我们最近将内部网络划分为多个 VLAN,以便通过 WiFi 更好地管理。所有 VLAN 都创建为 GE1 的子接口。之前在用的 GE2 和 GE3 已断开连接并禁用。GE0 保持原生状态,并设置为 WAN。GE1 的原生(native)网络用作管理接口。
完成此配置后,我们遇到了经 WAN 的 ping 间歇性丢包的问题,每次持续几秒钟。无论问题是否存在,丢包率保持不变。丢包仅影响互联网流量,ping 各 VLAN 的网关没有问题。
白天办公室有用户时,丢包更为严重。
我无法找到问题的根源。我应该从哪里着手排查?希望能得到一些指点。
! Posted running-config of the firewall (software 9.9(1)3 per the version line).
! Hostname, domain, password hashes and the WAN address were masked with #### by the poster;
! the domain-name is only partly masked.
ASA Version 9.9(1)3
!
hostname ####-asa
domain-name ####capital.local
enable password #### encrypted
! These eight rules switch per-session PAT off for all TCP and for UDP/53, so PAT translations
! are held until "timeout pat-xlate" (0:00:30 further down) expires instead of being freed
! when the connection closes.
! NOTE(review): all outbound traffic is PATed to the single WAN interface address in this
! config, so this may add to PAT port-pool pressure at busy hours - check "show nat pool" and
! "show xlate count" while the drops occur; this listing alone does not confirm it.
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd #### encrypted
names
! Remote-access VPN address pools. vpn-pool and VPN_pool3 are carved out of 10.0.0.0/24,
! the same subnet that interface LAN1 uses (10.0.0.1/24 below), so VPN clients and LAN hosts
! share one address range and cannot be told apart by subnet in ACLs.
ip local pool vpn-pool2 10.0.1.1-10.0.1.10 mask 255.255.255.0
ip local pool VPN_pool3 10.0.0.220-10.0.0.245 mask 255.255.255.0
ip local pool vpn-pool 10.0.0.202-10.0.0.219 mask 255.255.255.0
!
! Interface layout: Gi0/0 is the WAN uplink; Gi0/1 is the trunk that carries VLAN 300, 100
! and 200 as sub-interfaces .1/.2/.3; Gi0/2-0/5 are shut down; Management0/0 is management-only.
! Security levels differ on every named interface (1, 99, 4, 2, 5, 3, 100). Each data
! interface also has an access-group further down, and once an ACL is applied the ACL - not
! the security level - decides what that interface lets in.
interface GigabitEthernet0/0
nameif WAN
security-level 1
ip address #### 255.255.255.252
!
! The physical Gi0/1 has its own nameif (MGMT, level 99) and address, so untagged frames that
! arrive on the trunk port are accepted into the management segment.
! NOTE(review): confirm the switch port's native VLAN is a dedicated management VLAN that no
! user or guest access port can reach.
interface GigabitEthernet0/1
nameif MGMT
security-level 99
ip address 192.168.1.1 255.255.255.0
!
! Guest wireless, VLAN 300, 10.1.0.0/24.
interface GigabitEthernet0/1.1
vlan 300
nameif GuestWifi
security-level 4
ip address 10.1.0.1 255.255.255.0
!
! Office LAN, VLAN 100, 10.0.0.0/24 (servers, Exchange, NAS and the VPN pools live here).
interface GigabitEthernet0/1.2
vlan 100
nameif LAN1
security-level 2
ip address 10.0.0.1 255.255.255.0
!
! Voice, VLAN 200, 10.10.0.0/24.
interface GigabitEthernet0/1.3
vlan 200
nameif Voice
security-level 5
ip address 10.10.0.254 255.255.255.0
!
! Shut down, but still named LAN2 and still referenced by a crypto map, IKEv2, webvpn and an
! SSL trust-point further down. "ip address dhcp setroute" would also install a DHCP-learned
! default route if the port were ever re-enabled.
! NOTE(review): remove the leftover LAN2 bindings so re-enabling the port cannot silently
! expose VPN services or change the default route.
interface GigabitEthernet0/2
description Avaya subnet
shutdown
nameif LAN2
security-level 3
ip address dhcp setroute
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
! Dedicated out-of-band port: management-only means it does not forward through-traffic.
