Firewall to internal/external network connection

Network engineering  LAN  Firewall
2022-03-04 03:53:47

I have a 3560 core switch connected to a 2960 "Transmittor" switch. I created VLAN 10 on the 3560 with IP address 192.168.1.11, and I also created VLAN 10 on the 2960 with IP address 192.168.1.12, so they are in the same subnet. I created an "inside" subinterface on the firewall with IP address 192.168.1.10, but I cannot ping the firewall subinterface IP from my 3560 switch. I have provided the full configuration of every device. Please help! Here is my firewall configuration (5520 ASA):

This is the firewall configuration:

ciscoasa#  sh run
: Saved
:
: Serial Number: JMX1131L1ZU
: Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
:
ASA Version 9.1(7)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.1
 vlan 5
 nameif inside
 security-level 100
 ip address 192.168.1.10 255.255.255.0
!
interface GigabitEthernet0/0.2
 vlan 6
 nameif outside
 security-level 0
 ip address 192.168.2.10 255.255.255.0
!
interface GigabitEthernet0/0.3
 vlan 7
 nameif dmz
 security-level 50
 ip address 192.168.3.10 255.255.255.0
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
pager lines 24
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6287e0f52613b8763af300eae4849745
: end
ciscoasa#

2960 switch (Transmittor switch):

Transmittor#sh run
Building configuration...
Current configuration : 1913 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Transmittor
!
!
no aaa new-model
system mtu routing 1500
vtp mode transparent
ip subnet-zero
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 10,20,30,40,112-113
!
vlan 210
 name netmon
!
vlan 439
 name radio
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
 switchport access vlan 10
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,30,40
 switchport mode trunk
!
interface GigabitEthernet0/22
 switchport access vlan 10
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,30,40
 switchport mode trunk
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan10
 ip address 192.168.1.12 255.255.255.0
 no ip route-cache
!
interface Vlan20
 ip address 192.168.20.14 255.255.255.0
 no ip route-cache
!
interface Vlan30
 ip address 192.168.30.14 255.255.255.0
 no ip route-cache
!
interface Vlan40
 ip address 192.168.40.14 255.255.255.0
 no ip route-cache
!
ip http server
!
control-plane
!
!
line con 0
line vty 0 4
 password abc
 login
line vty 5 15
 login
!
end

Output from the 3560 switch:

Switch#sh run
Building configuration...

Current configuration : 1704 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
!
interface GigabitEthernet0/25
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10
 switchport mode trunk
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10
 switchport mode trunk
!
interface GigabitEthernet0/28
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 192.168.1.11 255.255.255.0
!
ip classless
ip http server
!
!
!
control-plane
!
!
line con 0
line vty 5 15
!
end

Switch#

2 answers

You need to create a subinterface on the ASA for each VLAN. A subinterface works like a VLAN interface on a switch. This effectively turns your inside interface into a trunk. For example:

interface gi0/0
no ip address

interface gi0/0.10
vlan 10
nameif VLAN10
ip address 1.1.1.1 255.255.255.0
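One thing worth checking against the posted configs: the ASA tags its inside subinterface with VLAN 5, while both switches put 192.168.1.0/24 on VLAN 10 and the 3560 trunk ports allow only VLAN 10, so the tags on the two ends of the link never match. The script below is an added config-audit example (not code from the question or either answer); it parses constructed excerpts of the posted ASA and 3560 configs and reports any ASA subinterface whose 802.1Q tag disagrees with the switch SVI in the same subnet or is missing from the trunk's allowed list. It assumes Gi0/25 is the 3560 port facing the ASA, which the post does not state.

```python
from ipaddress import ip_interface

# Constructed excerpts of the ASA and 3560 configs quoted in the question. Assumption:
# Gi0/25 on the 3560 is the trunk facing the ASA (the post does not say which port it is).
ASA_CFG = """\
interface GigabitEthernet0/0.1
 vlan 5
 nameif inside
 ip address 192.168.1.10 255.255.255.0
"""
SWITCH_CFG = """\
interface GigabitEthernet0/25
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10
 switchport mode trunk
interface Vlan10
 ip address 192.168.1.11 255.255.255.0
"""

def parse(cfg):
    """One pass over an IOS/ASA config. Returns (tagged, trunks): tagged maps an interface to
    (802.1Q tag, ip_interface) for ASA 'vlan N' subinterfaces and IOS VlanN SVIs; trunks maps
    a trunk port to its set of allowed tags."""
    tagged, trunks, cur = {}, {}, None
    for line in cfg.splitlines():
        words = line.split()
        if line.startswith("interface "):
            cur = words[1]
            if cur.startswith("Vlan"):                # IOS SVI: the tag is in the name
                tagged[cur] = [int(cur[4:]), None]
        elif line.startswith(" vlan "):               # ASA subinterface tag (indented, not global)
            tagged[cur] = [int(words[1]), None]
        elif words[:2] == ["ip", "address"] and cur in tagged:
            tagged[cur][1] = ip_interface(f"{words[2]}/{words[3]}")
        elif words[:4] == ["switchport", "trunk", "allowed", "vlan"]:
            trunks[cur] = {int(v) for v in words[4].split(",")}
    return {k: tuple(v) for k, v in tagged.items() if v[1]}, trunks

def audit(asa_cfg, sw_cfg, trunk_port):
    """Report ASA subinterfaces whose tag disagrees with the switch side of the trunk."""
    asa, _ = parse(asa_cfg)
    svis, trunks = parse(sw_cfg)
    allowed, findings = trunks.get(trunk_port, set()), []
    for name, (vid, addr) in asa.items():
        for svi, (svid, saddr) in svis.items():    # same subnet but a different tag = never L2-adjacent
            if addr.network == saddr.network and vid != svid:
                findings.append(f"{name}: ASA tags vlan {vid} but {svi} ({saddr.ip}) is vlan {svid}")
        if vid not in allowed:                      # tag pruned by the switch trunk
            findings.append(f"{name}: vlan {vid} is not allowed on {trunk_port}")
    return findings
```

Running `audit(ASA_CFG, SWITCH_CFG, "GigabitEthernet0/25")` yields two findings for the inside subinterface; changing its tag to `vlan 10` clears both.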

Since I don't know your final plan, I'll give you a few other options.

If you are routing between VLANs on the firewall, what Ron Trunk gave you is what you should do. You will need some way for the router to know the routes behind the firewall. You can use static routes (not scalable) or a routing protocol to tell the router which routes are behind the core switch. You could run OSPF on the firewall and the router, and you can inject a default route into OSPF on the router.

If you have a layer 3 core switch and you want to route between VLANs on the core switch (probably better than on the firewall or router), you should enable routing on the layer 3 switch and then set up a routed link, rather than a trunk, between the core switch and the firewall. The firewall and router will then need to know the networks behind the core switch. You can use static routes (not scalable) or a routing protocol to tell the firewall and router which routes are behind the core switch. You could run OSPF on the core switch, firewall and router, and you can inject a default route into OSPF on the router.

Your third option is to route between VLANs on the router. If you route between VLANs on the router (probably the least attractive option), you need to set the firewall up as a transparent firewall so that the VLANs can pass from the core switch to the router. Then you need to set up the VLANs and addresses on the router in a similar way (subinterfaces) to what Ron told you to do for the firewall.