
Cisco ASA NAT/ACL across EZVPN problem

Network Engineering user
Asked on 2016-02-03 18:24:49
1 answer, 804 views, 0 followers, 4 votes

I have an EZVPN running between two locations: Location A has a 5520 and the EZVPN server, Location B has a 5506 and an EZVPN client. Currently I am trying to set up NAT and ACL(s) so that hosts on Location B's network can reach a few servers in Location A's DMZ. Below are my packet tracers from both locations. Attached are the sanitized configs from both locations.

```
LocationA-Firewall# packet-tracer input inside tcp <Location B inside ip> 443 <Location A DMZ server ip> 443 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   <Location B inside ip>  255.255.255.0   outside
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (dmz,outside) source static DMZ_Servers DMZ_Servers destination static (location B)-remote_network (location B)-remote_network no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate <Location B inside ip>/443 to <Location B inside ip>/443
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x73cb5f60, priority=11, domain=permit, deny=true
      hits=343658, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
      src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
      dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
      input_ifc=dmz, output_ifc=any
Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
```


===========================================================

```
LocationB-Firewall# packet-tracer input inside tcp <Location B inside ip> 443 <Location A DMZ server ip> 443

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop <internet next hop> using egress ifc  outside

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static Location_B_Networks Location_B_Networks destination static Remote_DMZ Remote_DMZ no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate <Location A DMZ server ip>/443 to <Location A DMZ server ip>/443

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OWL_inside in interface inside
access-list OWL_inside extended permit ip any4 any4
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static Location_B_Networks Location_B_Networks destination static Remote_DMZ Remote_DMZ no-proxy-arp route-lookup
Additional Information:
Static translate <Location B inside ip>/443 to <Location B inside ip>/443

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: ACCESS-LIST
Subtype: aaa-user
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static Location_B_Networks Location_B_Networks destination static Remote_DMZ Remote_DMZ no-proxy-arp route-lookup
Additional Information:

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 568767, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
```

In these packet tracers I am testing HTTPS access, since it is one of the ports I need to open across the two sites. Because of the problem on Location A's ASA, I tried the following NAT and ACL additions (outside_access_in is the ACL applied to the outside interface, dmz_access_in is the ACL applied to the DMZ):

```
access-list dmz_access_in extended permit tcp object (location B)-remote_network object-group DMZ_Servers eq https

nat (dmz,outside) source static DMZ_Servers DMZ_Servers destination static (location B)-remote_network (location B)-remote_network no-proxy-arp route-lookup

access-list outside_access_in extended permit tcp object (location B)-remote_network object-group DMZ_Servers eq https
```

None of these worked. Apart from those ACL entries, there are no entries in my ACLs concerning Location B traffic. ASP packet captures did not help either. The sanitized configs for both locations follow:

```
:
ASA Version 9.5(2)
!
hostname LocationB-Firewall
domain-name company.com

names
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address (location B inside) 255.255.255.0
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa952-lfbff-k8.SPA
ftp mode passive
dns server-group DefaultDNS
 domain-name oscarwinski.com
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object-group network Location_A_Networks
 network-object (Location A network).0 255.255.255.0

object-group network Location_B_Networks
 network-object (Location B network).0 255.255.255.0

object-group network Remote_DMZ
 network-object host <Location A dmz server IP>

access-list LocationB_inside extended permit ip any4 any4
access-list outside_access_in extended permit tcp host <internet IP> object-group Location_B_Networks eq https

no pager
logging console emergencies
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
e
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Location_B_Networks Location_B_Networks destination static Location_A_Networks Location_A_Networks no-proxy-arp route-lookup
nat (inside,outside) source static Location_B_Networks Location_B_Networks destination static Remote_DMZ Remote_DMZ no-proxy-arp route-lookup

!
object network obj_any
 nat (any,outside) dynamic interface

access-group outside_access_in in interface outside
access-group LocationB_inside in interface inside

timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh (Location A outside interface) 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpnclient server (outside interface)
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup vpn password *****
vpnclient username ezvpn password *****
vpnclient enable

!
dhcpd address (location B network)-(location B network) inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

dynamic-access-policy-record DfltAccessPolicy

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
!
service-policy global_policy global
prompt hostname context

: end
```

