网络工程 - Cisco ASA 8.2(5) 相同的安全路由问题 - 吾爱随笔录

我有一个运行 8.2(5) 的 ASA 5510，配置如下，我在相同安全级别的子接口之间路由流量时遇到问题。尽管未显示，但每个子接口都有 ACL，允许双向 ICMP 和 IP 流量。注意：我已经减少了发布的配置数量，但应该有足够的配置。

存在的限制是：不能升级超过 8.2(5) 不能使用相同的安全命令所有内部接口都具有相同的安全级别。

流量从外部流向/从外部流向各个子接口，但在子接口之间它是命中注定的，这是我困惑的根源。如果它在不工作时保持一致，那将很容易。

例如，我看到的问题是：

匹配前向和反向流的非对称 NAT 规则；对于从 sub-int 112 到 104 的流量
ICMP 流量被隐式规则拒绝，但每个 ACL 都有 ext perm ICMP any any
我很确定这行 nat (DMZ-102) 1 192.168.102.0 255.255.255.0 是一个错误，但拥有或删除它似乎没有区别。

因此，如果有人有任何建议/建议，请告诉我。

interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 10.172.1.212 255.255.255.0 

interface Ethernet0/1
 speed 1000
 duplex full
 no nameif
 no security-level
 no ip address

interface Ethernet0/1.102
 vlan 102
 nameif DMZ-102
 security-level 100
 ip address 192.168.102.251 255.255.255.0 

interface Ethernet0/1.103
 vlan 103
 nameif DMZ-103
 security-level 100
 ip address 192.168.103.252 255.255.255.0 

interface Ethernet0/1.104
 vlan 104
 nameif DMZ-104
 security-level 100
 ip address 192.168.104.252 255.255.255.0 

interface Ethernet0/1.112
 vlan 112
 nameif DMZ-112
 security-level 100
 ip address 192.168.112.252 255.255.255.0 

access-list incoming extended permit ip any any
access-list OUTBOUND extended permit ip any any 
global (outside) 1 interface
global (DMZ-102) 1 interface
global (DMZ-103) 1 interface
global (DMZ-104) 1 interface
global (DMZ-112) 1 interface
nat (DMZ-102) 1 192.168.102.0 255.255.255.0
nat (DMZ-102) 0 192.168.102.0 255.255.255.0
nat (DMZ-103) 0 192.168.103.0 255.255.255.0
nat (DMZ-104) 0 192.168.104.0 255.255.255.0
nat (DMZ-112) 0 192.168.112.0 255.255.255.0
static (DMZ-103,outside) 10.172.1.213 192.168.103.11 netmask 255.255.255.255 
static (DMZ-102,DMZ-103) 192.168.102.0 192.168.102.0 netmask 255.255.255.255
static (DMZ-102,DMZ-104) 192.168.102.0 192.168.102.0 netmask 255.255.255.255
static (DMZ-102,DMZ-112) 192.168.102.0 192.168.102.0 netmask 255.255.255.255
static (DMZ-103,DMZ-102) 192.168.103.0 192.168.103.0 netmask 255.255.255.255
static (DMZ-103,DMZ-104) 192.168.103.0 192.168.103.0 netmask 255.255.255.255
static (DMZ-103,DMZ-112) 192.168.103.0 192.168.103.0 netmask 255.255.255.255
static (DMZ-104,DMZ-102) 192.168.104.0 192.168.104.0 netmask 255.255.255.255
static (DMZ-104,DMZ-103) 192.168.104.0 192.168.104.0 netmask 255.255.255.255
static (DMZ-104,DMZ-112) 192.168.104.0 192.168.104.0 netmask 255.255.255.255
static (DMZ-112,DMZ-102) 192.168.112.0 192.168.112.0 netmask 255.255.255.255
static (DMZ-112,DMZ-103) 192.168.112.0 192.168.112.0 netmask 255.255.255.255
static (DMZ-112,DMZ-104) 192.168.112.0 192.168.112.0 netmask 255.255.255.255
access-group incoming in interface outside
access-group OUTBOUND out interface outside
route outside 0.0.0.0 0.0.0.0 10.172.1.1 1