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.2.1 255.255.255.0
!
boot system disk0:/asa991-3-smp-k8.bin
ftp mode passive
clock timezone AST 3
! Name resolution performed by the ASA itself is enabled on the WAN interface only.
! 192.168.10.202 is on none of the subnets configured in this listing - presumably a stale
! entry; verify, since an unreachable resolver slows every lookup the ASA makes.
dns domain-lookup WAN
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 192.168.10.202
domain-name ####
dns server-group ####
name-server 62.208.25.212
name-server 83.136.58.190
dns-group ###
! intra-interface permits hairpinning (traffic entering and leaving the same interface), which
! the (WAN,WAN) NAT rule further down relies on. inter-interface permits flows between
! interfaces of equal security level; no two interfaces in this listing share a level, so as
! shown it has no effect.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
! Network and service objects. Several object names resolve to the same host (for example
! avaya/avaya2/avaya4/avaya9 = 10.10.0.1, Exchange/ExchangeSMTP/ExchangePOP/ExchangeSMTP2/
! Exchange-HTTP-LE = 10.0.0.5) because each object-NAT rule further down is attached to its
! own object.
object network VMhost1
host 10.0.0.2
object service Blackberry
service tcp destination eq 3101
object service RDP
service tcp destination eq 3389
object service SSL2
service tcp destination eq https
! Matches only when BOTH source and destination port are 22, which a normal SSH client never
! produces. Not referenced by any access-list in this listing.
object service ssh
service tcp source eq ssh destination eq ssh
object network vmhost3
host 10.0.0.3
object network Exchange
host 10.0.0.5
object network NAS
host 10.0.0.13
object network ExchangeSMTP
host 10.0.0.5
object service SMTP
service tcp source range 1 65535 destination eq smtp
object network avaya
host 10.10.0.1
object network avaya2
host 10.10.0.1
object network avaya3
host 10.0.0.201
object service avaya-5060
service tcp source eq sip destination eq sip
object network avaya4
host 10.10.0.1
description avaya
object network LANIP
range 10.0.0.2 10.0.0.254
! Range 10.0.2.x, while the "ip local pool" lines above hand out 10.0.1.x and 10.0.0.x -
! NOTE(review): confirm which remote network this object is meant to describe.
object network VPN
range 10.0.2.1 10.0.2.254
! Empty object: no host, subnet or range is defined for it in this listing.
object network NEC_DSX
! Defined as TCP ports 67-68. DHCP runs over UDP, so the "deny object DHCP ..." rules in
! LAN1_access_in, LAN2_access_in and Voice_access_in do not match DHCP traffic as written.
object service DHCP
service tcp source range 1 65535 destination range 67 68
object network avaya7
host 10.10.0.2
object network avaya6
host 10.0.0.201
object network avaya8
host 10.0.0.201
object network avaya9
host 10.10.0.1
object network LAN1
subnet 10.0.0.0 255.255.255.0
! 0.0.0.0/0 - carries the catch-all dynamic PAT rule further down.
object network anywhere
subnet 0.0.0.0 0.0.0.0
object network inside-net
subnet 10.0.0.0 255.255.255.0
object network vpn-subnets
subnet 10.0.2.0 255.255.255.0
! Name says 10.0.1.0 but the object defines 10.0.2.0/24; the (WAN,LAN1) identity-NAT rule
! that uses it therefore covers 10.0.2.0/24, not the vpn-pool2 range 10.0.1.x.
object network obj-10.0.1.0
subnet 10.0.2.0 255.255.255.0
object network avaya10
host 10.10.0.2
object network avaya11
host 10.10.0.2
object network owncloudtest
host 10.0.0.9
object network owncloudtest2
host 10.0.0.9
object network ExchangePOP
host 10.0.0.5
object network ExchangeSMTP2
host 10.0.0.5
object network GoodServer
host 10.0.0.14
object network NETWORK_OBJ_10.0.0.0_24
subnet 10.0.0.0 255.255.255.0
object network GUESTWIFI
subnet 10.1.0.0 255.255.255.0
object network GuestWifi
subnet 10.1.0.0 255.255.255.0
object network A_62.208.22.185
host 62.208.22.185
object network PRTG
host 10.0.0.15
object network NETWORK_OBJ_10.0.0.192_26
subnet 10.0.0.192 255.255.255.192
object network Exchange-HTTP-LE
host 10.0.0.5
! Object groups (DM_INLINE_* is the naming ASDM uses for groups it creates inline).
