Meraki in passthrough mode behind an ASA

network-engineering cisco vpn meraki
2021-08-03 16:40:37

I can't get bidirectional traffic through a Meraki box sitting behind an ASA 5508-X. I can see requests from the client VPN go from the client device to a server on our LAN, and the server responds, but the Meraki never sends the response on to the client. (The Meraki is in passthrough mode.) Not sure whether the remote subnets need to be defined more explicitly; I previously defined the client subnet locally, but that was no better. For reference, 192.168.3.0/24 is the client and 192.168.129.0/24 is the other site.

I believe I have forwarded the correct ports. I have added default routes for both site-to-site and client. I think this may be a NAT problem. Here is the ASA config.

ASA Version 9.8(2) 
!
hostname ciscoasa
enable password $xxx
names

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.252 
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.254.0 
!
interface GigabitEthernet1/2.2
 description Isolated Guest traffic
 vlan 2
 nameif Guest
 security-level 60
 ip address 192.168.2.1 255.255.255.0 
!
interface GigabitEthernet1/3
 nameif VOIP
 security-level 100
 ip address 172.16.0.99 255.255.255.0 
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network inside
 subnet 192.168.0.0 255.255.254.0
object network phones
 subnet 172.16.0.0 255.255.255.0
object network Guests
 subnet 192.168.2.0 255.255.255.0
 description Isolated guest traffic
object network Meraki
 host 192.168.0.1
object network Meraki_natt
 host 192.168.0.1
object network bossVPN
 host 192.168.3.0
 description 255.255.255.0

access-list global_access extended permit udp any object Meraki eq isakmp 
access-list global_access extended permit udp any object Meraki eq 4500 
access-list internal extended permit ip any any 
access-list internal extended permit icmp any any 
access-list internal extended permit udp 192.168.0.0 255.255.254.0 host 8.8.8.8 eq domain 
access-list internal extended permit udp 192.168.0.0 255.255.254.0 host 8.8.4.4 eq domain 
access-list internal extended permit udp 192.168.0.0 255.255.254.0 host 9.9.9.9 eq domain 
access-list internal extended permit udp 192.168.0.0 255.255.254.0 host 75.75.76.76 eq domain 
access-list internal extended permit udp object Meraki any eq isakmp 
access-list internal extended permit udp object Meraki any eq 4500 
access-list external extended permit ip any any 
access-list external extended permit icmp any any 
access-list Guest_access_in extended deny ip any 192.168.0.0 255.255.254.0 
access-list Guest_access_in extended permit ip any any 
access-list Guest_access_in extended permit icmp any any 
pager lines 24
logging enable
logging asdm notifications
mtu outside 1500
mtu inside 1500
mtu Guest 1500
mtu VOIP 1500
no failover
no monitor-interface service-module 
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!

object network inside
 nat (inside,outside) dynamic interface
object network phones
 nat (VOIP,outside) dynamic interface
object network Guests
 nat (Guest,outside) dynamic interface
object network Meraki
 nat (any,outside) static interface service udp isakmp isakmp 
object network Meraki_natt
 nat (any,outside) static interface service udp 4500 4500 
access-group external in interface outside
access-group internal in interface inside
access-group Guest_access_in in interface Guest
access-group internal in interface VOIP
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside 192.168.3.0 255.255.255.0 192.168.0.1 1
route inside 192.168.129.0 255.255.255.0 192.168.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.0.0 255.255.254.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.249 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd lease 86400 interface inside
dhcpd domain BII interface inside
dhcpd enable inside
!
dhcpd address 192.168.2.100-192.168.2.149 Guest
dhcpd dns 9.9.9.9 8.8.8.8 interface Guest
dhcpd lease 86400 interface Guest
dhcpd domain Guest interface Guest
dhcpd enable Guest
!
dhcpd address 172.16.0.120-172.16.0.219 VOIP
dhcpd dns 8.8.8.8 interface VOIP
dhcpd lease 86400 interface VOIP
dhcpd domain voip interface VOIP
dhcpd enable VOIP
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous

Edit: Adding a static route to the client VPN subnet on a server on our internal network allows that server to work with the VPN. I would rather the static route on the ASA were what mattered.

Oddly, if I load the PBX (172.16.0.35), I see bidirectional traffic in the "Client VPN pcap", but none of the 192.168.0.0/23 traffic works.

Does the route from the ASA have to propagate for this to work? Restart the connected devices or something?

Edit 2: Some context. The Meraki sits on GigabitEthernet1/2, between the ASA and our 52-port L2 switch.

Edit 3: I'm now leaning towards NAT being the problem again.

Meraki WAN traffic (filtered to the client VPN IP address)

Meraki LAN traffic (filtered to the client VPN IP address)

Meraki client VPN traffic

Can anyone help me with a NAT statement to send all 192.168.3.0/24 traffic via 192.168.0.1?

1 Answer

It turns out that passthrough mode on the Meraki does not work behind the ASA. The Meraki does not forward traffic through the ASA, so the TCP handshake is broken: the VPN traffic sends the SYN directly to the networked machine, but the networked machine responds via the ASA, and the ASA drops the packet because it never saw the initial SYN. (In this mode the Meraki only forwards traffic directed to it; otherwise it is an L2 device.)

My solution was to break the Meraki out onto its own interface at the same security level and adjust the routes to point at its new IP address. In the Meraki documentation this is called "VPN concentrator" mode. For reference, I did not need to change anything in the Meraki config other than the static IP, and the ASA config just gained another interface plus the associated NAT and routes.
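As an added illustration of the failure mode the answer describes (this is example code, not part of the original post or any Cisco/Meraki software), the following models an ASA-style stateful firewall that only admits a TCP segment when it belongs to a connection whose SYN it has already inspected, and replays a three-way handshake over the two layouts: the passthrough layout, where the client's SYN is bridged straight to the LAN server while the server's reply follows its default gateway through the firewall, and the own-interface layout, where both directions cross the firewall. The host addresses 192.168.3.10 and 192.168.0.50 are constructed sample values inside the post's client VPN pool and inside LAN.

```python
from dataclasses import dataclass

# Constructed sample addresses: 192.168.3.0/24 is the post's client VPN
# pool and 192.168.0.0/23 its inside LAN; the host numbers are made up.
VPN_CLIENT = "192.168.3.10"
LAN_SERVER = "192.168.0.50"


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN/ACK" or "ACK"


class StatefulFirewall:
    """Minimal model of an ASA-style stateful firewall: a TCP segment is
    forwarded only if it opens a new connection (SYN) or matches a
    connection whose SYN the firewall has already inspected."""

    def __init__(self):
        self.table = set()   # connections the firewall has state for
        self.dropped = []    # segments refused for lack of state

    @staticmethod
    def key(seg):
        # Direction-agnostic endpoint pair so a reply matches its opener.
        return frozenset({(seg.src, seg.sport), (seg.dst, seg.dport)})

    def inspect(self, seg):
        k = self.key(seg)
        if seg.flags == "SYN":
            self.table.add(k)
            return True
        if k in self.table:
            return True
        self.dropped.append(seg)  # the "no connection" drop the ASA logs
        return False


def replay_handshake(fw, c2s_via_fw, s2c_via_fw):
    """Run a TCP three-way handshake between VPN_CLIENT and LAN_SERVER.
    The two booleans say whether each direction crosses the firewall.
    Returns the flags that were delivered end to end, in order."""
    delivered = []
    handshake = [
        (VPN_CLIENT, 51000, LAN_SERVER, 443, "SYN", c2s_via_fw),
        (LAN_SERVER, 443, VPN_CLIENT, 51000, "SYN/ACK", s2c_via_fw),
        (VPN_CLIENT, 51000, LAN_SERVER, 443, "ACK", c2s_via_fw),
    ]
    for src, sport, dst, dport, flags, via_fw in handshake:
        seg = Segment(src, sport, dst, dport, flags)
        if via_fw and not fw.inspect(seg):
            break  # the peer never receives it; the handshake stalls here
        delivered.append(flags)
    return delivered


def passthrough_layout():
    """Meraki in passthrough on the inside segment: the client's SYN is
    bridged at L2 straight to the server, but the server's reply follows
    its default gateway (the ASA), so the path is asymmetric."""
    return replay_handshake(StatefulFirewall(), c2s_via_fw=False, s2c_via_fw=True)


def concentrator_layout():
    """Meraki on its own ASA interface (the answer's "VPN concentrator"
    layout): both directions are routed through the ASA, which therefore
    sees the SYN before the reply."""
    return replay_handshake(StatefulFirewall(), c2s_via_fw=True, s2c_via_fw=True)


if __name__ == "__main__":
    print("passthrough  :", passthrough_layout())   # ['SYN'] then stall
    print("own interface:", concentrator_layout())  # full handshake
```

The model deliberately ignores NAT and ACLs: with the state table empty, the SYN/ACK is dropped regardless of how the ASA's routes or NAT statements are written, which is why the route and NAT changes tried in the question could not fix it and only making both directions traverse the ASA did.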