我们刚刚收到了光纤上行链路,我正在尝试配置我们的 Cisco ASA 5505 以正确使用它。
提供商要求我们通过 PPPoE 进行连接,我设法将 ASA 配置为 PPPoE 客户端并建立连接。ASA 由 PPPoE 分配一个 IP 地址,我可以从 ASA ping 出到互联网,但我应该可以访问整个 /28 子网。我不知道如何在 ASA 上配置该子网,以便我可以将可用的公共地址路由或 NAT 到各个内部主机。
我分配的范围是:188.xx.xx.176/28 我通过 PPPoE 获得的地址是 188.xx.xx.177/32,根据我们的提供商的说法,这是我们的默认网关地址。他们声称子网在他们那边已正确路由到我们。
ASA 如何知道它在光纤接口上负责哪个范围?
我如何使用我范围内的地址?
为了澄清我的配置;ASA 当前配置为默认路由到端口 Ethernet0/0(接口 vlan2,昵称 Outside)上的 ADSL 上行链路。光纤连接到端口 Ethernet0/2(接口 vlan50,昵称 Fiber),因此我可以先对其进行配置和测试,然后再将其设为默认路由。一旦我清楚如何设置,我将完全用 Fiber 替换 Outside 接口。
我的配置(相当长):
: Saved
:
ASA Version 8.3(2)4
!
hostname gw
domain-name example.com
enable password ****** encrypted
passwd ****** encrypted
names
name 10.10.1.0 Inside-dhcp-network description Desktops and clients that receive their IP via DHCP
name 10.10.0.208 svn.example.com description Subversion server
name 10.10.0.205 marvin.example.com description LAMP development server
name 10.10.0.206 dns.example.com description DNS, DHCP, NTP
!
interface Vlan2
description Old ADSL WAN connection
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.252
!
interface Vlan10
description LAN vlan 10 Regular LAN traffic
nameif inside
security-level 100
ip address 10.10.0.254 255.255.0.0
!
interface Vlan11
description LAN vlan 11 Lab/test traffic
nameif lab
security-level 90
ip address 10.11.0.254 255.255.0.0
!
interface Vlan20
description LAN vlan 20 ISCSI traffic
nameif iscsi
security-level 100
ip address 10.20.0.254 255.255.0.0
!
interface Vlan30
description LAN vlan 30 DMZ traffic
nameif dmz
security-level 50
ip address 10.30.0.254 255.255.0.0
!
interface Vlan40
description LAN vlan 40 Guests access to the internet
nameif guests
security-level 50
ip address 10.40.0.254 255.255.0.0
!
interface Vlan50
description New WAN Corporate Internet over fiber
nameif fiber
security-level 0
pppoe client vpdn group KPN
ip address pppoe
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
switchport trunk allowed vlan 10,11,30,40
switchport trunk native vlan 10
switchport mode trunk
!
interface Ethernet0/2
switchport access vlan 50
speed 100
duplex full
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
switchport access vlan 20
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
boot system disk0:/asa832-4-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns server-group DefaultDNS
name-server dns.example.com
domain-name example.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network inside-net
subnet 10.10.0.0 255.255.0.0
object network svn.example.com
host 10.10.0.208
object network marvin.example.com
host 10.10.0.205
object network lab-net
subnet 10.11.0.0 255.255.0.0
object network dmz-net
subnet 10.30.0.0 255.255.0.0
object network guests-net
subnet 10.40.0.0 255.255.0.0
object network dhcp-subnet
subnet 10.10.1.0 255.255.255.0
description DHCP assigned addresses on Vlan 10
object network Inside-vpnpool
description Pool of assignable addresses for VPN clients
object network vpn-subnet
subnet 10.10.3.0 255.255.255.0
description Address pool assignable to VPN clients
object network dns.example.com
host 10.10.0.206
description DNS, DHCP, NTP
object-group service iscsi tcp
description iscsi storage traffic
port-object eq 3260
access-list outside_access_in remark Allow access from outside to HTTP on svn.
access-list outside_access_in extended permit tcp any object svn.example.com eq www
access-list Insiders!_splitTunnelAcl standard permit 10.10.0.0 255.255.0.0
access-list iscsi_access_in remark Prevent disruption of iscsi traffic from outside the iscsi vlan.
access-list iscsi_access_in extended deny tcp any interface iscsi object-group iscsi log warnings
!
