调试 ASA 防火墙规则(使用或不使用 ASDM)

tag-icon tag-icon firewall cisco cisco-asa
调试 ASA 防火墙规则(使用或不使用 ASDM)

有没有办法调试 ASA 防火墙规则应用程序?我创建了 2 条简单的访问规则:允许任何 ICMP 和允许任何 UDP。
第一个有效,我可以 ping 通。udp 不起作用。在 ASDM 中运行跟踪(模拟数据包)显示数据包被隐式拒绝规则丢弃,但我不明白为什么它与我的任何 UDP 规则都不匹配?我可以启用规则评估的日志记录吗?

以下是我认为相关的配置部分(抱歉,我不是思科专家,使用 ASDM):

access-list Split-tunnel-ACL standard permit 10.65.0.0 255.255.0.0 
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in remark test
access-list outside_access_in extended permit udp host x.x.x.x host y.y.y.y

我还尝试使用 any any 代替 xxxx 和 yyyy,没有什么不同。数据包跟踪表明数据包在访问检查阶段被隐式拒绝规则丢弃。icmp 规则正在运行。

更多数据:

    Result of the command: "packet-tracer input  outside udp x.x.x.x    5060    y.y.y.y 5060 detailed"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad31d370, priority=111, domain=permit, deny=true
    hits=28380, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    input_ifc=outside, output_ifc=outside

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

命令结果:“show access-list”

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list Split-tunnel-ACL; 1 elements; name hash: 0xaa04f5f3
access-list Split-tunnel-ACL line 1 standard permit xxx.xx5.0.0 255.255.0.0 (hitcnt=6240) 0x9439a34b 
access-list outside_access_in; 2 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit icmp any any (hitcnt=0) 0x71af81e1 
access-list outside_access_in line 2 remark test
access-list outside_access_in line 3 extended permit udp host x.x.x.x host y.y.y.y (hitcnt=0) 0x9fbf7dc7 
access-list inside_nat0_outbound; 4 elements; name hash: 0x467c8ce4
access-list inside_nat0_outbound line 1 extended permit ip object City-network object Remote-mgmt-pool 0x1c53e4c4 
  access-list inside_nat0_outbound line 1 extended permit ip xxx.xx5.0.0 255.255.0.0 192.168.2.0 255.255.255.248 (hitcnt=0) 0x1c53e4c4 
access-list inside_nat0_outbound line 2 extended permit ip object City-network object City2-network 0x278c6c43 
  access-list inside_nat0_outbound line 2 extended permit ip xxx.xx5.0.0 255.255.0.0 xxx.xx2.0.0 255.255.0.0 (hitcnt=0) 0x278c6c43 
access-list inside_nat0_outbound line 3 extended permit ip object City-network object City1-network 0x2b77c336 
  access-list inside_nat0_outbound line 3 extended permit ip xxx.xx5.0.0 255.255.0.0 xxx.xx1.0.0 255.255.0.0 (hitcnt=0) 0x2b77c336 
access-list inside_nat0_outbound line 4 extended permit ip object City-network object City3-network 0x9fdd4c28 
  access-list inside_nat0_outbound line 4 extended permit ip xxx.xx5.0.0 255.255.0.0 xxx.xx5.0.0 255.255.0.0 (hitcnt=0) 0x9fdd4c28 
access-list outside_cryptomap; 1 elements; name hash: 0x39bea18f
access-list outside_cryptomap line 1 extended permit ip xxx.xx5.0.0 255.255.0.0 object City1-network 0x12693b9a 
  access-list outside_cryptomap line 1 extended permit ip xxx.xx5.0.0 255.255.0.0 xxx.xx1.0.0 255.255.0.0 (hitcnt=265) 0x12693b9a 
access-list inside_nat_outbound; 1 elements; name hash: 0xb64b365a
access-list inside_nat_outbound line 1 extended permit tcp object City-network any eq smtp 0x4c753adf 
  access-list inside_nat_outbound line 1 extended permit tcp xxx.xx5.0.0 255.255.0.0 any eq smtp (hitcnt=0) 0x4c753adf 
access-list outside_cryptomap_1; 1 elements; name hash: 0x759febfa
access-list outside_cryptomap_1 line 1 extended permit ip object City-network object City-network 0x4b257004 
  access-list outside_cryptomap_1 line 1 extended permit ip xxx.xx5.0.0 255.255.0.0 xxx.xx5.0.0 255.255.0.0 (hitcnt=0) 0x4b257004 
access-list outside_cryptomap_2; 1 elements; name hash: 0x4e1c27f3
access-list outside_cryptomap_2 line 1 extended permit ip xxx.xx5.0.0 255.255.0.0 object City4-network 0xa82be620 
  access-list outside_cryptomap_2 line 1 extended permit ip xxx.xx5.0.0 255.255.0.0 xxx.xx3.0.0 255.255.0.0 (hitcnt=25) 0xa82be620

答案1

您的跟踪器返回是input_ifc=outside, output_ifc=outside因为它没有目标地址的其他路由信息,并且您的outside_access_inACL 在两个条目上的命中数均为 0;ICMP 不起作用,至少不是通过这个 ACL 起作用。

肯定需要查看该 NAT 规则(如果它是策略 NAT,则需要查看关联的 ACL)。

它是否为此使用专用地址,还是防火墙的接口地址?目前还没有到这一步,但是,我们还想确认是否有正确的路由信息​​来将流量发送到后目的地地址;如果服务器与防火墙的内部接口位于同一子网中,这将是自动的。

相关内容