01 May, 2015

ASA Initialization & Routed Firewall

! ASA Initialization & Routed Firewall
R1(config)#in fas 0/0
R1(config-if)#ip address 10.0.0.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 10.0.0.254
R1(config)#line vty 0 4
R1(config-line)#no login

R2(config)#in fas 0/0
R2(config-if)#ip address 20.0.0.2 255.255.255.0
R2(config-if)#no shut
R2(config-if)#exit
R2(config)#ip route 0.0.0.0 0.0.0.0 20.0.0.254
R2(config)#line vty 0 4
R2(config-line)#no login

ASA(config)# interface Gi1
ASA(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA(config-if)# ip address 10.0.0.254 255.255.255.0
ASA(config-if)# no shut

ASA(config-if)# interface Gi2
ASA(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA(config-if)# ip address 20.0.0.254 255.255.255.0
ASA(config-if)# no shut

ASA# show ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet1         inside                 10.0.0.254      255.255.255.0   manual
GigabitEthernet2         outside                20.0.0.254      255.255.255.0   manual

ASA# show nameif
Interface                Name                     Security
GigabitEthernet1         inside                   100
GigabitEthernet2         outside                    0

! Permit Same Security level Traffic
ASA(config)# same-security-traffic permit ?
  inter-interface  Permit communication between different interfaces with the same security level
  intra-interface  Permit communication between peers connected to the same interface
ASA(config)# same-security-traffic permit intra-interface

! Default traffic allowed: from security level 100 (inside) to 0 (outside) !
R1#telnet 20.0.0.2
Trying 20.0.0.2 ... Open
R2>

%ASA-6-302013: Built outbound TCP connection 2988 for outside:20.0.0.2/23 (20.0.0.2/23) to inside:10.0.0.1/44936 (10.0.0.1/44936)
%ASA-6-302016: Teardown UDP connection 2970 for outside:20.0.0.2/33435 to inside:10.0.0.1/49177 duration 0:02:01 bytes 0
%ASA-6-302016: Teardown UDP connection 2971 for outside:20.0.0.2/33436 to inside:10.0.0.1/49178 duration 0:02:01 bytes 0

R2#telnet 10.0.0.1
Trying 10.0.0.1 ...
% Connection timed out; remote host not responding

ASA(config)# show local-host all
Interface outside: 1 active, 1 maximum active, 0 denied
local host: <20.0.0.2>,
    TCP flow count/limit = 1/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 0/unlimited
  Conn:
    TCP outside 20.0.0.2:23 inside 10.0.0.1:52274, idle 0:00:04, bytes 110, flags UIO
Interface inside: 1 active, 1 maximum active, 0 denied
local host: <10.0.0.1>,
    TCP flow count/limit = 1/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 0/unlimited
  Conn:
    TCP outside 20.0.0.2:23 inside 10.0.0.1:52274, idle 0:00:04, bytes 110, flags UIO
Interface management: 0 active, 0 maximum active, 0 denied
Interface NP Identity Ifc: 0 active, 2 maximum active, 0 denied

! Enable/disable ICMP access to the ASA's own interfaces
R1#ping 10.0.0.254
!!!!!

ASA(config)# icmp deny any inside
ASA(config)# icmp deny any outside

ASA(config)# show run icmp
icmp unreachable rate-limit 1 burst-size 1
icmp deny any inside
icmp deny any outside

R1#ping 10.0.0.254
.....

ASA(config)# clear configure icmp
ASA(config)# show run icmp
icmp unreachable rate-limit 1 burst-size 1

R1#ping 10.0.0.254
!!!!!

! ICMP through ASA
R1#ping 20.0.0.2 re 1
.

! Enable/Disable Logging On Console
ASA(config)# logging console 7
ASA(config)# logging on
%ASA-7-609001: Built local-host inside:10.0.0.1
%ASA-7-609001: Built local-host outside:20.0.0.2
%ASA-6-302020: Built outbound ICMP connection for faddr 20.0.0.2/0 gaddr 10.0.0.1/16 laddr 10.0.0.1/16
%ASA-3-106014: Deny inbound icmp src outside:20.0.0.2 dst inside:10.0.0.1 (type 0, code 0)
%ASA-6-302021: Teardown ICMP connection for faddr 20.0.0.2/0 gaddr 10.0.0.1/16 laddr 10.0.0.1/16
%ASA-7-609002: Teardown local-host inside:10.0.0.1 duration 0:00:02
%ASA-7-609002: Teardown local-host outside:20.0.0.2 duration 0:00:02
ASA(config)# no logging on

ASA(config)# show local-host all
Interface outside: 0 active, 1 maximum active, 0 denied
Interface inside: 0 active, 1 maximum active, 0 denied
Interface management: 0 active, 0 maximum active, 0 denied
Interface NP Identity Ifc: 0 active, 2 maximum active, 0 denied

R1#ping 20.0.0.2 re 10
..........

ASA(config)# show local-host all
Interface outside: 1 active, 1 maximum active, 0 denied
local host: <20.0.0.2>,
    TCP flow count/limit = 0/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 0/unlimited
  Conn:
    ICMP outside 20.0.0.2:0 inside 10.0.0.1:17, idle 0:00:01, bytes 72
Interface inside: 1 active, 1 maximum active, 0 denied
local host: <10.0.0.1>,
    TCP flow count/limit = 0/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 0/unlimited
  Conn:
    ICMP outside 20.0.0.2:0 inside 10.0.0.1:17, idle 0:00:01, bytes 72
Interface management: 0 active, 0 maximum active, 0 denied
Interface NP Identity Ifc: 0 active, 2 maximum active, 0 denied

R1#traceroute 20.0.0.2
  1 *  *  *
  2 *  *  *
ASA(config)# logging on
%ASA-6-302015: Built outbound UDP connection 2967 for outside:20.0.0.2/33436 (20.0.0.2/33436) to inside:10.0.0.1/49174 (10.0.0.1/49174)
%ASA-3-106014: Deny inbound icmp src outside:20.0.0.2 dst inside:10.0.0.1 (type 3, code 3)
ASA(config)# access-list OUT-IN permit ip host 20.0.0.2 host 10.0.0.1
ASA(config)# access-group OUT-IN in interface outside

R1#traceroute 20.0.0.2
  1 20.0.0.2 76 msec *  32 msec

%ASA-6-302015: Built outbound UDP connection 2983 for outside:20.0.0.2/33434 (20.0.0.2/33434) to inside:10.0.0.1/49188 (10.0.0.1/49188)
%ASA-6-302020: Built inbound ICMP connection for faddr 20.0.0.2/0 gaddr 10.0.0.1/0 laddr 10.0.0.1/0
%ASA-6-302021: Teardown ICMP connection for faddr 20.0.0.2/0 gaddr 10.0.0.1/0 laddr 10.0.0.1/0
%ASA-6-302015: Built outbound UDP connection 2985 for outside:20.0.0.2/33435 (20.0.0.2/33435) to inside:10.0.0.1/49189 (10.0.0.1/49189)
%ASA-6-302015: Built outbound UDP connection 2986 for outside:20.0.0.2/33436 (20.0.0.2/33436) to inside:10.0.0.1/49190 (10.0.0.1/49190)
%ASA-6-302020: Built inbound ICMP connection for faddr 20.0.0.2/0 gaddr 10.0.0.1/0 laddr 10.0.0.1/0
%ASA-6-302021: Teardown ICMP connection for faddr 20.0.0.2/0 gaddr 10.0.0.1/0 laddr 10.0.0.1/0
ASA(config)# no logging on
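An added example (my own code, not from this post or from Cisco) that models the behaviour the transcripts above show: the level-based default permit, the stateful return path for TCP/UDP, the ICMP echo replies the ASA drops, and the effect of the OUT-IN ACL; the `icmp_inspect` flag is a hypothetical stand-in for enabling `inspect icmp` in the ASA's global policy.

```python
"""Minimal model of the ASA routed-firewall default policy (added example).

inside (100) -> outside (0) is permitted by default, outside -> inside is
denied unless an inbound ACL permits it, TCP/UDP return traffic is allowed by
the connection table, and ICMP replies are dropped unless ICMP inspection is
on (hypothetical `icmp_inspect` flag standing in for `inspect icmp`).
"""
from dataclasses import dataclass, field


@dataclass
class Asa:
    levels: dict                                # interface name -> security level
    acls: dict = field(default_factory=dict)    # ingress iface -> [(proto, src, dst)]
    same_security: bool = False                 # same-security-traffic permit inter-interface
    icmp_inspect: bool = False                  # hypothetical: inspect icmp enabled
    conns: set = field(default_factory=set)     # (proto, client_ip, server_ip)

    def _acl_permits(self, iface, proto, src, dst):
        for p, s, d in self.acls.get(iface, []):
            if p in ("ip", proto) and s in ("any", src) and d in ("any", dst):
                return True
        return False

    def forward(self, in_if, out_if, proto, src, dst, reply=False):
        """Return True if the ASA forwards this packet from in_if to out_if."""
        # 1. Replies: TCP/UDP match the stateful connection table; ICMP only
        #    does so when inspection is on, otherwise it falls to the policy.
        if reply and (proto, dst, src) in self.conns:
            if proto != "icmp" or self.icmp_inspect:
                return True
        # 2. An inbound ACL on the ingress interface replaces the implicit
        #    high-to-low permit; without one, security levels decide.
        if in_if in self.acls:
            allowed = self._acl_permits(in_if, proto, src, dst)
        elif self.levels[in_if] > self.levels[out_if]:
            allowed = True
        elif self.levels[in_if] == self.levels[out_if]:
            allowed = self.same_security
        else:
            allowed = False
        if allowed and not reply:
            self.conns.add((proto, src, dst))   # "Built outbound ... connection"
        return allowed
```

Note that the OUT-IN ACL used above permits all IP from 20.0.0.2 to 10.0.0.1 inbound on outside, whereas `inspect icmp` admits only the replies to echoes the inside host itself sent.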