Cisco ASA 5505 voice/data VLANs not pinging/routing
Hi, I am new to the Cisco ASA 5000 series. I want to route between two interfaces, a data network 192.168.69.0/24 and a voice network 192.168.70.0/24. I have added both and can ping each gateway when I am on the same subnet, but if I connect to a data switch port I cannot ping the voice VLAN, and vice versa.
I thought this was NAT related, so I added NAT exemption rules, but still no dice. I lack the understanding here, so I would appreciate suggestions for books or tutorial sites/videos that would help me understand ASA policy.
Regards,
Chris
Please find my config below:
Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 70
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.69.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan70
 no forward interface Vlan2
 nameif voice
 security-level 100
 ip address 192.168.70.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
access-list voice_nat0_outbound extended permit ip any 192.168.69.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.70.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu voice 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (voice) 0 access-list voice_nat0_outbound
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.69.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.69.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.69.5-192.168.69.254 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end
You need the global command. With the nat (iface) command you specify which traffic gets PATed (NAT, but all IPs are translated to one IP); that IP is configured with the global (iface) command for the matching nat ID. Example:

nat (inside) 1 0.0.0.0 0.0.0.0
global (voice) 1 interface

Any source IP from the inside interface will be PATed to the voice interface IP for traffic going from inside to voice. An IP address can also be specified with the global command.
Your voice VLAN interface should have a different security level, since security level 0 is used for the outside interface and 100 for inside. Once nat and global are configured, you can access a lower security level from a higher security level interface. If you want access from low to high you need a static.
And you will need access lists to permit/deny traffic, e.g. ICMP:

access-list acl-inside permit icmp any any
access-list acl-voice permit icmp any any
access-group acl-inside in interface inside
access-group acl-voice in interface voice

CLI documentation: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/conf_gd.html
ASDM documentation: http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/config.htm
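As an added example (not from the original post, the answer above, or Cisco), a small Python audit that applies the pairing rule the answer describes to a pre-8.3 running-config: every "nat (iface) id" is checked for a matching "global (egress) id" on each other interface, every "nat (iface) 0 access-list" exemption is checked against the defined ACLs, and the same-security-traffic line is checked. The embedded sample is constructed from the relevant lines of the config quoted above; the interface list passed to audit_nat is an assumption.

```python
import re

# Constructed sample: the lines of the quoted 8.2(5) config that decide inter-VLAN NAT
SAMPLE_CONFIG = """\
same-security-traffic permit inter-interface
access-list voice_nat0_outbound extended permit ip any 192.168.69.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.70.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (voice) 0 access-list voice_nat0_outbound
"""

def audit_nat(config, interfaces=("inside", "outside", "voice")):
    """Pair each pre-8.3 'nat (iface) id' with 'global (egress) id' on the other interfaces
    and confirm each 'nat (iface) 0 access-list' exemption names a defined ACL."""
    same_sec = False
    acls = set()
    exempt = {}         # iface -> ACL used by nat (iface) 0 access-list (NAT exemption)
    dynamic = {}        # (iface, nat id) -> source spec of a dynamic nat rule
    global_ifaces = {}  # nat id -> interfaces that carry a global (iface) id
    for raw in config.splitlines():
        line = raw.strip()
        if line == "same-security-traffic permit inter-interface":
            same_sec = True
        elif (m := re.match(r"access-list (\S+)\s", line)):
            acls.add(m.group(1))
        elif (m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line)):
            exempt[m.group(1)] = m.group(2)
        elif (m := re.match(r"nat \((\S+)\) (\d+) (\S+ \S+)", line)):
            dynamic[(m.group(1), int(m.group(2)))] = m.group(3)
        elif (m := re.match(r"global \((\S+)\) (\d+) ", line)):
            global_ifaces.setdefault(int(m.group(2)), set()).add(m.group(1))
    findings = []
    if not same_sec:
        findings.append("same-security-traffic permit inter-interface is not set")
    for iface, acl in exempt.items():
        if acl not in acls:
            findings.append(f"nat ({iface}) 0 references undefined access-list {acl}")
    for (iface, nat_id), src in dynamic.items():  # each nat id needs a global per egress
        for egress in interfaces:
            if egress != iface and egress not in global_ifaces.get(nat_id, set()):
                findings.append(f"nat ({iface}) {nat_id} {src} has no global ({egress}) {nat_id}")
    return {"same_security": same_sec, "exempt": exempt,
            "global_ifaces": global_ifaces, "findings": findings}
```

Run against the sample, the only finding is the missing global (voice) 1 that the answer adds; appending that line clears it.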