在工作中，我们有一个 cisco 3560 L3 核心，我们在其中实现了所有 L3 VLAN 和控制 VLAN 间路由的 ACL。就客户端机器而言，L3 交换机是默认网关，然后将数据包转发到路由器。就路由器而言，如果它看不到客户端机器，则它连接到交换机。但是，现在需要远程访问 VPN，为此我们将使用 5520 ASA 路由器。这里出现的问题是我们所有的 ACL 都在交换机中，我更愿意将所有这些类型的控件留在交换机中。理想情况下，我希望 VPN 流量从路由器进入，并进入适当 VLAN 上的交换机，然后交换机可以控制 ACL。

我注意到 5520 在与远程连接相关的组策略下确实有一个“vlan”选项，但是我对将数据输入交换机的最佳方式有些困惑。

我将如何最好地实现这一目标？我的 LAN 端口是 GigabitEthernet0/1。

• 我是否使用 GigabitEthernet0/1.4？
• 我是否将 GigabitEthernet0/1 中继到交换机，并使用路由器的内部 IP 设置环回以保留路由？
• 我可以只标记 VLAN 并以某种方式将它们推送到交换机中吗？

这是拓扑的组合图像。

• 左侧的客户端位于 LAN 内部，位于其相应的 VLAN 中，如图所示。
• 我们的核心交换机是 cisco 3560。我们的路由器是 cisco 5520 ASA。
• 右侧的客户端代表通过 cisco SSL VPN 连接的远程客户端。

谢谢大家

ASA 基本配置：

hostname CoreRouter
domain-name ***
enable password *** encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd *** encrypted
names
!
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 30.0.0.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.0.6.5 255.255.255.0
!
ftp mode passive
clock timezone AWST 8
object network NET-10.0
 subnet 10.0.0.0 255.255.0.0
 description Per (Local)
object network NET-10.1
 subnet 10.1.0.0 255.255.0.0
 description Avv (Remote)
object network RemoteAccessCorp
 subnet 10.0.4.0 255.255.255.0
 description SSL Restricted Remote Access
object network RemoteAccessIT
 subnet 10.0.5.0 255.255.255.0
 description SSL Unrestricted Remote Access
object-group network NET-VPN
 network-object object NET-10.1
 network-object object RemoteAccessCorp
 network-object object RemoteAccessIT
!
access-list s2s-vpn-avv extended permit ip object NET-10.0 object NET-10.1
pager lines 24
mtu outside 1500
mtu inside 1500
mtu inside_12 1500
mtu inside_13 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NET-10.0 NET-10.0 destination static NET-VPN NET-VPN no-proxy-arp route-lookup
!
nat (inside,outside) after-auto source dynamic NET-10.0 interface
access-group ingress-harden in interface outside
route outside 0.0.0.0 0.0.0.0 30.0.0.2 1
route inside 10.0.6.0 255.255.255.0 10.0.0.2 1
route inside 10.0.2.0 255.255.255.0 10.0.0.2 1
route inside 10.0.3.0 255.255.255.0 10.0.0.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map LDAP-MEMBEROF-VPN
  map-name  memberOf Group-Policy
  map-value memberOf "CN=IT Staff,OU=Production,OU=Groups,OU=All Users and groups,DC=internal" ItClient
  map-value memberOf "CN=ASA-VPN,OU=Production,OU=Groups,OU=All Users and groups,DC=internal" CorpClient
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 10.0.6.2
 ldap-base-dn OU=Production Users,OU=All Users and groups,DC=internal
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=ASA SSL VPN,OU=LDAP System accounts,DC=internal
 server-type microsoft
 ldap-attribute-map LDAP-MEMBEROF-VPN
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
no snmp-server enable
no service password-recovery
crypto ipsec ikev2 ipsec-proposal OurProposal
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto map AeonMap 1 match address s2s-vpn-avv
crypto map AeonMap 1 set peer ***
crypto map AeonMap 1 set ikev2 ipsec-proposal OurProposal
crypto map AeonMap interface outside
crypto ca trustpoint localtrust
 enrollment self
 fqdn CoreRouter.internal
 subject-name CN=CoreRouter.internal
 keypair sslvpnkey
 crl configure
crypto ca trustpool policy
crypto ca certificate chain localtrust
 certificate ***
  quit
crypto isakmp identity address
crypto ikev2 policy 1
 encryption aes-256
 integrity sha384
 group 21
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
telnet timeout 5
ssh stricthostkeycheck
ssh 10.0.0.0 255.0.0.0 management
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
group-policy CorpClient internal
group-policy CorpClient attributes
 wins-server value 10.0.6.2
 dns-server value 10.0.6.2
 dhcp-network-scope 10.0.6.2
 vpn-simultaneous-logins 100
 vpn-idle-timeout 30
 vpn-tunnel-protocol ssl-client
group-policy ItClient internal
group-policy ItClient attributes
 wins-server value 10.0.6.2
 dns-server value 10.0.6.2
 dhcp-network-scope 10.0.6.2
 vpn-simultaneous-logins 100
 vpn-idle-timeout 30
 vpn-tunnel-protocol ssl-client
group-policy NoAccess internal
group-policy NoAccess attributes
 vpn-simultaneous-logins 0
username admin password *** encrypted privilege 15
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
 authentication-server-group LDAP
 default-group-policy NoAccess
 dhcp-server 10.0.6.2
tunnel-group RemoteAccess webvpn-attributes
 group-alias Connect enable
tunnel-group *** type ipsec-l2l
tunnel-group *** ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6c07d337dc0b47763e4661313febe10c
: end

