
ASA 5505: outside access works for clients with dynamically assigned IP addresses, but not for clients with static IP addresses

We have an ASA configured for Internet access that works fine for clients whose IP address is assigned by DHCP, but not for clients with a manually assigned IP address.

For example, if the DHCP server is configured to hand out IP addresses from 172.16.101.1 to 172.16.101.10, a device may get the IP address 172.16.101.1. That machine will have Internet connectivity.

If we then configure the dhcpd range as 172.16.101.2 to 172.16.101.10 and statically assign the IP address 172.16.101.1 to a client, it has no Internet access. It does, however, have internal access and VPN access.

If I try to ping 8.8.8.8, the following is logged:

ASA 3 Feb 08 2013 15:51:01 8.8.8.8 xxx.xxx.xxx.100 Deny inbound icmp src outside:8.8.8.8 dst servers:xxx.xxx.xxx.100 (type 0, code 0)

Where "servers" is the name of the internal interface the request was made from, and "xxx.xxx.xxx.100" is the outside IP address. It looks as if DNAT isn't working when the client's IP address is statically assigned.

Has anyone seen this behaviour before? It has me stumped!

Current configuration:

ASA Version 8.2(5)
!
hostname hayes-fw
enable password XXXXXXXXX encrypted
passwd XXXXXXXXX encrypted
names
name 212.xxx.xxx.2 DUNSTABLE
!
interface Ethernet0/0
 description Internet
 switchport access vlan 105
 switchport trunk allowed vlan 100,109
 switchport trunk native vlan 999
 switchport mode trunk
 speed 100
 duplex full
!
interface Ethernet0/1
 description Failover back-to-back
 switchport access vlan 254
!
interface Ethernet0/2
 description Internal
 switchport trunk allowed vlan 100-106
 switchport trunk native vlan 999
 switchport mode trunk
 speed 100
 duplex full
!
interface Ethernet0/3
 description unused
 switchport trunk allowed vlan 100-104
!
interface Ethernet0/4
 description temp-inside
 switchport trunk allowed vlan 60
 switchport trunk native vlan 60
 switchport mode trunk
!
interface Ethernet0/5
 description unused
 switchport access vlan 253
 shutdown
!
interface Ethernet0/6
 description unused
 switchport access vlan 253
 shutdown
!
interface Ethernet0/7
 description unused
 switchport access vlan 100
!
interface Vlan60
 nameif temp-inside
 security-level 100
 ip address 172.xx.60.253 255.255.255.0
!
interface Vlan100
 description Mgmt
 nameif mgmt
 security-level 100
 ip address 172.xx.100.253 255.255.255.0 standby 172.16.100.252
!
interface Vlan101
 nameif servers
 security-level 90
 ip address 172.16.101.253 255.255.255.0 standby 172.16.101.252
!
interface Vlan102
 description Warehouse
 nameif office
 security-level 80
 ip address 172.16.102.253 255.255.255.0 standby 172.16.102.252
!
interface Vlan103
 nameif warehouse-cameras
 security-level 60
 ip address 172.16.103.253 255.255.255.0 standby 172.16.103.252
!
interface Vlan104
 description Office
 nameif warehouse
 security-level 70
 ip address 172.16.104.253 255.255.255.0 standby 172.16.104.252
!
interface Vlan105
 nameif voip
 security-level 50
 ip address 172.16.105.253 255.255.255.0
!
interface Vlan106
 nameif guest
 security-level 40
 ip address 172.16.106.253 255.255.255.0
!
interface Vlan109
 nameif outside
 security-level 0
 ip address 80.xxx.xx.100 255.255.255.248 standby 80.xxx.xx.101
!
interface Vlan254
 description LAN Failover Interface
!
ftp mode passive
object-group network FELTHAM-NETWORKS
 network-object 172.16.2.0 255.255.255.0
 network-object 172.16.3.0 255.255.255.0
 network-object 172.16.4.0 255.255.255.0
 network-object host 217.xxx.xxx.155
object-group network HAYES-NETWORKS
 network-object 172.16.100.0 255.255.255.0
 network-object 172.16.102.0 255.255.255.0
 network-object 172.16.103.0 255.255.255.0
 network-object 172.16.104.0 255.255.255.0
 network-object host 192.168.1.253
 network-object 80.xxx.xx.96 255.255.255.248
 network-object 172.16.60.0 255.255.255.0
 network-object 172.16.101.0 255.255.255.0
object-group network DUNSTABLE-NETWORKS
 network-object 172.16.33.0 255.255.255.0
 network-object host 212.xxx.xxx.3
access-list DUNSTABLE-VPN extended permit ip object-group HAYES-NETWORKS object-group DUNSTABLE-NETWORKS
access-list FELTHAM-VPN extended permit ip object-group HAYES-NETWORKS object-group FELTHAM-NETWORKS
access-list Nat0 extended permit ip object-group HAYES-NETWORKS object-group DUNSTABLE-NETWORKS
access-list Nat0 extended permit ip object-group HAYES-NETWORKS object-group FELTHAM-NETWORKS
access-list Nat0 extended permit ip object-group HAYES-NETWORKS object-group HAYES-NETWORKS
access-list Inbound extended permit icmp any interface voip
access-list outside_nat0_outbound extended permit ip object-group HAYES-NETWORKS object-group DUNSTABLE-NETWORKS
access-list outside_nat0_outbound extended permit ip object-group HAYES-NETWORKS object-group FELTHAM-NETWORKS
access-list outside_nat0_outbound extended permit ip object-group HAYES-NETWORKS object-group HAYES-NETWORKS
access-list outside_cryptomap extended permit ip object-group HAYES-NETWORKS object-group DUNSTABLE-NETWORKS
access-list outside_cryptomap_1 extended permit ip object-group HAYES-NETWORKS object-group FELTHAM-NETWORKS
access-list office_nat0_outbound extended permit ip object-group HAYES-NETWORKS object-group DUNSTABLE-NETWORKS
access-list office_nat0_outbound extended permit ip object-group HAYES-NETWORKS object-group FELTHAM-NETWORKS
access-list office_nat0_outbound extended permit ip object-group HAYES-NETWORKS object-group HAYES-NETWORKS
pager lines 24
logging enable
logging timestamp
logging buffer-size 8192
logging buffered debugging
logging asdm informational
mtu temp-inside 1500
mtu mgmt 1500
mtu servers 1500
mtu office 1500
mtu warehouse-cameras 1500
mtu warehouse 1500
mtu voip 1500
mtu guest 1500
mtu outside 1500
ip local pool HAYES-POOL 172.16.104.25-172.16.104.50
failover
failover lan unit secondary
failover lan interface failover Vlan254
failover interface ip failover 192.168.254.9 255.255.255.252 standby 192.168.254.10
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (temp-inside) 0 access-list Nat0
nat (temp-inside) 1 172.16.60.0 255.255.255.0
nat (servers) 0 access-list Nat0
nat (servers) 1 172.16.101.0 255.255.255.0
nat (office) 0 access-list office_nat0_outbound
nat (office) 1 172.16.102.0 255.255.255.0
nat (warehouse) 0 access-list Nat0
nat (warehouse) 1 172.16.104.0 255.255.255.0
nat (outside) 0 access-list Nat0
nat (outside) 1 172.16.101.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 80.168.58.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization exec authentication-server
http server enable
http 172.16.33.0 255.255.255.0 warehouse
http 172.16.100.0 255.255.255.0 mgmt
http 172.16.30.0 255.255.255.0 warehouse
http 172.16.33.0 255.255.255.0 temp-inside
http 172.16.60.0 255.255.255.0 temp-inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp servers
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DM-HAYES 10 set transform-set ESP-AES-128-SHA
crypto dynamic-map DM-HAYES 10 set security-association lifetime seconds 288000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map CM-VPN 10 match address DUNSTABLE-VPN
crypto map CM-VPN 10 set pfs
crypto map CM-VPN 10 set peer 212.xxx.xxx.3
crypto map CM-VPN 10 set transform-set ESP-AES-128-SHA
crypto map CM-VPN 20 match address FELTHAM-VPN
crypto map CM-VPN 20 set pfs
crypto map CM-VPN 20 set peer 217.xxx.xxx.155
crypto map CM-VPN 20 set transform-set ESP-AES-128-SHA
crypto map CM-VPN 99 ipsec-isakmp dynamic DM-HAYES
crypto map outside_map2 10 match address outside_cryptomap_1
crypto map outside_map2 10 set pfs
crypto map outside_map2 10 set peer 217.xxx.xxx.155
crypto map outside_map2 10 set transform-set ESP-AES-128-SHA
crypto map outside_map2 20 match address outside_cryptomap
crypto map outside_map2 20 set pfs
crypto map outside_map2 20 set peer 212.xxx.xxx.3
crypto map outside_map2 20 set transform-set ESP-AES-128-SHA
crypto map outside_map2 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh scopy enable
ssh 172.16.60.0 255.255.255.0 temp-inside
ssh 172.16.100.0 255.255.255.0 mgmt
ssh 172.16.33.0 255.255.255.0 mgmt
ssh 172.16.33.0 255.255.255.0 warehouse
ssh timeout 60
ssh version 2
console timeout 0
management-access warehouse
dhcp-client update dns server both
dhcpd address 172.16.60.1-172.16.60.175 temp-inside
dhcpd dns 79.xxx.xxx.84 interface temp-inside
dhcpd domain hayes.com interface temp-inside
dhcpd enable temp-inside
!
dhcpd address 172.16.101.2-172.16.101.10 servers
dhcpd dns 79.xxx.xxx.84 interface servers
dhcpd domain hayes.com interface servers
dhcpd enable servers
!
dhcpd address 172.16.102.1-172.16.102.175 office
dhcpd dns 79.xxx.xxx.84 interface office
dhcpd domain hayes.com interface office
dhcpd enable office
!
dhcpd address 172.16.103.1-172.16.103.200 warehouse-cameras
dhcpd domain cameras.hayes.com interface warehouse-cameras
dhcpd enable warehouse-cameras
!
dhcpd address 172.16.104.1-172.16.104.175 warehouse
dhcpd dns 79.xxx.xxx.84 interface warehouse
dhcpd domain hayes.com interface warehouse
dhcpd enable warehouse
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.16.104.254 source warehouse
webvpn
group-policy HAYES-RAVPN-POLICY internal
group-policy HAYES-RAVPN-POLICY attributes
 dns-server value 172.16.104.254 79.xxx.xxx.84
 vpn-idle-timeout 1440
 vpn-tunnel-protocol IPSec l2tp-ipsec
username admin password /f.QRufHe2ulQB/e encrypted privilege 15
tunnel-group HAYES type remote-access
tunnel-group HAYES general-attributes
 address-pool HAYES-POOL
 default-group-policy HAYES-RAVPN-POLICY
tunnel-group HAYES ipsec-attributes
 pre-shared-key *
tunnel-group 212.xxx.xxx.3 type ipsec-l2l
tunnel-group 212.xxx.xxx.3 ipsec-attributes
 pre-shared-key *
tunnel-group 217.xxx.xxx.155 type ipsec-l2l
tunnel-group 217.xxx.xxx.155 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http someAddress://butIcantPostLinks
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end

You're getting that deny because you haven't allowed the returning ICMP ping packet on the firewall's outside interface. ICMP is stateless, and because of that you'll need to allow the traffic inbound as well as outbound. Something like this will fix it:

access-list <OUTSIDE_ACCESSLIST-NAME> extended permit icmp any any echo
access-list <OUTSIDE_ACCESSLIST-NAME> extended permit icmp any any echo-reply
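The two ways of getting that echo-reply admitted, written out against the ASA 8.2(5) configuration posted above. This is an added example for this page, not something posted in the thread; the ACL name OUTSIDE_IN is an assumption, since the posted config binds no access-group to the outside interface. Note what it does and does not fix: nothing in the posted global_policy inspects ICMP, so the "Deny inbound icmp" line (syslog 106014) would be logged for the DHCP-addressed hosts as well, and, as the asker's own follow-up shows, the static host's loss of connectivity came from dhclient, not from this deny.

```cisco
! Added example, not part of the original thread: admitting the echo-reply
! that syslog 106014 ("Deny inbound icmp src outside:...") is dropping.
! Target: the ASA 8.2(5) configuration posted above.
!
! Option A - interface ACL on outside, as the answer suggests, trimmed to what
! an inside-initiated ping actually needs. OUTSIDE_IN is an assumed name;
! nothing is bound to outside in the posted config. A bound ACL ends in an
! implicit deny, so this opens nothing else inbound. Adding "echo" here as
! well would let any Internet host ping through to translated addresses,
! which an outbound ping does not require.
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-group OUTSIDE_IN in interface outside
!
! Option B - preferred: make the ASA track ICMP echo/echo-reply as a
! connection, so only replies to echoes it saw leave are admitted and the
! outside ACL can stay closed. This extends the posted global_policy in place;
! "inspect icmp error" additionally lets ICMP errors (unreachable,
! time-exceeded) that belong to an existing connection come back through NAT.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Checks after either change, while pinging 8.8.8.8 from the 172.16.101.1 host:
! show conn protocol icmp          (option B: the echo appears as a connection)
! show logging | include 106014    (the deny should stop appearing)
```

With option A the reply is admitted by the ACL alone, with no connection tracking, so any Internet host can send unsolicited echo-replies to translated inside addresses at will; with option B the reply is matched to the echo that created the connection and everything else is still dropped. The "echo" permit in the answer above is not needed for pings that originate inside.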

Without a copy of your config I can't tell you much, but I'd say your Internet access problem is NAT-related. Post the config.

This turned out not to be a problem with the ASA but with the server we were testing with. After the static IP address was set, dhclient kept running. When it tried to renew the lease it would fail, and the server would lose its network connection.

Thanks for the help.