I need help configuring a Cisco ASA 5510. I have set up 4 Cisco ASAs interconnected through a large LAN. Each Cisco ASA has 3 or 4 LANs connected to it. IP routing is handled by OSPF. My problem is at another level.
Computers on one of the LANs connected to an ASA can communicate with the outside world without any problem. The outside world is anything "beyond" the ASA. My problem is that I cannot get them to communicate at all with another LAN connected to the same ASA. In other words, I cannot send traffic from one interface of a given ASA to another interface of the same ASA.
My configuration is as follows:
!
hostname Fuji
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 10.0.0.2 255.255.255.0
no shutdown
!
interface Ethernet0/1
speed 100
duplex full
nameif cs4
no shutdown
security-level 100
ip address 10.1.4.1 255.255.255.0
!
interface Ethernet0/2
speed 100
duplex full
no shutdown
!
interface Ethernet0/2.15
vlan 15
nameif cs5
security-level 100
ip address 10.1.5.1 255.255.255.0
!
interface Ethernet0/2.16
vlan 16
nameif cs6
security-level 100
ip address 10.1.6.1 255.255.255.0
!
interface Management0/0
speed 100
duplex full
nameif management
security-level 100
ip address 10.6.0.252 255.255.255.0
!
access-list nat_cs4 extended permit ip 10.1.4.0 255.255.255.0 any
access-list acl_cs4 extended permit ip 10.1.4.0 255.255.255.0 any
access-list nat_cs5 extended permit ip 10.1.5.0 255.255.255.0 any
access-list acl_cs5 extended permit ip 10.1.5.0 255.255.255.0 any
access-list nat_cs6 extended permit ip 10.1.6.0 255.255.255.0 any
access-list acl_cs6 extended permit ip 10.1.6.0 255.255.255.0 any
!
access-list nat_outside extended permit ip any any
access-list acl_outside extended permit ip any 10.1.4.0 255.255.255.0
access-list acl_outside extended permit ip any 10.1.5.0 255.255.255.0
access-list acl_outside extended permit ip any 10.1.6.0 255.255.255.0
!
nat (outside) 0 access-list nat_outside
nat (cs4) 0 access-list nat_cs4
nat (cs5) 0 access-list nat_cs5
nat (cs6) 0 access-list nat_cs6
!
static (outside,cs4) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
static (outside,cs5) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
static (outside,cs6) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
!
static (cs4,outside) 10.1.4.0 10.1.4.0 netmask 255.255.255.0
static (cs4,cs5) 10.1.4.0 10.1.4.0 netmask 255.255.255.0
static (cs4,cs6) 10.1.4.0 10.1.4.0 netmask 255.255.255.0
!
static (cs5,outside) 10.1.5.0 10.1.5.0 netmask 255.255.255.0
static (cs5,cs4) 10.1.5.0 10.1.5.0 netmask 255.255.255.0
static (cs5,cs6) 10.1.5.0 10.1.5.0 netmask 255.255.255.0
!
static (cs6,outside) 10.1.6.0 10.1.6.0 netmask 255.255.255.0
static (cs6,cs4) 10.1.6.0 10.1.6.0 netmask 255.255.255.0
static (cs6,cs5) 10.1.6.0 10.1.6.0 netmask 255.255.255.0
!
access-group acl_outside in interface outside
access-group acl_cs4 in interface cs4
access-group acl_cs5 in interface cs5
access-group acl_cs6 in interface cs6
!
router ospf 1
network 10.0.0.0 255.255.255.0 area 1
network 10.1.4.0 255.255.255.0 area 1
network 10.1.5.0 255.255.255.0 area 1
network 10.1.6.0 255.255.255.0 area 1
log-adj-changes
!
There is nothing complicated about this configuration. It is just NAT from one interface to another, nothing more. I tried enabling same-security-traffic permit inter-interface, but that did not help.
So I must be overlooking something more complicated. Does anyone know why I cannot forward traffic from one interface to another?
Thanks in advance for your help,
Antoine
Answer 1
Add same-security-traffic permit inter-interface to your configuration.
Without this command, interfaces with the same security level cannot communicate with each other.
Answer 2
I finally solved the problem! I was using too much NAT. I disabled nat-control, permitted traffic between interfaces with the same security level, and removed most of the NAT configuration.
Here is my working configuration.
!
hostname Fuji
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 10.0.0.2 255.255.255.0
no shutdown
!
interface Ethernet0/1
speed 100
duplex full
nameif cs4
no shutdown
security-level 100
ip address 10.1.4.1 255.255.255.0
!
interface Ethernet0/2
speed 100
duplex full
no shutdown
!
interface Ethernet0/2.15
vlan 15
nameif cs5
security-level 100
ip address 10.1.5.1 255.255.255.0
!
interface Ethernet0/2.16
vlan 16
nameif cs6
security-level 100
ip address 10.1.6.1 255.255.255.0
!
interface Management0/0
speed 100
duplex full
nameif management
security-level 100
ip address 10.6.0.252 255.255.255.0
!
same-security-traffic permit inter-interface
no nat-control
!
access-list acl_cs4 extended permit ip 10.1.4.0 255.255.255.0 any
access-list acl_cs5 extended permit ip 10.1.5.0 255.255.255.0 any
access-list acl_cs6 extended permit ip 10.1.6.0 255.255.255.0 any
!
access-list acl_outside extended permit ip any 10.1.4.0 255.255.255.0
access-list acl_outside extended permit ip any 10.1.5.0 255.255.255.0
access-list acl_outside extended permit ip any 10.1.6.0 255.255.255.0
!
static (outside,cs4) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
static (outside,cs5) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
static (outside,cs6) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
!
access-group acl_outside in interface outside
access-group acl_cs4 in interface cs4
access-group acl_cs5 in interface cs5
access-group acl_cs6 in interface cs6
!
router ospf 1
network 10.0.0.0 255.255.255.0 area 1
network 10.1.4.0 255.255.255.0 area 1
network 10.1.5.0 255.255.255.0 area 1
network 10.1.6.0 255.255.255.0 area 1
log-adj-changes
!
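Added example, not part of the thread: a small Python audit, written here for this page rather than taken from either answer, that reads an ASA configuration as text and checks the two conditions the answers turn on (interfaces at the same security level with no "same-security-traffic permit inter-interface" line, and "nat-control" left on). It also flags inside ACLs written as "permit ip <lan> any", because once inter-interface traffic is permitted those ACLs let each inside LAN reach every other inside LAN in full, which is worth knowing before adopting the working config above as-is. The sample text is constructed from the configuration posted in the question; the explicit "nat-control" line is an assumption, since the original post does not show it, and the function names are my own.

```python
import re
from itertools import combinations

# Constructed sample (assumption): the security-relevant lines of the poster's
# original configuration, plus an explicit 'nat-control' line, which the second
# answer implies was in effect but which the posted config does not show.
BEFORE = """\
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.0.0.2 255.255.255.0
interface Ethernet0/1
nameif cs4
security-level 100
ip address 10.1.4.1 255.255.255.0
interface Ethernet0/2.15
vlan 15
nameif cs5
security-level 100
interface Ethernet0/2.16
vlan 16
nameif cs6
security-level 100
interface Management0/0
nameif management
security-level 100
nat-control
access-list acl_cs4 extended permit ip 10.1.4.0 255.255.255.0 any
access-list acl_outside extended permit ip any 10.1.4.0 255.255.255.0
access-group acl_cs4 in interface cs4
"""

# Constructed sample: the same text with the two global lines the working config added.
AFTER = BEFORE.replace(
    "nat-control\n",
    "same-security-traffic permit inter-interface\nno nat-control\n",
)


def parse_interfaces(config):
    """Map each nameif to its security-level by walking the 'interface' blocks."""
    ifaces = {}
    name = level = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            if name is not None and level is not None:
                ifaces[name] = level
            name = level = None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("security-level "):
            level = int(line.split()[1])
    if name is not None and level is not None:
        ifaces[name] = level
    return ifaces


def audit(config):
    """Return a list of (finding, detail) tuples for the inter-interface issues in the thread."""
    ifaces = parse_interfaces(config)
    lines = {raw.strip() for raw in config.splitlines()}
    permit_same = "same-security-traffic permit inter-interface" in lines
    nat_control = "nat-control" in lines and "no nat-control" not in lines

    findings = []
    # Pairs of interfaces at the same security level: without the permit line the
    # ASA drops traffic between them regardless of ACLs or NAT.
    pairs = [(a, b) for a, b in combinations(sorted(ifaces), 2) if ifaces[a] == ifaces[b]]
    if pairs and not permit_same:
        findings.append(("same-security-blocked", pairs))
    # With nat-control on, every interface pair needs a matching nat/static rule,
    # which is the sprawl of static (csX,csY) lines in the original post.
    if nat_control:
        findings.append(("nat-control-on", "each interface pair needs a nat or static rule"))
    # Once inter-interface traffic is permitted, an inbound ACL written as
    # 'permit ip <lan> any' also reaches the other inside LANs, not only 'outside'.
    for line in sorted(lines):
        m = re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) any$", line)
        if m:
            findings.append(("broad-inside-acl", m.group(1)))
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg))
```

The audit only reads configuration text (for example the output of "show running-config" saved to a file) and never talks to the device. On the original config it reports the blocked same-security pairs and nat-control; on the working config those two findings disappear, but the broad inside ACLs remain, which is the point to review if cs4, cs5 and cs6 are not supposed to have unrestricted access to one another.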