! Every protocol group in this section contains "ip", so the extra icmp/tcp/udp members are
! redundant: an ACL entry that uses any of these groups matches ALL IP traffic between its
! source and destination, not just the listed transport protocols.
object-group protocol DM_INLINE_PROTOCOL_6
protocol-object ip
protocol-object icmp
protocol-object tcp
! Used by "permit icmp any4 any4" in global_access. It lists nearly every ICMP type, including
! redirect, router-advertisement, mask-request and timestamp-reply.
! NOTE(review): echo, echo-reply, unreachable and time-exceeded are normally all that ping,
! traceroute and path-MTU discovery need; consider trimming the rest.
object-group icmp-type DM_INLINE_ICMP_1
icmp-object alternate-address
icmp-object conversion-error
icmp-object echo
icmp-object echo-reply
icmp-object information-reply
icmp-object information-request
icmp-object mask-reply
icmp-object mask-request
icmp-object mobile-redirect
icmp-object parameter-problem
icmp-object redirect
icmp-object router-advertisement
icmp-object router-solicitation
icmp-object source-quench
icmp-object time-exceeded
icmp-object timestamp-reply
icmp-object traceroute
icmp-object unreachable
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object tcp
! Service set that global_access permits from any4 to VMhost1 (10.0.0.2). It includes remote
! administration (ssh, RDP) and tunnelling (pptp, gre) next to mail and web ports.
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq domain
service-object tcp destination eq www
service-object tcp destination eq imap4
service-object tcp destination eq pop3
service-object tcp destination eq pptp
service-object tcp destination eq smtp
service-object tcp destination eq ssh
service-object object Blackberry
service-object object RDP
service-object tcp destination eq https
service-object gre
! Destination block-list referenced by the deny rule in global_access: four hosts and one /8.
object-group network DM_INLINE_NETWORK_3
network-object host 125.78.89.45
network-object host 183.60.205.231
network-object 124.0.0.0 255.0.0.0
network-object host 119.147.153.58
network-object host 103.4.19.61
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_7
protocol-object ip
protocol-object icmp
protocol-object tcp
object-group network OBJ-INSIDE-NETWORKS
network-object 10.0.0.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object ip
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_8
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_9
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_10
protocol-object ip
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_11
protocol-object ip
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_12
protocol-object ip
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_13
protocol-object ip
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_14
protocol-object ip
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_15
protocol-object ip
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_16
protocol-object ip
protocol-object udp
protocol-object tcp
! global_access is bound with "access-group global_access global" further down, so it is
! consulted for traffic entering ANY interface - WAN included - whenever that interface's own
! ACL has no matching entry.
! NOTE(review): "permit ip any4 10.0.0.0 255.255.255.0" and "permit ip any4 10.1.0.0
! 255.255.255.0" have no source restriction. Together with the static PAT entries in the NAT
! section, every LAN1 service published on the WAN address is admitted from any source even
! where WAN_access_in has no permit for it. Restrict the source of these rules to the internal
! networks, or move them into the inside interface ACLs.
! NOTE(review): "permit ip 10.1.0.0 255.255.255.0 any4" lets guest Wi-Fi clients reach the
! Voice and MGMT subnets, because GuestWifi_access_in only denies guest-to-10.0.0.0/24.
access-list global_access extended permit icmp any4 any4 object-group DM_INLINE_ICMP_1
access-list global_access extended deny object-group DM_INLINE_PROTOCOL_1 any4 object-group DM_INLINE_NETWORK_3
access-list global_access extended permit object-group DM_INLINE_SERVICE_1 any4 object VMhost1
access-list global_access extended permit tcp any4 any4 eq domain
access-list global_access extended permit ip 10.0.0.0 255.255.255.0 any4
access-list global_access extended permit ip any4 10.0.0.0 255.255.255.0
access-list global_access extended permit tcp any4 any4 eq https
access-list global_access extended permit ip 10.1.0.0 255.255.255.0 any4
access-list global_access extended permit ip any4 10.1.0.0 255.255.255.0
! LAN1_access_in is not bound by any access-group in this listing (interface LAN1 uses
! LAN1_access_in_1), so the SMTP restriction below is not enforced as shown.
