ASA 5505: outside access works for clients with dynamically assigned IPs, but not for clients with static IPs

We have an ASA configured to give internet access to clients with DHCP-assigned IP addresses, but it does not work for clients with manually assigned IPs.

For example, with the DHCP server configured for IP addresses between 172.16.101.1 and 172.16.101.10, a device may get the IP address 172.16.101.1. That machine will be able to connect to the internet.

If we configure the DHCPD server range as 172.16.101.2 to 172.16.101.10 and statically assign the 172.16.101.1 IP to the client, it cannot access the internet. It does have internal access and VPN access.

If I try to ping 8.8.8.8, the following is logged:

    ASA 3 Feb 08 2013 15:51:01 8.8.8.8 xxx.xxx.xxx.100 Deny inbound icmp src outside:8.8.8.8 dst servers:xxx.xxx.xxx.100(type 0,code 0)

"servers" is the name of the internal interface, and "xxx.xxx.xxx.100" is the outside IP. It seems that DNAT does not work when the client IP is statically assigned.

Has anyone seen this behaviour? It has me stumped!

Running configuration:

    ASA Version 8.2(5)
    !
    hostname hayes-fw
    enable password XXXXXXXXX encrypted
    passwd XXXXXXXXX encrypted
    names
    name 212.xxx.xxx.2 DUNSTABLE
    !
    interface Ethernet0/0
     description Internet
     switchport access vlan 105
     switchport trunk allowed vlan 100,109
     switchport trunk native vlan 999
     switchport mode trunk
     speed 100
     duplex full
    !
    interface Ethernet0/1
     description Failover back-to-back
     switchport access vlan 254
    !
    interface Ethernet0/2
     description Internal
     switchport trunk allowed vlan 100-106
     switchport trunk native vlan 999
     switchport mode trunk
     speed 100
     duplex full
    !
    interface Ethernet0/3
     description unused
     switchport trunk allowed vlan 100-104
    !
    interface Ethernet0/4
     description temp-inside
     switchport trunk allowed vlan 60
     switchport trunk native vlan 60
     switchport mode trunk
    !
    interface Ethernet0/5
     description unused
     switchport access vlan 253
     shutdown
    !
    interface Ethernet0/6
     description unused
     switchport access vlan 253
     shutdown
    !
    interface Ethernet0/7
     description unused
     switchport access vlan 100
    !
    interface Vlan60
     nameif temp-inside
     security-level 100
     ip address 172.xx.60.253 255.255.255.0
    !
    interface Vlan100
     description Mgmt
     nameif mgmt
     security-level 100
     ip address 172.xx.100.253 255.255.255.0 standby 172.16.100.252
    !
    interface Vlan101
     nameif servers
     security-level 90
     ip address 172.16.101.253 255.255.255.0 standby 172.16.101.252
    !
    interface Vlan102
     description Warehouse
     nameif office
     security-level 80
     ip address 172.16.102.253 255.255.255.0 standby 172.16.102.252
    !
    interface Vlan103
     nameif warehouse-cameras
     security-level 60
     ip address 172.16.103.253 255.255.255.0 standby 172.16.103.252
    !
    interface Vlan104
     description Office
     nameif warehouse
     security-level 70
     ip address 172.16.104.253 255.255.255.0 standby 172.16.104.252
    !
    interface Vlan105
     nameif voip
     security-level 50
     ip address 172.16.105.253 255.255.255.0
    !
    interface Vlan106
     nameif guest
     security-level 40
     ip address 172.16.106.253 255.255.255.0
    !
    interface Vlan109
     nameif outside
     security-level 0
     ip address 80.xxx.xx.100 255.255.255.248 standby 80.xxx.xx.101
    !
    interface Vlan254
     description LAN Failover Interface
    !
    ftp mode passive
    object-group network FELTHAM-NETWORKS
     network-object 172.16.2.0 255.255.255.0
     network-object 172.16.3.0 255.255.255.0
     network-object 172.16.4.0 255.255.255.0
     network-object host 217.xxx.xxx.155
    object-group network HAYES-NETWORKS
     network-object 172.16.100.0 255.255.255.0
     network-object 172.16.102.0 255.255.255.0
     network-object 172.16.103.0 255.255.255.0
     network-object 172.16.104.0 255.255.255.0
     network-object host 192.168.1.253
     network-object 80.xxx.xx.96 255.255.255.248
     network-object 172.16.60.0 255.255.255.0
     network-object 172.16.101.0 255.255.255.0
    object-group network DUNSTABLE-NETWORKS
     network-object 172.16.33.0 255.255.255.0
     network-object host 212.xxx.xxx.3
    access-list DUNSTABLE-VPN extended permit ip object-group HAYES-NETWORKS object-group DUNSTABLE-NETWORKS
    access-list FELTHAM-VPN extended permit ip object-group HAYES-NETWORKS object-group FELTHAM-NETWORKS
    access-list Nat0 extended permit ip object-group HAYES-NETWORKS object-group DUNSTABLE-NETWORKS
    access-list Nat0 extended permit ip object-group HAYES-NETWORKS object-group FELTHAM-NETWORKS
    access-list Nat0 extended permit ip object-group HAYES-NETWORKS object-group HAYES-NETWORKS
    access-list Inbound extended permit icmp any interface voip
    access-list outside_nat0_outbound extended permit ip object-group HAYES-NETWORKS object-group DUNSTABLE-NETWORKS
    access-list outside_nat0_outbound extended permit ip object-group HAYES-NETWORKS object-group FELTHAM-NETWORKS
    access-list outside_nat0_outbound extended permit ip object-group HAYES-NETWORKS object-group HAYES-NETWORKS
    access-list outside_cryptomap extended permit ip object-group HAYES-NETWORKS object-group DUNSTABLE-NETWORKS
    access-list outside_cryptomap_1 extended permit ip object-group HAYES-NETWORKS object-group FELTHAM-NETWORKS
    access-list office_nat0_outbound extended permit ip object-group HAYES-NETWORKS object-group DUNSTABLE-NETWORKS
    access-list office_nat0_outbound extended permit ip object-group HAYES-NETWORKS object-group FELTHAM-NETWORKS
    access-list office_nat0_outbound extended permit ip object-group HAYES-NETWORKS object-group HAYES-NETWORKS
    pager lines 24
    logging enable
    logging timestamp
    logging buffer-size 8192
    logging buffered debugging
    logging asdm informational
    mtu temp-inside 1500
    mtu mgmt 1500
    mtu servers 1500
    mtu office 1500
    mtu warehouse-cameras 1500
    mtu warehouse 1500
    mtu voip 1500
    mtu guest 1500
    mtu outside 1500
    ip local pool HAYES-POOL 172.16.104.25-172.16.104.50
    failover
    failover lan unit secondary
    failover lan interface failover Vlan254
    failover interface ip failover 192.168.254.9 255.255.255.252 standby 192.168.254.10
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (temp-inside) 0 access-list Nat0
    nat (temp-inside) 1 172.16.60.0 255.255.255.0
    nat (servers) 0 access-list Nat0
    nat (servers) 1 172.16.101.0 255.255.255.0
    nat (office) 0 access-list office_nat0_outbound
    nat (office) 1 172.16.102.0 255.255.255.0
    nat (warehouse) 0 access-list Nat0
    nat (warehouse) 1 172.16.104.0 255.255.255.0
    nat (outside) 0 access-list Nat0
    nat (outside) 1 172.16.101.0 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 80.168.58.97 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    aaa authorization exec authentication-server
    http server enable
    http 172.16.33.0 255.255.255.0 warehouse
    http 172.16.100.0 255.255.255.0 mgmt
    http 172.16.30.0 255.255.255.0 warehouse
    http 172.16.33.0 255.255.255.0 temp-inside
    http 172.16.60.0 255.255.255.0 temp-inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sysopt noproxyarp servers
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map DM-HAYES 10 set transform-set ESP-AES-128-SHA
    crypto dynamic-map DM-HAYES 10 set security-association lifetime seconds 288000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map CM-VPN 10 match address DUNSTABLE-VPN
    crypto map CM-VPN 10 set pfs
    crypto map CM-VPN 10 set peer 212.xxx.xxx.3
    crypto map CM-VPN 10 set transform-set ESP-AES-128-SHA
    crypto map CM-VPN 20 match address FELTHAM-VPN
    crypto map CM-VPN 20 set pfs
    crypto map CM-VPN 20 set peer 217.xxx.xxx.155
    crypto map CM-VPN 20 set transform-set ESP-AES-128-SHA
    crypto map CM-VPN 99 ipsec-isakmp dynamic DM-HAYES
    crypto map outside_map2 10 match address outside_cryptomap_1
    crypto map outside_map2 10 set pfs
    crypto map outside_map2 10 set peer 217.xxx.xxx.155
    crypto map outside_map2 10 set transform-set ESP-AES-128-SHA
    crypto map outside_map2 20 match address outside_cryptomap
    crypto map outside_map2 20 set pfs
    crypto map outside_map2 20 set peer 212.xxx.xxx.3
    crypto map outside_map2 20 set transform-set ESP-AES-128-SHA
    crypto map outside_map2 interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh scopy enable
    ssh 172.16.60.0 255.255.255.0 temp-inside
    ssh 172.16.100.0 255.255.255.0 mgmt
    ssh 172.16.33.0 255.255.255.0 mgmt
    ssh 172.16.33.0 255.255.255.0 warehouse
    ssh timeout 60
    ssh version 2
    console timeout 0
    management-access warehouse
    dhcp-client update dns server both
    dhcpd address 172.16.60.1-172.16.60.175 temp-inside
    dhcpd dns 79.xxx.xxx.84 interface temp-inside
    dhcpd domain hayes.com interface temp-inside
    dhcpd enable temp-inside
    !
    dhcpd address 172.16.101.2-172.16.101.10 servers
    dhcpd dns 79.xxx.xxx.84 interface servers
    dhcpd domain hayes.com interface servers
    dhcpd enable servers
    !
    dhcpd address 172.16.102.1-172.16.102.175 office
    dhcpd dns 79.xxx.xxx.84 interface office
    dhcpd domain hayes.com interface office
    dhcpd enable office
    !
    dhcpd address 172.16.103.1-172.16.103.200 warehouse-cameras
    dhcpd domain cameras.hayes.com interface warehouse-cameras
    dhcpd enable warehouse-cameras
    !
    dhcpd address 172.16.104.1-172.16.104.175 warehouse
    dhcpd dns 79.xxx.xxx.84 interface warehouse
    dhcpd domain hayes.com interface warehouse
    dhcpd enable warehouse
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 172.16.104.254 source warehouse
    webvpn
    group-policy HAYES-RAVPN-POLICY internal
    group-policy HAYES-RAVPN-POLICY attributes
     dns-server value 172.16.104.254 79.xxx.xxx.84
     vpn-idle-timeout 1440
     vpn-tunnel-protocol IPSec l2tp-ipsec
    username admin password /f.QRufHe2ulQB/e encrypted privilege 15
    tunnel-group HAYES type remote-access
    tunnel-group HAYES general-attributes
     address-pool HAYES-POOL
     default-group-policy HAYES-RAVPN-POLICY
    tunnel-group HAYES ipsec-attributes
     pre-shared-key *
    tunnel-group 212.xxx.xxx.3 type ipsec-l2l
    tunnel-group 212.xxx.xxx.3 ipsec-attributes
     pre-shared-key *
    tunnel-group 217.xxx.xxx.155 type ipsec-l2l
    tunnel-group 217.xxx.xxx.155 ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http someAddress://butIcantPostLinks
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    : end

You get the deny because you have not allowed the returning ICMP ping packets on the outside interface of the firewall. ICMP is stateless, and because of that you will need to allow the traffic both in and out. Something like this will fix it:

    access-list <OUTSIDE_ACCESSLIST-NAME> extended permit icmp any any echo
    access-list <OUTSIDE_ACCESSLIST-NAME> extended permit icmp any any echo-reply

Without a copy of your configuration I can't tell you for sure, but I would say your internet access problem is NAT related. Post the configuration.

This was not an ASA problem but the server we were testing with. After setting the IP to static, dhclient continued to run. When it tried to renew the lease it failed, and the server lost its network connectivity.

Thanks for your help.
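The root cause the asker found (dhclient still running on an interface that had been switched to a static address, and dropping the address when the lease renewal failed) is something a host-side check can catch before it bites. The following is an added example, not code from the thread: a POSIX shell check that compares a Debian-style interfaces(5) file against a process listing, using constructed sample data for both so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original thread). Lists interfaces that are
# configured "inet static" in an interfaces(5) file but still have a dhclient
# process attached, which is what cost the asker their connectivity at lease
# renewal. Both inputs are files so the check runs on constructed sample data;
# on a live host feed it /etc/network/interfaces and the output of "ps -eo args".

# $1: interfaces file. Prints the name of every "iface X inet static" stanza.
static_ifaces() {
    awk '$1 == "iface" && $3 == "inet" && $4 == "static" { print $2 }' "$1"
}

# $1: process-listing file, $2: interface name. Succeeds when some dhclient
# command line names that interface as a whole word.
dhclient_running_on() {
    grep -E '(^|[[:space:]/])dhclient([[:space:]]|$)' "$1" | grep -qw -- "$2"
}

# $1: interfaces file, $2: process-listing file. Prints the offending interfaces.
stale_dhclients() {
    for i in $(static_ifaces "$1"); do
        if dhclient_running_on "$2" "$i"; then
            echo "$i"
        fi
    done
}

# Constructed sample data: eth0 was switched to static, eth1 is still DHCP.
IFACES=$(mktemp) && PSOUT=$(mktemp)
cat >"$IFACES" <<'EOF'
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 172.16.101.1
    netmask 255.255.255.0
    gateway 172.16.101.253

auto eth1
iface eth1 inet dhcp
EOF
cat >"$PSOUT" <<'EOF'
COMMAND
/sbin/init
/sbin/dhclient -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases eth0
/sbin/dhclient -v -pf /run/dhclient.eth1.pid -lf /var/lib/dhcp/dhclient.eth1.leases eth1
sshd: /usr/sbin/sshd
EOF

stale_dhclients "$IFACES" "$PSOUT"   # reports eth0 only; eth1 is legitimately DHCP
```

Anything the check reports is a host whose address will silently vanish at the next failed renewal, so the fix is to stop the client and remove its lease files, not to change the firewall.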