Cisco ASA 5512 Internet connection

Network Engineering, Cisco, Cisco Firewall
2021-07-15 12:43:55

I am new to networking, but I am having a problem setting up an ASA 5512 firewall. The problem is that I cannot get Internet connectivity from inside my network.

I have created two interfaces: WAN, with a public IP address (security level 0), and LAN, with IP 192.168.35.4 and security level 100. We are actually replacing an old router, and this device is supposed to take over its address. I have added a static route 0\0 to my default gateway, and I can ping the Google DNS server from the router, but not from computers on the network. The network switch is also on 192.168.35.254.

For testing purposes I changed the WAN IP address to 192.168.99.1 and connected a computer to it with IP 192.168.99.2; when I try to ping it from the LAN interface, the ping does not come back. I have also enabled ICMP inspection and created a LAN-to-WAN NAT rule.

I would appreciate any help.

Result of the command: "show runn"

: Saved
:
ASA Version 9.1(2) 
!
hostname ciscoasa
enable password 0EnLStscpb84AAdM encrypted
names
!
interface GigabitEthernet0/0
 nameif WAN
 security-level 0
 ip address 192.168.99.1 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif LAN
 security-level 100
 ip address 192.168.35.6 255.255.255.0 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 nameif LanTest
 security-level 0
 ip address 192.168.9.1 255.255.255.0 
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif Management
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup WAN
dns domain-lookup LAN
dns server-group DefaultDNS
 name-server 208.67.222.222
 name-server 208.67.220.220
 name-server 8.8.8.8
 name-server 8.8.4.4
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Bruce
 host 192.168.35.203
object network Buzz
 host 192.168.35.202
object network Exchange
 host 192.168.35.205
object network Fiona
 host 192.168.35.25
object network Mirror2
 host 192.168.35.24
object network Remy
 host 192.168.35.147
object network VOIP-Phone
 host 192.168.35.152
object service 81
 service tcp source eq 81 destination eq 81 
object service Fax-TCP
 service tcp source eq 5061 destination eq 5061 
object service Fax-UDP
 service udp source eq 5061 destination eq 5061 
object service Phone1
 service tcp source range sip 5090 destination range sip 5090 
object service Phone2
 service udp source range sip 5090 destination range sip 5090 
object service Phone3
 service udp source range 7000 7499 destination range 7000 7499 
object service Phone4
 service udp source range 9000 9049 destination range 9000 9049 
object service Phone5
 service udp source eq 10000 destination eq 10000 
object service SVN
 service tcp source eq 3690 destination eq 3690 
object service Sipgate
 service udp source eq sip destination eq sip 
object service Telavox
 service udp source eq sip destination eq sip 
object service Voiptalk
 service udp source eq sip destination eq sip 
object network Dug
 host 192.168.35.39
object network obj-0.0.0.0
 subnet 0.0.0.0 0.0.0.0
access-list WAN_cryptomap extended permit ip 192.168.35.0 255.255.255.0 192.168.11.0 255.255.255.0 
access-list WAN_cryptomap_1 extended permit ip 192.168.35.0 255.255.255.0 192.168.135.0 255.255.255.0 
access-list WAN_cryptomap_4 extended permit ip 192.168.35.0 255.255.255.0 10.176.0.0 255.240.0.0 
access-list WAN_cryptomap_2 extended permit ip 192.168.35.0 255.255.255.0 192.168.13.0 255.255.255.0 
access-list WAN_access_in extended permit tcp any interface WAN eq pptp 
access-list WAN_access_in extended permit object Telavox any interface WAN 
access-list global_access extended permit object Phone1 object Dug any 
access-list global_access extended permit object Phone2 object Dug any 
access-list global_access extended permit object Phone3 any any 
access-list global_access extended permit object Phone4 any any 
access-list global_access extended permit object Phone5 any any 
access-list global_access extended permit object Phone1 object VOIP-Phone any 
access-list global_access extended permit object Phone2 object VOIP-Phone any 
access-list global_access extended deny object Phone1 any any 
access-list global_access extended deny object Phone2 any any 
access-list global_access extended permit tcp object Exchange any eq smtp 
access-list global_access extended permit tcp object Exchange any eq pop3 
pager lines 24
logging asdm informational
mtu Management 1500
mtu WAN 1500
mtu LAN 1500
mtu LanTest 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Management
icmp permit any LAN
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
nat (LAN,WAN) after-auto source dynamic any interface
access-group WAN_access_in in interface WAN
access-group global_access global
route WAN 0.0.0.0 0.0.0.0 192.168.99.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL 
aaa authentication enable console LOCAL 
aaa authorization command LOCAL 
aaa authorization exec LOCAL
http server enable
http 192.168.1.0 255.255.255.0 Management
http 192.168.0.0 255.255.0.0 Management
http 192.168.0.0 255.255.0.0 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

I have done what JJBurgess suggested; this is the output:

Result of the command: "packet-tracer input LAN tcp 192.168.45.2 80 192.168.99.2 80 detailed"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.99.0    255.255.255.0   WAN

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group LAN_access_in in interface LAN
access-list LAN_access_in extended permit ip any any 
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffa033ca70, priority=13, domain=permit, deny=false
    hits=1, user_data=0x7fff9b795140, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=LAN, output_ifc=any

Phase: 3
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (LAN,WAN) after-auto source dynamic any interface
Additional Information:
Dynamic translate 192.168.45.2/80 to 192.168.99.1/80
 Forward Flow based lookup yields rule:
 in  id=0x7fff9fdfa6a0, priority=6, domain=nat, deny=false
    hits=6, user_data=0x7fff9fb4e6a0, cs_id=0x0, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=LAN, output_ifc=WAN

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff9eba4d20, priority=0, domain=nat-per-session, deny=false
    hits=19194, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff9ff06120, priority=0, domain=inspect-ip-options, deny=true
    hits=7932, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=LAN, output_ifc=any

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (LAN,WAN) after-auto source dynamic any interface
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fff9f52e430, priority=6, domain=nat-reverse, deny=false
    hits=2, user_data=0x7fffa05f92b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=LAN, output_ifc=WAN

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fff9eba4d20, priority=0, domain=nat-per-session, deny=false
    hits=19196, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=any, output_ifc=any

Phase: 8
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fff9e391890, priority=0, domain=inspect-ip-options, deny=true
    hits=16734, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=WAN, output_ifc=any

Phase: 9
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 17528, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: LAN
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: allow
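Before working through the ACL and packet-tracer suggestions, it helps to check the posted configuration mechanically for the things a practitioner looks at first. The script below is an added example and is not part of the original post or any Cisco tool. It parses a constructed, trimmed excerpt of the "show runn" output above (embedded inline; interface names and addresses unchanged) and reports whether the default route's next hop is on the WAN subnet, whether a nat (LAN,WAN) rule exists, which interfaces have no inbound access-group and therefore rely on the security-level rule alone, whether more than one interface sits at security-level 0, and whether ASDM/HTTPS management is reachable from a broad prefix. The function names and the wording of the findings are assumptions of this example.

```python
"""Sanity checks over a Cisco ASA running-config (added example, not a Cisco tool)."""
import ipaddress

# Constructed excerpt of the "show runn" output posted above (names and addresses unchanged).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif WAN
 security-level 0
 ip address 192.168.99.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif LAN
 security-level 100
 ip address 192.168.35.6 255.255.255.0
!
interface GigabitEthernet0/3
 nameif LanTest
 security-level 0
 ip address 192.168.9.1 255.255.255.0
!
interface Management0/0
 management-only
 nameif Management
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
access-list WAN_access_in extended permit tcp any interface WAN eq pptp
nat (LAN,WAN) after-auto source dynamic any interface
access-group WAN_access_in in interface WAN
access-group global_access global
route WAN 0.0.0.0 0.0.0.0 192.168.99.2 1
http 192.168.0.0 255.255.0.0 LAN
"""


def parse_config(text):
    """Pull interfaces, static routes, access-groups, NAT and http lines out of a running-config."""
    cfg = {"interfaces": {}, "routes": [], "access_groups": {}, "nat": [], "http": []}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        tok = line.split()
        if line.startswith(" ") and current is not None:  # indented: interface sub-command
            if tok[0] == "nameif":
                current["nameif"] = tok[1]
                cfg["interfaces"][tok[1]] = current
            elif tok[0] == "security-level":
                current["level"] = int(tok[1])
            elif tok[:2] == ["ip", "address"] and len(tok) >= 4:
                current["net"] = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
            continue
        current = {"name": tok[1]} if tok[0] == "interface" else None
        if tok[0] == "route":
            cfg["routes"].append({"ifc": tok[1], "gw": ipaddress.ip_address(tok[4]),
                                  "dst": ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)})
        elif tok[0] == "access-group":  # "... in interface X" or "... global"
            cfg["access_groups"][tok[-1]] = tok[1]
        elif tok[0] == "nat":
            cfg["nat"].append(line)
        elif tok[0] == "http" and len(tok) == 4:
            cfg["http"].append((ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False), tok[3]))
    return cfg


def check_config(cfg):
    """Return human-readable findings; an empty list means nothing stood out."""
    findings, ifcs = [], cfg["interfaces"]
    # 1. A static route's next hop has to be on the subnet of the interface the route names.
    for r in cfg["routes"]:
        net = ifcs.get(r["ifc"], {}).get("net")
        if net is None or r["gw"] not in net:
            findings.append(f"route {r['dst']} via {r['gw']}: next hop is not on the {r['ifc']} subnet")
    # 2. LAN hosts reach WAN only through a NAT rule whose real interface is LAN.
    if not any(n.startswith("nat (LAN,WAN)") for n in cfg["nat"]):
        findings.append("no nat (LAN,WAN) rule: LAN sources are not translated towards WAN")
    # 3. An interface without an inbound ACL is governed by the security-level rule alone.
    for name, ifc in ifcs.items():
        if name not in cfg["access_groups"]:
            findings.append(f"{name} (security-level {ifc.get('level')}): no inbound access-group")
    # 4. Several security-level 0 interfaces are all "outside" from the ASA's point of view.
    zero = sorted(n for n, i in ifcs.items() if i.get("level") == 0)
    if len(zero) > 1:
        findings.append("more than one security-level 0 interface: " + ", ".join(zero))
    # 5. ASDM/HTTPS management should not be reachable from a broad prefix.
    for net, ifc in cfg["http"]:
        if net.prefixlen < 24:
            findings.append(f"http {net} {ifc}: management reachable from a /{net.prefixlen}")
    return findings


if __name__ == "__main__":
    for finding in check_config(parse_config(SAMPLE_CONFIG)):
        print("-", finding)
```

Run against this excerpt, the script raises no route or NAT finding: the next hop 192.168.99.2 is on the WAN subnet and the nat (LAN,WAN) rule is present. What it does report (LAN, LanTest and Management without an inbound access-group, two security-level 0 interfaces, and http management open to 192.168.0.0/16) are hygiene points visible in the posted config; they are worth tightening once connectivity works, but the script cannot tell you why the ping fails.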
2 Answers

Maybe try a plain permit and see whether you get any movement. If you do, we can then take steps to get closer to your end goal.

Try this:

access-list ACL_INSIDE_TO_OUTSIDE extended permit ip any any
access-group ACL_INSIDE_TO_OUTSIDE in interface LAN

For the computer you have on the WAN side... if you are using the Windows firewall or some similar firewall on that computer, disable it. =)

In privileged (enable) mode, run the command:

packet-tracer input LAN tcp 192.168.35.203 80 192.168.99.2 80 detailed

and look at the output. If there really is a problem with the configuration, it should give you an idea of why the packet is being dropped.

You can also run captures on both interfaces to check whether packets are arriving where you think they should, by setting up an access list that matches the packets you want to capture and applying it to the interface like this:

capture {capture-name} interface {interface-name} access-list {access-list-name}
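packet-tracer output is long, and what a troubleshooter wants from it is the first phase that returns DROP, the config lines that phase matched, and the final Drop-reason. The script below is an added example, not part of the answer above or of any Cisco tool. It parses two constructed traces embedded inline: an allow trace condensed from the one posted in the question, and a drop trace in the same format showing what an ACL denial looks like (the "Drop-reason: (acl-drop) Flow is denied by configured rule" line is the standard ASA wording, assumed here for the sample). It also checks whether a trace's source address actually belongs to the input interface's subnet: the trace in the question used 192.168.45.2 as the LAN source, which is not in 192.168.35.0/24, whereas the suggested command uses 192.168.35.203. Function names are assumptions of this example.

```python
"""Summarize Cisco ASA packet-tracer output (added example, not a Cisco tool)."""
import ipaddress

# Constructed allow trace, condensed from the one posted in the question.
ALLOW_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.99.0    255.255.255.0   WAN

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group LAN_access_in in interface LAN
access-list LAN_access_in extended permit ip any any
Additional Information:

Result:
input-interface: LAN
output-interface: WAN
Action: allow
"""

# Constructed drop trace in the same format: an inbound WAN flow denied by the WAN ACL.
DROP_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group WAN_access_in in interface WAN
Additional Information:

Result:
input-interface: WAN
output-interface: LAN
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_trace(text):
    """Split a trace into per-phase records plus the key/value pairs of the final Result block."""
    phases, final, cur, section, in_final = [], {}, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":", 1)[1]), "type": "", "subtype": "", "result": "", "config": []}
            phases.append(cur)
            section, in_final = None, False
        elif line == "Result:":  # a bare "Result:" opens the final summary block
            cur, in_final = None, True
        elif in_final and ":" in line:
            key, value = line.split(":", 1)
            final[key.strip()] = value.strip()
        elif cur is not None:
            for key in ("Type", "Subtype", "Result"):
                if line.startswith(key + ":"):
                    cur[key.lower()] = line[len(key) + 1:].strip()
            if line in ("Config:", "Additional Information:"):
                section = line
            elif section == "Config:" and line:
                cur["config"].append(line)
    return {"phases": phases, "final": final}


def first_drop(trace):
    return next((p for p in trace["phases"] if p["result"].upper() == "DROP"), None)


def summarize(trace):
    """Action, egress interface, and (when dropped) the phase, its config lines and the reason."""
    final, drop = trace["final"], first_drop(trace)
    return {
        "action": final.get("Action", "").lower(),
        "out_ifc": final.get("output-interface"),
        "drop_phase": f"{drop['phase']} {drop['type']} {drop['subtype']}".strip() if drop else None,
        "drop_config": drop["config"] if drop else [],
        "drop_reason": final.get("Drop-reason"),
    }


def source_on_input_subnet(src, ifc_subnet):
    # A trace only represents a real host when its source sits on the input interface's subnet.
    return ipaddress.ip_address(src) in ipaddress.ip_network(ifc_subnet, strict=False)


if __name__ == "__main__":
    for name, text in (("allow", ALLOW_TRACE), ("drop", DROP_TRACE)):
        print(name, summarize(parse_trace(text)))
    # The trace in the question used 192.168.45.2 as a LAN source; LAN is 192.168.35.0/24.
    print("192.168.45.2 on LAN subnet:", source_on_input_subnet("192.168.45.2", "192.168.35.0/24"))
```

Pasting a real trace into parse_trace in place of the constructed samples works the same way; the phase type and subtype tell you which module (ACCESS-LIST, NAT, ROUTE-LOOKUP) refused the packet, and the Config lines under that phase name the exact rule to look at.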