ASA cannot ping outside through NAT on the border router

network-engineering cisco nat gns3 traffic
2021-07-08 21:16:19

I have the following topology in GNS3. Basically, the cloud NAT-1 is the Internet, R1 is my border router doing NAT, and FWASAv-1 should be able to reach the Internet, but it can't. I created another leg with R2 to test the NAT and, to my surprise, it works fine. Here is the relevant configuration:

[Edit]

ASA --- R1 --- Internet --- Google DNS (8.8.8.8)

From the ASA, I am trying to ping Google DNS.

R1

R1#sh run
!
interface FastEthernet0/0
 ip address 172.16.31.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip nat inside source list 10 interface FastEthernet0/1 overload
!
access-list 10 permit any

R1#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            172.16.31.1     YES NVRAM  up                    up      
FastEthernet0/1            192.168.122.106 YES DHCP   up                    up      
FastEthernet1/0            10.0.0.1        YES NVRAM  up                    up      
NVI0                       172.16.31.1     YES unset  up                    up  
! -- I don't know what that NVI0 is


R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.122.1 to network 0.0.0.0

C    192.168.122.0/24 is directly connected, FastEthernet0/1
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.31.0 is directly connected, FastEthernet0/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, FastEthernet1/0
S*   0.0.0.0/0 [254/0] via 192.168.122.1

R1#ping 192.168.122.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.122.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/15/40 ms
R1#ping 8.8.8.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/20/32 ms

Topology diagram: https://i.stack.imgur.com/yLtFj.png

R2

R2#sh run
!
ip name-server 192.168.122.1
!
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.0.0.1 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 10.0.0.1

R2#ping 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/13/24 ms

R2#ping 192.168.122.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.122.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 24/28/32 ms

R2#ping 8.8.8.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 36/46/56 ms

FWASAv-1

ASAv1# sh run ip
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 172.16.0.1 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 172.16.10.1 255.255.255.0 
!
interface GigabitEthernet0/6
 nameif outside
 security-level 0
 ip address 172.16.31.2 255.255.255.0 
!
ASAv1# sh run route
route outside 0.0.0.0 0.0.0.0 172.16.31.1 1
! --- I don't know what those deny below are for
ASAv1# sh run xlate 
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
!
ASAv1#  ping 192.168.122.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.122.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASAv1# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASAv1# ping 172.16.31.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.31.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/10 ms

Debug on R1 (debug ip nat)

! When successfully pinging 8.8.8.8 from R1
*Mar  1 01:38:32.039:  mapping pointer available mapping:0
*Mar  1 01:38:32.039: NAT: [0] Allocated Port for 10.0.0.2 -> 192.168.122.106: wanted 21 got 21
*Mar  1 01:38:32.043: NAT: i: icmp (10.0.0.2, 21) -> (8.8.8.8, 21) [86]     
*Mar  1 01:38:32.043: NAT: s=10.0.0.2->192.168.122.106, d=8.8.8.8 [86]
*Mar  1 01:38:32.075: NAT: o: icmp (8.8.8.8, 21) -> (192.168.122.106, 21) [35052]     
*Mar  1 01:38:32.075: NAT: s=8.8.8.8, d=192.168.122.106->10.0.0.2 [35052]
*Mar  1 01:38:32.095: NAT: i: icmp (10.0.0.2, 21) -> (8.8.8.8, 21) [87]     
*Mar  1 01:38:32.095: NAT: s=10.0.0.2->192.168.122.106, d=8.8.8.8 [87]
*Mar  1 01:38:32.127: NAT: o: icmp (8.8.8.8, 21) -> (192.168.122.106, 21) [35081]     
*Mar  1 01:38:32.127: NAT: s=8.8.8.8, d=192.168.122.106->10.0.0.2 [35081]
*Mar  1 01:38:32.131: NAT: i: icmp (10.0.0.2, 21) -> (8.8.8.8, 21) [88]     
*Mar  1 01:38:32.131: NAT: s=10.0.0.2->192.168.122.106, d=8.8.8.8 [88]
*Mar  1 01:38:32.167: NAT: o: icmp (8.8.8.8, 21) -> (192.168.122.106, 21) [35115]     
*Mar  1 01:38:32.167: NAT: s=8.8.8.8, d=192.168.122.106->10.0.0.2 [35115]
*Mar  1 01:38:32.187: NAT: i: icmp (10.0.0.2, 21) -> (8.8.8.8, 21) [89]     
*Mar  1 01:38:32.187: NAT: s=10.0.0.2->192.168.122.106, d=8.8.8.8 [89]
*Mar  1 01:38:32.215: NAT: o: icmp (8.8.8.8, 21) -> (192.168.122.106, 21) [35153]     
*Mar  1 01:38:32.215: NAT: s=8.8.8.8, d=192.168.122.106->10.0.0.2 [35153]
*Mar  1 01:38:32.223: NAT: i: icmp (10.0.0.2, 21) -> (8.8.8.8, 21) [90]     
*Mar  1 01:38:32.227: NAT: s=10.0.0.2->192.168.122.106, d=8.8.8.8 [90]
*Mar  1 01:38:32.255: NAT: o: icmp (8.8.8.8, 21) -> (192.168.122.106, 21) [35187]     
*Mar  1 01:38:32.255: NAT: s=8.8.8.8, d=192.168.122.106->10.0.0.2 [35187]

! When pinging 8.8.8.8 from ASAv and failing
*Mar  1 01:39:59.387:  mapping pointer available mapping:0
*Mar  1 01:39:59.387: NAT: [0] Allocated Port for 172.16.31.2 -> 192.168.122.106: wanted 56364 got 56364
*Mar  1 01:39:59.391: NAT*: i: icmp (172.16.31.2, 56364) -> (8.8.8.8, 56364) [7968]
*Mar  1 01:39:59.391: NAT*: i: icmp (172.16.31.2, 56364) -> (8.8.8.8, 56364) [7968]
*Mar  1 01:39:59.391: NAT*: s=172.16.31.2->192.168.122.106, d=8.8.8.8 [7968]
R1#
*Mar  1 01:40:01.415:  mapping pointer available mapping:0
*Mar  1 01:40:01.415: NAT: [0] Allocated Port for 172.16.31.2 -> 192.168.122.106: wanted 56365 got 56365
*Mar  1 01:40:01.415: NAT*: i: icmp (172.16.31.2, 56365) -> (8.8.8.8, 56365) [15738]
*Mar  1 01:40:01.419: NAT*: i: icmp (172.16.31.2, 56365) -> (8.8.8.8, 56365) [15738]
*Mar  1 01:40:01.419: NAT*: s=172.16.31.2->192.168.122.106, d=8.8.8.8 [15738]
R1#
*Mar  1 01:40:03.399:  mapping pointer available mapping:0
*Mar  1 01:40:03.399: NAT: [0] Allocated Port for 172.16.31.2 -> 192.168.122.106: wanted 56366 got 56366
*Mar  1 01:40:03.399: NAT*: i: icmp (172.16.31.2, 56366) -> (8.8.8.8, 56366) [22464]
*Mar  1 01:40:03.403: NAT*: i: icmp (172.16.31.2, 56366) -> (8.8.8.8, 56366) [22464]
*Mar  1 01:40:03.403: NAT*: s=172.16.31.2->192.168.122.106, d=8.8.8.8 [22464]
R1#
*Mar  1 01:40:05.403:  mapping pointer available mapping:0
*Mar  1 01:40:05.403: NAT: [0] Allocated Port for 172.16.31.2 -> 192.168.122.106: wanted 56367 got 56367
*Mar  1 01:40:05.403: NAT*: i: icmp (172.16.31.2, 56367) -> (8.8.8.8, 56367) [29396]
*Mar  1 01:40:05.407: NAT*: i: icmp (172.16.31.2, 56367) -> (8.8.8.8, 56367) [29396]
*Mar  1 01:40:05.407: NAT*: s=172.16.31.2->192.168.122.106, d=8.8.8.8 [29396]
R1#
*Mar  1 01:40:07.407:  mapping pointer available mapping:0
*Mar  1 01:40:07.407: NAT: [0] Allocated Port for 172.16.31.2 -> 192.168.122.106: wanted 56368 got 56368
*Mar  1 01:40:07.407: NAT*: i: icmp (172.16.31.2, 56368) -> (8.8.8.8, 56368) [2676]
*Mar  1 01:40:07.411: NAT*: i: icmp (172.16.31.2, 56368) -> (8.8.8.8, 56368) [2676]
*Mar  1 01:40:07.411: NAT*: s=172.16.31.2->192.168.122.106, d=8.8.8.8 [2676]

I also captured the traffic between R1 and Switch1. When the ping comes from R2, the packets show up there already translated. When pinging from the ASA, no ICMP packets show up there at all.

Is it something in the ASA? I don't know what else to do. I can provide more configuration, debugs, whatnot.
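An added example (not from the question or either answer) that does with code what a reader does by eye on the `debug ip nat` output above: it pairs each inside-to-outside `i:` translation with a returning `o:` packet by ICMP id and reports inside hosts whose echoes never came back through R1. The sample lines are constructed in the format shown on the page; the function and variable names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the `debug ip nat` format shown on the page: one echo from R2
# (10.0.0.2) that gets a reply, one echo from the ASA (172.16.31.2) that never does.
SAMPLE_DEBUG = """\
*Mar  1 01:38:32.043: NAT: i: icmp (10.0.0.2, 21) -> (8.8.8.8, 21) [86]
*Mar  1 01:38:32.043: NAT: s=10.0.0.2->192.168.122.106, d=8.8.8.8 [86]
*Mar  1 01:38:32.075: NAT: o: icmp (8.8.8.8, 21) -> (192.168.122.106, 21) [35052]
*Mar  1 01:38:32.075: NAT: s=8.8.8.8, d=192.168.122.106->10.0.0.2 [35052]
*Mar  1 01:39:59.391: NAT*: i: icmp (172.16.31.2, 56364) -> (8.8.8.8, 56364) [7968]
*Mar  1 01:39:59.391: NAT*: i: icmp (172.16.31.2, 56364) -> (8.8.8.8, 56364) [7968]
*Mar  1 01:39:59.391: NAT*: s=172.16.31.2->192.168.122.106, d=8.8.8.8 [7968]
"""

# Per-packet translation lines: direction i (inside->outside) or o (outside->inside).
# For ICMP the "port" field is the ICMP identifier, which the overload NAT keeps here.
LINE_RE = re.compile(
    r"NAT\*?: (?P<dir>[io]): icmp \((?P<src>[\d.]+), (?P<sport>\d+)\) -> "
    r"\((?P<dst>[\d.]+), (?P<dport>\d+)\) \[(?P<ipid>\d+)\]"
)

def pair_icmp_translations(debug_text):
    """Return {(inside_host, icmp_id): (echoes_sent, replies_returned)}."""
    counts = defaultdict(lambda: [0, 0])
    id_owner = {}          # ICMP id -> inside host that last sent an echo with it
    last = None            # previous parsed line, to collapse duplicated debug entries
    for line in debug_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue       # "s=...->..." summary lines carry no new packet
        fields = m.groupdict()
        if fields == last:
            continue       # same packet printed twice, as in the NAT* fast-path output
        last = fields
        if fields["dir"] == "i":
            id_owner[fields["sport"]] = fields["src"]
            counts[(fields["src"], fields["sport"])][0] += 1
        else:
            owner = id_owner.get(fields["dport"])
            if owner is not None:
                counts[(owner, fields["dport"])][1] += 1
    return {key: tuple(val) for key, val in counts.items()}

def unanswered_hosts(debug_text):
    """Inside hosts whose translated echoes never produced a returning 'o:' packet."""
    pairs = pair_icmp_translations(debug_text)
    return sorted({host for (host, _), (sent, got) in pairs.items() if sent and not got})
```

Run against a full debug capture, a host listed by `unanswered_hosts` had its echoes translated by R1 but no reply ever reached R1's outside interface, which is exactly the asymmetry the R2 and ASA logs above show.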

2 Answers

By default, ping (ICMP) is not allowed through a Cisco ASA; you need to create a rule on outside->in to allow the ICMP replies. The Cisco ASA is a fully stateful firewall, except for ping.

So, my question was answered on the Cisco website. Basically, I was using an IOSv image for the ASA and an img image for the routers. Somehow they conflicted. When I changed both to IOSv, it worked fine.