3560基本配置： 这是一个配置很少的测试开关

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
ip domain-name ***
ip name-server 10.0.6.2
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
 description To Router
 ip address 10.0.0.2 255.255.255.0
!
interface GigabitEthernet0/1
!
interface Vlan2
 description Corporate
 ip address 10.0.2.1 255.255.255.0
 ip helper-address 10.0.6.2
!
interface Vlan3
 description IT
 ip address 10.0.3.1 255.255.255.0
 ip helper-address 10.0.6.2
!
interface Vlan4
 description Corporate VPN
 shutdown
!
interface Vlan5
 description Corporate IT VPN
 shutdown
!
interface Vlan6
 description Servers
 ip address 10.0.6.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip http server
!
!
control-plane
!
!
line con 0
 escape-character 3
line vty 0 4
 login
line vty 5 15
 login
!
end

编辑 1 - ASA 子接口和交换机中继端口 -不工作

我在交换机中配置了以下内容：

interface Port-channel1
  description Core Router trunk
  switchport trunk encapsulation dot1q
  switchport mode trunk
!
interface FastEthernet 0/8
  description to Router
  switchport trunk encapsulation dot1q
  switchport mode trunk
  channel-group 1 mode on
!
int Loopback 0
  ip address 10.0.0.2 255.255.255.0

在 ASA 中，我有以下内容：

interface GigabitEthernet0/1
  nameif inside
  security-level 100
  ip address 10.0.0.1 255.255.255.0
interface GigabitEthernet0/1.12
  nameif inside_12
  security-level 100
  no ip address
  vlan 12
interface GigabitEthernet0/1.13
  nameif inside_13
  security-level 100
  no ip address
  vlan 13

group-policy CorpClient attributes
  wins-server value 10.0.6.2
  dns-server value 10.0.6.2
  dhcp-network-scope 10.0.6.2
  vpn-simultaneous-logins 100
  vpn-idle-timeout 30
  vpn-tunnel-protocol ssl-client
  vlan 12
group-policy ItClient attributes
  wins-server value 10.0.6.2
  dns-server value 10.0.6.2
  dhcp-network-scope 10.0.6.2
  vpn-simultaneous-logins 100
  vpn-idle-timeout 30
  vpn-tunnel-protocol ssl-client
  vlan 13

但是，我在使用这种方法时遇到的问题是它似乎不允许路由器和交换机之间进行通信？我相信这是因为交换机端口处于“中继”模式，而路由器端口处于“访问”模式？