access-list LAN1_access_in extended permit tcp object Exchange any4 eq smtp
access-list LAN1_access_in extended permit tcp any4 object Exchange eq smtp
access-list LAN1_access_in extended deny tcp any4 any4 eq smtp
access-list LAN1_access_in extended permit tcp any4 any4 eq https
access-list LAN1_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any4 10.0.1.0 255.255.255.0
access-list LAN1_access_in extended permit object-group DM_INLINE_PROTOCOL_2 10.0.1.0 255.255.255.0 any4
access-list LAN1_access_in extended deny object DHCP 10.10.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list LAN1_access_in extended permit object-group DM_INLINE_PROTOCOL_4 any4 10.0.2.0 255.255.255.0
access-list LAN1_access_in extended permit object-group DM_INLINE_PROTOCOL_5 10.0.2.0 255.255.255.0 any4
! Inbound ACL on WAN. The two rules towards 10.10.0.2 and 10.10.0.1 use protocol groups that
! contain "ip", so they permit every protocol and port to those voice hosts, limited only by
! which ports have a static PAT entry.
! "permit ip any4 interface GuestWifi" matches packets addressed to the ASA's own GuestWifi
! address; presumably the guest subnet was intended - verify, the rule looks ineffective.
access-list WAN_access_in extended permit tcp any4 object GoodServer eq https
access-list WAN_access_in extended permit icmp any4 host 10.0.0.16 inactive
access-list WAN_access_in extended permit object-group DM_INLINE_PROTOCOL_10 any4 host 10.10.0.2
access-list WAN_access_in extended permit ip any4 interface GuestWifi
access-list WAN_access_in extended permit object-group DM_INLINE_PROTOCOL_13 any4 host 10.10.0.1
! Standard ACL used as the split-tunnel network list in DfltGrpPolicy.
access-list local standard permit 10.0.0.0 255.255.255.0
! outside_access_in is not bound by any access-group in this listing.
access-list outside_access_in extended permit udp any4 host 10.0.0.16 eq sip
access-list outside_access_in extended permit tcp any4 host 10.0.0.201 range 35000 45000
! Bound to LAN2, which is shut down.
access-list LAN2_access_in extended deny object DHCP 10.0.0.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list LAN2_access_in extended permit object-group DM_INLINE_PROTOCOL_11 10.10.0.0 255.255.255.0 any4
access-list LAN2_access_in extended permit object-group DM_INLINE_PROTOCOL_12 any4 10.10.0.0 255.255.255.0
! Interesting-traffic selector for the site-to-site tunnel (crypto map WAN_map 1).
access-list WAN_cryptomap extended permit ip 10.0.0.0 255.255.255.0 object vpn-subnets
! Inbound ACL on GuestWifi. The first rule only matches packets addressed to the WAN
! interface address itself, not Internet destinations; guest Internet access is actually
! granted by global_access. The second deny has a source of 10.0.0.0/24, which does not
! originate on the guest interface.
access-list GuestWifi_access_in extended permit ip any4 interface WAN
access-list GuestWifi_access_in extended deny object-group DM_INLINE_PROTOCOL_9 10.1.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list GuestWifi_access_in extended deny object-group DM_INLINE_PROTOCOL_8 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
! Inbound ACL on LAN1. The only permit is for source 192.168.1.0/24, which is the MGMT subnet
! rather than LAN1's 10.0.0.0/24; LAN1 hosts reach the Internet through global_access.
access-list LAN1_access_in_1 extended deny object-group DM_INLINE_PROTOCOL_7 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list LAN1_access_in_1 extended deny object-group DM_INLINE_PROTOCOL_6 10.1.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list LAN1_access_in_1 extended permit ip 192.168.1.0 255.255.255.0 any
! Permits all IP from anything arriving on MGMT to anywhere.
access-list MGMT_access_in extended permit object-group DM_INLINE_PROTOCOL_14 any any
! The deny for DHCP sits after two permits that already match all IP, so it is never reached.
access-list Voice_access_in extended permit object-group DM_INLINE_PROTOCOL_15 10.10.0.0 255.255.255.0 any
access-list Voice_access_in extended permit object-group DM_INLINE_PROTOCOL_16 any 10.10.0.0 255.255.255.0
access-list Voice_access_in extended deny object DHCP 10.0.0.0 255.255.255.0 10.10.0.0 255.255.255.0
! Not bound to an interface in this listing; by its name and contents this appears to be the
! stock AnyConnect client-firewall list for local printing - confirm before editing.
