Topology:

Tool used: Cisco Packet Tracer
Scenario:
PKT file: https://drive.google.com/file/d/1qbVw9XsCtTbjeGmY5OpxK1552CULkq-C/view?usp=sharing
Configs, in case you don't want to download the file.
ASA config:
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Vlan1
no nameif
security-level 100
ip address 192.168.1.1 255.255.255.0
shutdown
!
interface Vlan2
nameif inside
security-level 100
ip address 172.16.0.2 255.255.0.0
!
interface Vlan3
nameif outside
security-level 0
ip address 51.1.1.1 255.0.0.0
!
object network LAN
subnet 172.16.0.0 255.255.255.0
object network VLAN10
subnet 192.168.10.0 255.255.255.0
object network VLAN20
subnet 192.168.20.0 255.255.255.0
object network VLAN30
subnet 192.168.30.0 255.255.255.0
object network VLAN40
subnet 192.168.40.0 255.255.255.0
object network VLAN50
subnet 192.168.50.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 51.1.1.2 1
route inside 192.168.0.0 255.255.0.0 172.16.0.1 1
!
access-list local-to-internet extended permit tcp any any
access-list local-to-internet extended permit icmp any any
!
!
access-group local-to-internet in interface outside
object network LAN
nat (inside,outside) dynamic interface
object network VLAN10
nat (inside,outside) dynamic interface
object network VLAN20
nat (inside,outside) dynamic interface
object network VLAN30
nat (inside,outside) dynamic interface
object network VLAN40
nat (inside,outside) dynamic interface
object network VLAN50
nat (inside,outside) dynamic interface

Layer 3 switch config:
ip routing
!
!
spanning-tree mode pvst
!
!
interface FastEthernet0/1
no switchport
ip address 172.16.0.1 255.255.0.0
duplex auto
speed auto
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
switchport access vlan 10
switchport mode access
switchport nonegotiate
!
interface FastEthernet0/5
switchport access vlan 20
switchport mode access
switchport nonegotiate
!
interface FastEthernet0/6
switchport access vlan 30
switchport mode access
switchport nonegotiate
!
interface FastEthernet0/7
switchport access vlan 40
switchport mode access
switchport nonegotiate
!
interface FastEthernet0/8
switchport access vlan 50
switchport mode access
switchport nonegotiate
!
interface Vlan1
ip address 10.0.0.1 255.0.0.0
!
interface Vlan10
mac-address 0001.426c.9901
ip address 192.168.10.1 255.255.255.0
ip helper-address 10.0.0.2
ip helper-address 10.0.0.3
!
interface Vlan20
mac-address 0001.426c.9902
ip address 192.168.20.1 255.255.255.0
ip helper-address 10.0.0.2
ip helper-address 10.0.0.3
!
interface Vlan30
mac-address 0001.426c.9903
ip address 192.168.30.1 255.255.255.0
ip helper-address 10.0.0.2
ip helper-address 10.0.0.3
!
interface Vlan40
mac-address 0001.426c.9904
ip address 192.168.40.1 255.255.255.0
ip helper-address 10.0.0.2
ip helper-address 10.0.0.3
!
interface Vlan50
mac-address 0001.426c.9905
ip address 192.168.50.1 255.255.255.0
ip helper-address 10.0.0.2
ip helper-address 10.0.0.3
!
router ospf 1
log-adjacency-changes
network 192.168.0.0 0.0.255.255 area 0
network 10.0.0.0 0.255.255.255 area 0
network 172.16.0.0 0.0.255.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.0.2

Posted on 2021-10-08 19:45:18
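It is a bug in "Cisco Packet Tracer" that prevents NAT from working properly.
See here: https://community.cisco.com/t5/routing/packet-tracer-asa-nat-problem/td-p/3936024
(There are some workarounds in the link above.)
A simple solution (not ideal) is to use a router for NATing (the so-called traditional way).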
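
The router-based workaround mentioned above could look like the following on an IOS router. This is an added example, not part of the original answer; it assumes the router takes over the ASA's inside and outside addresses from the question, and the interface names are hypothetical.

```cisco
! Added example (not from the original post): PAT on an IOS router.
! Assumption: the router takes over the ASA's addresses; interface names are hypothetical.
interface GigabitEthernet0/0
 description inside, towards the Layer 3 switch (172.16.0.1)
 ip address 172.16.0.2 255.255.0.0
 ip nat inside
 no shutdown
!
interface GigabitEthernet0/1
 description outside, towards 51.1.1.2
 ip address 51.1.1.1 255.0.0.0
 ip nat outside
 no shutdown
!
! Sources to translate: the same subnets as the ASA network objects
! LAN and VLAN10 to VLAN50 in the question.
access-list 1 permit 172.16.0.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.30.0 0.0.0.255
access-list 1 permit 192.168.40.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
!
! Overload (PAT) onto the outside interface address, the router
! counterpart of "nat (inside,outside) dynamic interface" on the ASA.
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
! Same static routes as the ASA configuration in the question.
ip route 0.0.0.0 0.0.0.0 51.1.1.2
ip route 192.168.0.0 255.255.0.0 172.16.0.1
```

`show ip nat translations` on the router lists the active translations once inside hosts send traffic. The router applies no stateful filtering, so it does not take over the ASA's security-level policy.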
https://networkengineering.stackexchange.com/questions/76603