ASA-vlan-interface
We all know how to use router-on-a-stick on a router to route between multiple VLANs. How is the same thing done on an ASA, and how do you enable subinterfaces on it? With those questions in mind, let's look at a topology:
Requirements:
1. The ASA routes the traffic of two internal networks over a single physical link.
2. e0/1 must not accept untagged traffic.
3. Internal hosts reach the outside through NAT.
4. Internal users cannot ping their gateway, but the gateway can ping the internal users.
Device configuration:
R2:
interface fa0/0
ip address 192.168.1.2 255.255.255.0
no shutdown
exit
ip route 0.0.0.0 0.0.0.0 192.168.1.1
R3:
interface fa0/0
ip address 192.168.2.2 255.255.255.0
no shutdown
exit
ip route 0.0.0.0 0.0.0.0 192.168.2.1
R1:
interface fa0/0
ip address 192.168.3.2 255.255.255.0
no shutdown
exit
ip route 0.0.0.0 0.0.0.0 192.168.3.1
SW1:
interface fa1/0
no shutdown
switchport mode access
switchport access vlan 2
exit
interface fa1/1
switchport mode access
switchport access vlan 3
exit
! fa1/2 is the 802.1Q trunk towards ASA e0/1; it carries both VLANs tagged
interface fa1/2
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan all
exit
vlan database
vlan 2
vlan 3
exit
ASA:
interface e0/0
no shutdown
nameif outside
security-level 0
ip address 192.168.3.1 255.255.255.0
exit
! e0/1 is only the trunk parent: it gets no nameif and no IP address, so
! untagged frames arriving on it are not processed (requirement 2); only the
! tagged subinterfaces below are named.
interface e0/1
no shutdown
exit
interface e0/1.1
no shutdown
vlan 2
nameif inside1
security-level 100
ip address 192.168.1.1 255.255.255.0
exit
interface e0/1.2
vlan 3
nameif inside2
security-level 100
ip address 192.168.2.1 255.255.255.0
exit
! allow traffic between internal VLANs that share the same security level
same-security-traffic permit inter-interface
! ICMP is not tracked statefully by default, so the echo-replies to pings
! from the inside must be permitted inbound on outside
access-list outacl permit icmp any any
access-group outacl in interface outside
! deny each VLAN pinging its own gateway, while the gateway can still ping the
! hosts (the icmp command only governs ICMP addressed to the ASA itself)
icmp deny any echo inside1
icmp deny any echo inside2
icmp permit any echo-reply inside1
icmp permit any echo-reply inside2
! PAT the internal networks out through the outside interface address
nat (inside1) 1 192.168.1.0 255.255.255.0
nat (inside2) 1 192.168.2.0 255.255.255.0
global (outside) 1 interface
With only the configuration above you are not done yet: you will find that each VLAN can PAT out, but the VLANs cannot talk to each other. (Without NAT configured at all, they can ping each other.)
To fix the problem of same-security-level internal interfaces on the ASA being unreachable from one another, reason as follows: once NAT is enabled on the insideX interfaces, traffic from VLAN 2 to VLAN 3 is also checked against NAT, and since no NAT rule covers that path, the packets are dropped. The solution:
Use static NAT (identity translation between the two inside interfaces):
static (inside1,inside2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside2,inside1) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
With this, the internal VLANs can reach each other even with NAT in place.
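The four requirements above are properties you can check mechanically against the running configuration rather than by pinging. The following audit script is an added example, not part of the original post: it parses a constructed copy of the lab's ASA configuration (interface names written out as the CLI would echo them) and verifies that the trunk parent carries no nameif, that every subinterface is tagged and named, that same-security traffic is permitted and covered by identity statics in both directions, that every dynamic nat id has an outside global, and that each inside interface denies echo but permits echo-reply. The `first_groups` helper and the finding names are my own.

```python
"""Audit a pre-8.3 ASA configuration for the lab's four requirements (added example)."""
import re
from collections import defaultdict

# Constructed input: the ASA configuration from the lab, as the CLI would echo it.
ASA_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.3.1 255.255.255.0
 no shutdown
interface Ethernet0/1
 no shutdown
interface Ethernet0/1.1
 vlan 2
 nameif inside1
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Ethernet0/1.2
 vlan 3
 nameif inside2
 security-level 100
 ip address 192.168.2.1 255.255.255.0
same-security-traffic permit inter-interface
access-list outacl permit icmp any any
access-group outacl in interface outside
icmp deny any echo inside1
icmp deny any echo inside2
icmp permit any echo-reply inside1
icmp permit any echo-reply inside2
nat (inside1) 1 192.168.1.0 255.255.255.0
nat (inside2) 1 192.168.2.0 255.255.255.0
global (outside) 1 interface
static (inside1,inside2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside2,inside1) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
"""


def parse_config(text):
    """Split a config into per-interface attribute dicts and the top-level command lines."""
    interfaces, top, current = {}, [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):          # top-level command
            current = None
            m = re.match(r"interface (\S+)$", line)
            if m:
                current = interfaces.setdefault(m.group(1), {"name": m.group(1)})
            else:
                top.append(line)
            continue
        if current is None:
            continue
        words = line.split()                  # interface sub-command
        if words == ["no", "shutdown"]:
            current["enabled"] = True
        elif words[0] in ("nameif", "vlan", "security-level"):
            current[words[0]] = words[1]
        elif words[:2] == ["ip", "address"]:
            current["ip"] = words[2]
    return interfaces, top


def first_groups(lines, pattern):
    """Hypothetical helper: yield the regex groups of every line matching pattern."""
    for line in lines:
        m = re.match(pattern, line)
        if m:
            yield m.groups()


def audit(text):
    """Return finding name -> True when satisfied, for each lab requirement."""
    interfaces, top = parse_config(text)
    subs = [i for i in interfaces.values() if "." in i["name"]]
    parents = {s["name"].split(".")[0] for s in subs}
    f = {}
    # Req 2: the trunk parent has no nameif, so untagged frames are not processed.
    f["trunk_parent_has_no_nameif"] = all("nameif" not in interfaces.get(p, {}) for p in parents)
    f["trunk_parent_enabled"] = all(interfaces.get(p, {}).get("enabled", False) for p in parents)
    f["every_subinterface_tagged_and_named"] = all(
        {"vlan", "nameif", "security-level", "ip"}.issubset(s) for s in subs)
    # Req 1 + inter-VLAN fix: same-security pairs need the permit statement and,
    # because dynamic NAT is active on them, an identity static in each direction.
    by_level = defaultdict(list)
    for i in interfaces.values():
        if "nameif" in i:
            by_level[i.get("security-level")].append(i["nameif"])
    pairs = [(a, b) for names in by_level.values() for a in names for b in names if a != b]
    f["same_security_permitted"] = not pairs or "same-security-traffic permit inter-interface" in top
    nat_rules = list(first_groups(top, r"nat \((\S+)\) (\d+)"))
    nat_ifaces = {ifc for ifc, _ in nat_rules}
    statics = set(first_groups(top, r"static \((\S+),(\S+)\)"))
    f["identity_static_for_natted_same_security_pairs"] = all(
        (a, b) in statics for a, b in pairs if a in nat_ifaces)
    # Req 3: every dynamic nat id has a matching global on outside.
    global_ids = {g[0] for g in first_groups(top, r"global \(outside\) (\d+)")}
    f["every_nat_id_has_outside_global"] = {nid for _, nid in nat_rules} <= global_ids
    # Req 4: inside interfaces deny echo to the box but permit echo-reply.
    inside = [s["nameif"] for s in subs if "nameif" in s]
    f["hosts_cannot_ping_gateway"] = all(
        f"icmp deny any echo {n}" in top and f"icmp permit any echo-reply {n}" in top
        for n in inside)
    return f


if __name__ == "__main__":
    for name, ok in audit(ASA_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Dropping the two static lines from the input makes `identity_static_for_natted_same_security_pairs` fail, which is exactly the drop described in the text: the dynamic nat on inside1 matches, but there is no translation towards inside2.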
NAT test:
ciscoasa(config)# show xlate
7 in use, 12 most used
Global 192.168.1.0 Local 192.168.1.0
Global 192.168.2.0 Local 192.168.2.0
PAT Global 192.168.3.1(5) Local 192.168.1.2 ICMP id 2096
PAT Global 192.168.3.1(4) Local 192.168.1.2 ICMP id 2095
PAT Global 192.168.3.1(3) Local 192.168.1.2 ICMP id 2094
PAT Global 192.168.3.1(2) Local 192.168.1.2 ICMP id 2093
PAT Global 192.168.3.1(1) Local 192.168.1.2 ICMP id 2092
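The xlate table above is the evidence that both halves of the design work: the two `Global x Local x` rows are the identity statics, and the `PAT Global 192.168.3.1(n)` rows are the internal host being translated to the outside interface address. As an added example (not from the original post), here is a parser for that output with a checker that confirms each inside network has an identity entry, every PAT entry uses the outside address and an inside host, PAT ports are unique, and the entry count matches the header. The input is a constructed copy of the output shown above; the function and result names are my own.

```python
"""Parse pre-8.3 ASA `show xlate` output and check the NAT test expectations (added example)."""
import re
from ipaddress import ip_address, ip_network

# Constructed input: the xlate table printed above.
XLATE_OUTPUT = """\
7 in use, 12 most used
Global 192.168.1.0 Local 192.168.1.0
Global 192.168.2.0 Local 192.168.2.0
PAT Global 192.168.3.1(5) Local 192.168.1.2 ICMP id 2096
PAT Global 192.168.3.1(4) Local 192.168.1.2 ICMP id 2095
PAT Global 192.168.3.1(3) Local 192.168.1.2 ICMP id 2094
PAT Global 192.168.3.1(2) Local 192.168.1.2 ICMP id 2093
PAT Global 192.168.3.1(1) Local 192.168.1.2 ICMP id 2092
"""

HEADER_RE = re.compile(r"^(\d+) in use, (\d+) most used$")
PAT_RE = re.compile(r"^PAT Global (\S+)\((\d+)\) Local (\S+)(?: (\w+) id (\d+))?$")
STATIC_RE = re.compile(r"^Global (\S+) Local (\S+)$")


def parse_xlate(text):
    """Return (in_use_count, entries); each entry is a dict with kind 'pat' or 'static'."""
    in_use, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HEADER_RE.match(line)):
            in_use = int(m.group(1))
        elif (m := PAT_RE.match(line)):
            entries.append({"kind": "pat", "global": m.group(1), "port": int(m.group(2)),
                            "local": m.group(3), "proto": m.group(4),
                            "id": int(m.group(5)) if m.group(5) else None})
        elif (m := STATIC_RE.match(line)):
            entries.append({"kind": "static", "global": m.group(1), "local": m.group(2)})
    return in_use, entries


def check_nat(text, inside_nets, outside_ip):
    """Check the xlate table against the lab's expected NAT behaviour."""
    in_use, entries = parse_xlate(text)
    nets = [ip_network(n) for n in inside_nets]
    statics = {(e["global"], e["local"]) for e in entries if e["kind"] == "static"}
    pats = [e for e in entries if e["kind"] == "pat"]
    results = {}
    # one identity static (global == local == network address) per inside VLAN
    results["identity_static_per_inside_net"] = all(
        (str(n.network_address), str(n.network_address)) in statics for n in nets)
    # PAT rows translate inside hosts to the outside interface address
    results["pat_uses_outside_address"] = bool(pats) and all(e["global"] == outside_ip for e in pats)
    results["pat_locals_are_inside_hosts"] = all(
        any(ip_address(e["local"]) in n for n in nets) for e in pats)
    # each PAT session gets its own port/id on the shared global address
    results["pat_ports_unique"] = len({e["port"] for e in pats}) == len(pats)
    results["entry_count_matches_header"] = in_use == len(entries)
    return results


if __name__ == "__main__":
    for name, ok in check_nat(XLATE_OUTPUT, ["192.168.1.0/24", "192.168.2.0/24"],
                              "192.168.3.1").items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```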
R2 pings R1, R3 and its own gateway:
r2#ping 192.168.3.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/19/36 ms
r2#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/20/40 ms
r2#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r2#
All requirements are met; lab complete!