯：
same-security-traffic permit intra-interface
5.效果测试：
①内网主机可以去公网：
R1#ping 202.100.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/46/88 ms
R1#
②内网主机设置任意的公网DNS服务器，都会去内网10.1.1.2上去查询：
R1(config)#ip domain lookup
R1(config)#ip name-server 8.8.8.8
R1(config)#do ping www.google.com

Translating "www.google.com"...domain server (8.8.8.8) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R1(config)#