Cisco

Cisco ASA 5505 voice/data VLAN not pinging/routing

  • May 25, 2012

Hi, I'm new to the Cisco ASA 5000 series. I want to route between two interfaces, the data network 192.168.69.0/24 and the voice network 192.168.70.0/24. I have added both and can ping the respective gateway when I'm on the same subnet, but if I connect to a data switch port I cannot ping the voice VLAN, and vice versa.

I think this is NAT related, so I added NAT exempt rules, but still no dice. I lack the understanding here, so I would welcome suggestions for books or tutorial sites/videos that would help me understand ASA policy.

Regards,

Chris

Please find my config below:

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(5) 
!
hostname ciscoasa
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 70
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.69.1 255.255.255.0 
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute 
!
interface Vlan70
no forward interface Vlan2
nameif voice
security-level 100
ip address 192.168.70.1 255.255.255.0 
!
ftp mode passive
same-security-traffic permit inter-interface
access-list voice_nat0_outbound extended permit ip any 192.168.69.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any 192.168.70.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu voice 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (voice) 0 access-list voice_nat0_outbound
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.69.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.69.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.69.5-192.168.69.254 inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
 message-length maximum client auto
 message-length maximum 512
policy-map global_policy
class inspection_default
 inspect dns preset_dns_map 
 inspect ftp 
 inspect h323 h225 
 inspect h323 ras 
 inspect rsh 
 inspect rtsp 
 inspect esmtp 
 inspect sqlnet 
 inspect skinny  
 inspect sunrpc 
 inspect xdmcp 
 inspect sip  
 inspect netbios 
 inspect tftp 
 inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous

: end

You need the global command. With the nat (iface) command you specify which traffic to PAT (NAT, but all IPs are translated to a single IP); that IP is configured with the global (iface) command carrying the matching nat ID. Example:

nat(inside) 1 0.0.0.0 0.0.0.0
global(voice) 1 interface

Any source IP coming from the inside interface will be PATed to the voice interface IP for traffic from inside to voice. You can also specify an IP address with the global command.

Your voice VLAN interface should have a different security level, since security level 0 is used for the outside interface and 100 for inside. Once nat and global are configured, you can reach a lower security level from a higher security-level interface. If you want to go from low to high, you need a static.

And you will need access lists to permit/deny traffic, e.g. icmp:

access-list acl-inside permit icmp any any
access-list acl-voice permit icmp any any
access-group acl-inside in int inside
access-group acl-voice in int voice

CLI docs: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/conf_gd.html

ASDM docs: http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/config.htm
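As an added example (not from the question or the answer above), a small Python checker that reads the kinds of lines in Chris's ASA 8.2 config and reports, for each pair of interfaces, what the security levels, the same-security-traffic setting and the `no forward interface` line imply for traffic initiated between them, plus any dynamic nat ID that has no global with the same ID anywhere. The config excerpt is constructed from the one posted; the verdicts are my reading of the ASA 8.2 rules (security levels and the static requirement for low-to-high, as the answer describes) and deliberately ignore access-lists and nat-control.

```python
import re
# Constructed excerpt of the ASA 8.2(5) running-config from the question (only the lines checked here).
SAMPLE_CONFIG = """interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
interface Vlan70
 no forward interface Vlan2
 nameif voice
 security-level 100
same-security-traffic permit inter-interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (voice) 0 access-list voice_nat0_outbound
"""

def parse_interfaces(text):
    # nameif -> {'vlan', 'level', 'noforward'}; 'noforward' holds VlanN names this interface may not initiate to
    ifaces, cur = {}, {"noforward": set()}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("interface "):
            cur = {"vlan": line.split()[1], "level": None, "noforward": set()}
        elif line.startswith("nameif "):
            ifaces[line.split()[1]] = cur
        elif line.startswith("security-level "):
            cur["level"] = int(line.split()[1])
        elif line.startswith("no forward interface "):  # ASA 5505 Base licence third-VLAN restriction
            cur["noforward"].add(line.split()[-1])
    return ifaces

def path_verdicts(text):
    # What the ASA does with a connection initiated src -> dst, before any access-list is considered
    ifaces = parse_interfaces(text)
    vlan_of = {v["vlan"]: name for name, v in ifaces.items()}
    same_ok = "same-security-traffic permit inter-interface" in text
    def verdict(s, d, dst):
        if dst in {vlan_of.get(v) for v in s["noforward"]}: return "blocked: no forward interface"
        if s["level"] > d["level"]: return "allowed: high to low"
        if s["level"] == d["level"]: return "allowed: same-security permit" if same_ok else "blocked: same-security"
        return "needs static + access-list: low to high"
    return {(a, b): verdict(ifaces[a], ifaces[b], b) for a in ifaces for b in ifaces if a != b}

def unmatched_nat_ids(text):
    # Dynamic nat ids (non-zero) with no global of the same id on any interface; id 0 is NAT exemption and needs none
    ids = {"nat": {}, "global": {}}
    for kw, iface, nid in re.findall(r"^(nat|global) \((\S+)\) (\d+)", text, re.M):
        ids[kw].setdefault(int(nid), []).append(iface)
    return {i: v for i, v in ids["nat"].items() if i and i not in ids["global"]}
```

Run it on the posted config and the voice-to-outside pair comes back blocked by `no forward interface Vlan2`, while inside and voice are mutually allowed as same-security interfaces; remove the same-security-traffic line and that pair flips to blocked.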

Quoted from: https://serverfault.com/questions/392730