Cisco ASA - My NAT forces traffic out the wrong interface!

Network Engineering Cisco
2021-07-17 10:33:51

Cisco ASA 5508, 9.6.3 code. I have 2 outside interfaces, BACKUP and PRIMARY, and an INSIDE interface. For some reason, even when BACKUP is down, NAT sends traffic out the BACKUP interface!


[EDIT: I have isolated the problem and made this question simpler]

I found that if you use twice NAT with a destination, the ASA routes the packet according to the NAT rule and completely ignores the routing table. Here is the relevant config.

interface GigabitEthernet0/0
 nameif PRIMARY
 security-level 0
 ip address 22.22.22.22 255.255.255.240
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 172.16.1.10 255.255.255.0
interface GigabitEthernet0/2
 nameif BACKUP
 security-level 0
 ip address 33.33.33.33 255.255.255.0

route OUTSIDE 0.0.0.0 0.0.0.0 22.22.22.23 1

object network OBJ-55.55.55.55
 host 55.55.55.55
object service OBJ-HTTP
 service tcp destination eq 80
nat (INSIDE,BACKUP) source static any interface destination static OBJ-55.55.55.55 OBJ-55.55.55.55 
nat (INSIDE,PRIMARY) source static any interface destination static OBJ-55.55.55.55 OBJ-55.55.55.55 
nat (INSIDE,any) source static any any service OBJ-HTTP OBJ-HTTP no-proxy-arp

My goal is to NAT traffic to 55.55.55.55 to the interface address, but not everything else on port 80.

When I apply this config and run a packet-tracer, we can see it takes the wrong path.

ASA-DEV# packet-tracer input INSIDE tcp 172.16.1.99 2222 55.55.55.55 80

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,BACKUP) source static any interface destination static OBJ-55.55.55.55 OBJ-55.55.55.55
Additional Information:
NAT divert to egress interface BACKUP-INTERNET-TEST
Untranslate 55.55.55.55/80 to 55.55.55.55/80

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ACL-INSIDE-IN in interface INSIDE
access-list ACL-INSIDE-IN extended permit ip any host 55.55.55.55
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,BACKUP) source static any interface destination static OBJ-55.55.55.55 OBJ-55.55.55.55
Additional Information:
Static translate 172.16.1.99/2222 to 192.168.79.1/2222

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: INSPECT
Subtype: inspect-http
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect http PMAP-HTTP-INSPECT
service-policy global_policy global
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (INSIDE,BACKUP) source static any interface destination static OBJ-55.55.55.55 OBJ-55.55.55.55
Additional Information:

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1404251, packet dispatched to next module

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: BACKUP
output-status: down
output-line-status: down
Action: allow

More show commands:

ASA-DEV(config)# sh route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 208.69.250.17 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 22.22.22.23, OUTSIDE
C        172.16.1.0 255.255.255.0 is directly connected, INSIDE

ASA-DEV(config)# sho int ip brie
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         22.22.22.22     YES CONFIG up                    up
GigabitEthernet0/1         172.16.1.10     YES CONFIG up                    up
GigabitEthernet0/2         33.33.33.33     YES manual down                  down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
GigabitEthernet0/4         unassigned      YES unset  administratively down down
GigabitEthernet0/5         unassigned      YES unset  administratively down down

As you can see, my routing table is simple, and my BACKUP interface (G0/2) isn't even up. So why on earth is NAT trying to route out the backup interface!?

1 Answer

This is a very specific part of ASA packet processing that many people are not aware of, called the NAT divert check.

Here is a brief explanation:

The NAT divert check (which overrides the contents of the routing table) looks at whether any NAT rule specifies a destination address translation for the inbound packet arriving on the interface.

If there is no rule that explicitly specifies how the destination IP address of that packet should be translated, the global routing table is consulted to determine the egress interface.

If there is a rule that explicitly specifies how the packet's destination IP address should be translated, the NAT rule "pulls" the packet to the other interface in the translation and effectively bypasses the global routing table.

Cisco has stated that these NAT rules are intended to override the routing table.

You can use an EEM script as a workaround to keep the NAT statements in place and have them continue to work. The script relies on IP SLA: it tracks the syslog message that an IP SLA failure triggers, and then adds or removes your NAT when that happens. http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118049-config-eem-00.html
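To make the divert logic concrete, here is a small Python model added for this answer (it is not Cisco code and not from the original post). It applies the poster's three NAT rules and default route, assuming the ASA takes the first matching twice-NAT rule with a destination translation in configuration order, and shows the egress interface the divert check picks versus a plain route lookup, plus the effect of dropping the rule whose egress interface is down, which is what the EEM workaround automates.

```python
import ipaddress

# Constructed model of the question's interfaces, route and NAT rules.
INTERFACES = {"PRIMARY": "up", "INSIDE": "up", "BACKUP": "down"}
# The post's default route points out the first outside interface (nameif PRIMARY).
ROUTES = [("0.0.0.0/0", "PRIMARY")]
# (ingress, egress, translated destination or None when the rule has no destination part)
NAT_RULES = [
    ("INSIDE", "BACKUP", "55.55.55.55/32"),
    ("INSIDE", "PRIMARY", "55.55.55.55/32"),
    ("INSIDE", "any", None),  # the port-80 rule: no destination translation, no divert
]

def route_lookup(dst):
    """Longest-prefix match against the routing table; returns the egress interface."""
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def select_egress(ingress, dst, rules=NAT_RULES):
    """NAT divert check first (assumed first-match in config order), routing table otherwise."""
    for rule_in, rule_out, dest in rules:
        if rule_in != ingress or dest is None or rule_out == "any":
            continue
        if ipaddress.ip_address(dst) in ipaddress.ip_network(dest):
            return rule_out, "nat-divert"
    return route_lookup(dst), "route-lookup"

def trace(ingress, dst, rules=NAT_RULES):
    """Mimic the tail of packet-tracer: egress interface, its status, and what chose it."""
    egress, reason = select_egress(ingress, dst, rules)
    return {"output-interface": egress, "output-status": INTERFACES.get(egress), "selected-by": reason}

def rules_without_down_egress(rules=NAT_RULES):
    """What the EEM workaround does: drop NAT rules whose egress interface is down."""
    return [r for r in rules if INTERFACES.get(r[1]) != "down"]

if __name__ == "__main__":
    print(trace("INSIDE", "55.55.55.55"))                          # BACKUP, down, nat-divert
    print(trace("INSIDE", "55.55.55.55", rules_without_down_egress()))  # PRIMARY, up, nat-divert
    print(trace("INSIDE", "8.8.8.8"))                               # PRIMARY, up, route-lookup
```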