ASA fails to find the egress interface, a NAT problem?

network-engineering cisco cisco-asa
2022-02-19 15:42:43

I cannot ping Inside->Outside, DMZ->Outside or Inside->DMZ. Packet Tracer in ASDM points at an access rule, but I cannot see it (clicking the rule), and I cannot create the reverse rule from Packet Tracer. When I ran into a similar problem before, it was a NAT issue. Documentation and blogs describe how the ASA first routes traffic using the Xlate (NAT) rules before consulting the routing table, so if NAT fails, the egress interface cannot be determined (the traffic cannot be routed).
Also, Inside->DMZ and the like should not need any NAT or access rules at all to work. Just in case, I tried a permit-all traffic rule, but it did not help.

interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.0.10.1 255.255.255.0 
!
interface Ethernet0/1
 nameif DMZ
 security-level 50
 ip address 10.0.20.1 255.255.255.0 
!
interface Ethernet0/2
 nameif Outside
 security-level 0
 ip address 10.0.50.1 255.255.255.0 
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup DMZ
dns domain-lookup Outside
same-security-traffic permit intra-interface
object network DMZtoOUT 
 subnet 10.0.20.0 255.255.255.0
object network DMZtoOUThttp 
 host 10.0.20.2
object network INStoOUTdyn 
 subnet 10.0.10.0 255.255.255.0
object network DMZtoOUTftp 
 host 10.0.20.2
object network INStoDMZ 
 subnet 192.168.1.0 255.255.255.0
object network InsideNetwork 
 subnet 10.0.10.0 255.255.255.0
object network TrustedUsers 
 subnet 10.0.50.0 255.255.255.128
object network UntrustedUsers 
 subnet 10.0.50.128 255.255.255.128
object network IntoOut 
 subnet 10.0.10.0 255.255.255.0
object network TEST 
 range 10.0.10.1 10.0.10.254
object network TEST2 
 range 10.0.20.1 10.0.20.254
object network FUCK 
 range 10.0.20.1 10.0.20.254
object network Insidenet 
 subnet 10.0.10.0 255.255.255.0
object network INStoOut 
 subnet 10.0.10.0 255.255.255.0
object network ANY 
 subnet 0.0.0.0 0.0.0.0
object network INtoOUT 
 subnet 10.0.10.0 255.255.255.0
object-group icmp-type ICMPALL
 icmp-object alternate-address
 icmp-object conversion-error
 icmp-object echo
 icmp-object echo-reply
 icmp-object information-reply
 icmp-object information-request
 icmp-object mask-reply
 icmp-object mask-request
 icmp-object mobile-redirect
 icmp-object parameter-problem
 icmp-object redirect
 icmp-object router-advertisement
 icmp-object router-solicitation
 icmp-object source-quench
 icmp-object time-exceeded
 icmp-object timestamp-reply
 icmp-object timestamp-request
 icmp-object traceroute
 icmp-object unreachable
object-group service DMZservices
 service-object tcp destination eq ftp 
 service-object tcp destination eq ftp-data 
 service-object tcp destination eq www 
 service-object tcp destination eq https 
object-group network MAPPEDINDMZ
 network-object object TEST
 network-object object TEST2
access-list inside_access_in extended permit icmp any any 
access-list Outside_access_in extended permit object-group DMZservices object TrustedUsers host 10.0.20.2 
access-list Outside_access_in extended permit tcp object UntrustedUsers host 10.0.20.2 eq www 
access-list InsideNet standard permit 10.0.10.0 255.255.255.0 
access-list DMZ_access_in extended permit icmp any any object-group ICMPALL 
access-list global_access extended permit icmp any any object-group ICMPALL 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu DMZ 1500
mtu Outside 1500
mtu management 1500
ip local pool VPNpool 10.0.10.100-10.0.10.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.0.20.0 255.255.255.0 inside
icmp permit 10.0.10.0 255.255.255.0 inside
icmp permit host 10.0.20.1 inside
icmp permit 10.0.10.0 255.255.255.0 DMZ
icmp permit 10.0.20.0 255.255.255.0 DMZ
no asdm history enable
arp timeout 14400
nat (inside,Outside) source static InsideNetwork InsideNetwork destination static InsideNetwork InsideNetwork
!
object network DMZtoOUT
 nat (DMZ,Outside) dynamic interface
object network DMZtoOUThttp
 nat (DMZ,Outside) static interface service tcp www www 
object network DMZtoOUTftp
 nat (DMZ,Outside) static interface service tcp ftp ftp 
object network INtoOUT
 nat (inside,Outside) dynamic interface
access-group DMZ_access_in in interface DMZ
access-group Outside_access_in in interface Outside
access-group global_access global
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server NewRad protocol radius
aaa-server NewRad (DMZ) host 10.0.20.3
 timeout 5
 key *****
 authentication-port 1812
 accounting-port 1813
http server enable
http 10.0.10.0 255.255.255.0 inside
dhcpd address 10.0.10.2-10.0.10.99 inside
dhcpd enable inside
!
dhcpd address 10.0.50.2-10.0.50.254 Outside
dhcpd enable Outside
!
dhcpd address 192.168.1.2-192.168.1.254 management
1 Answer

On your identity NAT (nonat), add "route-lookup" at the end of the command to bypass the behaviour of using the XLATE to pick the egress interface.
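The fix above is easy to forget when a configuration has many NAT statements, so here is a small audit script (an added example, not code from the question or the answer) that scans an ASA running-config for twice-NAT identity statements (`source static X X [destination static Y Y]`) that lack the `route-lookup` keyword and prints the corrected line. The sample configuration inside the script is constructed for the example: it contains the identity NAT line from the question, a second identity rule that already has `route-lookup`, a static rule that is not an identity rule, and the dynamic object NAT from the question (dynamic PAT is not identity NAT, so `route-lookup` does not apply to it and it is not flagged). The object name `DMZnet` and the mapped object `MappedNet` are assumptions used only to build the sample.

```python
import re

# Constructed sample running-config excerpt (not the full config from the question).
SAMPLE_CONFIG = """\
nat (inside,Outside) source static InsideNetwork InsideNetwork destination static InsideNetwork InsideNetwork
nat (inside,DMZ) source static InsideNetwork InsideNetwork destination static DMZnet DMZnet route-lookup
nat (inside,Outside) source static InsideNetwork MappedNet
object network INtoOUT
 nat (inside,Outside) dynamic interface
"""

# Twice NAT (section 1/3) static statements: "nat (real,mapped) source static A B [destination static C D] ..."
# Object NAT lines (" nat (x,y) dynamic interface" under "object network") do not match "source static".
TWICE_NAT_STATIC_RE = re.compile(
    r"^\s*nat\s+\((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+source\s+static\s+"
    r"(?P<src_real>\S+)\s+(?P<src_mapped>\S+)"
    r"(?:\s+destination\s+static\s+(?P<dst_real>\S+)\s+(?P<dst_mapped>\S+))?"
    r"(?P<rest>.*)$"
)


def find_identity_nat_without_route_lookup(config_text):
    """Return a list of (line_no, original_line, suggested_line) for every
    identity NAT statement that does not carry the route-lookup keyword.

    A statement is treated as identity NAT when the real and mapped source
    objects are the same and, if a destination clause is present, the real and
    mapped destination objects are the same too.
    """
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = TWICE_NAT_STATIC_RE.match(line)
        if not m:
            continue
        is_identity = m.group("src_real") == m.group("src_mapped")
        if m.group("dst_real") is not None:
            is_identity = is_identity and m.group("dst_real") == m.group("dst_mapped")
        if not is_identity:
            continue
        # Remaining keywords (route-lookup, no-proxy-arp, unidirectional, ...)
        if "route-lookup" in m.group("rest").split():
            continue
        original = line.strip()
        findings.append((line_no, original, original + " route-lookup"))
    return findings


if __name__ == "__main__":
    for line_no, original, suggested in find_identity_nat_without_route_lookup(SAMPLE_CONFIG):
        print(f"line {line_no}: identity NAT without route-lookup")
        print(f"  found:   {original}")
        print(f"  suggest: {suggested}")
```

Run it against `show running-config nat` output saved to a file by replacing `SAMPLE_CONFIG` with the file contents; each flagged line is reported with the same statement plus `route-lookup` appended, which is exactly the change the answer recommends.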