Cisco ASA 5505 voice/data VLANs not pinging / routing

Hi, I am very new to the Cisco ASA 5000 series and have two interfaces that I want to route between: the data network 192.168.69.0/24 and the voice network 192.168.70.0/24. I have joined them and can ping the respective gateway when I am on the same subnet, but if I connect to a data switch port I cannot ping the voice VLAN, and vice versa.

I thought this was NAT related, so I added the NAT exemption rules, but still no dice. I lack understanding here, so I would appreciate suggestions for books or tutorial websites/videos that would help me understand ASA policy.

Regards,

Chris

Please find my configuration below:

    Result of the command: "show running-config"

    : Saved
    :
    ASA Version 8.2(5)
    !
    hostname ciscoasa
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
     switchport access vlan 70
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.69.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address dhcp setroute
    !
    interface Vlan70
     no forward interface Vlan2
     nameif voice
     security-level 100
     ip address 192.168.70.1 255.255.255.0
    !
    ftp mode passive
    same-security-traffic permit inter-interface
    access-list voice_nat0_outbound extended permit ip any 192.168.69.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 192.168.70.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu voice 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (voice) 0 access-list voice_nat0_outbound
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.69.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh 192.168.69.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address 192.168.69.5-192.168.69.254 inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous

    : end

You need the global command. Use the nat (iface) command to specify which traffic is PAT'd (NAT, but all IPs are translated to a single IP), then use the global (iface) command to configure that IP for the matching nat ID. Example:

    nat (inside) 1 0.0.0.0 0.0.0.0
    global (voice) 1 interface

Any source IP from the inside interface will be translated to the voice interface IP for communication from inside to voice. You can also specify an IP address with the global command.

Your voice VLAN interface should have a different security level, since security level 0 is used for the outside interface and 100 for the inside. With NAT and global configured, you can access from a higher security level interface to a lower one. If you want access from low to high you need a static.

You need access lists to permit/deny traffic, e.g. ICMP:

    access-list acl-inside permit icmp any any
    access-list acl-voice permit icmp any any
    access-group acl-inside in int inside
    access-group acl-voice in int voice

CLI documentation: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/conf_gd.html

ASDM documentation: http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/config.htm
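As an added example (not from the answer above and not taken from Cisco's documentation), here is an ASA 8.2 fragment for the two subnets in the question that keeps their addresses untranslated between the inside and voice interfaces with identity statics, limits inter-VLAN traffic to ICMP while still letting the data VLAN reach the Internet, and ends with a packet-tracer check. The test host addresses 192.168.69.10 and 192.168.70.10 are assumptions.

```text
! Identity static translations (ASA 8.2 syntax): each subnet keeps its
! real addresses when crossing between inside and voice, in both directions
static (inside,voice) 192.168.69.0 192.168.69.0 netmask 255.255.255.0
static (voice,inside) 192.168.70.0 192.168.70.0 netmask 255.255.255.0
!
! Interface ACLs. Once an access-group is applied, the implicit
! "permit higher-to-lower security" behaviour no longer applies, so the
! inside ACL has to allow Internet-bound traffic explicitly. Between the
! two VLANs only ICMP is permitted; everything else is denied before the
! general permit.
access-list acl-inside extended permit icmp 192.168.69.0 255.255.255.0 192.168.70.0 255.255.255.0
access-list acl-inside extended deny ip 192.168.69.0 255.255.255.0 192.168.70.0 255.255.255.0
access-list acl-inside extended permit ip 192.168.69.0 255.255.255.0 any
access-list acl-voice extended permit icmp 192.168.70.0 255.255.255.0 192.168.69.0 255.255.255.0
access-group acl-inside in interface inside
access-group acl-voice in interface voice
!
! ICMP inspection ties each echo reply to the request that caused it,
! so return traffic needs no ACL entry of its own
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Trace one assumed test packet (echo request, type 8 code 0) from a data
! host to a voice host and read which NAT and ACL phases it hits
packet-tracer input inside icmp 192.168.69.10 8 0 192.168.70.10
```

Run the packet-tracer line from privileged EXEC after the rest is applied; each phase it prints names the rule that allowed or dropped the packet.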