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
pager lines 24
! Logging goes to the ASDM buffer at level informational; no "logging host", "logging trap"
! or "logging buffered" line appears in this listing, so nothing is retained off-box.
! The suppressed message IDs are the ACL-deny records (106023, 106100, 106015, 313001, 313008,
! 710003) and the connection build/teardown records for TCP, UDP, GRE and ICMP (302013-302018,
! 302020, 302021).
! NOTE(review): those are the records that show whether the firewall is dropping or tearing
! down flows during the outages, and the ones an investigation would need afterwards.
! Re-enable at least 106023 and the 3020xx pair for the affected protocol while
! troubleshooting, and send them to a syslog collector.
logging enable
logging asdm informational
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
! NetFlow export to 10.0.0.15 (the host the PRTG object points at) on UDP port 2055.
flow-export destination LAN1 10.0.0.15 2055
mtu WAN 1500
mtu GuestWifi 1500
mtu LAN1 1500
mtu LAN2 1500
mtu management 1500
mtu Voice 1500
mtu MGMT 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-791-151.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
! Manual (twice) NAT, evaluated in the order listed and before the object NAT below.
! The first five rules are identity NAT: they exempt LAN1 <-> VPN traffic from translation.
! The second rule uses obj-10.0.1.0, which is defined as 10.0.2.0/24.
! The (WAN,WAN) rule hairpins VPN-pool traffic (10.0.0.192/26) back out of the WAN interface.
nat (LAN1,WAN) source static inside-net inside-net destination static vpn-subnets vpn-subnets
nat (WAN,LAN1) source static obj-10.0.1.0 obj-10.0.1.0 destination static OBJ-INSIDE-NETWORKS OBJ-INSIDE-NETWORKS
nat (LAN1,WAN) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static vpn-subnets vpn-subnets no-proxy-arp route-lookup
nat (WAN,WAN) source static any any destination static NETWORK_OBJ_10.0.0.192_26 NETWORK_OBJ_10.0.0.192_26 no-proxy-arp route-lookup
nat (LAN1,WAN) source static any any destination static NETWORK_OBJ_10.0.0.192_26 NETWORK_OBJ_10.0.0.192_26 no-proxy-arp route-lookup
nat (MGMT,LAN1) source static any any unidirectional no-proxy-arp
!
! Object NAT. Each "static interface service" line publishes one internal port on the WAN
! interface address. Whether a published port is reachable is decided by WAN_access_in and
! then by global_access, which permits any4 to 10.0.0.0/24.
! NOTE(review): as listed this publishes administrative and storage services (SSH on 222,
! ports 2222, 3333, 2443) alongside mail, web and SIP. Review each entry against a current
! business need, drop the test entries (owncloudtest*), and prefer reaching admin services
! over the VPN instead of a port-forward.
object network VMhost1
nat (any,WAN) static interface service tcp 2222 2222
object network vmhost3
nat (any,WAN) static interface service tcp ssh 222
object network Exchange
nat (any,WAN) static interface service tcp https https
object network NAS
nat (any,WAN) static interface service tcp 3333 3333
object network ExchangeSMTP
nat (any,WAN) static interface service tcp smtp smtp
object network avaya
nat (any,WAN) static interface service tcp sip sip
object network avaya2
nat (any,WAN) static interface service tcp 5061 5061
object network avaya3
nat (any,WAN) static interface service tcp 8080 8080
object network avaya4
nat (any,WAN) static interface service udp sip sip
object network avaya7
nat (any,WAN) static interface service tcp https 8881
object network avaya9
nat (any,WAN) static interface service udp 5061 5061
! Catch-all dynamic PAT: every source (0.0.0.0/0) leaving via WAN is translated to the single
! WAN interface address. All VLANs share that one address's port space, which is where the
! "xlate per-session deny" rules and the pat-xlate timeout become relevant under load.
