您好,请参见下面的网络图。
我正在尝试将分支路由器 (10.1.1.1) 配置为在 HQ-AAA-Server 主机 (192.168.10.10) 上使用 TACACS AAA。TACACS 通过 VPN 隧道连接到 HQ-FW1 的 Branch-FW1 ASA 设备运行良好。
我可以在wireshark 上看到流量,表明当我尝试登录到分支路由器时,TCP SYN 数据包在端口 49 上发送,但没有收到回复,而且我没有看到任何 VPN 流量生成,因此看起来 BR-FW1 ASA 正在阻止要求。
我在 Branch-FW1 中有一个 ACL,允许来自外部接口的 TACACS 流量,另一个将其标记为 VPN 隧道的有趣流量:
VPN 隧道 ACL:
access-list HQFTPACL permit ip object net-local object net-remote
access-list HQFTPACL permit tcp host 10.1.1.1 host 192.168.10.10 eq tacacs
外部 ACL:
access-list OUTSIDE-ACL extended permit tcp host 10.1.1.1 host 192.168.10.10 eq tacacs
access-group OUTSIDE-ACL in interface outside
使用数据包跟踪器看起来好像 ACL 上的隐式拒绝正在阻止来自外部的 TACACS 流量,但我无法弄清楚为什么会这样?
Branch-FW(config)# packet-tracer input outside tcp 10.1.1.1 1234 192.168.10.10$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.1.1.1 using egress ifc outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
output-interface: outside
output-status: up
output-line-status: up
Action: drop
完整的 Branch-FW1 配置:
:
: Serial Number: 9A2EL3EHE12
: Hardware: ASAv, 2048 MB RAM, CPU Pentium II 2000 MHz
: Written by admin at 13:15:20.359 UTC Fri Dec 10 2021
!
ASA Version 9.5(2)204
!
hostname Branch-FW
domain-name asecuritycompany.com
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
description TO THE BRANCH ROUTER OUTSIDE 10.1.1.0/30 NETWORK
nameif outside
security-level 0
ip address 10.1.1.2 255.255.255.252
!
interface GigabitEthernet0/1
description TO THE BRANCH INSIDE 10.1.10.0/24 NETWORK
nameif inside
security-level 100
ip address 10.1.10.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
banner login ****************************************************************
banner login * *
banner login * UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED *
banner login * *
banner login * You must have explicit, authorized permission to access *
banner login * or configure this device. *
banner login * *
banner login * Unauthorized attempts and actions to access or use this *
banner login * system may result in civil and/or criminal penalties. *
banner login * *
banner login * All activities performed on this device are logged *
banner login * and monitored. *
banner login * *
banner login ****************************************************************
ftp mode passive
dns server-group DefaultDNS
domain-name asecuritycompany.com
object network net-local
subnet 10.1.10.0 255.255.255.0
object network net-outside
subnet 10.1.1.0 255.255.255.252
object network net-remote
subnet 192.168.10.0 255.255.255.0
access-list HQFTPACL extended permit ip object net-local object net-remote
access-list HQFTPACL extended permit tcp host 10.1.1.1 host 192.168.10.10 eq tacacs
access-list OUTSIDE-ACL extended permit tcp host 10.1.1.1 host 192.168.10.10 eq tacacs
pager lines 23
mtu outside 1500
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static net-local net-local destination static net-remote net-remote
!
object network net-local
nat (inside,outside) dynamic interface
object network net-outside
nat (inside,outside) dynamic interface
access-group OUTSIDE-ACL in interface outside
route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server HQ-TACACS-GROUP protocol tacacs+
aaa-server HQ-TACACS-GROUP (inside) host 192.168.10.10
key testing123
user-identity default-domain LOCAL
aaa authentication serial console HQ-TACACS-GROUP LOCAL
aaa authentication telnet console HQ-TACACS-GROUP LOCAL
aaa authentication ssh console HQ-TACACS-GROUP LOCAL
aaa authentication enable console HQ-TACACS-GROUP LOCAL
aaa authorization command HQ-TACACS-GROUP LOCAL
aaa accounting ssh console HQ-TACACS-GROUP
aaa accounting enable console HQ-TACACS-GROUP
aaa accounting command HQ-TACACS-GROUP
aaa accounting serial console HQ-TACACS-GROUP
aaa accounting telnet console HQ-TACACS-GROUP
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set HQFTPTRANS esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map HQFTPMAP 1 match address HQFTPACL
crypto map HQFTPMAP 1 set pfs group1
crypto map HQFTPMAP 1 set peer 192.168.20.2
crypto map HQFTPMAP 1 set ikev1 transform-set HQFTPTRANS
crypto map HQFTPMAP interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
auto-import
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.10.21 255.255.255.255 outside
ssh 192.168.10.2 255.255.255.255 outside
ssh 192.168.20.2 255.255.255.255 outside
ssh 10.1.10.1 255.255.255.255 outside
ssh 10.1.10.3 255.255.255.255 outside
ssh 192.168.10.21 255.255.255.255 inside
ssh 192.168.10.2 255.255.255.255 inside
ssh 192.168.20.2 255.255.255.255 inside
ssh 10.1.10.1 255.255.255.255 inside
ssh 10.1.10.3 255.255.255.255 inside
ssh timeout 10
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username localadmin password zDkbp36jt66L0Z6u encrypted privilege 15
tunnel-group 192.168.20.2 type ipsec-l2l
tunnel-group 192.168.20.2 ipsec-attributes
ikev1 pre-shared-key SECRET-KEY
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
Cryptochecksum:5c75c343565aaa10bcf4a87ecc2111bf
: end