snmp-map DenyV1
deny version 1
!
pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 512
logging monitor warnings
logging buffered warnings
logging history critical
logging asdm errors
logging flash-bufferwrap
logging flash-minimum-free 4000
logging flash-maximum-allocation 2000
mtu outside 1500
mtu inside 1500
mtu lab 1500
mtu iscsi 9000
mtu dmz 1500
mtu guests 1500
mtu fiber 1492
ip local pool DHCP_VPN 10.10.3.1-10.10.3.20 mask 255.255.0.0
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 10 burst-size 5
asdm image disk0:/asdm-635.bin
asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static vpn-subnet vpn-subnet
!
object network inside-net
nat (inside,outside) dynamic interface
object network svn.example.com
nat (inside,outside) static interface service tcp www www
object network lab-net
nat (lab,outside) dynamic interface
object network dmz-net
nat (dmz,outside) dynamic interface
object network guests-net
nat (guests,outside) dynamic interface
access-group outside_access_in in interface outside
access-group iscsi_access_in in interface iscsi
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server SBS2003 protocol radius
aaa-server SBS2003 (inside) host 10.10.0.204
timeout 5
key *****
aaa authentication enable console SBS2003 LOCAL
aaa authentication ssh console SBS2003 LOCAL
aaa authentication telnet console SBS2003 LOCAL
http server enable
http 10.10.0.0 255.255.0.0 inside
snmp-server host inside 10.10.0.207 community ***** version 2c
snmp-server location Server room
snmp-server contact [email protected]
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set TRANS_ESP_AES-256_SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES-256_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group5
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_AES-256_SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.10.0.0 255.255.0.0 inside
telnet timeout 5
ssh scopy enable
ssh 10.10.0.0 255.255.0.0 inside
ssh timeout 5
ssh version 2
console timeout 30
management-access inside
vpdn group KPN request dialout pppoe
vpdn group KPN localname INSIDERS
vpdn group KPN ppp authentication pap
vpdn username INSIDERS password ***** store-local
dhcpd address 10.40.1.0-10.40.1.100 guests
dhcpd dns 8.8.8.8 8.8.4.4 interface guests
dhcpd update dns interface guests
dhcpd enable guests
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics host number-of-rate 2
threat-detection statistics port number-of-rate 3
threat-detection statistics protocol number-of-rate 3
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server dns.example.com source inside prefer
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy Insiders! internal
group-policy Insiders! attributes
wins-server value 10.10.0.205
dns-server value 10.10.0.206
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Insiders!_splitTunnelAcl
default-domain value example.com
username martijn password ****** encrypted privilege 15
username marcel password ****** encrypted privilege 15
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group Insiders! type remote-access
tunnel-group Insiders! general-attributes
address-pool DHCP_VPN
authentication-server-group SBS2003 LOCAL
default-group-policy Insiders!
tunnel-group Insiders! ipsec-attributes
pre-shared-key *****
!
class-map global-class
match default-inspection-traffic
class-map type inspect http match-all asdm_medium_security_methods
match not request method head
match not request method post
match not request method get
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect http http_inspection_policy
parameters
protocol-violation action drop-connection
policy-map global-policy
class global-class
inspect dns
inspect esmtp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect icmp
inspect icmp error
inspect mgcp
inspect netbios
inspect pptp
inspect rtsp
inspect snmp DenyV1
!
service-policy global-policy global
smtp-server 123.123.123.123
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:a76bbcf8b19019771c6d3eeecb95c1ca
: end
asdm image disk0:/asdm-635.bin
asdm location svn.example.com 255.255.255.255 inside
asdm location marvin.example.com 255.255.255.255 inside
asdm location dns.example.com 255.255.255.255 inside
asdm history enable
答案1
ASA 如何知道它在光纤接口上负责哪个范围?
事实并非如此。您的 ISP 知道(希望如此)给定子网内的主机可通过 ASA 访问。如果 ASA 没有连接对等点(或其他适当的路由),则乒乓球将开始:ISP 将数据包发送到 ASA,ASA 通过其默认路由将其发回。这就是为什么我建议至少添加静态路由,说明您分配的子网可通过 Null 设备访问。
我如何使用我范围内的地址?
实际上有很多方法。例如,您可以将私有 IP 通过 NAT 转换为子网内的某个 IP。您可以进一步将其划分为子网,然后直接通过这些 IP 将某些主机连接到您的 ASA。