我曾尝试让我的 ASA 在子网之间路由流量,我让它工作了 10 分钟,但经过一些更改后(不幸的是,我不是 ASA 专家)我破坏了一些东西。
一个例子是 192.168.35.0/24 和 192.168.42.0/24 ping 正常,但 IP 流量不流动,不确定发生了什么变化,因此感谢对配置的审查。
我有以下接口和对象,安全级别被相应地设置(从高到低),因为使用nat规则让它们设置相同的优先级变得很痛苦,所以很高兴保持原样:
!
interface GigabitEthernet1/1
description Trunk
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1.10
description Management
vlan 10
nameif Vlan_Management
security-level 100
ip address 192.168.255.1 255.255.255.0
!
interface GigabitEthernet1/1.35
vlan 35
nameif vlan_Users
security-level 90
ip address 192.168.35.1 255.255.255.0
!
interface GigabitEthernet1/1.42
description Voice
vlan 42
nameif vlan_Voice
security-level 80
ip address 192.168.42.1 255.255.255.0
!
interface GigabitEthernet1/1.100
description Guest
vlan 100
nameif vlan_Guest
security-level 10
ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet1/1.101
description Lab
vlan 101
nameif vlan_Lab
security-level 20
ip address 192.168.101.1 255.255.255.0
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
description Internet
nameif Outside
security-level 0
pppoe client vpdn group ISP
ip address pppoe setroute
!
object network Users
subnet 192.168.35.0 255.255.255.0
object network Remote_8
subnet 10.10.8.0 255.255.252.0
description Remote Site
object network Remote_200
subnet 10.10.200.0 255.255.255.0
description remote1
object network Corp
subnet 192.168.35.0 255.255.255.0
object network Voice
subnet 192.168.42.0 255.255.255.0
object network Lab
subnet 192.168.100.0 255.255.255.0
object network Guest
subnet 192.168.100.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object object Remote_8
network-object object Remote_200
站点之间存在站点到站点的 IPSEC VPN,并且对该流量应用了 NAT 规则,尽管范围仅限于外部接口,但请注意这是否会导致问题。
我已经允许 IP 流量,并确保子网间流量没有被 NAT(我不认为从较高安全组到较低安全组时需要 NAT?),请问有什么想法可能是什么问题吗?
其余相关配置如下,提前致谢:
pbkdf2
names
ip local pool VPN 192.168.35.2-192.168.35.240 mask 255.255.255.0
ip local pool webVPN 192.168.35.241-192.168.35.245 mask 255.255.255.0
ip local pool VPNN_addresses 192.168.35.246-192.168.35.248 mask 255.255.255.0
!
dns domain-lookup Vlan_Management
dns domain-lookup vlan_Users
dns domain-lookup vlan_Voice
dns domain-lookup vlan_Guest
dns domain-lookup vlan_Lab
dns domain-lookup Outside
same-security-traffic permit inter-interface
access-list Vlan_Corp_access_in extended permit ip any any
access-list Vlan_Corp_access_in extended permit ip 192.168.35.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list Vlan_Corp_access_in extended permit ip 192.168.35.0 255.255.255.0 192.168.42.0 255.255.255.0
access-list Vlan_Corp_access_in extended permit ip 192.168.35.0 255.255.255.0 interface Outside
access-list Outside_access_in extended permit ip any any
access-list Outside_cryptomap_1 extended permit ip object Users object Remote_8
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list vlan_Voice_access_in extended permit ip any any
access-list vlan_Voice_access_in extended permit ip 192.168.42.0 255.255.255.0 192.168.35.0 255.255.255.0
access-list vlan_Voice_access_in extended permit ip 192.168.42.0 255.255.255.0 interface Outside
access-list vlan_Voice_access_in extended permit ip 192.168.42.0 255.255.255.0 any
access-list vlan_Lab_access_in_1 extended permit ip 192.168.101.0 255.255.255.0 interface Outside
access-list vlan_Guest_access_in extended permit ip 192.168.100.0 255.255.255.0 interface Outside
icmp permit any echo vlan_Users
icmp permit any echo-reply vlan_Users
no arp permit-nonconnected
nat (vlan_Users,Outside) source static Users Users destination static Remote_8 Remote_8 no-proxy-arp route-lookup
nat (vlan_Users,Outside) source static any any destination static Corp Corp no-proxy-arp route-lookup
nat (Outside,Outside) source static any any destination static Corp Corp no-proxy-arp route-lookup
!
