我最近继承了一个装有 Cisco ASA(运行版本 8.2)的网络。
我正在尝试将其配置为允许两个配置了相同安全级别 (DMZ-DMZ) 的接口之间进行通信
已设置“same-security-traffic permit inter-interface”,但主机无法在接口之间通信。我假设某些 NAT 设置导致了我的问题。以下是我正在运行的配置:
ASA Version 8.2(3)
!
hostname asa
enable password XXXXXXXX encrypted
passwd XXXXXXXX encrypted
names
!
interface Ethernet0/0
switchport access vlan 400
!
interface Ethernet0/1
switchport access vlan 400
!
interface Ethernet0/2
switchport access vlan 420
!
interface Ethernet0/3
switchport access vlan 420
!
interface Ethernet0/4
switchport access vlan 450
!
interface Ethernet0/5
switchport access vlan 450
!
interface Ethernet0/6
switchport access vlan 500
!
interface Ethernet0/7
switchport access vlan 500
!
interface Vlan400
nameif outside
security-level 0
ip address XX.XX.XX.10 255.255.255.248
!
interface Vlan420
nameif public
security-level 20
ip address 192.168.20.1 255.255.255.0
!
interface Vlan450
nameif dmz
security-level 50
ip address 192.168.10.1 255.255.255.0
!
interface Vlan500
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
ftp mode passive
clock timezone JST 9
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object host XX.XX.XX.11
network-object host XX.XX.XX.13
object-group service ssh_2220 tcp
port-object eq 2220
object-group service ssh_2251 tcp
port-object eq 2251
object-group service ssh_2229 tcp
port-object eq 2229
object-group service ssh_2210 tcp
port-object eq 2210
object-group service DM_INLINE_TCP_1 tcp
group-object ssh_2210
group-object ssh_2220
object-group service zabbix tcp
port-object range 10050 10051
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
group-object zabbix
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service http_8029 tcp
port-object eq 8029
object-group network DM_INLINE_NETWORK_2
network-object host 192.168.20.10
network-object host 192.168.20.30
network-object host 192.168.20.60
object-group service imaps_993 tcp
description Secure IMAP
port-object eq 993
object-group service public_wifi_group
description Service allowed on the Public Wifi Group. Allows Web and Email.
service-object tcp-udp eq domain
service-object tcp-udp eq www
service-object tcp eq https
service-object tcp-udp eq 993
service-object tcp eq imap4
service-object tcp eq 587
service-object tcp eq pop3
service-object tcp eq smtp
access-list outside_access_in remark http traffic from outside
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq www
access-list outside_access_in remark ssh from outside to web1
access-list outside_access_in extended permit tcp any host XX.XX.XX.11 object-group ssh_2251
access-list outside_access_in remark ssh from outside to penguin
access-list outside_access_in extended permit tcp any host XX.XX.XX.10 object-group ssh_2229
access-list outside_access_in remark http from outside to penguin
access-list outside_access_in extended permit tcp any host XX.XX.XX.10 object-group http_8029
access-list outside_access_in remark ssh from outside to internal hosts
access-list outside_access_in extended permit tcp any host XX.XX.XX.13 object-group DM_INLINE_TCP_1
access-list outside_access_in remark dns service to internal host
access-list outside_access_in extended permit object-group TCPUDP any host XX.XX.XX.13 eq domain
access-list dmz_access_in extended permit ip 192.168.10.0 255.255.255.0 any
access-list dmz_access_in extended permit tcp any host 192.168.10.29 object-group DM_INLINE_TCP_2
access-list public_access_in remark Web access to DMZ websites
access-list public_access_in extended permit object-group TCPUDP any object-group DM_INLINE_NETWORK_2 eq www
access-list public_access_in remark General web access. (HTTP, DNS & ICMP and Email)
access-list public_access_in extended permit object-group public_wifi_group any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu public 1500
mtu dmz 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 60
global (outside) 1 interface
global (dmz) 2 interface
nat (public) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 2229 192.168.0.29 2229 netmask 255.255.255.255
static (inside,outside) tcp interface 8029 192.168.0.29 www netmask 255.255.255.255
static (dmz,outside) XX.XX.XX.13 192.168.10.10 netmask 255.255.255.255 dns
static (dmz,outside) XX.XX.XX.11 192.168.10.30 netmask 255.255.255.255 dns
static (dmz,inside) 192.168.0.29 192.168.10.29 netmask 255.255.255.255
static (dmz,public) 192.168.20.30 192.168.10.30 netmask 255.255.255.255 dns
static (dmz,public) 192.168.20.10 192.168.10.10 netmask 255.255.255.255 dns
static (inside,dmz) 192.168.10.0 192.168.0.0 netmask 255.255.255.0 dns
access-group outside_access_in in interface outside
access-group public_access_in in interface public
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 20
console timeout 0
dhcpd dns 61.122.112.97 61.122.112.1
dhcpd auto_config outside
!
dhcpd address 192.168.20.200-192.168.20.254 public
dhcpd enable public
!
dhcpd address 192.168.0.200-192.168.0.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 130.54.208.201 source public
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
答案1
从逻辑上讲,它们位于同一个 DMZ 中,因此防火墙应该只将流量视为第 2 层,而不会对其应用任何策略。您可以尝试该same-security-traffic permit intra-interface
命令,看看这是否能缓解问题,但我怀疑您的某台主机配置错误。请确保主机上的子网掩码全部正确,并且基于主机的防火墙没有阻止您的请求。
答案2
转到 ADDM 并查看是否已启用“配置”>“接口”页面底部的复选框。
复选框显示
启用连接到同一接口的两个或多个主机之间的流量