Filed under: Security, Cisco

Basic firewall commands (3)

Dynamic routing protocols (RIP, OSPF):
On a single ASA, at most two OSPF processes can be enabled at the same time.

Why you would run two OSPF processes:
1. The firewall has several interfaces that use the same IP address space (NAT lets such interfaces coexist, but OSPF does not allow overlapping addresses), so each overlapping range needs its own process.
2. Run one OSPF process on the inside and another on the outside, and redistribute (a subset of) routes between the two processes.
3. To keep private addressing separate from public addressing.


Before 7.2, RIP and OSPF could not run at the same time; from ASA 7.2 onward both routing protocols can be enabled simultaneously.

OSPF configuration:
ASA:
router ospf 1
  network 10.1.12.254 255.255.255.255 area 0
  neighbor 10.1.12.1
  log-adj-changes

Interface plain-text authentication (OSPF authentication type 1; the password travels in clear in the 8-byte authentication field of every OSPF packet, so anyone who can sniff the segment can read it; prefer the MD5 form below unless the link is trusted)
interface Ethernet0/0
  nameif inside
  security-level 100
  ip address 10.1.12.254 255.255.255.0
  ospf network point-to-point non-broadcast   sets the OSPF network type; with point-to-point non-broadcast the neighbor must be configured statically (the neighbor command under router ospf). If the peer router's interface is set to point-to-point, the router side needs no neighbor statement
  ospf authentication-key cisco   authentication key (must match the key on the router)
  ospf authentication   enables plain-text authentication on the interface

Interface MD5 authentication (type 2; the packet carries a keyed MD5 digest instead of the key itself)
interface Ethernet0/0
  nameif inside
  security-level 100
  ip address 10.1.12.254 255.255.255.0
  ospf network point-to-point non-broadcast
  ospf message-digest-key 1 md5 cisco   key ID 1 and key; both must match the router (the original omits the key string, which the router side shows as "cisco")
  ospf authentication message-digest   enables MD5 authentication on the interface

Router:
router ospf 1
  router-id 1.1.1.1
  log-adjacency-changes
  network 1.1.1.1 0.0.0.0 area 0
  network 10.1.12.1 0.0.0.0 area 0

Interface plain-text authentication
interface FastEthernet0/0
  ip address 10.1.12.1 255.255.255.0
  ip ospf authentication
  ip ospf authentication-key cisco
  ip ospf network point-to-point
end

Interface MD5 authentication
interface FastEthernet0/0
  ip address 10.1.12.1 255.255.255.0
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 cisco
  ip ospf network point-to-point
  duplex auto
  speed auto
end

Area authentication (enabling message-digest under the area turns on MD5 authentication for every interface in that area; each interface still needs its own message-digest-key):
ASA:
router ospf 1
  network 10.1.12.254 255.255.255.255 area 0
  area 0 authentication message-digest
  neighbor 10.1.12.1
  log-adj-changes
!
interface Ethernet0/0
  nameif inside
  security-level 100
  ip address 10.1.12.254 255.255.255.0
  ospf network point-to-point non-broadcast
  ospf message-digest-key 1 md5 cisco123   key ID and key must match the router (the original omits the key string, which the router side shows as "cisco123")

Router:
router ospf 1
  router-id 1.1.1.1
  log-adjacency-changes
  area 0 authentication message-digest
  network 1.1.1.1 0.0.0.0 area 0
  network 10.1.12.1 0.0.0.0 area 0

interface FastEthernet0/0
  ip address 10.1.12.1 255.255.255.0
  ip ospf message-digest-key 1 md5 cisco123
  ip ospf network point-to-point
end

show ospf neighbor: show OSPF neighbors (the adjacency should reach FULL; with a mismatched authentication type or key the neighbor never appears)
show ospf database: show the OSPF link-state database
show ospf interface: show the state of interfaces running OSPF, including the network type and authentication settings in effect
clear ospf process: reset the OSPF process
On the router, debug ip ospf adj reports mismatched authentication type or key when the two sides disagree, which is the first thing to check when the neighbor does not come up.
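What the interface and area authentication commands above actually put on the wire, as an added example that is not part of the original page or of any Cisco code: a Python model of OSPFv2 type 1 (simple password) and type 2 (MD5) authentication per RFC 2328 Appendix D, using the page's addresses and keys. The packets are constructed inline, not captured, and ip_checksum, build_ospf and verify_ospf are this example's own names. It shows that the type 1 key is readable in the header, and that a key or key-ID mismatch between ASA and router (the usual reason an adjacency never forms) is rejected in the same way as a tampered packet.

```python
"""OSPFv2 authentication as it appears on the wire (RFC 2328, Appendix D).

Added example: builds a minimal OSPF Hello for the 10.1.12.0/24 link from the
configs above and applies either type 1 (simple password, the "ospf
authentication" case) or type 2 (cryptographic MD5, the "message-digest"
case), then verifies it the way a receiving router does. The packet is
constructed here, not captured; keys "cisco" and "cisco123" are the page's.
"""
import hashlib
import hmac
import socket
import struct

AU_NULL, AU_SIMPLE, AU_CRYPT = 0, 1, 2   # OSPF AuType values
OSPF_HELLO = 1
HDR_LEN = 24                             # 16-byte header + 8-byte auth field


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (pads odd-length input with 0)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def hello_body(netmask="255.255.255.0", hello=10, dead=40, neighbors=()):
    """Hello body: mask, hello/dead intervals, options (E bit), priority 1,
    no DR/BDR (point-to-point link), then the known neighbor router IDs."""
    fixed = struct.pack("!4sHBBI4s4s", socket.inet_aton(netmask), hello, 0x02, 1,
                        dead, b"\0" * 4, b"\0" * 4)
    return fixed + b"".join(socket.inet_aton(n) for n in neighbors)


def build_ospf(router_id, area, body, autype, key=b"", key_id=0, seq=0):
    """Return the wire bytes of an OSPFv2 packet with the requested auth type.

    Type 1: the password (<= 8 bytes, zero padded) sits in clear in the header's
            authentication field; the checksum covers everything except those 8 bytes.
    Type 2: the auth field carries key-id / digest length / sequence number, the
            checksum is left 0, and MD5(packet || key zero-padded to 16 bytes) is
            appended as a trailer that is not counted in the packet length.
    """
    length = HDR_LEN + len(body)
    head = struct.pack("!BBH4s4sHH", 2, OSPF_HELLO, length,
                       socket.inet_aton(router_id), socket.inet_aton(area), 0, autype)
    if autype == AU_CRYPT:
        auth = struct.pack("!HBBI", 0, key_id, 16, seq)
        pkt = head + auth + body
        return pkt + hashlib.md5(pkt + key.ljust(16, b"\0")[:16]).digest()
    auth = key.ljust(8, b"\0")[:8] if autype == AU_SIMPLE else b"\0" * 8
    pkt = head + auth + body
    csum = ip_checksum(pkt[:16] + pkt[HDR_LEN:])
    return pkt[:12] + struct.pack("!H", csum) + pkt[14:]


def verify_ospf(pkt, keys):
    """Authenticate a received packet. keys maps key-id -> key bytes for type 2,
    or {0: password} for type 1. Returns (accepted, reason)."""
    _, _, length, _, _, _, autype = struct.unpack("!BBH4s4sHH", pkt[:16])
    auth = pkt[16:HDR_LEN]
    if autype == AU_CRYPT:
        _, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
        key = keys.get(key_id)
        if key is None:
            return False, "unknown key id %d" % key_id
        if auth_len != 16 or len(pkt) < length + 16:
            return False, "bad auth data length"
        expect = hashlib.md5(pkt[:length] + key.ljust(16, b"\0")[:16]).digest()
        if hmac.compare_digest(expect, pkt[length:length + 16]):
            return True, "md5 ok (key id %d, seq %d)" % (key_id, seq)
        return False, "md5 mismatch"
    # Type 0/1: the checksum over the packet minus the auth field must verify to 0
    if ip_checksum(pkt[:16] + pkt[HDR_LEN:length]) != 0:
        return False, "bad checksum"
    if autype == AU_SIMPLE and auth != keys.get(0, b"").ljust(8, b"\0")[:8]:
        return False, "password mismatch"
    return True, "type %d ok" % autype


def demo():
    """The cases a practitioner hits: cleartext key visible on the wire, matching
    keys, mismatched key or key-id (ASA vs router), and a tampered packet."""
    body = hello_body(neighbors=["1.1.1.1"])
    plain = build_ospf("10.1.12.254", "0.0.0.0", body, AU_SIMPLE, b"cisco")
    md5p = build_ospf("10.1.12.254", "0.0.0.0", body, AU_CRYPT, b"cisco123", key_id=1, seq=5)
    tampered = bytearray(md5p)
    tampered[HDR_LEN + 4] ^= 0xFF          # flip a byte of the HelloInterval
    return {
        "plain_key_on_wire": plain[16:HDR_LEN],              # b'cisco\x00\x00\x00'
        "plain_ok": verify_ospf(plain, {0: b"cisco"}),
        "plain_wrong": verify_ospf(plain, {0: b"Cisco"}),
        "md5_ok": verify_ospf(md5p, {1: b"cisco123"}),
        "md5_wrong_key": verify_ospf(md5p, {1: b"cisco"}),   # ASA/router key mismatch
        "md5_wrong_id": verify_ospf(md5p, {2: b"cisco123"}), # key-id mismatch
        "md5_tampered": verify_ospf(bytes(tampered), {1: b"cisco123"}),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-18s %r" % (name, value))
```

Running it prints each case. The seq field is the cryptographic sequence number that a real router also tracks per neighbor to reject replayed packets; this model carries it but does not enforce it, and MD5 here is a keyed digest, not encryption: the Hello contents are still readable, only the key is not.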

RIP configuration:
hostname(config)# router rip
hostname(config-router)# network 10.0.0.0
hostname(config-router)# version 2
hostname(config-router)# no auto-summary

hostname(config)# interface Gigabit0/3
hostname(config-if)# rip authentication mode md5   use md5; text mode sends the key in clear like OSPF type 1
hostname(config-if)# rip authentication key thisismykey key_id 5   key and key ID must match the neighbor

show rip database: show the RIP database
debug rip database: debug RIP database updates
debug rip event: debug RIP events