这是我当前的设置:(可能需要重新设计):
- 2 个 LAN 网络 - 192.168.41.0、192.168.21.0
- 2 个公共 IP(通过指定 MAC 地址分配给我们 - 未划分子网)24.53.xx,另一个是 192.34.xx
- Netgear 路由器
- Linksys 路由器
- 带基本许可证的 ASA 5505
我会尽力绘制出最好的网络图。稍后当我能更好地使用工具时,我会对其进行改进。我已包含我的 ASA Run 配置:
- 电缆调制解调器 -> 交换机
- 交换机 -> Netgear 路由器和 ASA 5505 Netgear
- 路由器托管 192.168.41.0 网络,并分配有一个公有 IP
- ASA 5505 托管 192.168.21.0 网络,并分配了另一个公共 IP
- 我将交换机连接到每个网络后面(到路由器和 ASA)——所以总共有 3 个交换机
- 为了尝试连接这两个网络,我在 21.0 网络后面的交换机上添加了一个 Linksys 路由器,并为路由器分配了 21.0 网络上的地址 (192.168.21.254)。
- 然后,我将一条线路连接到 Linksys 路由器上的互联网端口,并为 WAN 分配 41.0 网络 (192.168.41.2) 上的 IP 地址。
- 在 41.0 路由器(Netgear 路由器)上,我通过 41.2 地址添加了到 21.0 网络的路由
- 在 21.0 网络的 ASA 上,我通过 21.254 地址添加了一条到 41.0 网络的路由。我还添加了几行 ACL 以允许流量以及相同的安全接口内。
以前,我能够让流量单向流动(21.0 可以访问 41.0,但不能反过来)。我假设这与我的结构逻辑或 nat 逻辑中的问题有关。目前,我可以从 21.0 网络 ping 41.0 网络,但尝试使用其他端口(如从端口 25 telnet smtp 服务器)失败。我希望,在您的支持下,我们可以从我这里的情况开始并开始排除故障。
ASA 配置
: Saved
:
ASA Version 8.2(1)
!
hostname lilprecious
domain-name mydomain.local
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd lVYsshR/yoydoM2/ encrypted
no names
name 192.168.21.10 precious_private
name 192.168.21.1 asa_private
name 192.34.x.56 precious_public
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.21.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.34.x.56 255.255.252.0
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 2
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
domain-name mydomain.local
dns server-group PRECIOUS
name-server 192.168.21.10
domain-name mydomain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service exchange_server
service-object icmp
service-object tcp-udp eq www
service-object tcp eq 587
service-object tcp eq https
service-object tcp eq smtp
object-group service temp
service-object tcp-udp eq 64092
object-group service temp2
service-object tcp-udp eq 59867
access-list CASVPN_splitTunnelAcl standard permit 192.168.21.0 255.255.255.0
access-list CASVPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
access-list CASVPN_splitTunnelAcl standard permit 192.168.41.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.21.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.41.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.41.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.21.0 255.255.255.0 192.168.41.0 255.255.255.0
access-list ping extended permit icmp any any echo-reply
access-list ping extended permit tcp any host 192.34.x.56 eq www
access-list ping extended permit object-group exchange_server any host 192.34.x.56
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn_clients 192.168.20.100-192.168.20.199 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.21.10 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.21.10 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.21.10 https netmask 255.255.255.255
static (inside,outside) tcp interface 587 192.168.21.10 587 netmask 255.255.255.255
access-group ping in interface outside
route outside 0.0.0.0 0.0.0.0 192.34.xx.1 1
route inside 192.168.41.0 255.255.255.0 192.168.21.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Precious protocol ldap
aaa-server Precious (inside) host 192.168.21.10
timeout 5
ldap-base-dn DC=mydomain,DC=local
ldap-scope subtree
ldap-login-password *
ldap-login-dn CN=aduser,CN=Users,DC=mydomain,DC=local
server-type auto-detect
http server enable
http 192.168.21.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.21.0 255.255.255.0 inside
telnet 192.168.20.0 255.255.255.0 inside
telnet timeout 20
ssh timeout 20
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy CASVPN internal
group-policy CASVPN attributes
wins-server value 192.168.21.10
dns-server value 192.168.21.10
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CASVPN_splitTunnelAcl
default-domain value mydomain.local
tunnel-group CASVPN type remote-access
tunnel-group CASVPN general-attributes
address-pool vpn_clients
authentication-server-group Precious
default-group-policy CASVPN
tunnel-group CASVPN ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:3b181b87399ae99bb504d3cd42adc880
: end
答案1
您似乎遇到了非对称路由问题,如下例 B 所示:https://supportforums.cisco.com/docs/DOC-14491
此外,添加具有基本许可证的第三个接口可能对您没有帮助,因为 ASA5505 需要单独的 DMZ 或第三个 VLAN 许可证。这是来自 Cisco 的:
您的许可证的最大活动 VLAN 接口数 在路由模式下,您可以根据您的许可证配置以下 VLAN:
- 基础许可证 — 3 个活动 VLAN。第三个 VLAN 只能配置为启动到另一个 VLAN 的流量。
- Security Plus 许可证 — 20 个活动 VLAN。
在透明防火墙模式下,您可以根据您的许可证配置以下 VLAN: - 基本许可证 — 1 个桥接组中的 2 个活动 VLAN。 - Security Plus 许可证 — 3 个活动 VLAN:1 个桥接组中的 2 个活动 VLAN,以及用于故障转移链路的 1 个活动 VLAN。
解决方案:
- 获取可执行静态路由并通过它们路由流量的可管理网络交换机;
- 获取 ASA 的 Security Plus 许可证并将网络 192.168.41.0 连接到第三个 VLAN,对其进行 NAT,所有流量都将通过 ASA。但是,ASA 5505 具有 100Mb 接口,如果您需要移动大量数据,带有可管理交换机的解决方案 1 看起来更好。
答案2
您可以尝试在 Eth 0/6 上为 cisco 添加第三个 VLAN 接口。将其用作 192.168.41.2,然后允许 cisco 中的流量。然后在 Netgear 上,使用 cisco 设置的 192.168.41.2 接口为 192.168.21.x/24 添加静态路由。您还需要在 cisco 上使用新的 VLAN 接口作为网关,返回 192.168.41.x/24 的静态路由。