听了yeslab的秦珂老师的ASA的课程,讲到ASA对TCP的随机初始化序列号扰乱功能,于是搭建环境进行测试,发现其实不仅对TCP初始化的序列号进行扰乱,对后续的TCP包序列号也会进行扰乱。
二.基本思路和结论:
A.搭建环境在ASA两侧进行抓包测试
B.抓包软件显示的相对随机号,实际数据才是真正的序列号
C.ASA不仅仅对TCP初始化包进行序列号扰乱,对其他的包也进行序列号扰乱
D.通过policy-map可以禁止让ASA对序列号进行扰乱
三.测试拓扑:
四.基本配置:
A.Outside路由器:
interface Ethernet0/0
ip address 202.100.1.1 255.255.255.0
no shut
ip address 202.100.1.1 255.255.255.0
no shut
line vty 0 4
password cisco
login
password cisco
login
ip route 0.0.0.0 0.0.0.0 202.100.1.10
B.ASA842防火墙:
interface GigabitEthernet0
nameif Outside
security-level 0
ip address 202.100.1.10 255.255.255.0
interface GigabitEthernet1
nameif DMZ
security-level 50
ip address 192.168.1.10 255.255.255.0
interface GigabitEthernet2
nameif Inside
security-level 100
ip address 10.1.1.10 255.255.255.0
nameif Outside
security-level 0
ip address 202.100.1.10 255.255.255.0
interface GigabitEthernet1
nameif DMZ
security-level 50
ip address 192.168.1.10 255.255.255.0
interface GigabitEthernet2
nameif Inside
security-level 100
ip address 10.1.1.10 255.255.255.0
C.Inside路由器:
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
ip address 10.1.1.1 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.10
五.TCP序列号扰乱测试:
A.没有NAT情况下,Inside路由器Telnet Outside路由器:
----从抓包的注释relative sequence number可以看到seq 0其实是相对值,真正的值为
---从两个图对比很容易看出,两边的syn包的序列号是不相同的,虽然相对值都是0
Inside路由器TCP第四个包:
outside路由器TCP第四个包:
A.配置policy-map并应用:
access-list telnet extended permit tcp any any eq telnet
class-map noseqrandom
match access-list telnet
policy-map noseqrandomclass noseq
set connection random-sequence-numberdisable
service-policy noseqrandom interface Inside
B.Inside路由器telnet Outside路由器并在两边抓包测试:
----抓包可以发现两边的序列号保持一致(截图略)
