Is there any way to debug how an ASA firewall applies its rules? I created two simple access rules: allow any ICMP and allow any UDP.
The first one works, I can ping. UDP does not work. Running a trace (simulated packet) in ASDM shows the packet being dropped by the implicit deny rule, but I don't understand why it doesn't match the "any UDP" rule. Can I enable logging of the rule evaluation?
Here is the configuration I think is relevant (sorry, not a Cisco expert, using ASDM):
    access-list Split-tunnel-ACL standard permit 10.65.0.0 255.255.0.0
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in remark test
    access-list outside_access_in extended permit udp host xxxx host yyyy
I also tried "any" instead of xxxx and yyyy, with no difference. The packet tracer says the packet is dropped by the implicit deny rule in the access-list check phase. The ICMP rule is working.
More data:
Result of the command: "packet-tracer input outside udp xxxx 5060 yyyy 5060 detailed"

    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside

    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0xad31d370, priority=111, domain=permit, deny=true
            hits=28380, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
            input_ifc=outside, output_ifc=outside

    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
Result of the command: "show access-list"

    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
                alert-interval 300
    access-list Split-tunnel-ACL; 1 elements; name hash: 0xaa04f5f3
    access-list Split-tunnel-ACL line 1 standard permit xxx.xx5.0.0 255.255.0.0 (hitcnt=6240) 0x9439a34b
    access-list outside_access_in; 2 elements; name hash: 0x6892a938
    access-list outside_access_in line 1 extended permit icmp any any (hitcnt=0) 0x71af81e1
    access-list outside_access_in line 2 remark test
    access-list outside_access_in line 3 extended permit udp host xxxx host yyyy (hitcnt=0) 0x9fbf7dc7
    access-list inside_nat0_outbound; 4 elements; name hash: 0x467c8ce4
    access-list inside_nat0_outbound line 1 extended permit ip object City-network object Remote-mgmt-pool 0x1c53e4c4
    access-list inside_nat0_outbound line 1 extended permit ip xxx.xx5.0.0 255.255.0.0 192.168.2.0 255.255.255.248 (hitcnt=0) 0x1c53e4c4
    access-list inside_nat0_outbound line 2 extended permit ip object City-network object City2-network 0x278c6c43
    access-list inside_nat0_outbound line 2 extended permit ip xxx.xx5.0.0 255.255.0.0 xxx.xx2.0.0 255.255.0.0 (hitcnt=0) 0x278c6c43
    access-list inside_nat0_outbound line 3 extended permit ip object City-network object City1-network 0x2b77c336
    access-list inside_nat0_outbound line 3 extended permit ip xxx.xx5.0.0 255.255.0.0 xxx.xx1.0.0 255.255.0.0 (hitcnt=0) 0x2b77c336
    access-list inside_nat0_outbound line 4 extended permit ip object City-network object City3-network 0x9fdd4c28
    access-list inside_nat0_outbound line 4 extended permit ip xxx.xx5.0.0 255.255.0.0 xxx.xx5.0.0 255.255.0.0 (hitcnt=0) 0x9fdd4c28
    access-list outside_cryptomap; 1 elements; name hash: 0x39bea18f
    access-list outside_cryptomap line 1 extended permit ip xxx.xx5.0.0 255.255.0.0 object City1-network 0x12693b9a
    access-list outside_cryptomap line 1 extended permit ip xxx.xx5.0.0 255.255.0.0 xxx.xx1.0.0 255.255.0.0 (hitcnt=265) 0x12693b9a
    access-list inside_nat_outbound; 1 elements; name hash: 0xb64b365a
    access-list inside_nat_outbound line 1 extended permit tcp object City-network any eq smtp 0x4c753adf
    access-list inside_nat_outbound line 1 extended permit tcp xxx.xx5.0.0 255.255.0.0 any eq smtp (hitcnt=0) 0x4c753adf
    access-list outside_cryptomap_1; 1 elements; name hash: 0x759febfa
    access-list outside_cryptomap_1 line 1 extended permit ip object City-network object City-network 0x4b257004
    access-list outside_cryptomap_1 line 1 extended permit ip xxx.xx5.0.0 255.255.0.0 xxx.xx5.0.0 255.255.0.0 (hitcnt=0) 0x4b257004
    access-list outside_cryptomap_2; 1 elements; name hash: 0x4e1c27f3
    access-list outside_cryptomap_2 line 1 extended permit ip xxx.xx5.0.0 255.255.0.0 object City4-network 0xa82be620
    access-list outside_cryptomap_2 line 1 extended permit ip xxx.xx5.0.0 255.255.0.0 xxx.xx3.0.0 255.255.0.0 (hitcnt=25) 0xa82be620
Your tracer returns input_ifc=outside, output_ifc=outside because it has no routing information for the destination address, and your outside_access_in ACL has a hit count of 0 on both entries; ICMP is not working, at least not through this ACL.
We absolutely need to see the NAT rules (and the related ACLs, if it is policy NAT).
Is it using a private address or the firewall's interface address? It hasn't gotten that far yet, but we also need to confirm that there is correct routing information to get traffic to the destination address; if the server is on the same subnet as the firewall's inside interface, that will be automatic.
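The two checks the answer above makes by hand (which ACEs show hitcnt=0, and whether the trace's ingress and egress interfaces coincide because only the default route matched) can be read mechanically out of the two command outputs. The script below is an added example written for this page, not the original poster's or Cisco's code; the sample outputs embedded in it are constructed to mirror the ones quoted in the thread, with the same redacted placeholders, and the function names are mine.

```python
"""Added example, not the original poster's or Cisco's code: parse ASA
'show access-list' and 'packet-tracer' output and flag zero-hit ACEs, a
default-route-only lookup and an implicit-deny drop. Samples are constructed."""
import re

SHOW_ACCESS_LIST = """\
access-list Split-tunnel-ACL; 1 elements; name hash: 0xaa04f5f3
access-list Split-tunnel-ACL line 1 standard permit xxx.xx5.0.0 255.255.0.0 (hitcnt=6240) 0x9439a34b
access-list outside_access_in; 2 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit icmp any any (hitcnt=0) 0x71af81e1
access-list outside_access_in line 2 remark test
access-list outside_access_in line 3 extended permit udp host xxxx host yyyy (hitcnt=0) 0x9fbf7dc7
access-list outside_cryptomap; 1 elements; name hash: 0x39bea18f
access-list outside_cryptomap line 1 extended permit ip xxx.xx5.0.0 255.255.0.0 object City1-network 0x12693b9a
access-list outside_cryptomap line 1 extended permit ip xxx.xx5.0.0 255.255.0.0 xxx.xx1.0.0 255.255.0.0 (hitcnt=265) 0x12693b9a
"""

PACKET_TRACER = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
        input_ifc=outside, output_ifc=outside

Result:
input-interface: outside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Only the expanded ACE lines carry a hit counter; remarks and the
# unexpanded object-group lines that precede an expansion do not.
ACE_RE = re.compile(r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?:extended|standard) "
                    r"(?P<action>permit|deny) (?P<body>.+?) \(hitcnt=(?P<hits>\d+)\)")


def parse_aces(show_acl):
    """One dict per counted ACE in 'show access-list' output."""
    aces = []
    for raw in show_acl.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            aces.append({**m.groupdict(), "line": int(m["line"]), "hits": int(m["hits"])})
    return aces


def zero_hit_aces(show_acl, acl=None):
    """ACEs that have never matched, optionally for one ACL name."""
    return [a for a in parse_aces(show_acl)
            if a["hits"] == 0 and (acl is None or a["acl"] == acl)]


def parse_packet_tracer(text):
    """Numbered phases of a packet-tracer run, plus the summary after the bare 'Result:'."""
    phases, summary, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":", 1)[1]), "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":  # bare: the final verdict block starts here
            cur, section = None, "summary"
        elif not line or (cur is None and section != "summary"):
            continue  # blank line, or text before the first phase
        elif section == "summary":
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif section:
            cur[section].append(line)
        else:  # Type: / Subtype: / Result: of the current phase
            key, _, value = line.partition(":")
            cur[key.strip().lower()] = value.strip()
    return phases, summary


def diagnose(text):
    """The checks the answer applies by hand, returned as a list of findings."""
    phases, summary = parse_packet_tracer(text)
    findings = []
    for p in phases:
        if p.get("type") == "ROUTE-LOOKUP":
            for parts in (e.split() for e in p["info"]):
                if len(parts) == 4 and parts[1] == parts[2] == "0.0.0.0":
                    findings.append(f"only the default route matched, via {parts[3]}")
        elif p.get("type") == "ACCESS-LIST" and p.get("result") == "DROP" and "Implicit Rule" in p["config"]:
            findings.append(f"phase {p['phase']}: dropped by the implicit deny, no ACE matched")
    if summary.get("input-interface") and summary["input-interface"] == summary.get("output-interface"):
        findings.append(f"ingress and egress are both {summary['input-interface']}: no specific route for the destination")
    if summary.get("Action") == "drop":
        findings.append("final action: drop " + summary.get("Drop-reason", ""))
    return findings
```

Feed the real text of both commands in place of the constructed samples. On the thread's own output, zero_hit_aces(..., "outside_access_in") lists lines 1 and 3, and diagnose() reports the default-route-only lookup, the implicit-deny drop and the matching ingress/egress interface, which is the same reading the answer gives: the lookup never reaches an ACE, so the ACE syntax is not what to fix first.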