The OpenNET Project / Index page

"ASA 5506 - inter-VLAN routing does not work"
Forum: Cisco routers and other equipment (ACL, traffic filtering and rate limiting)
Message from 3fc (ok) on 06-Dec-17, 15:27
Good afternoon!

There are two ASA 5506s joined in a stateful failover pair over an EtherChannel (ports Gi1/3,4). Port Gi1/1 is outside, Gi1/2 is the internal network, with several subinterfaces created on it. Gi1/2 faces a certain process (technological) network. Gi1/1 is connected to a Cisco 2950, which in turn connects to a router leading into another network.

The problem: hosts (mostly Windows) in the different subnets of the internal network do not see the gateway, and the ASA cannot ping them. The gateway for each VLAN is configured on the hosts (the address of the corresponding Gi1/2 subinterface). Pings through the external interface work fine.

The configuration is not finished yet; ACLs for filtering will be added later. For now I am stuck at this stage (I am new to working with the ASA, please don't judge too harshly).

Config:
---------------------
ASA Version 9.7(1)4
!
hostname FRW1
domain-name ***
enable password ***
names

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 10.203.5.63 255.255.255.0
!
interface GigabitEthernet1/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2.10
vlan 10
nameif TM
security-level 100
ip address 10.203.4.30 255.255.255.224
!
interface GigabitEthernet1/2.20
vlan 20
nameif RAS
security-level 100
ip address 10.203.4.46 255.255.255.240
!
interface GigabitEthernet1/2.30
vlan 30
nameif RAS_RSDU
security-level 100
ip address 10.203.4.54 255.255.255.248
!
interface GigabitEthernet1/2.31
vlan 31
nameif TM_RDU
security-level 100
ip address 10.203.4.62 255.255.255.248
!
interface GigabitEthernet1/2.40
vlan 40
nameif SCADA
security-level 100
ip address 10.203.4.94 255.255.255.224
!
interface GigabitEthernet1/2.100
vlan 100
nameif IT_MANAGEMENT
security-level 100
ip address 10.203.4.110 255.255.255.240
!
interface GigabitEthernet1/3
channel-group 1 mode on
!
interface GigabitEthernet1/4
channel-group 1 mode on
!
interface Management1/1
management-only
nameif manage
security-level 100
ip address 10.203.4.117 255.255.255.252
!
interface Port-channel1
description LAN/STATE Failover Interface
lacp max-bundle 8
port-channel load-balance src-mac
!
ftp mode passive
clock timezone MSK 3
dns server-group DefaultDNS
domain-name ***
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network SCADA_NAT_LAN
subnet 10.203.4.64 255.255.255.224
object network TM_NAT_LAN
subnet 10.203.4.0 255.255.255.224
object network RAS_NAT_LAN
subnet 10.203.4.32 255.255.255.240
object network RAS_RSDU_NAT_LAN
subnet 10.203.4.48 255.255.255.248
object network TM_RDU_NAT_LAN
subnet 10.203.4.56 255.255.255.248
object network IT_MANAGEMENT_NAT_LAN
subnet 10.203.4.96 255.255.255.240
object network NAT_RAS_2404
host 10.203.4.33
object network NAT_RAS_FTP
host 10.203.4.33
object network NAT_CS1
host 10.203.4.1
object network NAT_CS2
host 10.203.4.2
object-group network TM
network-object 10.203.4.0 255.255.255.224
object-group network RAS
network-object 10.203.4.32 255.255.255.240
object-group network RAS_RSDU
network-object 10.203.4.48 255.255.255.248
object-group network TM_RDU
network-object 10.203.4.56 255.255.255.248
object-group network SCADA
network-object 10.203.4.64 255.255.255.224
object-group network IT_MANAGEMENT
network-object 10.203.4.96 255.255.255.240
object-group network ARM_RAS
network-object host 10.203.4.38
object-group network ARM_SCADA
network-object host 10.203.4.77
object-group network ARM_SOTI
network-object host 10.203.4.104
access-list ACL_OUTSIDE_IN extended permit tcp any object NAT_RAS_2404 eq 2404
access-list ACL_OUTSIDE_IN extended permit tcp any object NAT_RAS_FTP eq ftp
access-list ACL_OUTSIDE_IN extended permit tcp any object NAT_CS1 eq 2404
access-list ACL_OUTSIDE_IN extended permit tcp any object NAT_CS2 eq 2404
access-list ACL_OUTSIDE_IN extended deny ip any any
pager lines 24
logging enable
logging buffer-size 16386
logging monitor critical
logging buffered informational
mtu manage 1500
mtu outside 1500
mtu TM 1500
mtu RAS 1500
mtu RAS_RSDU 1500
mtu TM_RDU 1500
mtu SCADA 1500
mtu IT_MANAGEMENT 1500
failover
failover lan unit primary
failover lan interface STATE Port-channel1
failover polltime unit 1 holdtime 3
failover polltime interface msec 500 holdtime 5
failover link STATE Port-channel1
failover interface ip STATE 10.203.4.113 255.255.255.252 standby 10.203.4.114
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network SCADA_NAT_LAN
nat (SCADA,outside) dynamic interface
object network TM_NAT_LAN
nat (TM,outside) dynamic interface
object network RAS_NAT_LAN
nat (RAS,outside) dynamic interface
object network RAS_RSDU_NAT_LAN
nat (RAS_RSDU,outside) dynamic interface
object network TM_RDU_NAT_LAN
nat (TM_RDU,outside) dynamic interface
object network IT_MANAGEMENT_NAT_LAN
nat (IT_MANAGEMENT,outside) dynamic interface
object network NAT_RAS_2404
nat (RAS,outside) static 10.203.5.11 service tcp 2404 2404
object network NAT_RAS_FTP
nat (RAS,outside) static 10.203.5.11 service tcp ftp ftp
object network NAT_CS1
nat (TM,outside) static 10.203.5.12 service tcp 2404 2404
object network NAT_CS2
nat (TM,outside) static 10.203.5.13 service tcp 2404 2404
access-group ACL_OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 10.203.5.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 10.203.4.27 255.255.255.255 manage
ssh 10.203.4.96 255.255.255.240 IT_MANAGEMENT
ssh 10.203.4.104 255.255.255.255 IT_MANAGEMENT
ssh timeout 15
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.203.4.79
dynamic-access-policy-record DfltAccessPolicy
username *** password *** privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:cb9dc30b5c780c8d2a78334ea2cabb7e
: end