object network anywhere
nat (any,WAN) dynamic interface
object network avaya10
nat (any,WAN) static interface service tcp 5222 5222
object network avaya11
nat (any,WAN) static interface service tcp 8444 8444
object network owncloudtest
nat (any,WAN) static interface service tcp www 5555
object network owncloudtest2
nat (any,WAN) static interface service tcp https 7777
object network ExchangePOP
nat (any,WAN) static interface service tcp pop3 pop3
object network ExchangeSMTP2
nat (any,WAN) static interface service tcp 465 465
! One-to-one static NAT of GoodServer to its own public address (all ports translated;
! WAN_access_in permits only https to it).
object network GoodServer
nat (LAN1,WAN) static A_62.208.22.185
! Same translation the "anywhere" object already provides for 10.1.0.0/24.
object network GuestWifi
nat (any,WAN) dynamic interface
object network PRTG
nat (any,WAN) static interface service tcp 2443 2443
object network Exchange-HTTP-LE
nat (any,WAN) static interface service tcp www www
! ACL bindings. LAN1_access_in and outside_access_in (defined above) are bound nowhere.
! For traffic entering an interface the interface ACL is checked first; with a global ACL
! present, packets it does not match fall through to global_access before the final deny.
access-group WAN_access_in in interface WAN
access-group GuestWifi_access_in in interface GuestWifi
access-group LAN1_access_in_1 in interface LAN1
access-group LAN2_access_in in interface LAN2
access-group Voice_access_in in interface Voice
access-group MGMT_access_in in interface MGMT
access-group global_access global
! RIP is enabled with every interface passive and no network statement in this listing, so
! as shown it advertises nothing.
router rip
passive-interface default
!
! Single static default route via WAN.
route WAN 0.0.0.0 0.0.0.0 62.208.26.194 1
! Timers. pat-xlate 0:00:30 is how long a PAT translation lingers after use when per-session
! PAT is disabled (see the xlate rules at the top). icmp 0:00:02 is the idle time for an ICMP
! connection entry.
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
! LDAP server group used to authenticate the ####_VPN tunnel-group.
! NOTE(review): the server 10.0.0.4 lies in the LAN1 subnet, yet the host entry names the WAN
! interface - verify the interface. No "ldap-over-ssl enable" line is shown, so binds are
! presumably sent in clear text; confirm and enable LDAPS.
aaa-server VPN_users protocol ldap
max-failed-attempts 5
aaa-server VPN_users (WAN) host 10.0.0.4
timeout 5
server-type auto-detect
user-identity default-domain LOCAL
aaa authentication login-history
! ASDM/HTTPS management access. 192.168.1.0/24 is the MGMT subnet; the entries that pair it
! with the "management" and "LAN1" interfaces do not match those interfaces' own subnets
! (192.168.2.0/24 and 10.0.0.0/24) and look like leftovers from before the VLAN change.
! No "aaa authentication http console" line is shown in this listing.
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 LAN1
http 192.168.2.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 MGMT
no snmp-server location
no snmp-server contact
! Denied inbound TCP on WAN is answered with a reset instead of being dropped silently.
service resetinbound interface WAN
! IPsec transform sets and proposals. The full default menu is present, including single DES,
! 3DES and MD5 integrity, and both crypto maps below offer all of it.
! NOTE(review): a peer can negotiate down to the weakest entry that is offered. Keep only the
! AES sets with SHA integrity in the crypto maps and remove the DES/3DES/MD5 entries once both
! tunnel ends agree.
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
! Dynamic map for remote-access clients: PFS with DH group 1 and every transform set.
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
! Site-to-site tunnel to one peer, using IKEv1 aggressive mode with a pre-shared key (see the
! matching tunnel-group) and NAT-T disabled.
! NOTE(review): aggressive mode with a PSK exchanges the identity and a PSK-derived hash
! without encryption; prefer main mode or IKEv2, and use a long random key.
crypto map WAN_map 1 match address WAN_cryptomap
crypto map WAN_map 1 set pfs
crypto map WAN_map 1 set peer 93.95.26.238
crypto map WAN_map 1 set ikev1 phase1-mode aggressive
crypto map WAN_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map WAN_map 1 set nat-t-disable
crypto map WAN_map 1 set reverse-route
crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map WAN_map interface WAN
! Crypto map still attached to LAN2, an interface that is shut down.
crypto map LAN2_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map LAN2_map interface LAN2
! Self-signed identity certificate; it is bound to WAN and LAN2 by the "ssl trust-point"
! lines and to IKEv2 remote access further down.
