ASA 5505 gives internet access to clients with dynamically assigned IPs but not to clients with static IPs

We have configured an ASA for internet access. It works fine for clients whose IP address is assigned by DHCP, but not for clients with a manually assigned IP.

For example, if the DHCP server is configured to hand out addresses between 172.16.101.1 and 172.16.101.10, a device may receive the address 172.16.101.1. That machine can reach the internet.

If we configure the dhcpd range as 172.16.101.2 to 172.16.101.10 and assign 172.16.101.1 statically to a client, that client cannot reach the internet. It can, however, reach the internal network and the VPN.

If I try to ping 8.8.8.8, the following is logged:

ASA 3 Feb 08 2013 15:51:01 8.8.8.8 xxx.xxx.xxx.100 Deny inbound icmp src outside:8.8.8.8 dst servers:xxx.xxx.xxx.100 (type 0, code 0)

where "servers" is the name of the inside interface the request comes from and "xxx.xxx.xxx.100" is the outside IP. DNAT does not seem to work when the client IP is assigned statically.

Has anyone seen this behaviour? It is baffling me!

Running config:

ASA Version 8.2(5)

!

hostname hayes-fw

enable password XXXXXXXXX encrypted

passwd XXXXXXXXX encrypted

names

name 212.xxx.xxx.2 DUNSTABLE

!

interface Ethernet0/0

description Internet

switchport access vlan 105

switchport trunk allowed vlan 100,109

switchport trunk native vlan 999

switchport mode trunk

speed 100

duplex full

!

interface Ethernet0/1

description Failover back-to-back

switchport access vlan 254

!

interface Ethernet0/2

description Internal

switchport trunk allowed vlan 100-106

switchport trunk native vlan 999

switchport mode trunk

speed 100

duplex full

!

interface Ethernet0/3

description unused

switchport trunk allowed vlan 100-104

!

interface Ethernet0/4

description temp-inside

switchport trunk allowed vlan 60

switchport trunk native vlan 60

switchport mode trunk

!

interface Ethernet0/5

description unused

switchport access vlan 253

shutdown

!

interface Ethernet0/6

description unused

switchport access vlan 253

shutdown

!

interface Ethernet0/7

description unused

switchport access vlan 100

!

interface Vlan60

nameif temp-inside

security-level 100

ip address 172.xx.60.253 255.255.255.0

!

interface Vlan100

description Mgmt

nameif mgmt

security-level 100

ip address 172.xx.100.253 255.255.255.0 standby 172.16.100.252

!

interface Vlan101

nameif servers

security-level 90

ip address 172.16.101.253 255.255.255.0 standby 172.16.101.252

!

interface Vlan102

description Warehouse

nameif office

security-level 80

ip address 172.16.102.253 255.255.255.0 standby 172.16.102.252

!

interface Vlan103

nameif warehouse-cameras

security-level 60

ip address 172.16.103.253 255.255.255.0 standby 172.16.103.252

!

interface Vlan104

description Office

nameif warehouse

security-level 70

ip address 172.16.104.253 255.255.255.0 standby 172.16.104.252

!

interface Vlan105

nameif voip

security-level 50

ip address 172.16.105.253 255.255.255.0

!

interface Vlan106

nameif guest

security-level 40

ip address 172.16.106.253 255.255.255.0

!

interface Vlan109

nameif outside

security-level 0

ip address 80.xxx.xx.100 255.255.255.248 standby 80.xxx.xx.101

!

interface Vlan254

description LAN Failover Interface

!

ftp mode passive

object-group network FELTHAM-NETWORKS

network-object 172.16.2.0 255.255.255.0

network-object 172.16.3.0 255.255.255.0

network-object 172.16.4.0 255.255.255.0

network-object host 217.xxx.xxx.155

object-group network HAYES-NETWORKS

network-object 172.16.100.0 255.255.255.0

network-object 172.16.102.0 255.255.255.0

network-object 172.16.103.0 255.255.255.0

network-object 172.16.104.0 255.255.255.0

network-object host 192.168.1.253

network-object 80.xxx.xx.96 255.255.255.248

network-object 172.16.60.0 255.255.255.0

network-object 172.16.101.0 255.255.255.0

object-group network DUNSTABLE-NETWORKS

network-object 172.16.33.0 255.255.255.0

network-object host 212.xxx.xxx.3

access-list DUNSTABLE-VPN extended permit ip object-group HAYES-NETWORKS object-group DUNSTABLE-NETWORKS

access-list FELTHAM-VPN extended permit ip object-group HAYES-NETWORKS object-group FELTHAM-NETWORKS

access-list Nat0 extended permit ip object-group HAYES-NETWORKS object-group DUNSTABLE-NETWORKS

access-list Nat0 extended permit ip object-group HAYES-NETWORKS object-group FELTHAM-NETWORKS

access-list Nat0 extended permit ip object-group HAYES-NETWORKS object-group HAYES-NETWORKS

access-list Inbound extended permit icmp any interface voip

access-list outside_nat0_outbound extended permit ip object-group HAYES-NETWORKS object-group DUNSTABLE-NETWORKS

access-list outside_nat0_outbound extended permit ip object-group HAYES-NETWORKS object-group FELTHAM-NETWORKS

access-list outside_nat0_outbound extended permit ip object-group HAYES-NETWORKS object-group HAYES-NETWORKS

access-list outside_cryptomap extended permit ip object-group HAYES-NETWORKS object-group DUNSTABLE-NETWORKS

access-list outside_cryptomap_1 extended permit ip object-group HAYES-NETWORKS object-group FELTHAM-NETWORKS

access-list office_nat0_outbound extended permit ip object-group HAYES-NETWORKS object-group DUNSTABLE-NETWORKS

access-list office_nat0_outbound extended permit ip object-group HAYES-NETWORKS object-group FELTHAM-NETWORKS

access-list office_nat0_outbound extended permit ip object-group HAYES-NETWORKS object-group HAYES-NETWORKS

pager lines 24

logging enable

logging timestamp

logging buffer-size 8192

logging buffered debugging

logging asdm informational

mtu temp-inside 1500

mtu mgmt 1500

mtu servers 1500

mtu office 1500

mtu warehouse-cameras 1500

mtu warehouse 1500

mtu voip 1500

mtu guest 1500

mtu outside 1500

ip local pool HAYES-POOL 172.16.104.25-172.16.104.50

failover

failover lan unit secondary

failover lan interface failover Vlan254

failover interface ip failover 192.168.254.9 255.255.255.252 standby 192.168.254.10

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (temp-inside) 0 access-list Nat0

nat (temp-inside) 1 172.16.60.0 255.255.255.0

nat (servers) 0 access-list Nat0

nat (servers) 1 172.16.101.0 255.255.255.0

nat (office) 0 access-list office_nat0_outbound

nat (office) 1 172.16.102.0 255.255.255.0

nat (warehouse) 0 access-list Nat0

nat (warehouse) 1 172.16.104.0 255.255.255.0

nat (outside) 0 access-list Nat0

nat (outside) 1 172.16.101.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 80.168.58.97 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

aaa authorization exec authentication-server

http server enable

http 172.16.33.0 255.255.255.0 warehouse

http 172.16.100.0 255.255.255.0 mgmt

http 172.16.30.0 255.255.255.0 warehouse

http 172.16.33.0 255.255.255.0 temp-inside

http 172.16.60.0 255.255.255.0 temp-inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sysopt noproxyarp servers

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map DM-HAYES 10 set transform-set ESP-AES-128-SHA

crypto dynamic-map DM-HAYES 10 set security-association lifetime seconds 288000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map CM-VPN 10 match address DUNSTABLE-VPN

crypto map CM-VPN 10 set pfs

crypto map CM-VPN 10 set peer 212.xxx.xxx.3

crypto map CM-VPN 10 set transform-set ESP-AES-128-SHA

crypto map CM-VPN 20 match address FELTHAM-VPN

crypto map CM-VPN 20 set pfs

crypto map CM-VPN 20 set peer 217.xxx.xxx.155

crypto map CM-VPN 20 set transform-set ESP-AES-128-SHA

crypto map CM-VPN 99 ipsec-isakmp dynamic DM-HAYES

crypto map outside_map2 10 match address outside_cryptomap_1

crypto map outside_map2 10 set pfs

crypto map outside_map2 10 set peer 217.xxx.xxx.155

crypto map outside_map2 10 set transform-set ESP-AES-128-SHA

crypto map outside_map2 20 match address outside_cryptomap

crypto map outside_map2 20 set pfs

crypto map outside_map2 20 set peer 212.xxx.xxx.3

crypto map outside_map2 20 set transform-set ESP-AES-128-SHA

crypto map outside_map2 interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh scopy enable

ssh 172.16.60.0 255.255.255.0 temp-inside

ssh 172.16.100.0 255.255.255.0 mgmt

ssh 172.16.33.0 255.255.255.0 mgmt

ssh 172.16.33.0 255.255.255.0 warehouse

ssh timeout 60

ssh version 2

console timeout 0

management-access warehouse

dhcp-client update dns server both

dhcpd address 172.16.60.1-172.16.60.175 temp-inside

dhcpd dns 79.xxx.xxx.84 interface temp-inside

dhcpd domain hayes.com interface temp-inside

dhcpd enable temp-inside

!

dhcpd address 172.16.101.2-172.16.101.10 servers

dhcpd dns 79.xxx.xxx.84 interface servers

dhcpd domain hayes.com interface servers

dhcpd enable servers

!

dhcpd address 172.16.102.1-172.16.102.175 office

dhcpd dns 79.xxx.xxx.84 interface office

dhcpd domain hayes.com interface office

dhcpd enable office

!

dhcpd address 172.16.103.1-172.16.103.200 warehouse-cameras

dhcpd domain cameras.hayes.com interface warehouse-cameras

dhcpd enable warehouse-cameras

!

dhcpd address 172.16.104.1-172.16.104.175 warehouse

dhcpd dns 79.xxx.xxx.84 interface warehouse

dhcpd domain hayes.com interface warehouse

dhcpd enable warehouse

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 172.16.104.254 source warehouse

webvpn

group-policy HAYES-RAVPN-POLICY internal

group-policy HAYES-RAVPN-POLICY attributes

dns-server value 172.16.104.254 79.xxx.xxx.84

vpn-idle-timeout 1440

vpn-tunnel-protocol IPSec l2tp-ipsec

username admin password /f.QRufHe2ulQB/e encrypted privilege 15

tunnel-group HAYES type remote-access

tunnel-group HAYES general-attributes

address-pool HAYES-POOL

default-group-policy HAYES-RAVPN-POLICY

tunnel-group HAYES ipsec-attributes

pre-shared-key *

tunnel-group 212.xxx.xxx.3 type ipsec-l2l

tunnel-group 212.xxx.xxx.3 ipsec-attributes

pre-shared-key *

tunnel-group 217.xxx.xxx.155 type ipsec-l2l

tunnel-group 217.xxx.xxx.155 ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http someAddress://butIcantPostLinks

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

: end

Answer 1

You are getting the deny because you have not allowed the ICMP ping packets back in on the firewall's outside interface. ICMP is stateless, so you need to allow the traffic both in and out. Something like this will fix it.

access-list <OUTSIDE_ACCESSLIST-NAME> extended permit icmp any any echo
access-list <OUTSIDE_ACCESSLIST-NAME> extended permit icmp any any echo-reply

Without a copy of your config I cannot tell you much more, but I would say your internet access problem is NAT related. Post the config.
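For reference, here is what the two ways of letting echo replies back through look like against the global_policy already in the posted config. This is an added example, not part of the answer above or of the poster's config; the access-list name OUTSIDE-IN is an assumed placeholder, and the `show` commands are there to confirm the change took effect.

```cisco
! --- Option A: let the ASA track ICMP statefully ---
! The posted global_policy inspects dns, ftp, h323 ... but not icmp, so an
! echo reply arriving on outside has no connection entry to match and is
! denied ("Deny inbound icmp ... (type 0, code 0)").
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! --- Option B: permit the replies by ACL on the outside interface ---
! Only the reply types are opened here; echo requests from the internet
! are not permitted inbound. OUTSIDE-IN is an assumed name.
access-list OUTSIDE-IN extended permit icmp any any echo-reply
access-list OUTSIDE-IN extended permit icmp any any time-exceeded
access-list OUTSIDE-IN extended permit icmp any any unreachable
access-group OUTSIDE-IN in interface outside
!
! --- Verification ---
show service-policy inspect icmp
show logging | include Deny inbound icmp
```

Option A is the narrower of the two: replies are admitted only while a matching outbound request is in the connection table. Option B opens the reply types permanently for every host behind the firewall. Note that neither option explains why only statically addressed clients were affected, which the poster later traced to the client itself.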

Answer 2

This was not an ASA problem but a problem with the server we were testing on. After setting the IP to static, dhclient kept running. When it tried to renew the lease it failed, and the server lost network connectivity.

Thanks for all your help.
