General problems with access to and from the DMZ on a Cisco ASA 5520

Network Engineering  Cisco  Networking
2021-07-20 23:18:35

I have just upgraded my software from v8.2(x) to v9.1(7), but I am having some general problems with access to and from my DMZ:

  1. No Internet access from the DMZ
  2. No access from outside to the web or mail server in the DMZ

Here is my running config:

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 109.xxx.yyy.zzz 255.255.255.128
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif data
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Management0/0
 nameif mgmt
 security-level 0
 ip address 192.168.128.1 255.255.255.0
!
...
object network obj-dmz-subnet
 subnet 172.16.1.0 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-lan-subnet
 subnet 192.168.1.0 255.255.255.0
object network obj-data-subnet
 subnet 10.0.0.0 255.255.255.0
object network obj-mgmt-subnet
 subnet 192.168.128.0 255.255.255.0
object network web_server
 host 172.16.1.30
object network web_server_http
 host 172.16.1.30
object network web_server_https
 host 172.16.1.30
object network mail_server_smtp
 host 172.16.1.40
object network mail_server_pop3
 host 172.16.1.40
object network mail_server_imap
 host 172.16.1.40
object network mail_server_pop3s
 host 172.16.1.40
object network mail_server_imaps
 host 172.16.1.40
object network mail_server_smtps
 host 172.16.1.40
object-group network web_servers
 network-object host 172.16.1.30
object-group network mail_servers
 network-object host 172.16.1.40
object-group service web_services tcp
 port-object eq www
 port-object eq https
object-group service mail_services tcp
 port-object eq smtp
 port-object eq imap4
 port-object eq pop3
 port-object eq 995
 port-object eq 993
 port-object eq 465
object-group service zabbix_services tcp
 port-object eq 10050
 port-object eq 10051
access-list ACL_IN extended permit ip any4 any4
access-list OUTSIDE_TO_DMZ extended permit ip any4 any4
access-list OUTSIDE_TO_DMZ extended permit tcp any object-group web_servers object-group web_services
access-list OUTSIDE_TO_DMZ extended permit tcp any object-group mail_servers object-group mail_services
access-list OUTSIDE_TO_DMZ extended deny ip any any log
access-list DMZ_TO_INSIDE extended permit tcp object obj-dmz-subnet host 192.168.1.4 object-group zabbix_services
!
object network obj-dmz-subnet
 nat (dmz,outside) dynamic interface
object network obj_any
 nat (dmz,outside) dynamic interface
object network obj-lan-subnet
 nat (inside,outside) dynamic interface
object network web_server_http
 nat (dmz,outside) static interface service tcp www www
object network web_server_https
 nat (dmz,outside) static interface service tcp https https
object network mail_server_smtp
 nat (dmz,outside) static interface service tcp smtp smtp
object network mail_server_pop3
 nat (dmz,outside) static interface service tcp pop3 pop3
object network mail_server_imap
 nat (dmz,outside) static interface service tcp imap4 imap4
object network mail_server_pop3s
 nat (dmz,outside) static interface service tcp 995 995
object network mail_server_imaps
 nat (dmz,outside) static interface service tcp 993 993
object network mail_server_smtps
 nat (dmz,outside) static interface service tcp 465 465
access-group OUTSIDE_TO_DMZ in interface outside
access-group DMZ_TO_INSIDE in interface dmz
access-group ACL_IN in interface inside
route outside 0.0.0.0 0.0.0.0 109.xxx.yyy.zzz 1

What is missing from my config?

EDIT: The NAT statement cleanup was the solution to one of the problems. I can now fully access my web and mail servers. However, Internet access from the DMZ still fails. Here is the result of the packet-tracer command "packet-tracer input dmz tcp 172.16.1.100 80 8.8.8.8 80":

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

EDIT: I think I have everything working now. Inserting the following access list helped:

access-list FROM_DMZ extended permit ip any any

Now I can ping the wide world and upgrade my machines in the DMZ. This seems too easy. Is there anything I have to consider or something I forgot?

1 Answer

Before troubleshooting, let's clean up your NAT statements a little.

Here we temporarily remove your "global" NAT statements:

object network obj-dmz-subnet
 no nat (dmz,outside) dynamic interface
object network obj-lan-subnet
 no nat (inside,outside) dynamic interface

The next object is a default object created on the ASA, and it has a corresponding NAT statement that is known to cause problems if you don't remove it (because of how broad it is). As far as I can see you aren't using it, so we will remove it entirely.

no object network obj_any

The next two lines recreate your global NAT statements, but as manual NAT (rather than auto NAT), and they also use the after-auto keyword on each line to make sure they are only used as a last resort (if the traffic does not first match any other NAT statement).

nat (dmz,outside) after-auto source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface

Now that the NAT statements are in a better order, can you show me some packet-tracer output?

packet-tracer input dmz tcp 172.16.1.100 1234 8.8.8.8 80

packet-tracer input outside tcp 8.8.8.8 1234 <your public IP for your web-server> 80

EDIT:

Please add:

access-list DMZ_TO_INSIDE extended permit tcp object obj-dmz-subnet any eq 80

along with

access-list DMZ_TO_INSIDE extended permit tcp object obj-dmz-subnet any eq 443

Then run the same packet-tracer command you just tried. The reason it did not work before is that you currently only allow the DMZ subnet to reach your Zabbix server.

Since we are no longer restricting your DMZ to only the Zabbix server, I would suggest renaming your DMZ access list so that its name makes more sense.

If you want to rename the access list, you can use the following command:

access-list DMZ_TO_INSIDE rename <new name>

For example: access-list DMZ_TO_INSIDE rename from_DMZ

FYI, renaming an access list (or object) has no effect on traffic, because the ASA refers to access lists and/or objects by a hexadecimal ID rather than by name, and the rename command does not change that ID. This means you can change the name without worrying about affecting users/servers.
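As an added illustration (not part of the question or the answer above), the following Python snippet models the ASA's first-match ACL evaluation over the exact access-list lines from this page: the original DMZ_TO_INSIDE list that produced the packet-tracer "acl-drop", the list after the answer's two permit lines are added, and the asker's final "permit ip any any". The object and port-group definitions are a constructed subset of the running-config, and the 192.168.1.10 host and port 22 used in the checks are assumed values chosen to show that "any" as a destination also covers the inside subnet.

```python
import ipaddress

NETS = {"obj-dmz-subnet": "172.16.1.0/24"}          # constructed subset of the page's objects
PORT_GROUPS = {"zabbix_services": {10050, 10051}}
PORT_NAMES = {"www": 80, "https": 443}

def _addr(toks, i):
    """Consume one address spec (any/any4, host X, object NAME); return (network, next index)."""
    if toks[i] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    if toks[i] == "object":
        return ipaddress.ip_network(NETS[toks[i + 1]]), i + 2
    raise ValueError("unsupported address spec: " + toks[i])

def parse_ace(line):
    """Parse one ASA extended ACE into (action, proto, src, dst, dst_ports-or-None)."""
    toks = line.split()
    i = toks.index("extended") + 1
    action, proto = toks[i], toks[i + 1]
    src, i = _addr(toks, i + 2)
    dst, i = _addr(toks, i)
    ports = None
    if i < len(toks) and toks[i] == "eq":
        ports = {PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])}
    elif i < len(toks) and toks[i] == "object-group":
        ports = PORT_GROUPS[toks[i + 1]]
    return action, proto, src, dst, ports

def evaluate(acl, proto, src_ip, dst_ip, dst_port):
    """First match wins, as on the ASA; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl:
        action, p, src, dst, ports = parse_ace(line)
        if p in (proto, "ip") and s in src and d in dst and (ports is None or dst_port in ports):
            return action.upper()
    return "DROP (implicit deny)"

# The three ACL states taken from the page.
ORIGINAL = ["access-list DMZ_TO_INSIDE extended permit tcp object obj-dmz-subnet host 192.168.1.4 object-group zabbix_services"]
FIXED = ORIGINAL + [
    "access-list DMZ_TO_INSIDE extended permit tcp object obj-dmz-subnet any eq 80",
    "access-list DMZ_TO_INSIDE extended permit tcp object obj-dmz-subnet any eq 443",
]
WIDE_OPEN = ["access-list FROM_DMZ extended permit ip any any"]

if __name__ == "__main__":
    print(evaluate(ORIGINAL, "tcp", "172.16.1.100", "8.8.8.8", 80))       # DROP (implicit deny)
    print(evaluate(WIDE_OPEN, "tcp", "172.16.1.100", "192.168.1.4", 22))  # PERMIT: any inside host, any port
```

The last check is the practical caveat behind the asker's "this seems too easy": once an ACL is applied to the dmz interface, it alone decides what the DMZ may reach, so "permit ip any any" lets DMZ hosts initiate connections to every inside and data host on every port, whereas the answer's "any eq 80/443" lines still admit DMZ-to-inside traffic on those two ports.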