Cisco ASA: how do I route a PPPoE-assigned subnet?


We just got a fiber uplink and I am trying to configure our Cisco ASA 5505 to use it properly.

The provider requires us to connect via PPPoE, and I managed to configure the ASA as a PPPoE client and bring the connection up. The ASA gets an IP address assigned via PPPoE and I can ping out to the internet from the ASA, but I should have access to an entire /28 subnet. I don't know how to configure that subnet on the ASA so that I can route or NAT the available public addresses to individual internal hosts.

The range assigned to me is 188.xx.xx.176/28. The address I get via PPPoE is 188.xx.xx.177/32, which according to our provider is our default gateway address. They claim the subnet is correctly routed to us on their side.

How does the ASA know which range it is responsible for on the fiber interface?

How do I use the addresses in my range?


To clarify my configuration: the ASA is currently configured with its default route pointing to the ADSL uplink on port Ethernet0/0 (interface vlan2, named Outside). The fiber is connected to port Ethernet0/2 (interface vlan50, named Fiber), so that I can configure and test it first before making it the default route. Once I know how to set it up I will replace the Outside interface with Fiber entirely.

My config (rather long):

: Saved
:
ASA Version 8.3(2)4 
!
hostname gw
domain-name example.com
enable password ****** encrypted
passwd ****** encrypted
names
name 10.10.1.0 Inside-dhcp-network description Desktops and clients that receive their IP via DHCP
name 10.10.0.208 svn.example.com description Subversion server
name 10.10.0.205 marvin.example.com description LAMP development server
name 10.10.0.206 dns.example.com description DNS, DHCP, NTP
!
interface Vlan2
 description Old ADSL WAN connection
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.252 
!
interface Vlan10
 description LAN vlan 10 Regular LAN traffic
 nameif inside
 security-level 100
 ip address 10.10.0.254 255.255.0.0 
!
interface Vlan11
 description LAN vlan 11 Lab/test traffic
 nameif lab
 security-level 90
 ip address 10.11.0.254 255.255.0.0 
!
interface Vlan20
 description LAN vlan 20 ISCSI traffic
 nameif iscsi
 security-level 100
 ip address 10.20.0.254 255.255.0.0 
!
interface Vlan30
 description LAN vlan 30 DMZ traffic
 nameif dmz
 security-level 50
 ip address 10.30.0.254 255.255.0.0 
!
interface Vlan40
 description LAN vlan 40 Guests access to the internet
 nameif guests
 security-level 50
 ip address 10.40.0.254 255.255.0.0 
!
interface Vlan50
 description New WAN Corporate Internet over fiber
 nameif fiber
 security-level 0
 pppoe client vpdn group KPN
 ip address pppoe 
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
 switchport trunk allowed vlan 10,11,30,40
 switchport trunk native vlan 10
 switchport mode trunk
!
interface Ethernet0/2
 switchport access vlan 50
 speed 100
 duplex full
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 switchport access vlan 20
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
boot system disk0:/asa832-4-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns server-group DefaultDNS
 name-server dns.example.com
 domain-name example.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network inside-net 
 subnet 10.10.0.0 255.255.0.0
object network svn.example.com 
 host 10.10.0.208
object network marvin.example.com 
 host 10.10.0.205
object network lab-net 
 subnet 10.11.0.0 255.255.0.0
object network dmz-net 
 subnet 10.30.0.0 255.255.0.0
object network guests-net 
 subnet 10.40.0.0 255.255.0.0
object network dhcp-subnet 
 subnet 10.10.1.0 255.255.255.0
 description DHCP assigned addresses on Vlan 10 
object network Inside-vpnpool 
 description Pool of assignable addresses for VPN clients  
object network vpn-subnet 
 subnet 10.10.3.0 255.255.255.0
 description Address pool assignable to VPN clients 
object network dns.example.com 
 host 10.10.0.206
 description DNS, DHCP, NTP 
object-group service iscsi tcp
 description iscsi storage traffic
 port-object eq 3260
access-list outside_access_in remark Allow access from outside to HTTP on svn.
access-list outside_access_in extended permit tcp any object svn.example.com eq www 
access-list Insiders!_splitTunnelAcl standard permit 10.10.0.0 255.255.0.0 
access-list iscsi_access_in remark Prevent disruption of iscsi traffic from outside the iscsi vlan.
access-list iscsi_access_in extended deny tcp any interface iscsi object-group iscsi log warnings 
!
snmp-map DenyV1
 deny version 1
!
pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 512
logging monitor warnings
logging buffered warnings
logging history critical
logging asdm errors
logging flash-bufferwrap
logging flash-minimum-free 4000
logging flash-maximum-allocation 2000
mtu outside 1500
mtu inside 1500
mtu lab 1500
mtu iscsi 9000
mtu dmz 1500
mtu guests 1500
mtu fiber 1492
ip local pool DHCP_VPN 10.10.3.1-10.10.3.20 mask 255.255.0.0
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 10 burst-size 5
asdm image disk0:/asdm-635.bin
asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static vpn-subnet vpn-subnet
!
object network inside-net
 nat (inside,outside) dynamic interface
object network svn.example.com
 nat (inside,outside) static interface service tcp www www 
object network lab-net
 nat (lab,outside) dynamic interface
object network dmz-net
 nat (dmz,outside) dynamic interface
object network guests-net
 nat (guests,outside) dynamic interface
access-group outside_access_in in interface outside
access-group iscsi_access_in in interface iscsi
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server SBS2003 protocol radius
aaa-server SBS2003 (inside) host 10.10.0.204
 timeout 5
 key *****
aaa authentication enable console SBS2003 LOCAL
aaa authentication ssh console SBS2003 LOCAL
aaa authentication telnet console SBS2003 LOCAL
http server enable
http 10.10.0.0 255.255.0.0 inside
snmp-server host inside 10.10.0.207 community ***** version 2c
snmp-server location Server room
snmp-server contact [email protected]
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set TRANS_ESP_AES-256_SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_AES-256_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group5
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_AES-256_SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.10.0.0 255.255.0.0 inside
telnet timeout 5
ssh scopy enable
ssh 10.10.0.0 255.255.0.0 inside
ssh timeout 5
ssh version 2
console timeout 30
management-access inside
vpdn group KPN request dialout pppoe
vpdn group KPN localname INSIDERS
vpdn group KPN ppp authentication pap
vpdn username INSIDERS password ***** store-local
dhcpd address 10.40.1.0-10.40.1.100 guests
dhcpd dns 8.8.8.8 8.8.4.4 interface guests
dhcpd update dns interface guests
dhcpd enable guests
!

threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics host number-of-rate 2
threat-detection statistics port number-of-rate 3
threat-detection statistics protocol number-of-rate 3
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server dns.example.com source inside prefer
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec 
group-policy Insiders! internal
group-policy Insiders! attributes
 wins-server value 10.10.0.205
 dns-server value 10.10.0.206
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Insiders!_splitTunnelAcl
 default-domain value example.com
username martijn password ****** encrypted privilege 15
username marcel password ****** encrypted privilege 15
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group Insiders! type remote-access
tunnel-group Insiders! general-attributes
 address-pool DHCP_VPN
 authentication-server-group SBS2003 LOCAL
 default-group-policy Insiders!
tunnel-group Insiders! ipsec-attributes
 pre-shared-key *****
!
class-map global-class
 match default-inspection-traffic
class-map type inspect http match-all asdm_medium_security_methods
 match not request method head
 match not request method post
 match not request method get
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect http http_inspection_policy
 parameters
  protocol-violation action drop-connection
policy-map global-policy
 class global-class
  inspect dns 
  inspect esmtp 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect http 
  inspect icmp 
  inspect icmp error 
  inspect mgcp 
  inspect netbios 
  inspect pptp 
  inspect rtsp 
  inspect snmp DenyV1 
!
service-policy global-policy global
smtp-server 123.123.123.123
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:a76bbcf8b19019771c6d3eeecb95c1ca
: end
asdm image disk0:/asdm-635.bin
asdm location svn.example.com 255.255.255.255 inside
asdm location marvin.example.com 255.255.255.255 inside
asdm location dns.example.com 255.255.255.255 inside
asdm history enable

Answer 1

How does the ASA know which range it is responsible for on the fiber interface?

It doesn't. Your ISP knows (hopefully) that hosts within the given subnet are reachable through the ASA. If the ASA has no connected peer (or another suitable route), a ping-pong starts: the ISP sends the packet to the ASA, and the ASA sends it back out via its default route. That's why I suggest at least adding a static route stating that your assigned subnet is reachable via the Null device.

How do I use the addresses in my range?

There are actually many ways. For example, you can NAT a private IP to one of the IPs in the subnet. You could also subnet it further and then connect some hosts directly to your ASA via those IPs.
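The following is a worked configuration for the approach the answer describes (NAT into the routed block, plus a guard against the ping-pong). It is an editor's example added here, not part of the original question or answer, and it uses the ASA 8.3 object-NAT syntax already present in the posted config. Since the real prefix is redacted, the documentation prefix 203.0.113.176/28 stands in for 188.xx.xx.176/28, 203.0.113.177 for the PPPoE-assigned address, and 203.0.113.180 is an arbitrary address chosen from the block for the Subversion host; the interface and object names are the ones from the posted config.

```text
! Added example, not from the original post. ASA 8.3 syntax.
! 203.0.113.176/28 stands in for the redacted 188.xx.xx.176/28;
! 203.0.113.177 is the PPPoE-assigned address the ISP calls the gateway.

! --- 1. Default route over the PPPoE link -----------------------------
! "setroute" makes the ASA install the default route learned from the
! PPP peer, so no next-hop address has to be hard-coded. Remove the old
! ADSL default route once the fiber link is verified; keeping both
! leaves two default routes of equal metric and asymmetric traffic.
interface Vlan50
 ip address pppoe setroute
no route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

! --- 2. The ASA never "owns" the /28; it only needs NAT entries --------
! Each network object carries a single object-NAT rule, so these replace
! the (inside,outside) rules from the posted config.
! Public address for the Subversion web server, port 80 only:
object network svn.example.com
 nat (inside,fiber) static 203.0.113.180 service tcp www www
! Everything else leaves through PAT on the PPPoE interface address:
object network inside-net
 nat (inside,fiber) dynamic interface
object network lab-net
 nat (lab,fiber) dynamic interface
object network dmz-net
 nat (dmz,fiber) dynamic interface
object network guests-net
 nat (guests,fiber) dynamic interface

! --- 3. Inbound policy on the fiber interface -------------------------
! From 8.3 on, ACLs match the real (untranslated) address, hence the
! object rather than the public IP. The implicit deny at the end of an
! applied ACL also drops packets for addresses in the /28 that have no
! translation, so they cannot be hairpinned back to the ISP through the
! default route (the ping-pong the answer warns about; note the posted
! config permits intra-interface traffic, which is what would allow it).
access-list fiber_access_in remark Allow HTTP from the internet to svn
access-list fiber_access_in extended permit tcp any object svn.example.com eq www
access-group fiber_access_in in interface fiber
ip verify reverse-path interface fiber

! --- 4. Null route for the whole block (9.2 and later only) -----------
! Later ASA releases accept a static route to null0, which is the
! "Null device" route the answer recommends. The 8.3(2) image in the
! question does not offer null0, so there the ACL in step 3 is the guard.
route null0 203.0.113.176 255.255.255.240

! --- Verification -----------------------------------------------------
! show ip address fiber      -> PPPoE address 203.0.113.177
! show route                 -> one default route, out the fiber interface
! show nat detail            -> the (inside,fiber) rules and their hit counts
! packet-tracer input fiber tcp 198.51.100.10 12345 203.0.113.180 80
!                            -> should end with "Action: allow" via the
!                               static NAT; a test against an unused
!                               address in the /28 should end in a drop
```

Before retiring the ADSL link, the VPN-related entries that still reference `outside` in the posted config (the crypto map binding, `crypto isakmp enable`, and the `nat (inside,outside) source static ... vpn-subnet` exemption) need the same interface change, or remote-access clients will keep terminating on the old uplink.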
