Something missing from the config, cannot ssh/ping from another VLAN or network

Network Engineering, Cisco
2022-02-12 08:26:42

I'm confused as to why this doesn't work.. I just want to reach the ASA management from 10.109.32.6.0

I have a remote ASA. There is an MPLS link between the two sites. I am behind 10.109.32.6 and the ASA is behind 10.109.35.11. The ASA is connected to the MPLS route (VLAN2 10.4.1.0); see the config below. Any suggestions on what I'm doing wrong? I added the extra config below to allow ping and ssh from my site:

    ssh VLAN12 255.255.255.0 inside
    ssh 10.109.32.6 255.255.255.192 MPLS
    http server enable
    http VLAN12 255.255.255.0 inside
    http 10.109.32.6 255.255.255.192 MPLS
    icmp permit any inside
    icmp permit any MPLS
    inspect icmp
    inspect icmp error

    name x.x.x.x InternetGateway description Internet Gateway 
    name x.x.x.x IS description Fidelity Information Systems MPLS IP Range 
    name 10.109.0.0 MPLS description MPLS IP Range 
    name 10.4.3.3 MPLSGateway description MPLS Gateway 
    name 10.5.1.0 VLAN12 description Internal user LAN 
    name 10.4.3.0 VLAN80 description MPLS third party network 
    ! 
    interface Ethernet0/0 
    !  
    interface Ethernet0/1 
     switchport access vlan 3 
    !
    interface Ethernet0/2 
     switchport access vlan 2 
    !  
    interface Ethernet0/3 
    !
    interface Ethernet0/4 
    !
    interface Ethernet0/5 
    !
    interface Ethernet0/6 
    !
    interface Ethernet0/7 
    !
    interface Vlan1 
     description Internal LAN 
     nameif inside 
     security-level 100 
     ip address 10.5.1.1 255.255.255.0 
    ! 
    interface Vlan2  
     description Internet Access 
     nameif outside 
     security-level 0 
     ip address x.x.x.x x.x.x.x 
    ! 
    interface Vlan3 
     description LaSer Group MPLS 
     no forward interface Vlan2 
     nameif MPLS 
     security-level 0 
     ip address 10.4.1.4 255.255.255.0 
    ! 
    ftp mode passive 
    clock timezone GMT/BST 0 
    clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00 
    dns server-group DefaultDNS 
     domain-name X.X.X.X 
    object-group network gMPLS 
     description MPLS Destinations 
     network-object MPLS 255.255.0.0 
     network-object IS 255.255.0.0 
    access-list inside_nat_outbound_1 remark Traffic to internet hidden behind  X.X.X.X 
    access-list inside_nat_outbound_1 extended permit ip VLAN12 255.255.255.0 any 
    access-list inside_nat_outbound remark Traffic to MPLS hidden behind  10.109.35.11 
    access-list inside_nat_outbound extended permit ip VLAN12 255.255.255.0  object-group gMPLS 
    pager lines 24
    logging asdm informational 
    mtu inside 1500 
    mtu outside 1500 
    mtu MPLS 1500  
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable 
    arp timeout 14400  
    global (outside) 1 X.X.X.X netmask 255.0.0.0 
    global (MPLS) 2 10.109.35.11 netmask 255.0.0.0 
    nat (inside) 2 access-list inside_nat_outbound 
    nat (inside) 1 access-list inside_nat_outbound_1 
    route outside 0.0.0.0 0.0.0.0 InternetGateway 1 
    route outside 0.0.0.0 255.255.255.255 InternetGateway 255 
    route MPLS MPLS 255.255.0.0 10.4.1.1 1
    route MPLS IS 255.255.0.0 10.4.1.1 1
    timeout xlate 3:00:00 
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute 
    timeout tcp-proxy-reassembly 0:01:00 
    timeout floating-conn 0:00:00 
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL 
    http server enable 
    http VLAN12 255.255.255.0 inside 
    no snmp-server location 
    no snmp-server contact 
    snmp-server enable traps snmp authentication linkup linkdown coldstart 
    crypto ipsec security-association lifetime seconds 28800 
    crypto ipsec security-association lifetime kilobytes 4608000 
    telnet timeout 5 
    ssh VLAN12 255.255.255.0 inside 
    ssh 10.109.32.6 255.255.255.192 MPLS 
    ssh timeout 5 
    console timeout 0 

    dhcpd auto_config outside 
    !
    dhcpd address 10.5.1.5-10.5.1.254 inside 
    dhcpd dns 1.1.1.1 1.1.1.1 interface inside 
    dhcpd domain xxxx interface inside 
    dhcpd enable inside 
    !

    threat-detection basic-threat 
    threat-detection statistics access-list 
    no threat-detection statistics tcp-intercept 

    !
    class-map inspection_default 
     match default-inspection-traffic 
    !
    !
    policy-map type inspect dns preset_dns_map 
     parameters
      message-length maximum client auto 
      message-length maximum 512 
    policy-map global_policy 
     class inspection_default 
      inspect dns preset_dns_map 
      inspect ftp 
      inspect h323 h225 
      inspect h323 ras 
      inspect rsh 
      inspect rtsp 
      inspect esmtp 
      inspect sqlnet 
      inspect skinny 
      inspect sunrpc 
      inspect xdmcp 
      inspect sip 
      inspect netbios 
      inspect tftp 
      inspect ip-options 
    ! 
    service-policy global_policy global 
    prompt hostname context 
    no call-home reporting anonymous
2 Answers

This is straight from Cisco's website:

 hostname(config)# crypto key generate rsa modulus 1024
 hostname(config)# write memory
 hostname(config)# aaa authentication ssh console LOCAL
 WARNING: local database is empty! Use 'username' command to define local users.
 hostname(config)# username exampleuser1 password examplepassword1
 hostname(config)# ssh 192.168.1.2 255.255.255.255 inside
 hostname(config)# ssh timeout 30

You must generate crypto keys for SSH and define the permitted IP addresses in order to reach the firewall over SSH. On a router you have to create a username and password and create the SSH key. I don't see the crypto key.

What is your IP address? You say you are "behind" 10.109.32.6, but unless you own that address or belong to VLAN12, you will not be able to reach the firewall.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/access_management.html#wp1503771
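Added example, not code from the post or from Cisco: a small Python checker that reads the question's own name/route/ssh lines (plus the two interface addresses) and reports whether a given source address would be let through the ssh allow-list on the interface the ASA reaches it through, and whether the LOCAL database that the aaa line points at has any users. Only the embedded config excerpt is taken from the question; everything else is this example's own construction.

```python
import ipaddress
# Constructed excerpt of the question's config: name, interface, route and ssh lines kept verbatim.
ASA_CONFIG = """\
name 10.109.0.0 MPLS description MPLS IP Range
name 10.5.1.0 VLAN12 description Internal user LAN
interface Vlan1
 nameif inside
 ip address 10.5.1.1 255.255.255.0
interface Vlan3
 nameif MPLS
 ip address 10.4.1.4 255.255.255.0
route outside 0.0.0.0 0.0.0.0 InternetGateway 1
route MPLS MPLS 255.255.0.0 10.4.1.1 1
aaa authentication ssh console LOCAL
ssh VLAN12 255.255.255.0 inside
ssh 10.109.32.6 255.255.255.192 MPLS
"""

def parse(config):
    names, routes, ssh, users, cur = {}, [], [], [], None
    for f in filter(None, map(str.split, config.splitlines())):
        if f[0] == "name":                          # name <ip> <alias> ...
            names[f[2]] = f[1]
        elif f[0] == "nameif":                      # remember the interface name in effect
            cur = f[1]
        elif f[:2] == ["ip", "address"] and cur:    # connected network of that interface
            routes.append((cur, ipaddress.ip_network(f"{f[2]}/{f[3]}", strict=False)))
        elif f[0] == "route":                       # route <iface> <net> <mask> <gw> ...
            net = names.get(f[2], f[2])
            routes.append((f[1], ipaddress.ip_network(f"{net}/{f[3]}", strict=False)))
        elif f[0] == "ssh" and len(f) == 4:         # ssh <host|net> <mask> <iface>
            net = names.get(f[1], f[1])
            ssh.append((f[3], ipaddress.ip_network(f"{net}/{f[2]}", strict=False)))
        elif f[0] == "username":
            users.append(f[1])
    return routes, ssh, users

def ssh_allowed(config, source_ip):
    """Return (ok, interface, reason) for an SSH attempt from source_ip."""
    routes, ssh, users = parse(config)
    src = ipaddress.ip_address(source_ip)
    hits = [(i, n) for i, n in routes if src in n]
    if not hits:
        return False, None, "no route back to the source"
    iface = max(hits, key=lambda h: h[1].prefixlen)[0]   # longest-prefix match
    if not any(i == iface and src in n for i, n in ssh):
        return False, iface, f"no 'ssh' entry covering {src} on {iface}"
    if not users:
        return False, iface, "allow-list matches but LOCAL user database is empty"
    return True, iface, "permitted"
```

Appending a constructed `username` line to `ASA_CONFIG` before calling `ssh_allowed(ASA_CONFIG, "10.109.32.6")` shows the difference between the allow-list passing and the login actually having a local account to authenticate against.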

I don't believe ping will ever work. These security appliances are designed with it disabled. As for SSH, it can be done from outside - connect to the device's public IP. You just need to configure it. There are plenty of config examples online, such as this link. If all else fails, reboot and try again (a maximum of 5 concurrent connections may be hanging the sessions?)