Cisco ASA-5505 - 可以从 LAN 连接的设备 ping Internet,但是我无法从 LAN 接口 ping 到 Internet

网络工程 路由 思科-ASA ipsec
2022-02-03 03:22:52

我是 Cisco ASA 和 ASDM 的新手。与 IOS 设备的差异作斗争。网络布局如下:

AWS VPC -- IPsec 隧道 -- ASA-5505 -- LAN

目前:

  1. IPsec 隧道已启动。
  2. AWS 可以访问 LAN 连接的设备。
  3. 局域网连接的设备可以访问互联网。

但是我有这两个问题:

  1. ASA 的 LAN 接口无法 ping 到 Internet。
  2. SLA 监控不起作用。(也许与第 1 点有关?)

下面我插入了大部分运行配置(和路由表)。我删除了加密配置,并用 xxx 隐藏了一些八位组的 WAN 地址。希望这里有足够的配置有助于故障排除。如果一些额外的信息会有所帮助,请询问。

(抱歉,可能有更好的方法来格式化下面的运行配置。)

ciscoasa# show running-config  
: Saved  
:  
ASA Version 9.1(2)8  
!  
interface Ethernet0/0  
 switchport access vlan 2  
!  
interface Ethernet0/1  
!  
interface Ethernet0/2  
!  
interface Ethernet0/3  
!  
interface Ethernet0/4  
!  
interface Ethernet0/5  
!  
interface Ethernet0/6  
!  
interface Ethernet0/7  
!  
interface Vlan1  
 nameif inside  
 security-level 100  
 ip address 192.168.0.1 255.255.255.0  
!  
interface Vlan2  
 nameif outside  
 security-level 0  
 ip address xxx.152.29.xxx 255.255.255.240  
!  
ftp mode passive  
object network inside-subnet-1  
 subnet 192.168.0.0 255.255.255.0  
object network AWS-inside-subnet  
 subnet 172.19.254.128 255.255.255.128  
object network NETWORK_OBJ_192.168.0.0_24  
 subnet 192.168.0.0 255.255.255.0  
object-group protocol DM_INLINE_PROTOCOL_1  
 protocol-object ip  
 protocol-object icmp  
access-list outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 192.168.0.0 255.255.255.0 object AWS-inside-subnet  
pager lines 24  
logging enable  
logging asdm informational  
mtu outside 1500  
mtu inside 1500  
no failover  
icmp unreachable rate-limit 1 burst-size 1  
no asdm history enable  
arp timeout 14400  
no arp permit-nonconnected  
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static AWS-inside-subnet AWS-inside-subnet  
!  
object network inside-subnet-1  
 nat (inside,outside) dynamic interface  
route outside 0.0.0.0 0.0.0.0 xxx.152.29.xxx 1  

http server enable  
http 192.168.0.0 255.255.255.0 inside  
no snmp-server location  
no snmp-server contact  

sla monitor 1  
 type echo protocol ipIcmpEcho 172.19.254.129 interface outside  
 frequency 30  
sla monitor schedule 1 life forever start-time now  
!  
ssh 192.168.0.0 255.255.255.0 inside  
ssh timeout 20  
ssh key-exchange group dh-group1-sha1  
console timeout 0  
!  
!  
class-map inspection_default  
 match default-inspection-traffic  
!  
!  
policy-map type inspect dns preset_dns_map  
 parameters  
  message-length maximum client auto  
  message-length maximum 512  
policy-map global_policy  
 class inspection_default  
  inspect dns preset_dns_map  
  inspect ftp  
  inspect h323 h225  
  inspect h323 ras  
  inspect rsh  
  inspect rtsp  
  inspect esmtp  
  inspect sqlnet  
  inspect skinny  
  inspect sunrpc  
  inspect xdmcp  
  inspect sip  
  inspect netbios  
  inspect tftp  
  inspect ip-options  
  inspect icmp  
!   
: end  
ciscoasa# show route  

Gateway of last resort is xxx.152.29.xxx to network 0.0.0.0  

C    xxx.152.29.xxx 255.255.255.240 is directly connected, outside  
C    192.168.0.0 255.255.255.0 is directly connected, inside  
S*   0.0.0.0 0.0.0.0 [1/0] via xxx.152.29.xxx, outside  
ciscoasa#
2个回答

要使 IP SLA 正​​常工作,请将您的加密 ACL 从以下位置更改:

access-list outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 192.168.0.0 255.255.255.0 object AWS-inside-subnet

到 :

access-list outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 any4 object AWS-inside-subnet

而且,当然,在远程对等方做同样的事情(相反)。

这样,IP SLA(源自 ASA 的外部 IP 地址)也通过隧道传输。

来源:http ://www.tunnelsup.com/troubleshooting-vpn-between-cisco-asa-and-amazon-aws

编辑:请注意,如果 AWS 和 Internet 之间存在任何流量,建议的配置更改可能会破坏事情,因为它可能导致该流量现在穿过隧道(取决于另一端的配置方式)。

Edit2:如果您从外部界面获取它,这也应该使常规 ping 工作。老实说,我不确定来自内部界面的 ping 是否可以正常工作 - 如果您启用management-access inside. 这至少应该允许您从 AWS ping 内部接口。

在 CLI 中键入这些命令(从您提供的配置开始):

management-access inside
access-list outside_cryptomap extended permit ip object NETWORK_OBJ_192.168.0.0_24 object AWS-inside-subnet
no access-list outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 192.168.0.0 255.255.255.0 object AWS-inside-subnet
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static AWS-inside-subnet AWS-inside-subnet no-proxy-arp route-lookup
nat (inside outside) after-auto source dynamic any interface
object network inside-subnet-1
no nat (inside,outside) dynamic interface
exit
ip sla monitor 1
no type echo protocol ipIcmpEcho 172.19.254.129 interface outside
type echo protocol ipIcmpEcho 172.19.254.129 source-ipaddr 192.168.0.1
exit
track 1 rtr 1 reachability

键入上述命令后,退出配置模式并清除 ipsec sa 以重新启动隧道。SLA 监视器应该开始工作。如果没有,您可能想为 source-ip 参数尝试另一个 192.168.0.x 地址。

另外,您的 ASA IOS 映像非常旧!您可能会遇到 VPN 错误。我强烈建议升级到 9.1(7)19 (asa917-19-k8.bin)

有关详细信息,请参阅https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

其它你可能感兴趣的问题
上一篇作为无线客户端,监管领域是否相关? 下一篇/23 GNS3 中的 IP 空间分配