Cisco ASA - 启用相同安全级别之间的通信

Cisco ASA - 启用相同安全级别之间的通信

我最近继承了一个装有 Cisco ASA(运行版本 8.2)的网络。

我正在尝试将其配置为允许两个配置了相同安全级别 (DMZ-DMZ) 的接口之间进行通信

已设置“same-security-traffic permit inter-interface”,但主机无法在接口之间通信。我假设某些 NAT 设置导致了我的问题。以下是我正在运行的配置:

ASA Version 8.2(3) 
!
hostname asa
enable password XXXXXXXX encrypted
passwd XXXXXXXX encrypted
names
!
interface Ethernet0/0
 switchport access vlan 400
!
interface Ethernet0/1
 switchport access vlan 400
!
interface Ethernet0/2
 switchport access vlan 420
!
interface Ethernet0/3
 switchport access vlan 420
!
interface Ethernet0/4
 switchport access vlan 450
!
interface Ethernet0/5
 switchport access vlan 450
!
interface Ethernet0/6
 switchport access vlan 500
!
interface Ethernet0/7
 switchport access vlan 500
!
interface Vlan400
 nameif outside
 security-level 0
 ip address XX.XX.XX.10 255.255.255.248 
!
interface Vlan420
 nameif public
 security-level 20
 ip address 192.168.20.1 255.255.255.0 
!
interface Vlan450
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0 
!
interface Vlan500
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0 
!
ftp mode passive
clock timezone JST 9
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
 network-object host XX.XX.XX.11
 network-object host XX.XX.XX.13
object-group service ssh_2220 tcp
 port-object eq 2220
object-group service ssh_2251 tcp
 port-object eq 2251
object-group service ssh_2229 tcp
 port-object eq 2229
object-group service ssh_2210 tcp
 port-object eq 2210
object-group service DM_INLINE_TCP_1 tcp
 group-object ssh_2210
 group-object ssh_2220
object-group service zabbix tcp
 port-object range 10050 10051
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 group-object zabbix
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service http_8029 tcp
 port-object eq 8029
object-group network DM_INLINE_NETWORK_2
 network-object host 192.168.20.10
 network-object host 192.168.20.30
 network-object host 192.168.20.60
object-group service imaps_993 tcp
 description Secure IMAP
 port-object eq 993
object-group service public_wifi_group
 description Service allowed on the Public Wifi Group. Allows Web and Email.
 service-object tcp-udp eq domain 
 service-object tcp-udp eq www 
 service-object tcp eq https 
 service-object tcp-udp eq 993 
 service-object tcp eq imap4 
 service-object tcp eq 587 
 service-object tcp eq pop3 
 service-object tcp eq smtp 
access-list outside_access_in remark http traffic from outside
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq www 
access-list outside_access_in remark ssh from outside to web1
access-list outside_access_in extended permit tcp any host XX.XX.XX.11 object-group ssh_2251 
access-list outside_access_in remark ssh from outside to penguin
access-list outside_access_in extended permit tcp any host XX.XX.XX.10 object-group ssh_2229 
access-list outside_access_in remark http from outside to penguin
access-list outside_access_in extended permit tcp any host XX.XX.XX.10 object-group http_8029 
access-list outside_access_in remark ssh from outside to internal hosts
access-list outside_access_in extended permit tcp any host XX.XX.XX.13 object-group DM_INLINE_TCP_1 
access-list outside_access_in remark dns service to internal host
access-list outside_access_in extended permit object-group TCPUDP any host XX.XX.XX.13 eq domain 
access-list dmz_access_in extended permit ip 192.168.10.0 255.255.255.0 any 
access-list dmz_access_in extended permit tcp any host 192.168.10.29 object-group DM_INLINE_TCP_2 
access-list public_access_in remark Web access to DMZ websites
access-list public_access_in extended permit object-group TCPUDP any object-group DM_INLINE_NETWORK_2 eq www 
access-list public_access_in remark General web access. (HTTP, DNS & ICMP and  Email)
access-list public_access_in extended permit object-group public_wifi_group any any 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu public 1500
mtu dmz 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 60
global (outside) 1 interface
global (dmz) 2 interface
nat (public) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 2229 192.168.0.29 2229 netmask 255.255.255.255 
static (inside,outside) tcp interface 8029 192.168.0.29 www netmask 255.255.255.255 
static (dmz,outside) XX.XX.XX.13 192.168.10.10 netmask 255.255.255.255 dns 
static (dmz,outside) XX.XX.XX.11 192.168.10.30 netmask 255.255.255.255 dns 
static (dmz,inside) 192.168.0.29 192.168.10.29 netmask 255.255.255.255 
static (dmz,public) 192.168.20.30 192.168.10.30 netmask 255.255.255.255 dns 
static (dmz,public) 192.168.20.10 192.168.10.10 netmask 255.255.255.255 dns 
static (inside,dmz) 192.168.10.0 192.168.0.0 netmask 255.255.255.0 dns 
access-group outside_access_in in interface outside
access-group public_access_in in interface public
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 20
console timeout 0
dhcpd dns 61.122.112.97 61.122.112.1
dhcpd auto_config outside
!
dhcpd address 192.168.20.200-192.168.20.254 public
dhcpd enable public
!
dhcpd address 192.168.0.200-192.168.0.254 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 130.54.208.201 source public
webvpn

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
!

答案1

从逻辑上讲,它们位于同一个 DMZ 中,因此防火墙应该只将流量视为第 2 层,而不会对其应用任何策略。您可以尝试该same-security-traffic permit intra-interface命令,看看这是否能缓解问题,但我怀疑您的某台主机配置错误。请确保主机上的子网掩码全部正确,并且基于主机的防火墙没有阻止您的请求。

答案2

转到 ADDM 并查看是否已启用“配置”>“接口”页面底部的复选框。

复选框显示

启用连接到同一接口的两个或多个主机之间的流量

相关内容