Cisco内部与DMZ之间的流量

Question

我需要能够平一个DMZ主机从内部主机和签证反之亦然。我尝试过配置静态nat，如下所示

static (INSIDE,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

我创建了一个名为“豁免”的访问列表，允许任何访问。我知道这不是最安全的选择，但在这一点上，我只是需要它的工作。

对此的任何帮助和洞察力都将是惊人的。

这是我的设备的配置。

!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan3002
 nameif OUTSIDE
 security-level 0
 ip address 157.201.226.6 255.255.255.252 
!
interface Vlan3022
 nameif INSIDE
 security-level 50
 ip address 192.168.10.1 255.255.255.0 
!
interface Vlan3052
 nameif DMZ   
 security-level 50
 ip address 192.168.50.1 255.255.255.0 
!
interface Ethernet0/0
 shutdown
!
interface Ethernet0/1
 switchport access vlan 3022
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!             
interface Ethernet0/7
 switchport trunk allowed vlan 3002,3022,3052
 switchport mode trunk
!
ftp mode passive
dns domain-lookup OUTSIDE
dns domain-lookup INSIDE
dns domain-lookup DMZ
same-security-traffic permit intra-interface
access-list OUTSIDE_access_in extended permit ip any any 
access-list INSIDE extended permit ip any any 
access-list OUTSIDE extended permit tcp any any eq 3389 
access-list OUTSIDE extended permit udp any any eq 3389 
access-list OUTSIDE extended permit tcp any any eq www 
access-list OUTSIDE extended permit udp any any eq www 
access-list OUTSIDE extended permit tcp any any eq https 
access-list OUTSIDE extended permit udp any any eq 443 
access-list OUTSIDE extended permit tcp any any eq ssh 
access-list OUTSIDE extended permit udp any any eq 22 
access-list OUTSIDE extended permit tcp any any eq 1 
access-list OUTSIDE extended permit udp any any eq 1 
access-list OUTSIDE extended permit icmp any any 
access-list OUTSIDE extended permit tcp any any eq 50 
access-list OUTSIDE extended permit tcp any any eq 51 
access-list OUTSIDE extended permit udp any any eq isakmp 
access-list OUTSIDE extended permit tcp any any eq ftp 
access-list DMZ extended permit ip any any 
access-list INSIDE_access_in extended permit ip any any 
access-list from-dmz extended permit ip any any 
access-list DMZ_access_in extended permit ip any any 
access-list dmz-acl extended permit ip any any 
access-list EXEMPT extended permit ip any any 
access-list DMZ_nat0_outbound_1 extended permit ip any any 
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
nat (INSIDE) 1 0.0.0.0 0.0.0.0
static (DMZ,OUTSIDE) 157.201.226.72 192.168.50.2 netmask 255.255.255.255 
static (DMZ,OUTSIDE) 157.201.226.73 192.168.50.3 netmask 255.255.255.255 
static (DMZ,OUTSIDE) 157.201.226.75 192.168.50.5 netmask 255.255.255.255 
static (INSIDE,OUTSIDE) 157.201.226.74 192.168.10.74 netmask 255.255.255.255 
static (INSIDE,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0 dns 
access-group OUTSIDE in interface OUTSIDE
access-group EXEMPT in interface INSIDE
access-group EXEMPT in interface DMZ
access-group EXEMPT out interface DMZ
route OUTSIDE 0.0.0.0 0.0.0.0 157.201.226.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Duo-Radius protocol radius
aaa-server Duo-Radius (DMZ) host 192.168.50.4
 timeout 20
 key cuddlypuppies
 authentication-port 1812
 accounting-port 1813
 no mschapv2-capable
aaa authentication ssh console LOCAL 
http server enable
http 0.0.0.0 0.0.0.0 OUTSIDE
snmp-server host DMZ 192.168.50.5 community public
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE
crypto map INSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map INSIDE_map interface INSIDE
crypto map DMZ_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map DMZ_map interface DMZ
crypto isakmp enable OUTSIDE
crypto isakmp enable INSIDE
crypto isakmp enable DMZ
crypto isakmp policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.255.255.255 OUTSIDE
ssh 10.0.0.0 255.0.0.0 OUTSIDE
ssh 0.0.0.0 0.0.0.0 OUTSIDE
ssh timeout 30
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server INSIDE 192.168.10.2 asdm-647.bin
webvpn
 anyconnect-essentials
group-policy DfltGrpPolicy attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol IPSec l2tp-ipsec 
username team1 password 6cSlCtoGgNx3QZLp encrypted
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group Duo-Radius
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group Duo-Radius
 authentication-server-group (DMZ) Duo-Radius
 secondary-authentication-server-group Duo-Radius use-primary-username
 authorization-server-group Duo-Radius
 accounting-server-group Duo-Radius
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context 
Cryptochecksum:15266ece8259e82ee10eca7f9e72a029
: end

Answer 1

尝尝这个

access-list DMZ_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0 

nat (DMZ) 0 access-list DMZ_nat0_outbound

Answer 2

相同安全级别的两个接口之间的通信量被删除。这是ASA的先天行为。

可以通过应用这个命令：same-security-traffic permit inter-interface来重写它。

不要与“相同的安全-交通许可证内部接口”混淆。它允许通信流进出同一个接口。我看到你申请了这个，你可能真的需要它。但是您肯定还需要应用另一个(inter)。

更好的是，您还可以将内部的安全级别更改为100 (或者比DMZ (当前为50)的值高出任何值)。如果我是你，那就是我要做的。既然你把它们分开了，你可以考虑一个比另一个更安全。

此外，您还需要适当地应用NAT豁免。试着用这个捕捉到所有静态NAT都会有效..。直到您希望从内部流到外部接口为止。

static (INSIDE,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0 dns 

删除此静态语句。并应用NAT豁免的方式，它将只适用于内部和非军事区接口之间的流量。这意味着您必须执行策略NAT豁免(也就是ACL的NAT豁免)。它看起来是这样的：

access-list NONAT permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT

这样，当您的内部主机与Internet对话时，它将不匹配NAT豁免，并将通过您的常规静态语句进行处理。但是，当您的内部主机试图与您的DMZ主机对话时，NAT豁免将优先于您的静态语句，并且允许流量不需要NAT。

进一步注意: NAT豁免是双向的，所以您不需要将ACL条目应用于另一个方向的流量。*只要您从较高的安全级别(如上文所述)开始的流量角度应用ACL。