! The hex block is the complete DER certificate, so its subject name, validity dates, key
! size and signature algorithm can be read back from it - masking the CN on the subject-name
! line does not hide the name. Leave the certificate chain out when sharing a config.
! NOTE(review): the encoding appears to carry a 1024-bit RSA key, a SHA-1 signature and a
! notAfter date in September 2024; confirm with "show crypto ca certificates" and re-issue
! with a stronger key and hash, ideally from a CA the VPN clients already trust.
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=###-asa
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate 96039f53
308201cf 30820138 a0030201 02020496 039f5330 0d06092a 864886f7 0d010105
0500302c 3111300f 06035504 03130861 736d612d 61736131 17301506 092a8648
86f70d01 09021608 61736d61 2d617361 301e170d 31343039 32393131 33393134
5a170d32 34303932 36313133 3931345a 302c3111 300f0603 55040313 0861736d
612d6173 61311730 1506092a 864886f7 0d010902 16086173 6d612d61 73613081
9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 8181009b 543b7d1f
20b63d5a 1f6e3382 1074ae95 c1572119 a8c53348 0028ea66 5bdeb61f 904192ea
9860683f e30b2b93 b53bc6c5 91046a15 f26f5edd 19362c81 5e7d7175 8beef726
4537dfa1 21f65271 68b49131 4dbbd6f1 a760ddc0 1c5beb2d 371e423a 30baae65
f49dca11 67031ae6 482d922a 73dc7be4 8a873751 7efe00a1 dbddf502 03010001
300d0609 2a864886 f70d0101 05050003 81810067 2276f556 49c4c90c 4aa8ec46
9f0028a5 c395804e 018bc35f 4aad8953 47f7a626 ff190e51 e54713bb 2958012c
0dfda292 6ac14e7f 6782abf8 868b7149 b629bd93 f32465c3 d6b79b13 4e0adffc
3b1cb8bf 181dea17 51886fc3 1ce9fd87 257df99e ea568a52 2a686628 1efe76bb
7ac61421 7a20ab35 45fec6ae 810df307 466fa3
quit
! IKE (phase 1) policies. Lower numbers are preferred, but every policy listed is acceptable
! to the ASA, so the weakest one defines the floor a peer may negotiate.
! IKEv2 policies: AES-256/192/128, then 3DES and DES, all with SHA-1 and DH groups 5 and 2.
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
! NOTE(review): policies 30 and 40 allow 3DES and single DES for IKEv2; remove them unless a
! peer that cannot do AES is documented.
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
! IKEv2 and IKEv1 listen on WAN. IKEv2 client-services is also configured on LAN2 (shut down).
crypto ikev2 enable WAN
crypto ikev2 enable LAN2 client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable WAN
! IKEv1 policies: each cipher appears twice, once with certificate (rsa-sig) and once with
! pre-shared-key authentication; all use SHA-1 and DH group 2.
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
! NOTE(review): policies 110-150 allow 3DES and single DES for IKEv1; same recommendation as
! for IKEv2 policies 30 and 40.
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
! Telnet (clear text) is allowed for 192.168.1.0/24 on the "management" interface, whose own
! subnet is 192.168.2.0/24. No "ssh <network> <interface>" line appears in this listing, so
! SSH access is not permitted from anywhere as shown.
! NOTE(review): replace the telnet entry with an ssh entry for the real management subnet,
! and move the SSH key exchange from dh-group1-sha1 to dh-group14-sha1.
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
! 0 = a console session never times out.
console timeout 0
dhcp-client client-id interface LAN2
! DHCP server: only GuestWifi has a "dhcpd enable" line. Pools are defined for Voice and MGMT
! but no enable line for them appears in this listing.
dhcpd address 10.1.0.2-10.1.0.253 GuestWifi
dhcpd dns 8.8.8.8 interface GuestWifi
dhcpd enable GuestWifi
!
dhcpd dns 8.8.8.8 interface LAN2
!
dhcpd address 10.10.0.200-10.10.0.250 Voice
dhcpd dns 8.8.8.8 interface Voice
!
dhcpd address 192.168.1.100-192.168.1.200 MGMT
dhcpd dns 8.8.8.8 interface MGMT
!
