Is there a way to debug how an ASA firewall applies its rules? I created 2 simple access rules: permit any ICMP and permit any UDP.
The first one works; I can ping. UDP does not work. Running a trace (simulated packet) in ASDM shows the packet being dropped by the implicit deny rule, but I don't understand why it doesn't match any of my UDP rules. Can I enable logging of rule evaluation?
Here are the configuration sections I think are relevant (sorry, I'm not a Cisco expert; I use ASDM):
access-list Split-tunnel-ACL standard permit 10.65.0.0 255.255.0.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in remark test
access-list outside_access_in extended permit udp host x.x.x.x host y.y.y.y
I also tried any any in place of xxxx and yyyy, with no difference. The packet trace shows the packet being dropped by the implicit deny rule at the access-check phase. The icmp rule is working.
More data:
Result of the command: "packet-tracer input outside udp x.x.x.x 5060 y.y.y.y 5060 detailed"
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad31d370, priority=111, domain=permit, deny=true
hits=28380, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=outside
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Result of the command: "show access-list"
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list Split-tunnel-ACL; 1 elements; name hash: 0xaa04f5f3
access-list Split-tunnel-ACL line 1 standard permit xxx.xx5.0.0 255.255.0.0 (hitcnt=6240) 0x9439a34b
access-list outside_access_in; 2 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit icmp any any (hitcnt=0) 0x71af81e1
access-list outside_access_in line 2 remark test
access-list outside_access_in line 3 extended permit udp host x.x.x.x host y.y.y.y (hitcnt=0) 0x9fbf7dc7
access-list inside_nat0_outbound; 4 elements; name hash: 0x467c8ce4
access-list inside_nat0_outbound line 1 extended permit ip object City-network object Remote-mgmt-pool 0x1c53e4c4
access-list inside_nat0_outbound line 1 extended permit ip xxx.xx5.0.0 255.255.0.0 192.168.2.0 255.255.255.248 (hitcnt=0) 0x1c53e4c4
access-list inside_nat0_outbound line 2 extended permit ip object City-network object City2-network 0x278c6c43
access-list inside_nat0_outbound line 2 extended permit ip xxx.xx5.0.0 255.255.0.0 xxx.xx2.0.0 255.255.0.0 (hitcnt=0) 0x278c6c43
access-list inside_nat0_outbound line 3 extended permit ip object City-network object City1-network 0x2b77c336
access-list inside_nat0_outbound line 3 extended permit ip xxx.xx5.0.0 255.255.0.0 xxx.xx1.0.0 255.255.0.0 (hitcnt=0) 0x2b77c336
access-list inside_nat0_outbound line 4 extended permit ip object City-network object City3-network 0x9fdd4c28
access-list inside_nat0_outbound line 4 extended permit ip xxx.xx5.0.0 255.255.0.0 xxx.xx5.0.0 255.255.0.0 (hitcnt=0) 0x9fdd4c28
access-list outside_cryptomap; 1 elements; name hash: 0x39bea18f
access-list outside_cryptomap line 1 extended permit ip xxx.xx5.0.0 255.255.0.0 object City1-network 0x12693b9a
access-list outside_cryptomap line 1 extended permit ip xxx.xx5.0.0 255.255.0.0 xxx.xx1.0.0 255.255.0.0 (hitcnt=265) 0x12693b9a
access-list inside_nat_outbound; 1 elements; name hash: 0xb64b365a
access-list inside_nat_outbound line 1 extended permit tcp object City-network any eq smtp 0x4c753adf
access-list inside_nat_outbound line 1 extended permit tcp xxx.xx5.0.0 255.255.0.0 any eq smtp (hitcnt=0) 0x4c753adf
access-list outside_cryptomap_1; 1 elements; name hash: 0x759febfa
access-list outside_cryptomap_1 line 1 extended permit ip object City-network object City-network 0x4b257004
access-list outside_cryptomap_1 line 1 extended permit ip xxx.xx5.0.0 255.255.0.0 xxx.xx5.0.0 255.255.0.0 (hitcnt=0) 0x4b257004
access-list outside_cryptomap_2; 1 elements; name hash: 0x4e1c27f3
access-list outside_cryptomap_2 line 1 extended permit ip xxx.xx5.0.0 255.255.0.0 object City4-network 0xa82be620
access-list outside_cryptomap_2 line 1 extended permit ip xxx.xx5.0.0 255.255.0.0 xxx.xx3.0.0 255.255.0.0 (hitcnt=25) 0xa82be620
Answer 1
Your tracer returns input_ifc=outside, output_ifc=outside because it has no other routing information for the destination address, and your outside_access_in ACL has a hit count of 0 on both entries; ICMP is not working, at least not through this ACL.
You definitely need to look at that NAT rule (and, if it is a policy NAT, at the associated ACL).
Is it using a dedicated address for this, or the firewall's interface address? It hasn't got that far yet, but we also want to confirm that there is correct routing information to send the traffic to the post-translation destination address; if the server is on the same subnet as the firewall's inside interface, this will be automatic.
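As an added troubleshooting aid, not part of the question or the answer: a small Python script that parses the two outputs the poster pasted (packet-tracer and show access-list) and reports the points the answer relies on: the phase that dropped the flow and the rule it matched, whether input_ifc and output_ifc are the same interface, and which ACL lines have hitcnt=0. The embedded sample outputs are constructed from the question's output, trimmed, with RFC 5737 documentation addresses (192.0.2.10, 198.51.100.20) and 10.1.0.0/16 standing in for the redacted ones; the function names are my own, not ASA or ASDM features.

```python
import re
# Constructed sample modeled on the packet-tracer output in the question (trimmed).
PACKET_TRACER_OUTPUT = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
input_ifc=outside, output_ifc=outside
Result:
input-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed "show access-list" lines in the same shape as the question's output.
SHOW_ACL_OUTPUT = """\
access-list outside_access_in line 1 extended permit icmp any any (hitcnt=0) 0x71af81e1
access-list outside_access_in line 2 remark test
access-list outside_access_in line 3 extended permit udp host 192.0.2.10 host 198.51.100.20 (hitcnt=0) 0x9fbf7dc7
access-list outside_cryptomap line 1 extended permit ip 10.65.0.0 255.255.0.0 object City1-network 0x12693b9a
access-list outside_cryptomap line 1 extended permit ip 10.65.0.0 255.255.0.0 10.1.0.0 255.255.0.0 (hitcnt=265) 0x12693b9a
"""

def parse_packet_tracer(text):
    """Split packet-tracer output into phases (num/type/subtype/result/config/info) and the trailing Result block."""
    phases, summary, current, section = [], {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("Phase:"):
            current = {"num": int(line.split(":", 1)[1]), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
        elif line == "Result:":                 # a bare "Result:" starts the final summary
            current, section = None, "summary"
        elif current is not None:
            key, sep, value = line.partition(":")
            if sep and key in ("Type", "Subtype", "Result"):
                current[key.lower()] = value.strip()
            elif line in ("Config:", "Additional Information:"):
                section = "config" if line == "Config:" else "info"
            elif section:                       # detail lines under Config: / Additional Information:
                current[section].append(line)
        elif section == "summary":
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
    return phases, summary

def first_drop(phases):
    # First phase whose Result is DROP, or None when every phase allowed the flow.
    return next((p for p in phases if p["result"].upper() == "DROP"), None)

def flow_interfaces(phase):
    """(input_ifc, output_ifc) from the phase's lookup detail, or None if not shown."""
    for line in phase["info"]:
        m = re.search(r"input_ifc=([^,\s]+),\s*output_ifc=(\S+)", line)
        if m:
            return m.group(1), m.group(2)
    return None

ACL_RE = re.compile(r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<kind>extended|standard) "
                    r"(?P<body>.*?)(?: \(hitcnt=(?P<hits>\d+)\))?(?: 0x[0-9a-f]+)?$")
def parse_show_access_list(text):
    """{acl: [{line, kind, body, hits}]}; remarks and unexpanded object lines (no hitcnt) are skipped."""
    acls = {}
    for raw in text.splitlines():
        m = ACL_RE.match(raw.strip())
        if m and m.group("hits") is not None:
            acls.setdefault(m.group("acl"), []).append({"line": int(m.group("line")),
                "kind": m.group("kind"), "body": m.group("body"), "hits": int(m.group("hits"))})
    return acls

def zero_hit_lines(acls, acl_name):
    # Line numbers of acl_name that have never matched a flow.
    return sorted(e["line"] for e in acls.get(acl_name, []) if e["hits"] == 0)

def diagnose(tracer_text, acl_text, acl_name):
    """Findings a troubleshooter would check first, derived from the two outputs."""
    phases, summary = parse_packet_tracer(tracer_text)
    findings, drop = [], first_drop(phases)
    if drop:
        findings.append(f"phase {drop['num']} ({drop['type']}) dropped the flow on "
                        f"'{' '.join(drop['config']) or 'n/a'}': {summary.get('Drop-reason', '?')}")
        ifcs = flow_interfaces(drop)
        if ifcs and ifcs[0] == ifcs[1]:
            findings.append(f"input_ifc == output_ifc == '{ifcs[0]}': the route lookup sent the flow "
                            "back out its ingress interface, so check NAT and routing first")
    zero = zero_hit_lines(parse_show_access_list(acl_text), acl_name)
    if zero:
        findings.append(f"{acl_name} lines {zero} have hitcnt=0: the ACL never matched this flow")
    return findings
FINDINGS = diagnose(PACKET_TRACER_OUTPUT, SHOW_ACL_OUTPUT, "outside_access_in")
```

Run it against the saved text of the two commands; it does not talk to the ASA. A hit count of 0 on every entry is the quickest confirmation that a flow never reaches the ACL at all, which is why the answer points at NAT and routing before the access rules.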