---------------------
packet-tracer output:
---------------------
FRW1# packet-tracer input TM icmp 10.203.4.30 0 0 10.203.4.27 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.203.4.27 using egress ifc  TM

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x2aaac26fbc80, priority=501, domain=permit, deny=true
        hits=7, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=10.203.4.30, mask=255.255.255.255, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=TM, output_ifc=any

Result:
input-interface: TM
input-status: up
input-line-status: up
output-interface: TM
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
-----------------------------

FRW1# packet-tracer input TM icmp 10.203.4.27 8 0 10.203.4.30 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.203.4.30 using egress ifc  identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x2aaac2a95280, priority=120, domain=permit, deny=false
        hits=0, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=TM, output_ifc=identity

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x2aaac1deeb40, priority=0, domain=nat-per-session, deny=true
        hits=84, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x2aaac2a97020, priority=0, domain=inspect-ip-options, deny=true
        hits=0, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=TM, output_ifc=any

Phase: 5
Type: CLUSTER-REDIRECT
Subtype: cluster-redirect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x2aaac2a90d90, priority=208, domain=cluster-redirect, deny=false
        hits=1, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=TM, output_ifc=identity

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x2aaac2a96040, priority=66, domain=inspect-icmp, deny=false
        hits=1, user_data=0x2aaac2b3d140, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=TM, output_ifc=identity

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x2aaac2a96830, priority=66, domain=inspect-icmp-error, deny=false
        hits=1, user_data=0x2aaac2b3bec0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=TM, output_ifc=any

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2655, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: TM
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: allow
------------------
I'd appreciate help with the configuration!


1. "ASA 5506 - inter-VLAN routing does not work"
Message from BJ (ok) on 08-Dec-17, 11:06
icmp permit any any TM
Created 1996-2017 by Maxim Chirkov  