! All threat-detection features are switched off, so the ASA keeps no drop-rate or scanning
! statistics that could show whether it is discarding traffic during the outages.
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 WAN
ssl trust-point ASDM_TrustPoint0 LAN2
! SSL VPN portal and AnyConnect on TCP and DTLS port 4433, enabled on WAN and on LAN2.
! NOTE(review): the only client package is anyconnect-win-2.5.2014, a very old AnyConnect
! release; load a currently supported client image and remove this one.
webvpn
port 4433
enable WAN
enable LAN2
dtls port 4433
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect profiles Anyconnect_VPN disk0:/anyconnect_vpn.xml
anyconnect enable
cache
disable
no error-recovery disable
! VPN group policies and tunnel groups (names and keys masked by the poster).
group-policy ###_VPN internal
group-policy ###_VPN attributes
dns-server value 10.0.0.4 8.8.8.8
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
default-domain value ####
! Default policy inherited by every group that does not override it: all tunnel protocols
! (including L2TP/IPsec and clientless SSL) are allowed, clients may store the password, and
! split tunnelling sends only 10.0.0.0/24 (ACL "local") through the tunnel.
! NOTE(review): limit vpn-tunnel-protocol to what is actually used and reconsider
! "password-storage enable".
group-policy DfltGrpPolicy attributes
dns-server value 10.0.0.4 8.8.8.8
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value local
group-policy GroupPolicy_93.95.26.238 internal
group-policy GroupPolicy_93.95.26.238 attributes
vpn-tunnel-protocol ikev1
group-policy VPN internal
group-policy VPN attributes
dns-server value 10.0.0.4 8.8.8.8
vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
default-domain value #####.local
webvpn
anyconnect profiles value Anyconnect_VPN type user
dynamic-access-policy-record DfltAccessPolicy
! The pre-shared key below is only partly masked (its trailing characters are visible).
! NOTE(review): treat every key from a config that has been posted publicly as exposed and
! rotate it; when sharing configs, mask secrets completely.
tunnel-group DefaultRAGroup general-attributes
address-pool (LAN1) vpn-pool
address-pool vpn-pool2
authorization-server-group LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key ####2014
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool vpn-pool
! Site-to-site peer: IKEv1 and IKEv2 pre-shared keys.
tunnel-group 93.95.26.238 type ipsec-l2l
tunnel-group 93.95.26.238 general-attributes
default-group-policy GroupPolicy_93.95.26.238
tunnel-group 93.95.26.238 ipsec-attributes
ikev1 pre-shared-key #####
ikev2 remote-authentication pre-shared-key ####
ikev2 local-authentication pre-shared-key ####
! Remote-access group authenticated against the LDAP server group VPN_users.
tunnel-group ####_VPN type remote-access
tunnel-group ####_VPN general-attributes
address-pool VPN_pool3
authentication-server-group VPN_users
default-group-policy ####_VPN
tunnel-group ####_VPN ipsec-attributes
ikev1 pre-shared-key #####
! No authentication-server-group is set for this group, so it presumably falls back to the
! LOCAL user database - confirm which accounts exist there.
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool VPN_pool3
default-group-policy VPN
tunnel-group VPN ipsec-attributes
ikev1 pre-shared-key ######
!
! Modular policy framework. global-class matches all traffic and is used only for NetFlow
! export; inspection_default matches the default inspection ports.
class-map global-class
match any
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
! Global policy applied to all interfaces by the service-policy line below.
! "inspect icmp" is not in the inspection list, so ICMP is not tracked as a stateful session:
! echo replies coming back in on WAN pass only because global_access permits icmp any4 any4.
! NOTE(review): this makes ping an imprecise probe of the data path; compare against TCP
! connection behaviour (and "show asp drop") before concluding where packets are lost.
policy-map global_policy
description Netflow
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
class global-class
flow-export event-type all destination 10.0.0.15
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ad70e6f97b63e6006958a6fb55484ee7
: end