Cisco

Cisco ASA:如何路由 PPPoE 分配的子網?

  • February 1, 2011

我們剛剛收到一條光纖上行鏈路,我正在嘗試配置我們的 Cisco ASA 5505 以正確使用它。

提供商要求我們通過 PPPoE 連接,我設法將 ASA 配置為 PPPoE 客戶端並建立連接。PPPoE 為 ASA 分配了一個 IP 地址,我可以從 ASA ping 出到 Internet,但我應該可以訪問整個 /28 子網。我不知道如何在 ASA 上配置該子網,以便可以將可用的公共地址路由或 NAT 到各種內部主機。

我分配的範圍是:188.xx.xx.176/28 我通過 PPPoE 獲得的地址是 188.xx.xx.177/32,根據我們的提供商,這是我們的預設網關地址。他們聲稱子網已正確路由到我們這邊。

ASA 如何知道它負責光纖介面上的哪個範圍?

如何使用我範圍內的地址?


澄清我的配置;ASA 目前配置為預設路由到埠 Ethernet0/0(介面 vlan2,暱稱為外部)上的 ADSL 上行鏈路。光纖連接到埠 Ethernet0/2(介面 vlan50,暱稱為光纖),因此我可以在將其設置為預設路由之前對其進行配置和測試。一旦我清楚如何設置它,我將用 Fiber 完全替換外部介面。

我的配置(相當長):

: Saved
:
ASA Version 8.3(2)4 
!
hostname gw
domain-name example.com
enable password ****** encrypted
passwd ****** encrypted
names
name 10.10.1.0 Inside-dhcp-network description Desktops and clients that receive their IP via DHCP
name 10.10.0.208 svn.example.com description Subversion server
name 10.10.0.205 marvin.example.com description LAMP development server
name 10.10.0.206 dns.example.com description DNS, DHCP, NTP
!
interface Vlan2
description Old ADSL WAN connection
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.252 
!
interface Vlan10
description LAN vlan 10 Regular LAN traffic
nameif inside
security-level 100
ip address 10.10.0.254 255.255.0.0 
!
interface Vlan11
description LAN vlan 11 Lab/test traffic
nameif lab
security-level 90
ip address 10.11.0.254 255.255.0.0 
!
interface Vlan20
description LAN vlan 20 ISCSI traffic
nameif iscsi
security-level 100
ip address 10.20.0.254 255.255.0.0 
!
interface Vlan30
description LAN vlan 30 DMZ traffic
nameif dmz
security-level 50
ip address 10.30.0.254 255.255.0.0 
!
interface Vlan40
description LAN vlan 40 Guests access to the internet
nameif guests
security-level 50
ip address 10.40.0.254 255.255.0.0 
!
interface Vlan50
description New WAN Corporate Internet over fiber
nameif fiber
security-level 0
pppoe client vpdn group KPN
ip address pppoe 
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
switchport trunk allowed vlan 10,11,30,40
switchport trunk native vlan 10
switchport mode trunk
!
interface Ethernet0/2
switchport access vlan 50
speed 100
duplex full
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
switchport access vlan 20
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
boot system disk0:/asa832-4-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns server-group DefaultDNS
name-server dns.example.com
domain-name example.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network inside-net 
subnet 10.10.0.0 255.255.0.0
object network svn.example.com 
host 10.10.0.208
object network marvin.example.com 
host 10.10.0.205
object network lab-net 
subnet 10.11.0.0 255.255.0.0
object network dmz-net 
subnet 10.30.0.0 255.255.0.0
object network guests-net 
subnet 10.40.0.0 255.255.0.0
object network dhcp-subnet 
subnet 10.10.1.0 255.255.255.0
description DHCP assigned addresses on Vlan 10 
object network Inside-vpnpool 
description Pool of assignable addresses for VPN clients  
object network vpn-subnet 
subnet 10.10.3.0 255.255.255.0
description Address pool assignable to VPN clients 
object network dns.example.com 
host 10.10.0.206
description DNS, DHCP, NTP 
object-group service iscsi tcp
description iscsi storage traffic
port-object eq 3260
access-list outside_access_in remark Allow access from outside to HTTP on svn.
access-list outside_access_in extended permit tcp any object svn.example.com eq www 
access-list Insiders!_splitTunnelAcl standard permit 10.10.0.0 255.255.0.0 
access-list iscsi_access_in remark Prevent disruption of iscsi traffic from outside the iscsi vlan.
access-list iscsi_access_in extended deny tcp any interface iscsi object-group iscsi log warnings 
!
snmp-map DenyV1
deny version 1
!
pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 512
logging monitor warnings
logging buffered warnings
logging history critical
logging asdm errors
logging flash-bufferwrap
logging flash-minimum-free 4000
logging flash-maximum-allocation 2000
mtu outside 1500
mtu inside 1500
mtu lab 1500
mtu iscsi 9000
mtu dmz 1500
mtu guests 1500
mtu fiber 1492
ip local pool DHCP_VPN 10.10.3.1-10.10.3.20 mask 255.255.0.0
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 10 burst-size 5
asdm image disk0:/asdm-635.bin
asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static vpn-subnet vpn-subnet
!
object network inside-net
nat (inside,outside) dynamic interface
object network svn.example.com
nat (inside,outside) static interface service tcp www www 
object network lab-net
nat (lab,outside) dynamic interface
object network dmz-net
nat (dmz,outside) dynamic interface
object network guests-net
nat (guests,outside) dynamic interface
access-group outside_access_in in interface outside
access-group iscsi_access_in in interface iscsi
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server SBS2003 protocol radius
aaa-server SBS2003 (inside) host 10.10.0.204
timeout 5
key *****
aaa authentication enable console SBS2003 LOCAL
aaa authentication ssh console SBS2003 LOCAL
aaa authentication telnet console SBS2003 LOCAL
http server enable
http 10.10.0.0 255.255.0.0 inside
snmp-server host inside 10.10.0.207 community ***** version 2c
snmp-server location Server room
snmp-server contact beheer@example.com
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set TRANS_ESP_AES-256_SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_AES-256_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group5
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_AES-256_SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.10.0.0 255.255.0.0 inside
telnet timeout 5
ssh scopy enable
ssh 10.10.0.0 255.255.0.0 inside
ssh timeout 5
ssh version 2
console timeout 30
management-access inside
vpdn group KPN request dialout pppoe
vpdn group KPN localname INSIDERS
vpdn group KPN ppp authentication pap
vpdn username INSIDERS password ***** store-local
dhcpd address 10.40.1.0-10.40.1.100 guests
dhcpd dns 8.8.8.8 8.8.4.4 interface guests
dhcpd update dns interface guests
dhcpd enable guests
!

threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics host number-of-rate 2
threat-detection statistics port number-of-rate 3
threat-detection statistics protocol number-of-rate 3
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server dns.example.com source inside prefer
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec 
group-policy Insiders! internal
group-policy Insiders! attributes
wins-server value 10.10.0.205
dns-server value 10.10.0.206
vpn-tunnel-protocol IPSec l2tp-ipsec 
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Insiders!_splitTunnelAcl
default-domain value example.com
username martijn password ****** encrypted privilege 15
username marcel password ****** encrypted privilege 15
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group Insiders! type remote-access
tunnel-group Insiders! general-attributes
address-pool DHCP_VPN
authentication-server-group SBS2003 LOCAL
default-group-policy Insiders!
tunnel-group Insiders! ipsec-attributes
pre-shared-key *****
!
class-map global-class
match default-inspection-traffic
class-map type inspect http match-all asdm_medium_security_methods
match not request method head
match not request method post
match not request method get
!
!
policy-map type inspect dns preset_dns_map
parameters
 message-length maximum 512
policy-map type inspect http http_inspection_policy
parameters
 protocol-violation action drop-connection
policy-map global-policy
class global-class
 inspect dns 
 inspect esmtp 
 inspect ftp 
 inspect h323 h225 
 inspect h323 ras 
 inspect http 
 inspect icmp 
 inspect icmp error 
 inspect mgcp 
 inspect netbios 
 inspect pptp 
 inspect rtsp 
 inspect snmp DenyV1 
!
service-policy global-policy global
smtp-server 123.123.123.123
prompt hostname context 
call-home
profile CiscoTAC-1
 no active
 destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
 destination address email callhome@cisco.com
 destination transport-method http
 subscribe-to-alert-group diagnostic
 subscribe-to-alert-group environment
 subscribe-to-alert-group inventory periodic monthly
 subscribe-to-alert-group configuration periodic monthly
 subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:a76bbcf8b19019771c6d3eeecb95c1ca
: end
asdm image disk0:/asdm-635.bin
asdm location svn.example.com 255.255.255.255 inside
asdm location marvin.example.com 255.255.255.255 inside
asdm location dns.example.com 255.255.255.255 inside
asdm history enable

ASA 如何知道它負責光纖介面上的哪個範圍?

它沒有。您的 ISP 知道(希望)給定子網中的主機可以通過 ASA 訪問。如果 ASA 沒有連接對等體(或其他正確的路由),乒乓將開始:ISP 將數據包發送到 ASA,ASA 通過其預設路由將其發回。這就是為什麼我建議至少添加靜態路由,說明您分配的子網可以通過 Null 設備訪問。

如何使用我範圍內的地址?

其實方法很多。例如,您可以將您的私有 IP NAT 到子網中的某個 IP。您可以進一步對其進行子網劃分,並直接在這些 IP 上將一些主機連接到您的 ASA。

引用自:https://serverfault.com/questions/229654