NAT on an ASA (5505) firewall not working for VLANs configured on a Layer 3 switch?

Network Engineering cisco-asa nat firewall packet-tracer
2022-02-24 16:00:45

Topology: [image]

Tool used: Cisco Packet Tracer

Scenario:

  • NAT does not work for hosts in any VLAN of the Layer 3 switch.
  • The ping request reaches the external server, but NAT does not work, so the ISP router cannot route the reply back to the ASA (because the destination IP is a private IP address).
  • If I ping the external server from the Layer3-Switch itself, NAT is working.

PKT file: https://drive.google.com/file/d/1qbVw9XsCtTbjeGmY5OpxK1552CULkq-C/view?usp=sharing


The configuration, in case you don't want to download the file.

ASA configuration:

interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Vlan1
 no nameif
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 shutdown
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 172.16.0.2 255.255.0.0
!
interface Vlan3
 nameif outside
 security-level 0
 ip address 51.1.1.1 255.0.0.0
!
object network LAN
 subnet 172.16.0.0 255.255.255.0
object network VLAN10
 subnet 192.168.10.0 255.255.255.0
object network VLAN20
 subnet 192.168.20.0 255.255.255.0
object network VLAN30
 subnet 192.168.30.0 255.255.255.0
object network VLAN40
 subnet 192.168.40.0 255.255.255.0
object network VLAN50
 subnet 192.168.50.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 51.1.1.2 1
route inside 192.168.0.0 255.255.0.0 172.16.0.1 1
!
access-list local-to-internet extended permit tcp any any
access-list local-to-internet extended permit icmp any any
!
!
access-group local-to-internet in interface outside
object network LAN
 nat (inside,outside) dynamic interface
object network VLAN10
 nat (inside,outside) dynamic interface
object network VLAN20
 nat (inside,outside) dynamic interface
object network VLAN30
 nat (inside,outside) dynamic interface
object network VLAN40
 nat (inside,outside) dynamic interface
object network VLAN50
 nat (inside,outside) dynamic interface

Layer 3 switch configuration:

ip routing
!
!
spanning-tree mode pvst
!
!
interface FastEthernet0/1
 no switchport
 ip address 172.16.0.1 255.255.0.0
 duplex auto
 speed auto
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/5
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/6
 switchport access vlan 30
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/7
 switchport access vlan 40
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/8
 switchport access vlan 50
 switchport mode access
 switchport nonegotiate
!
interface Vlan1
 ip address 10.0.0.1 255.0.0.0
!
interface Vlan10
 mac-address 0001.426c.9901
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 10.0.0.2
 ip helper-address 10.0.0.3
!
interface Vlan20
 mac-address 0001.426c.9902
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 10.0.0.2
 ip helper-address 10.0.0.3
!
interface Vlan30
 mac-address 0001.426c.9903
 ip address 192.168.30.1 255.255.255.0
 ip helper-address 10.0.0.2
 ip helper-address 10.0.0.3
!
interface Vlan40
 mac-address 0001.426c.9904
 ip address 192.168.40.1 255.255.255.0
 ip helper-address 10.0.0.2
 ip helper-address 10.0.0.3
!
interface Vlan50
 mac-address 0001.426c.9905
 ip address 192.168.50.1 255.255.255.0
 ip helper-address 10.0.0.2
 ip helper-address 10.0.0.3
!
router ospf 1
 log-adjacency-changes
 network 192.168.0.0 0.0.255.255 area 0
 network 10.0.0.0 0.255.255.255 area 0
 network 172.16.0.0 0.0.255.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.0.2 
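A configuration-audit check, added here and not part of the question or the answer (it does not model the Packet Tracer bug the answer names): it parses the object NAT and `route inside` statements from a constructed excerpt of the ASA configuration above and reports which hosts, and which parts of the inside-routed prefixes, would leave the firewall with their private source address intact, which is exactly the symptom the ISP router then cannot route back. It assumes only the ASA object-NAT syntax shown in the question.

```python
import ipaddress
# Constructed excerpt of the ASA configuration posted in the question.
ASA_CONFIG = """\
object network LAN
 subnet 172.16.0.0 255.255.255.0
object network VLAN10
 subnet 192.168.10.0 255.255.255.0
route inside 192.168.0.0 255.255.0.0 172.16.0.1 1
object network LAN
 nat (inside,outside) dynamic interface
object network VLAN10
 nat (inside,outside) dynamic interface
"""

def parse_asa(config):
    """Return ({object: [subnet, (real_if, mapped_if)]}, [prefixes routed via inside])."""
    objects, inside_routes, current = {}, [], None
    for line in config.splitlines():
        p = line.split()
        if p[:2] == ["object", "network"]:
            objects.setdefault(current := p[2], [None, None])
        elif p[:1] == ["subnet"]:
            objects[current][0] = ipaddress.ip_network(f"{p[1]}/{p[2]}")
        elif p[:1] == ["nat"]:
            objects[current][1] = tuple(p[1].strip("()").split(","))
        elif p[:2] == ["route", "inside"]:
            inside_routes.append(ipaddress.ip_network(f"{p[2]}/{p[3]}"))
    return objects, inside_routes

def nat_object_for(host, config=ASA_CONFIG):
    """Object that translates host on (inside,outside), or None if it leaves untranslated."""
    objects, _ = parse_asa(config)
    addr = ipaddress.ip_address(host)
    for name, (subnet, pair) in objects.items():
        if subnet is not None and addr in subnet and pair == ("inside", "outside"):
            return name
    return None

def untranslated_inside_prefixes(config=ASA_CONFIG):
    """Parts of each 'route inside' prefix that no (inside,outside) object NAT covers."""
    objects, remaining = parse_asa(config)
    for subnet in (s for s, p in objects.values() if s and p == ("inside", "outside")):
        nxt = []
        for net in remaining:
            if subnet.subnet_of(net):          # carve the translated block out of the route
                nxt.extend(net.address_exclude(subnet))
            elif not subnet.supernet_of(net):  # disjoint: the route prefix stays untranslated
                nxt.append(net)
        remaining = nxt
    return sorted(str(n) for n in remaining)
```

Note that with the posted objects a host such as 172.16.5.5 is also left untranslated, because the LAN object is a /24 while the inside interface and the switch link are a /16.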

1 Answer

This is a bug in Cisco Packet Tracer that causes NAT not to work properly.

See here: https://community.cisco.com/t5/routing/packet-tracer-asa-nat-problem/td-p/3936024

(Some workarounds are in the link above.)

A simple solution (not ideal) is to use a router for NATing (the so-called traditional way).