ASA does not pass all traffic

Network Engineering cisco-asa nat
2022-02-07 02:37:06

I have an ASA set up for a non-profit that is not passing traffic. Depending on where the traffic originates, packet tracer gives mixed results: two results say the traffic is dropped by an ACL, the other says it is a NAT problem. I am sure I am missing something obvious. I can reach some sites, such as YouTube and Google Drive, but not others, such as Dropbox or Gmail. They can also stream to YouTube without any problem. I am leaning toward this being a problem with traffic coming back from the outside interface to the inside interface. Here is the current config.

: Saved
:
ASA Version 8.0(3)
!
hostname ASANAME
domain-name abcd.org
enable password xxxxxxxxxxxxxxxxxxx encrypted
names
name 172.20.10.1 ASANAME
!
interface Vlan1
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan10
 description to INSIDE VLAN
 nameif INSIDE
 security-level 100
 ip address ASANAME 255.255.255.0
!
interface Vlan100
 description to OUTSIDE interface
 nameif OUTSIDE
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 description physical connection to Cablemodem
 switchport access vlan 100
!
interface Ethernet0/1
 description TRON_NET
 switchport access vlan 10
!
interface Ethernet0/2
 description WF
 switchport access vlan 10
!
interface Ethernet0/3
 description PR
 switchport access vlan 10
!
interface Ethernet0/4
 switchport access vlan 10
!
interface Ethernet0/5
 switchport access vlan 10
!
interface Ethernet0/6
 switchport access vlan 10
!
interface Ethernet0/7
!
passwd Vy9tC77pJs8BycTr encrypted
banner motd
banner motd +-+
banner motd | |
banner motd | *** Unauthorized Use or Access Prohibited *** |
banner motd | |
banner motd | For Authorized Official Use Only |
banner motd | You must have explicit permission to access or |
banner motd | configure this device. All activities performed |
banner motd | on this device may be logged, and violations of |
banner motd | this policy may result in disciplinary action, and |
banner motd | may be reported to law enforcement authorities. |
banner motd | |
banner motd | There is no right to privacy on this device. |
banner motd | |
banner motd +-+
banner motd
ftp mode passive
clock timezone EDT -5
clock summer-time EDT recurring
dns domain-lookup INSIDE
dns domain-lookup OUTSIDE
dns server-group DefaultDNS
 name-server 75.75.75.75
 name-server 8.8.8.8
 domain-name lldm.org
object-group icmp-type DefaultICMP
 description Default ICMP Types permitted
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ssh
 port-object eq telnet
object-group service DropBox tcp
 port-object eq 17500
 port-object eq 17600
 port-object eq 17603
 port-object eq www
 port-object eq https
object-group service RTMP_Streaming tcp
 description Used to stream to youtube
 port-object eq 1935
 port-object eq www
 port-object eq https
object-group service TeamViewer
 service-object tcp-udp eq www
 service-object tcp eq 5938
 service-object tcp eq www
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_1
 service-object tcp-udp eq www
 service-object tcp eq www
 service-object tcp eq https
 service-object tcp eq domain
 service-object udp eq domain
object-group service DM_INLINE_SERVICE_2
 service-object ip
 service-object tcp-udp eq domain
 service-object tcp-udp eq www
 service-object tcp eq https
access-list ACL_INSIDE_OUT extended permit ip any any log
access-list ACL_INSIDE_OUT extended permit udp any any log
access-list ACL_INSIDE_OUT extended permit tcp any any log
access-list ACL_INSIDE_OUT extended permit tcp any any eq https log
access-list ACL_INSIDE_OUT extended permit tcp any any eq domain log
access-list ACL_INSIDE_OUT extended permit icmp any any echo
access-list ACL_INSIDE_OUT extended permit tcp any any eq www log
access-list ACL_INSIDE_IN extended permit ip any any log
access-list ACL_OUTSIDE_OUT extended permit ip any any log
access-list ACL_OUTSIDE_OUT extended permit udp any any log
access-list ACL_OUTSIDE_OUT extended permit tcp any any log
access-list ACL_OUTSIDE_OUT extended permit tcp any any eq www log
access-list ACL_OUTSIDE_OUT extended permit tcp any any eq https log
access-list ACL_OUTSIDE_OUT extended permit tcp any any eq domain log
access-list ACL_OUTSIDE_OUT extended permit icmp any any echo
access-list ACL_OUTSIDE_IN extended permit ip any any log
access-list ACL_OUTSIDE_IN extended permit udp any any log
access-list ACL_OUTSIDE_IN extended permit tcp any any log
access-list ACL_OUTSIDE_IN extended deny tcp any any object-group DM_INLINE_TCP_1 log warnings inactive
access-list OUTSIDE_ACL extended permit object-group TCPUDP any any eq domain
access-list OUTSIDE_ACL extended permit tcp any any object-group RTMP_Streaming
access-list OUTSIDE_ACL extended permit object-group TeamViewer any any
access-list OUTSIDE_ACL extended permit tcp any any object-group DropBox
access-list OUTSIDE_ACL extended permit ip 172.20.10.0 255.255.255.0 any log
access-list OUTSIDE_ACL extended permit ip any 172.20.10.0 255.255.255.0 log
access-list OUTSIDE_ACL extended permit tcp 172.20.10.0 255.255.255.0 any log
access-list OUTSIDE_ACL extended permit tcp any 172.20.10.0 255.255.255.0 log
access-list OUTSIDE_ACL extended permit udp any 172.20.10.0 255.255.255.0 log
access-list OUTSIDE_ACL extended permit udp 172.20.10.0 255.255.255.0 any log
access-list INSIDE_nat_outbound extended permit object-group DM_INLINE_SERVICE_1 172.20.10.0 255.255.255.0 any
access-list INSIDE_nat_outbound extended permit object-group DM_INLINE_SERVICE_2 any 172.20.10.0 255.255.255.0
access-list INSIDE_access_in extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging monitor informational
logging buffered informational
logging history warnings
logging asdm informational
mtu INSIDE 1500
mtu OUTSIDE 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
nat (INSIDE) 1 172.20.10.0 255.255.255.0
access-group INSIDE_access_in in interface INSIDE
access-group OUTSIDE_ACL in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 LANCASA 1
route INSIDE 172.168.20.0 255.255.255.0 LANCASA 1
route INSIDE 192.168.1.0 255.255.255.0 LANCASA 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
http server enable
http xxxxxxxxxxxxxx 255.255.255.255 OUTSIDE
http xxxxxxxxxxxxxx 255.255.255.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh xxxxxxx xxxxxxx INSIDE
ssh xxxxxxx xxxxxxxx OUTSIDE
ssh timeout 59
ssh version 2
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd lease 691200
dhcpd domain abcd.ORG
!
dhcpd address 172.20.10.100-172.20.10.131 INSIDE
dhcpd dns 75.75.75.75 75.75.76.76 interface INSIDE
dhcpd lease 1048575 interface INSIDE
dhcpd domain abcd.org interface INSIDE
dhcpd enable INSIDE
!

no threat-detection basic-threat
threat-detection statistics
username xxxxxx password xxxxxxxxxxxxxxxxxxxx encrypted privilege 15
!
!
prompt hostname context
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end
1 Answer

So I started going in circles, which brought me to the routing table... For some reason I had 2 default routes and a static route whose network was entered wrong and pointed to a routable address.

The first route highlighted in red is set via the ASA's hostname, and the ASA is the default gateway for my internal network.

The second route highlighted in red is the default for the ASA hostname, which is a non-routable private IP. So whenever I went to some IP, most of the time it would probably hit that route, which sends the traffic back to the INSIDE interface and never gets anywhere.

I noticed that the ACL on my INSIDE network was getting a lot of hits on its inbound ACL entries, but none on the OUTSIDE ACL, which threw me off a bit. Everything works now.

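The route-table mistakes the answer describes (a second default route next to the one learned via `ip address dhcp setroute`, static routes whose next hop is the ASA's own inside address, and a static route to a publicly routable prefix) can be caught by a small lint pass over the config before anyone reaches for packet-tracer. The script below is an added example, not code from the post; it parses only the `name`, interface address and `route` lines, and it assumes that `LANCASA` in the posted config is the same anonymised label as `ASANAME` for the inside address 172.20.10.1 (the post defines only `ASANAME`).

```python
import ipaddress

# Constructed sample distilled from the question's config (routing lines only). The posted
# config defines only ASANAME; assume LANCASA is the same anonymised label for 172.20.10.1.
SAMPLE_CONFIG = """
name 172.20.10.1 LANCASA
interface Vlan10
 nameif INSIDE
 ip address LANCASA 255.255.255.0
interface Vlan100
 nameif OUTSIDE
 ip address dhcp setroute
route OUTSIDE 0.0.0.0 0.0.0.0 LANCASA 1
route INSIDE 172.168.20.0 255.255.255.0 LANCASA 1
"""


def check_routes(config):
    # Parse `name`, interface address and `route` lines from an ASA 8.x style config,
    # then return a list of findings; an empty list means nothing suspicious.
    names, ifaces, routes, cur = {}, {}, [], None
    for tok in (ln.split() for ln in config.splitlines() if ln.strip()):
        if tok[0] == "name":                       # name <ip> <label>
            names[tok[2]] = tok[1]
        elif tok[0] == "interface":
            cur = {"net": None, "setroute": False}
        elif tok[0] == "nameif":
            ifaces[tok[1]] = cur
        elif tok[:2] == ["ip", "address"] and tok[2] == "dhcp":
            cur["setroute"] = "setroute" in tok    # a default route will be learned via DHCP
        elif tok[:2] == ["ip", "address"]:
            cur["net"] = ipaddress.ip_interface(f"{names.get(tok[2], tok[2])}/{tok[3]}")
        elif tok[0] == "route":                    # route <if> <net> <mask> <gw> [metric]
            routes.append((tok[1], tok[2], tok[3], tok[4]))
    own = {str(i["net"].ip): n for n, i in ifaces.items() if i["net"]}
    defaults = [f"{n} (dhcp setroute)" for n, i in ifaces.items() if i["setroute"]]
    findings = []
    for ifname, net, mask, gw in routes:
        gw_ip = ipaddress.ip_address(names.get(gw, gw))   # ValueError if the name is undefined
        dest = ipaddress.ip_network(f"{net}/{mask}")
        if dest.prefixlen == 0:
            defaults.append(f"{ifname} via {gw}")
        elif not dest.is_private:                  # public prefix routed internally: usually a typo
            findings.append(f"route {net} via {gw}: destination is globally routable space")
        if str(gw_ip) in own:                      # next hop is the firewall itself, so traffic loops back
            findings.append(f"route {net} via {gw}: next hop is the ASA's own {own[str(gw_ip)]} address")
    if len(defaults) > 1:
        findings.append(f"{len(defaults)} default routes: {'; '.join(defaults)}")
    return findings
```

Running `check_routes(SAMPLE_CONFIG)` reports both routes as pointing at the ASA's own INSIDE address, flags 172.168.20.0/24 as public space, and counts two default routes; a config with a single default route via a next hop on the OUTSIDE subnet returns an empty list.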