Accessing a TACACS+ server through an ASA

network-engineering cisco cisco-asa acl tacacs
2022-02-04 09:09:03

I am trying to set up TACACS+ for a project. The diagram below shows the layout of the network.

Network diagram

So far I have the TACACS+ server (HQ_AAA_SERVER) set up and running, and it works fine for authentication etc. on the ASA firewall (HQ-FW1). I believe the setup on the HQ router (HQ) is correct, because when I run the command:

test aaa group tacacs+ admin Cisco legacy

I can see a TCP SYN packet sent from HQ e0/1 to the tacacs server on port 49, but no response, and capturing from HQ-FW1 Gi0/1 I see nothing at all.

I have added an ACL to HQ-FW1, applied to the outside interface:

access-list OUTSIDE-ACL extended permit tcp host 192.168.20.1 host 192.168.10.10 eq tacacs

(192.168.20.1 is e0/1 on the router, 192.168.10.10 is the TACACS+ server.)

Am I missing another command needed to allow the traffic, or is my ACL wrong? Happy to add any config info/output etc. if it helps.

ASA configuration


: 
: Serial Number: 9AUN2D30JLX
: Hardware:   ASAv, 2048 MB RAM, CPU Pentium II 2000 MHz
: Written by localadmin at 20:03:49.299 UTC Sun Nov 28 2021
!
ASA Version 9.5(2)204 
!
hostname HQ-FW1
domain-name asecuritycompany.com
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
 description TO THE HQ ROUTER OUTSIDE 192.168.20.0/30 NETWORK
 nameif outside
 security-level 0
 ip address 192.168.20.2 255.255.255.252 
!
interface GigabitEthernet0/1
 description TO THE HQ INSIDE 192.168.10.0/24 NETWORK
 nameif inside
 security-level 100
 ip address 192.168.10.2 255.255.255.0 
!
interface GigabitEthernet0/2
 description TO THE WEB_DMZ 192.168.30.0/29 NETWORK
 nameif web-dmz
 security-level 40
 ip address 192.168.30.1 255.255.255.248 
!
interface GigabitEthernet0/3
 description TO THE HQ FTP DMZ NETWORK 192.168.40.0/29
 nameif ftp-dmz
 security-level 60
 ip address 192.168.40.1 255.255.255.248 
!
interface GigabitEthernet0/4
 description TO THE HQ CLIENT DMZ NETWORK 192.168.50.0/29
 nameif client-dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.248 
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name asecuritycompany.com
object network net-local
 subnet 192.168.10.0 255.255.255.0
object network net-outside
 subnet 192.168.20.0 255.255.255.252
object network net-web-dmz
 subnet 192.168.30.0 255.255.255.224
object network net-ftp-dmz
 subnet 192.168.40.0 255.255.255.224
object network net-client-dmz
 subnet 192.168.50.0 255.255.255.224
object network net-dmz-web-server
 host 192.168.30.2
object network net-dmz-ftp-server
 host 192.168.40.2
object network net-dmz-client-server
 host 192.168.50.2
object network net-remote
 subnet 10.1.10.0 255.255.255.0
access-list OUTSIDE-ACL extended permit tcp host 192.168.20.1 host 192.168.10.10 eq tacacs 
access-list OUTSIDE-ACL extended permit ip any host 192.168.30.2 
access-list BRFTPACL extended permit ip object net-local object net-remote 
access-list CLIENT-VPN-LIST webtype permit tcp host 192.168.50.2 eq www
access-list CLIENT-VPN-LIST webtype deny tcp any
access-list CLIENT-VPN-LIST webtype deny url any
pager lines 23
mtu outside 1500
mtu inside 1500
mtu web-dmz 1500
mtu ftp-dmz 1500
mtu client-dmz 1500
no failover
no monitor-interface service-module 
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static net-local net-local destination static net-remote net-remote
!
object network net-local
 nat (inside,outside) dynamic interface
object network net-dmz-web-server
 nat (web-dmz,outside) static 209.165.200.227
access-group OUTSIDE-ACL in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.20.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server HQ-TACACS-GROUP protocol tacacs+
 reactivation-mode timed
aaa-server HQ-TACACS-GROUP (inside) host 192.168.10.10
 key testing123
user-identity default-domain LOCAL
aaa authentication serial console HQ-TACACS-GROUP LOCAL
aaa authentication telnet console HQ-TACACS-GROUP LOCAL
aaa authentication ssh console HQ-TACACS-GROUP LOCAL
aaa authentication enable console HQ-TACACS-GROUP LOCAL
aaa authorization command HQ-TACACS-GROUP LOCAL
aaa accounting ssh console HQ-TACACS-GROUP
aaa accounting enable console HQ-TACACS-GROUP
aaa accounting command HQ-TACACS-GROUP
aaa accounting serial console HQ-TACACS-GROUP
aaa accounting telnet console HQ-TACACS-GROUP
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set BRFTPTRANS esp-aes-256 esp-sha-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto map BRFTPMAP 1 match address BRFTPACL
crypto map BRFTPMAP 1 set pfs group1
crypto map BRFTPMAP 1 set peer 10.1.1.2 
crypto map BRFTPMAP 1 set ikev1 transform-set BRFTPTRANS
crypto map BRFTPMAP interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpool policy
 auto-import
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 cache
  disable
 error-recovery disable
group-policy CLIENT-VPN-POLICY internal
group-policy CLIENT-VPN-POLICY attributes
 webvpn
  filter value CLIENT-VPN-LIST
dynamic-access-policy-record DfltAccessPolicy
username localadmin password zDkbp36jt66L0Z6u encrypted privilege 15
username vpntemp password VTXQbFOPKnQDvIdw encrypted
tunnel-group 10.1.1.2 type ipsec-l2l
tunnel-group 10.1.1.2 ipsec-attributes
 ikev1 pre-shared-key SECRET-KEY
tunnel-group CLIENT-VPN-GROUP type remote-access
tunnel-group CLIENT-VPN-GROUP general-attributes
 default-group-policy CLIENT-VPN-POLICY
 authorization-required
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect icmp 
  inspect http 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
 profile License
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination transport-method http
Cryptochecksum:e63cf43d3932782eb38e32959344b993
: end

HQ router configuration


!
! Last configuration change at 20:06:11 GMT Sun Nov 28 2021 by localadmin
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HQ
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE-LINE local
aaa authentication login HQTACACS group tacacs+ local
!
!
!
!
!
aaa session-id common
clock timezone GMT 0 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!


!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
username localadmin privilege 15 secret 5 $1$mX0o$aBpVy.ik5ak8ev4wq9IRf1
!
redundancy
!
!
! 
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
 no shutdown
 description TO THE ISP-HQ NETWORK 209.165.200.224/30
 ip address 209.165.200.226 255.255.255.224
!
interface Ethernet0/1
 no shutdown
 description TO THE HQ NETWORK 192.168.10.0/24
 ip address 192.168.20.1 255.255.255.252
!
interface Ethernet0/2
 no shutdown
 no ip address
 shutdown
!
interface Ethernet0/3
 no shutdown
 no ip address
 shutdown
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 10.1.1.0 255.255.255.252 Ethernet0/0
ip route 10.1.10.0 255.255.255.0 Ethernet0/0
ip route 192.31.7.32 255.255.255.224 Ethernet0/0
ip route 192.168.10.10 255.255.255.255 Ethernet0/1
ip route 198.133.219.0 255.255.255.252 Ethernet0/0
ip route 209.165.200.227 255.255.255.255 Ethernet0/1
ip route 209.165.200.228 255.255.255.255 Ethernet0/1
!
!
!
tacacs-server directed-request
tacacs server HQTACACS
 address ipv4 192.168.10.10
 key testing123
!
!
!
control-plane
!
!
!
!
!
!
!
!
line con 0
 logging synchronous
 login authentication CONSOLE-LINE
line aux 0
line vty 0 4
 transport input none
!
!
end

Wireshark trace captured from Gi0/0 on HQ-FW1, showing the packet being sent but not passing through the firewall. (No packets captured from Gi0/1.)

Wireshark trace

Packet-tracer output:

HQ-FW1(config)# packet-tracer input outside tcp 192.168.20.1 1234 192.168.10.1$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.10.10 using egress ifc  inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE-ACL in interface outside
access-list OUTSIDE-ACL extended permit tcp host 192.168.20.1 host 192.168.10.10 eq tacacs
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network net-local
 nat (inside,outside) dynamic interface
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

1 Answer

On your router, all of the static routes pointing at the firewall are wrong. You need to define the next hop, because you are not on a PTP link.

Remove all routes pointing at Eth0/1 with the following commands:

no ip route 192.168.10.10 255.255.255.255 Ethernet0/1
no ip route 209.165.200.227 255.255.255.255 Ethernet0/1
no ip route 209.165.200.228 255.255.255.255 Ethernet0/1

and replace them with:

ip route 192.168.10.10 255.255.255.255 192.168.20.2
ip route 209.165.200.227 255.255.255.255 192.168.20.2
ip route 209.165.200.228 255.255.255.255 192.168.20.2

You should then be able to re-test and verify that your firewall is now receiving the packets.

Also, you should repeat the above steps (with modifications) for your Eth0/0 interface, pointing those routes at your next hop, which is probably your ISP's router.

Edit 1: Please also set the source interface for TACACS with the command:

ip tacacs source-interface Eth0/1

Edit 2: To correct your NAT issue, where your traffic is dropped because of the RPF check, you can write a very specific NAT exemption statement that will take priority over the broad NAT statement the traffic currently matches, without interfering with any of your other traffic.

You will need to create some more objects first. To do this, you can type:

object network TACACS-HOST
 host 192.168.10.10
object network HQ-ROUTER
 host 192.168.20.1

Next, you can add the NAT exemption statement using these new objects. To do this, you can type:

nat (outside,inside) source static HQ-ROUTER HQ-ROUTER destination static TACACS-HOST TACACS-HOST

You can then verify the flow with the same packet-tracer command I mentioned earlier, or you can try the authentication request.
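As an added example (not part of the question or the answer above): a small Python triage helper that parses ASA packet-tracer output of the kind quoted in the question and reports the first phase that dropped the flow, which here is the NAT rpf-check phase and the object NAT rule it matched. The sample input is constructed from the output quoted in the question.

```python
# Constructed sample: trimmed from the packet-tracer output quoted in the question above.
SAMPLE = """\
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network net-local
 nat (inside,outside) dynamic interface
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(text):
    """Return one dict per 'Phase:' block: number, type, subtype, result and config lines."""
    phases, cur, in_config = [], None, False
    for line in text.splitlines():
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":", 1)[1]), "type": "", "subtype": "", "result": "", "config": []}
            phases.append(cur)
            in_config = False
        elif cur is None or line.strip() == "Result:":
            cur = None                      # a bare 'Result:' opens the final summary block
        elif line.startswith("Config:"):
            in_config = True
        elif line.startswith("Additional Information:"):
            in_config = False
        elif in_config:
            cur["config"].append(line)      # keep the rule that matched, indentation intact
        else:
            key, _, value = line.partition(":")
            if key in ("Type", "Subtype", "Result"):
                cur[key.lower()] = value.strip()
    return phases

def drop_phase(phases):
    """First phase whose Result is DROP, or None if every phase allowed the packet."""
    return next((p for p in phases if p["result"] == "DROP"), None)

def drop_reason(text):
    # 'Drop-reason:' appears once, in the summary block after the last phase
    return next((l.split(":", 1)[1].strip() for l in text.splitlines() if l.startswith("Drop-reason:")), None)
```

Running `drop_phase(parse_phases(SAMPLE))` on the sample returns phase 8 (NAT/rpf-check) together with the `net-local` object NAT lines, which is the rule the exemption in the answer is meant to take priority over.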