I have the following network, which splits the site into a Corp/DMZ style network as best I can, but is limited by the restrictions on the ASA in Packet Tracer. Both routers have static routes for the 10.100.0.0 and 172.16.0.0 networks pointing at the respective ASA interfaces, as well as a classless route out of the network.
Both ASAs have two static routes: one for the inside network they cover, and a classless route to their respective router (ASA1 to R1 and ASA2 to R2). From a machine inside the 10.100.0.0 network I can ping the inside R1 interface at 10.50.6.241. From R1 I can ping the router interface at 200.195.100.2.
However, when I try to ping 200.195.100.2 from a machine inside the 10.100.0.0 network (or from ASA1), the packet reaches ASA1 and bounces between the inside 10.50.6.249/30 interface on ASA1 and the outside 10.50.6.244/29 interface on ASA2 inside ASA1, which, as per its default route definition, sends it to R1.
ASA1 routes as configured:
route inside 10.100.0.0 255.255.0.0 10.50.6.250 1
route outside 0.0.0.0 0.0.0.0 10.50.6.241 1
ARP output from ASA1
UK-Corp-EP-ASA1#show arp
outside 10.50.6.241 000A.4146.0501
outside 10.50.6.242 0030.F2A0.5101
outside 10.50.6.243 0003.E4BC.38D8
inside 10.50.6.249 0003.E4BC.38D8
inside 10.50.6.250 00D0.BA60.B218
inside 10.100.10.2 00D0.BA60.B218
inside 10.100.10.3 00D0.BA60.B218
outside 172.16.30.4 0002.1612.88E8
Can anyone suggest why this is happening?
Edit:
As an interesting note, after reopening the file and running a trace from the PC, I get the following result:
PC>tracert 200.195.100.2
Tracing route to 200.195.100.2 over a maximum of 30 hops:
1 0 ms 0 ms 0 ms 10.100.10.1
2 0 ms 0 ms 0 ms 10.50.6.249
3 * 0 ms 1 ms 10.50.6.242
4 37 ms 1 ms 1 ms 200.195.100.6
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10
As requested:
R1 interfaces (the other interfaces are shut down and unused)
interface FastEthernet0/0
ip address 10.50.6.241 255.255.255.248
ip nat inside
duplex auto
speed auto
!
interface Serial0/0/0
ip address 200.195.100.1 255.255.255.252
ip nat outside
!
R2 interfaces
interface FastEthernet0/0
ip address 10.50.6.242 255.255.255.248
ip nat inside
duplex auto
speed auto
!
interface Serial0/0/0
ip address 200.195.100.5 255.255.255.252
ip nat outside
!
Switch configuration:
R1 - fa0/24
R2 - fa0/23
ASA1 - fa0/1
ASA2 - fa0/2
UK-EP-Distro-SW1#show int trunk
Port Mode Encapsulation Status Native vlan
Fa0/1 on 802.1q trunking 80
Fa0/2 on 802.1q trunking 80
Fa0/23 on 802.1q trunking 80
Fa0/24 on 802.1q trunking 80
Port Vlans allowed on trunk
Fa0/1 6,10,20,30,80,150
Fa0/2 6,10,20,30,80,150
Fa0/23 6,10,20,30,80,150
Fa0/24 6,10,20,30,80,150
Port Vlans allowed and active in management domain
Fa0/1 6,10,20,30,80,150
Fa0/2 6,10,20,30,80,150
Fa0/23 6,10,20,30,80,150
Fa0/24 6,10,20,30,80,150
Port Vlans in spanning tree forwarding state and not pruned
Fa0/1 6,10,20,30,80,150
Fa0/2 6,10,20,30,80,150
Fa0/23 6,10,20,30,80,150
Fa0/24 6,10,20,30,80,150
UK-EP-Distro-SW1# show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active
5 Default active Fa0/3, Fa0/4, Fa0/5, Fa0/6
Fa0/7, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Gig0/1, Gig0/2
6 Routing active
10 UK-Corp-PC active
20 UK-Corp-Server active
30 UK-DMz-Server active
80 Native active
150 VoIP active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
If I ping 200.195.100.6 from 10.100.0.0 it gets a reply, because ASA1 sends the packet out via R2 (again, this is not the default route).
I have considered that it might be a bug in PT. There is nothing I can do about that :(
R1 routing table:
Gateway of last resort is 200.195.100.2 to network 0.0.0.0
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.50.6.240/29 is directly connected, FastEthernet0/0
S 10.100.0.0/16 [1/0] via 10.50.6.243
S 172.16.0.0/16 [1/0] via 10.50.6.244
200.195.100.0/30 is subnetted, 1 subnets
C 200.195.100.0 is directly connected, Serial0/0/0
S* 0.0.0.0/0 [1/0] via 200.195.100.2
Ping from PC 10.100.10.2:
PC>tracert 200.195.100.2
Tracing route to 200.195.100.2 over a maximum of 30 hops:
1 1 ms 1 ms 1 ms 10.100.10.1
2 * 0 ms 0 ms 10.50.6.249
3 * * 0 ms 10.50.6.244
4 * 11 ms 11 ms 10.50.6.249
5 11 ms 10 ms 10 ms 10.50.6.244
6 1 ms 12 ms 12 ms 10.50.6.249
7 25 ms 11 ms 26 ms 10.50.6.244
8 13 ms 12 ms 12 ms 10.50.6.249
9 23 ms 22 ms 24 ms 10.50.6.244
10 19 ms 21 ms 26 ms 10.50.6.249
11 24 ms 13 ms 12 ms 10.50.6.244
12 24 ms 24 ms 21 ms 10.50.6.249
13 34 ms 10 ms 23 ms 10.50.6.244
14 22 ms 33 ms 43 ms 10.50.6.249
Dropbox link to the file. As an update after this discussion, I have changed the interfaces on the switch from trunks to being on the routing VLAN 6.
https://www.dropbox.com/sh/kt5x03j1kckf9bw/AABdlTWqvyUNQer-O-t_AAv7a?dl=0
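As an added example (not part of the original question or the Packet Tracer file), here is a small longest-prefix-match forwarding simulator that replays the ASA1 and R1 static routes quoted above hop by hop and reports a routing loop when the same device is visited twice for one destination. The device at 10.50.6.250 (called CoreRouter here) and its routes are assumptions, and ASA2's table is not modelled because the post does not show it.

```python
import ipaddress

# Static routes transcribed from the post (ASA1 and R1). None = directly connected.
TABLES = {
    "ASA1": [("10.100.0.0/16", "10.50.6.250"), ("0.0.0.0/0", "10.50.6.241")],
    "R1": [("10.50.6.240/29", None), ("10.100.0.0/16", "10.50.6.243"),
           ("172.16.0.0/16", "10.50.6.244"), ("200.195.100.0/30", None),
           ("0.0.0.0/0", "200.195.100.2")],
    # Assumption: the router at 10.50.6.250 owns the 10.100.0.0/16 site (not in the post).
    "CoreRouter": [("10.100.0.0/16", None), ("0.0.0.0/0", "10.50.6.249")],
}
# Which device owns each next-hop address, taken from the post's ARP output and
# interface configs; the 10.50.6.250 -> CoreRouter entry is the assumption above.
OWNER = {"10.50.6.241": "R1", "10.50.6.243": "ASA1", "10.50.6.249": "ASA1",
         "10.50.6.250": "CoreRouter"}

def lookup(table, dst):
    """Longest-prefix match over one device's table: (network, next_hop) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def trace(tables, owner, start, dst, max_hops=16):
    """Follow each device's forwarding decision for dst. Returns (status, path)."""
    path, seen, device = [], set(), start
    for _ in range(max_hops):
        if device in seen:          # back at a device already visited: routing loop
            return "loop", path
        seen.add(device)
        route = lookup(tables[device], dst)
        if route is None:
            return "no-route", path
        net, nh = route
        path.append((device, str(net), nh))
        if nh is None:              # connected network: delivered on-link
            return "delivered", path
        if nh not in owner:         # next hop is outside the modelled topology
            return "exits-model", path
        device = owner[nh]
    return "ttl-exceeded", path

if __name__ == "__main__":
    for src, dst in [("CoreRouter", "200.195.100.2"), ("R1", "10.100.10.2")]:
        print(src, "->", dst, trace(TABLES, OWNER, src, dst))
```

With only the tables shown in the post, 200.195.100.2 is delivered at R1 after CoreRouter -> ASA1 -> R1, so the bounce seen in the traceroute must come from a table the post does not show (ASA2's) or from the simulator itself.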