object network Users
nat (vlan_Users,Outside) dynamic interface
object network Lab
nat (vlan_Lab,Outside) dynamic interface
object network Voice
nat (vlan_Voice,Outside) dynamic interface
object network Guest
nat (vlan_Guest,Outside) dynamic interface
access-group Vlan_Corp_access_in in interface vlan_Users
access-group vlan_Voice_access_in in interface vlan_Voice
access-group vlan_Guest_access_in in interface vlan_Guest
access-group vlan_Lab_access_in_1 in interface vlan_Lab
access-group Outside_access_in in interface Outside
route Outside 10.10.8.0 255.255.252.0 1.2.3.4 1
route Outside 10.10.200.0 255.255.255.255 1.2.3.4 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
aaa authorization http console LOCAL
aaa authentication login-history
http server enable
no snmp-server location
no snmp-server contact
service sw-reset-button
!
console timeout 0
vpdn group ISP request dialout pppoe
vpdn group ISP localname ispuser
vpdn group ISP ppp authentication pap
vpdn username ispuser password ***** store-local
!
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable Outside
cache
disable
error-recovery disable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
banner none
vpn-tunnel-protocol l2tp-ipsec
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
vpn-tunnel-protocol l2tp-ipsec
group-policy WVPN_policy internal
group-policy WVPN_policy attributes
vpn-tunnel-protocol ssl-clientless
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
group-policy 1.2.3.4 internal
group-policy 1.2.3.4 attributes
vpn-tunnel-protocol ikev1 ikev2
dynamic-access-policy-record DfltAccessPolicy
tunnel-group DefaultRAGroup general-attributes
address-pool VPN
address-pool VPNN_addresses
authorization-server-group LOCAL
authorization-server-group (Outside) LOCAL
default-group-policy WVPN_policy
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool webVPN
authentication-server-group (Outside) LOCAL
dhcp-server subnet-selection 192.168.35.3
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 general-attributes
default-group-policy 1.2.3.4
tunnel-group 1.2.3.4 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
数据包跟踪器向语音报告用户已成功接收信息:
ASA# packet-tracer input vlan_Users tcp 192.168.35.3 15000 192.168.42.5 443
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.42.5 using egress ifc vlan_Voice
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Vlan_Corp_access_in in interface vlan_Users
access-list Vlan_Corp_access_in extended permit ip any any
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 152, packet dispatched to next module
Result:
input-interface: vlan_Users
input-status: up
input-line-status: up
output-interface: vlan_Voice
output-status: up
output-line-status: up
Action: allow
并且也从语音到用户(由于隐含规则,即它处于较低的安全组号上,因此会下降):
ASA# packet-tracer input vlan_Voice tcp 192.168.42.5 15000 192.168.35.3 443
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.35.3 using egress ifc vlan_Users
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: vlan_Voice
input-status: up
input-line-status: up
output-interface: vlan_Users
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
检查服务器上的 wireshark 并从远程客户端执行 ping 操作,我们看到TCP ACKed unseen segment] [TCP Previous segment not captured] [TCP Port numbers reused] messages,最后我们发现防火墙上的 TCP 流量检查正在阻止流量,因为数据包要么序列不完整,要么顺序混乱。
虽然这解决了这个问题,但还是有人担心必须这样做 - 我是否遗漏了什么,或者这可能是一个错误?将固件从 2017 年 8 月升级到最新的 2018 版本。
答案1
这是 NAT 问题。不同方面的 nat-control 是或否是模糊的,并且并不总是正确的。像这样编辑 conf:
nat (vlan_Users,vlan_Voice) source static Users Users dest static Voice Voice