I provide a shared network environment for the tenants in our building, with the ASA sitting between the small-business internet modem and each tenant's network.
Gateway Modem          Cisco ASA                          DNS Server
192.168.1.254  <--->  192.168.1.253 (outside)
                      10.0.255.1 (Pi-Hole_Dedicated)  <--->  10.0.255.2
                      10.0.XXX.XXX (Tenant's Networks)
All tenants can reach the DNS server without any problems. We plan to add a VPN appliance on the gateway network (192.168.1.252) and want it to use the 10.0.255.2 DNS server. I am using ASDM, but for the life of me I cannot get it working so that the DNS server can be reached from the gateway network via the ASA's outside IP (.1.253). When I use the Public Server wizard in ASDM, it tells me I cannot use the ASA's outside IP. What am I doing wrong? Our ASA is running 9.12.2
: Saved
:
: Serial Number: [REDACTED]
: Hardware: ASA5512, 4096 MB RAM, CPU Clarkdale 2800 MHz, 1 CPU (2 cores)
: Written by [REDACTED] at [REDACTED]
!
ASA Version 9.12(2)9
!
hostname firewall
domain-name example.com
enable password [REDACTED] encrypted
passwd [REDACTED] encrypted
names
no mac-address auto
!
interface GigabitEthernet0/0
description Gateway Access
nameif outside
security-level 0
dhcp client route track 1
ip address dhcp setroute
dhcprelay server 192.168.1.254
!
interface GigabitEthernet0/1
description Inside Trunk Interface
flowcontrol send on
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/1.1
description Default Native VLAN1
vlan 1
nameif Default-VLAN
security-level 100
ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet0/1.2
description 9831 datacentre VLAN
vlan 2
nameif 9831-DC-VLAN
security-level 10
ip address 10.0.2.1 255.255.255.0
!
interface GigabitEthernet0/1.18
description 9818 LAN Segment
shutdown
vlan 18
nameif 9818-VLAN
security-level 100
ip address 10.0.18.1 255.255.255.0
!
interface GigabitEthernet0/1.31
description 9831 LAN Segment
vlan 31
nameif 9831-VLAN
security-level 100
ip address 10.0.31.1 255.255.255.0
!
interface GigabitEthernet0/1.34
description 9834 LAN Segment
shutdown
vlan 34
nameif 9834-VLAN
security-level 100
ip address 10.0.34.1 255.255.255.0
!
interface GigabitEthernet0/1.35
description 9835 LAN Segment
vlan 35
nameif 9835-VLAN
security-level 100
ip address 10.0.35.1 255.255.255.0
!
interface GigabitEthernet0/1.75
description 9875 LAN Segment
vlan 75
nameif 9875-VLAN
security-level 100
ip address 10.0.75.1 255.255.255.0
!
interface GigabitEthernet0/1.100
description VPN VLAN
vlan 100
nameif VPN-VLAN
security-level 100
ip address 10.0.100.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
description Pi-Hole Dedicated Interface
nameif Pi-Hole_Dedicated
security-level 100
ip address 10.0.255.1 255.255.255.0
!
interface GigabitEthernet0/5
description ASA Firewall-to-Firewall Comm Link
nameif Failover-CommLink
security-level 100
ip address 10.255.255.1 255.255.255.0
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
banner exec Please be sure to save any changes with write.
banner login Connected to Cisco ASA - $(hostname)
banner motd This system is for PRIVATE use only. All unauthorized access attempts will be logged and reported.
banner motd If you do not have existing authorization to modify this device, exit now.
boot system disk0:/asa9-12-2-9-smp-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name example.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network A_
object network example.com
fqdn v4 example.com
object network ISP_Gateway
host 192.168.1.254
description AT&T Gateway
object network Gateway-Network
subnet 192.168.1.0 255.255.255.0
object network PAT-VLAN31
subnet 10.0.31.0 255.255.255.0
description 9831 VLAN PAT Configuration
object network PAT-VLAN02
subnet 10.0.2.0 255.255.255.0
description DC01 VLAN PAT Configuration
object network PAT-VLAN34
subnet 10.0.34.0 255.255.255.0
description 9834 VLAN PAT Configuration
object network PAT-VLAN35
subnet 10.0.35.0 255.255.255.0
description 9835 VLAN PAT Configuration
object network Aluminium-Can
host 10.0.2.100
description Server-AluminumCan
object network PAT-VLAN18
subnet 10.0.18.0 255.255.255.0
description 9818 VLAN PAT Configuration
object network any-to-VLAN02
subnet 10.0.0.0 255.255.0.0
object network MGMT-PAT
subnet 10.0.0.0 255.255.255.0
description MGMT network PAT
object network DEFAULT-PAT
subnet 10.0.1.0 255.255.255.0
object network pve.example.com
host 10.0.2.99
description Proxmox Host (1)
object network PAT-VLAN75
subnet 10.0.75.0 255.255.255.0
description 9875 VLAN PAT Configuration
object network PAT-PiHole
subnet 10.0.255.0 255.255.255.0
object network VLAN31toPi
subnet 10.0.31.0 255.255.255.0
object network PiHole
subnet 10.0.255.0 255.255.255.0
description PiHole Outside Access PAT
object network ASA-Outside-IP
host 192.168.1.253
description IP Assigned with DHCP reservation by gateway.
object-group network Inside-Networks
network-object 10.0.0.0 255.255.255.0
network-object 10.0.1.0 255.255.255.0
network-object 10.0.18.0 255.255.255.0
network-object 10.0.2.0 255.255.255.0
network-object 10.0.31.0 255.255.255.0
network-object 10.0.34.0 255.255.255.0
network-object 10.0.35.0 255.255.255.0
network-object 10.0.75.0 255.255.255.0
object-group service web
service-object tcp-udp destination eq 443
service-object tcp-udp destination eq www
object-group service Minecraft_Server_Port tcp-udp
port-object eq 65535
port-object eq 65534
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
access-list outside_access_in remark Allow all to DC
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any 10.0.2.0 255.255.255.0
access-list inside_access_out extended permit object-group DM_INLINE_PROTOCOL_2 any any
access-list inside_access_out extended permit ip any interface Pi-Hole_Dedicated
access-list global_access extended permit ip any any
access-list global_access extended permit ip object-group Inside-Networks object-group Inside-Networks
access-list global_access extended permit ip object-group Inside-Networks any
access-list Pi-Hole_Dedicated_access_out extended permit ip any any
access-list Pi-Hole_Dedicated_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm notifications
mtu outside 1500
mtu inside 1500
mtu Default-VLAN 1500
mtu 9831-DC-VLAN 1500
mtu 9818-VLAN 1500
mtu 9831-VLAN 1500
mtu 9834-VLAN 1500
mtu 9835-VLAN 1500
mtu 9875-VLAN 1500
mtu VPN-VLAN 1500
mtu Pi-Hole_Dedicated 1500
mtu Failover-CommLink 1500
no failover
no monitor-interface Default-VLAN
no monitor-interface 9831-DC-VLAN
no monitor-interface 9818-VLAN
no monitor-interface 9831-VLAN
no monitor-interface 9834-VLAN
no monitor-interface 9835-VLAN
no monitor-interface 9875-VLAN
no monitor-interface VPN-VLAN
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any Default-VLAN
icmp permit any 9831-DC-VLAN
asdm image disk0:/asdm-7122.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
!
object network PAT-VLAN31
nat (9831-VLAN,outside) dynamic interface
object network PAT-VLAN02
nat (9831-DC-VLAN,outside) dynamic interface
object network PAT-VLAN34
nat (9834-VLAN,outside) dynamic interface
object network PAT-VLAN35
nat (9835-VLAN,outside) dynamic interface
object network PAT-VLAN18
nat (9818-VLAN,outside) dynamic interface
object network MGMT-PAT
nat (inside,outside) dynamic interface
object network DEFAULT-PAT
nat (Default-VLAN,outside) dynamic interface
object network PAT-VLAN75
nat (9875-VLAN,outside) dynamic interface
object network PAT-PiHole
nat (any,Pi-Hole_Dedicated) dynamic interface
object network PiHole
nat (any,outside) dynamic interface
access-group outside_access_in in interface outside
access-group inside_access_out out interface inside
access-group Pi-Hole_Dedicated_access_in in interface Pi-Hole_Dedicated
access-group Pi-Hole_Dedicated_access_out out interface Pi-Hole_Dedicated
access-group global_access global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
no user-identity enable
user-identity default-domain LOCAL
no user-identity action mac-address-mismatch remove-user-ip
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 outside
http 10.0.0.0 255.0.0.0 inside
http 10.0.31.0 255.255.255.0 9831-VLAN
no snmp-server location
no snmp-server contact
sla monitor 1
type echo protocol ipIcmpEcho 192.168.1.254 interface outside
sla monitor schedule 1 life forever start-time now
sla monitor 100
type echo protocol ipIcmpEcho 192.168.1.254 interface outside
timeout 1000
frequency 3
sla monitor schedule 100 life forever start-time now
sla monitor 111
type echo protocol ipIcmpEcho 8.8.8.8 interface outside
timeout 1000
frequency 30
sla monitor schedule 111 life forever start-time now
sla monitor 112
type echo protocol ipIcmpEcho 1.1.1.1 interface outside
timeout 1000
frequency 30
sla monitor schedule 112 life forever start-time now
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
!
track 1 rtr 1 reachability
telnet timeout 5
ssh stricthostkeycheck
ssh 10.0.31.0 255.255.255.0 9831-VLAN
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd domain example.com
dhcpd auto_config outside
!
dhcpd address 10.0.0.10-10.0.0.250 inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
dhcpd address 10.0.1.10-10.0.1.250 Default-VLAN
dhcpd auto_config outside interface Default-VLAN
dhcpd enable Default-VLAN
!
dhcpd auto_config outside interface 9831-DC-VLAN
!
dhcpd address 10.0.18.10-10.0.18.250 9818-VLAN
dhcpd auto_config outside interface 9818-VLAN
dhcpd enable 9818-VLAN
!
dhcpd address 10.0.31.10-10.0.31.250 9831-VLAN
dhcpd dns 10.0.255.2 192.168.1.254 interface 9831-VLAN
dhcpd auto_config outside interface 9831-VLAN
dhcpd enable 9831-VLAN
!
dhcpd address 10.0.34.10-10.0.34.250 9834-VLAN
dhcpd dns 10.0.255.2 192.168.1.254 interface 9834-VLAN
dhcpd auto_config outside interface 9834-VLAN
dhcpd enable 9834-VLAN
!
dhcpd address 10.0.35.10-10.0.35.250 9835-VLAN
dhcpd dns 10.0.255.2 192.168.1.254 interface 9835-VLAN
dhcpd auto_config outside interface 9835-VLAN
dhcpd enable 9835-VLAN
!
dhcpd address 10.0.75.10-10.0.75.250 9875-VLAN
dhcpd dns 10.0.255.2 192.168.1.254 interface 9875-VLAN
dhcpd auto_config outside interface 9875-VLAN
dhcpd enable 9875-VLAN
!
dhcpd address 10.0.255.10-10.0.255.250 Pi-Hole_Dedicated
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 129.6.15.30 source outside
ntp server 129.6.15.29 source outside
ntp server 129.6.15.28 source outside
dynamic-access-policy-record DfltAccessPolicy
username [REDACTED] password [REDACTED] encrypted
!
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
!
prompt hostname state context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 28
subscribe-to-alert-group configuration periodic monthly 28
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
!
rest-api image disk0:/asa-restapi-132200-lfbff-k8.spa
Cryptochecksum:0268c6b3eb40ef5acf968b8907aecb8d
: end
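An added example, not from the original post and not a confirmed fix for the ASDM wizard message: this is how publishing an inside host on the ASA's own outside address is normally written on the ASA CLI. It uses object NAT with the `interface` keyword (so the DHCP-assigned outside IP is tracked rather than hard-coded) and an entry in the existing outside_access_in ACL written against the real, untranslated address, as post-8.3 ASA code requires. The object names DNS-PiHole-UDP and DNS-PiHole-TCP are my own; Gateway-Network, Pi-Hole_Dedicated, outside and 10.0.255.2 come from the config above.

```cisco
! Constructed example: static PAT of UDP/TCP 53 on the outside interface IP to the Pi-Hole.
! A network object carries only one nat statement, so the same host gets one object per protocol.
object network DNS-PiHole-UDP
 host 10.0.255.2
 description Pi-Hole resolver, UDP/53 reachable on the outside interface IP
 nat (Pi-Hole_Dedicated,outside) static interface service udp domain domain
!
object network DNS-PiHole-TCP
 host 10.0.255.2
 description Pi-Hole resolver, TCP/53 reachable on the outside interface IP
 nat (Pi-Hole_Dedicated,outside) static interface service tcp domain domain
!
! The inbound ACL matches the real address (10.0.255.2), not the mapped 192.168.1.253.
! Source is limited to the gateway LAN object, which already covers the planned VPN appliance
! at 192.168.1.252, rather than "any".
access-list outside_access_in remark Gateway LAN to Pi-Hole DNS via outside interface IP
access-list outside_access_in extended permit udp object Gateway-Network host 10.0.255.2 eq domain
access-list outside_access_in extended permit tcp object Gateway-Network host 10.0.255.2 eq domain
!
! Verification from the ASA after applying the change:
!   show nat detail
!   packet-tracer input outside udp 192.168.1.252 50000 192.168.1.253 53
```

Note that the running config also applies `global_access` with `permit ip any any` globally, so the ASA currently accepts this flow as soon as a translation exists; the scoped interface entry above is the rule worth keeping once that global permit is tightened.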