IP addresses outside the DHCP range are blocked by a Cisco ASA 5505

Network Engineering cisco cisco nat acl
2021-07-25 18:58:38

My problem is this: I have a Cisco ASA whose INSIDE interface is set up to lease DHCP IPs 10.1.10.104 - 254 ... I have some static servers using the "lower" IP range (i.e. 10.1.10.11). The problem is that anything "below" .104 is blocked from accessing anything except 10.1.10.0. It is also blocked by the NAT rules when trying to forward port traffic for PPTP from the OUTSIDE network, i.e. I have included my running config below.

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

ASA Version 8.2(5)
!

names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.10.100 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 74.xx.xx.xx 255.255.255.248 
!
ftp mode passive
object-group network DM_INLINE_NETWORK_1
 network-object 10.xx.xx.0 255.255.255.0
 network-object 10.xx.xx.0 255.255.255.0
access-list outside_access_in extended permit icmp any any 
access-list outside_1_cryptomap extended permit ip 10.1.10.0 255.255.255.0 object-group DM_INLINE_NETWORK_1 
access-list inside_nat0_outbound extended permit ip 10.1.10.0 255.255.255.0 10.xx.xx.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.1.10.0 255.255.255.0 10.xx.xx.0 255.255.255.0 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.1.10.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 74.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer xx.xx.xx.xx
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 170
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 75.75.75.75 75.75.76.76
dhcpd auto_config outside
!
dhcpd address 10.1.10.104-10.1.10.254 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx ipsec-attributes
 pre-shared-key xx
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect pptp 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
: end

Is there anything obvious I'm missing? I'm a network noob, so please keep that in mind, and let me know if more info is needed, etc. ... For simplicity, let's use the single IP 10.1.10.11 as the "problem" IP.

############# EDIT ############

Added a traceroute suggestion from the answer below. Again, I'm a noob, so be gentle.

Result of the command: "packet-tracer input inside tcp 10.1.10.11 80 75.75.75.75  80"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside) 1 10.1.10.0 255.255.255.0
  match ip inside 10.1.10.0 255.255.255.0 outside any
    dynamic translation to pool 1 (74.xx.xx.225 [Interface PAT])
    translate_hits = 841385, untranslate_hits = 182888
Additional Information:
Dynamic translate 10.1.10.11/80 to 74.xx.Xx.225/120 using netmask 255.255.255.255

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 10.1.10.0 255.255.255.0
  match ip inside 10.1.10.0 255.255.255.0 inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 1635639, packet dispatched to next module

However, this fails:

Result of the command: "packet-tracer input outside icmp 75.75.75.75 0 0 10.1.10.11 detailed"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.1.10.0       255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc95e4128, priority=0, domain=permit, deny=true
    hits=343309, user_data=0x9, cs_id=0x0, flags=0x1000, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
2 Answers

I see you have an access list: access-list outside_access_in, but I don't see it applied on an interface. I think you should also have an access list for the inside interface and apply it to it. Allow icmp, http, https and whatever other protocols you need from the inside. Then do a traceroute.

You can also try this command: packet-tracer. See how to use it here: https://supportforums.cisco.com/docs/DOC-5796

This command can show you whether your packet is failing.


EDIT

So you need 2 ACLs, one for the inside interface and one for the outside. I see you already have one for the outside, but it is not applied to the interface. Like this: access-group outside_access_in in interface outside

Also create an ACL for the inside and apply it.

Testing packet-tracer from outside to inside is useless. Like this: "packet-tracer input outside icmp 75.75.75.75 0 0 10.1.10.11"

That is because it will always be dropped, since you have no static NAT mapping and no ACL entry permitting the traffic.

So the first packet-tracer test is the one we need, and it looks fine. We want to see traffic from the inside creating a flow. The firewall will allow the return flow (it is a stateful firewall).

So create and apply an ACL for the inside and for the outside and see if it works.

Let's use packet-tracer 2 here. What are you trying to achieve? If someone is trying to reach a web server on the outside interface of the firewall, it has to be a public IP, and that is what you should check in packet-tracer. The firewall will drop the packet because it does not see a translation for the IP address that exists on the inside interface, so the packet will be dropped.

So first you need to create a static NAT or a static PAT for the inside IP address, which should solve the problem.

Static NAT: static (inside,outside) 74.xx.xx.xx 10.1.10.11

Static PAT (assuming the server on the inside interface is running a web service): static (inside,outside) tcp 74.xx.xx.xx 80 10.1.10.11 80

Also, you need to permit inbound the traffic you want to reach this server. You only need to permit traffic initiated from outside the firewall; traffic initiated from the inside is considered secure and is allowed to go from a higher-security zone to a lower-security zone.
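As an added example (not from the question or either answer), here is a small Python audit that applies the two checks the answers describe to an ASA 8.2 running config: which access-lists are defined but never bound to anything, and whether a given inside host has a static translation that outside-initiated traffic could use. The config excerpt, the 203.0.113.0/24 public addresses standing in for the masked ones, and the three "fixed" lines are constructed for illustration.

```python
import re
# Constructed excerpt of the ASA 8.2(5) config in the question; masked public IPs -> 203.0.113.x placeholder.
ORIGINAL_CONFIG = """\
access-list outside_access_in extended permit icmp any any
access-list outside_1_cryptomap extended permit ip 10.1.10.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip 10.1.10.0 255.255.255.0 10.20.30.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.1.10.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
"""
# Same excerpt plus what the answers propose: an ACE for the server, a static PAT publishing it, the outside ACL bound.
FIXED_CONFIG = ORIGINAL_CONFIG + """\
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq 80
static (inside,outside) tcp 203.0.113.10 80 10.1.10.11 80
access-group outside_access_in in interface outside
"""

def unapplied_acls(config):
    """ACLs defined but referenced by no access-group, nat 0, or crypto map line."""
    defined, used = set(), set()
    for line in config.splitlines():
        if m := re.match(r"access-list (\S+) ", line):
            defined.add(m.group(1))
        for pat in (r"access-group (\S+) ", r"nat \(\S+\) \d+ access-list (\S+)",
                    r"crypto map \S+ \d+ match address (\S+)"):
            if m := re.match(pat, line):
                used.add(m.group(1))
    return sorted(defined - used)

def static_translations(config, real_ip):
    """(mapped_ip, proto, mapped_port) for each 8.2 'static' that publishes real_ip."""
    found = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "static":
            continue
        if t[2] in ("tcp", "udp") and len(t) >= 7 and t[5] == real_ip:
            found.append((t[3], t[2], t[4]))   # static PAT: proto mapped mport real rport
        elif t[2] not in ("tcp", "udp") and t[3] == real_ip:
            found.append((t[2], "ip", None))   # one-to-one static NAT: mapped real [mask]
    return found

def inbound_blockers(config, real_ip, outside_if="outside"):
    """The two reasons the answers give for an outside-initiated flow being dropped."""
    reasons = []
    if not static_translations(config, real_ip):
        reasons.append("no static NAT/PAT publishes " + real_ip)
    if not re.search(r"^access-group \S+ in interface %s$" % outside_if, config, re.M):
        reasons.append("no ACL applied inbound on " + outside_if)
    return reasons
```

Run `inbound_blockers(ORIGINAL_CONFIG, "10.1.10.11")` to see both findings from the page, and the same call on `FIXED_CONFIG` to see them cleared; the checks are syntax-level only and do not replace a real `packet-tracer` run on the device.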