Location A is as follows:

```
ASA Version 9.1(3)
!
hostname LocationA-Firewall
domain-name company.com
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address (location A outside) 255.255.255.240
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address (location A inside) 255.255.255.0
!
!
object network (location B)-remote_network
 subnet (location B) 255.255.255.0
object-group network (Location A)_Networks
 network-object (Location A) 255.255.255.0
object-group network DMZ_Servers
 network-object <DMZ servers IPs>

access-list ezvpn_split extended permit tcp object-group (Location A)_Networks object (location B)-remote_network

nat (dmz,outside) source static DMZ_Servers DMZ_Servers destination static (location B)-remote_network (location B)-remote_network no-proxy-arp route-lookup

nat (inside,outside) source static (Location A)_Networks (Location A)_Networks destination static (location B)-remote_network (location B)-remote_network no-proxy-arp route-lookup

access-group outside_access_in in interface outside
access-group inside in interface inside
access-group dmz_access_in in interface dmz
!
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set aes256set esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map vpn_dyn_map 1 set ikev1 transform-set aes256set
crypto dynamic-map vpn_dyn_map 1 set reverse-route
crypto dynamic-map vpn_dyn_map 500 set ikev1 transform-set ESP-3DES-MD5
crypto map VPN 65535 ipsec-isakmp dynamic vpn_dyn_map
crypto map VPN interface outside
crypto isakmp identity address
crypto isakmp nat-traversal 10
crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
ssh 0.0.0.0 0.0.0.0 inside
management-access inside
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
!username ezvpn password <removed>
 vpn-group-policy DefaultRAGroup
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key <removed>
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
tunnel-group ezvpn type remote-access
tunnel-group ezvpn general-attributes
 default-group-policy ezvpnpolicy
tunnel-group ezvpn ipsec-attributes
 ikev1 pre-shared-key <removed>
tunnel-group (location A outside) type ipsec-l2l
tunnel-group (location A outside) ipsec-attributes
 ikev1 pre-shared-key <removed>
!
class-map preset_dns_map
class-map global-class
 match access-list global_mpc
class-map apple_class
 match access-list dmz_access_in
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect http apple_map
 parameters
 match not request header host regex apple_domain
policy-map global_policy
 description Internet_Netflow
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect http
  inspect icmp
  inspect rtsp
  inspect sip
 class global-class
  flow-export event-type all destination 10.1.1.25
 class apple_class
  inspect http apple_map
!
service-policy global_policy global
prompt hostname context
: end
```

Edit: this is what I see in the logs after running packet tracer in both directions:

Location A

```
Feb  4 10:05:08 10.255.1.1 %ASA-5-111008: User 'enable_15' executed the 'packet-tracer input dmz tcp <DMZ Server IP> 443 <Location B Inside IP> 443' command.
Feb  4 10:05:08 10.255.1.1 %ASA-5-111010: User 'enable_15', running 'CLI' from IP x.x.x.x, executed 'packet-tracer input dmz tcp <DMZ Server IP> 443 <Location B Inside IP> 443'
```

Location B

```
Feb  4 08:50:30 <Location B Inside IP> %ASA-5-111008: User 'enable_15' executed the 'packet-tracer input inside tcp <Location B Inside IP> 443 <DMZ Server IP> 443' command.
Feb  4 08:50:30 <Location B Inside IP> %ASA-5-111010: User 'enable_15', running 'CLI' from IP x.x.x.x, executed 'packet-tracer input inside tcp <Location B Inside IP> 443 <DMZ Server IP> 443'
Feb  4 08:51:15 <Location B Inside IP> %ASA-7-609001: Built local-host outside:<DMZ Server IP>
Feb  4 08:51:15 <Location B Inside IP> %ASA-6-302013: Built outbound TCP connection 936480 for outside:<DMZ Server IP>/443 (<DMZ Server IP>/443) to inside:<Location B Inside IP>45/50378 (<Location B Inside IP>45/50378)
Feb  4 08:51:45 <Location B Inside IP> %ASA-6-302014: Teardown TCP connection 936480 for outside:<DMZ Server IP>/443 to inside:<Location B Inside IP>45/50378 duration 0:00:30 bytes 0 SYN Timeout
Feb  4 08:51:45 <Location B Inside IP> %ASA-7-609002: Teardown local-host outside:<DMZ Server IP> duration 0:00:30
```

Both locations have the following logging options turned on:

```
logging enable
logging timestamp
logging standby
logging buffer-size 1048576
logging console emergencies
logging monitor debugging
logging buffered debugging
logging trap debugging
logging asdm notifications
logging facility 23
logging host inside <syslog server IP>
```

I also thought that adding the dmz network I want to reach to the EZVPN split-tunnel list might work, but it did not:

```
access-list ezvpn_split extended permit tcp object-group DMZ_Servers object (location B)-remote_network
```

Edit: added the ACL statements to both configs.


1 Answer

Network Engineering user

Accepted answer

Posted on 2016-02-08 15:59:17

After a lot of discussion on this question, here is a solution:

1) At Location B, remove the nat statements, because they interfere with the VPN tunnel:

```
nat (inside,outside) source static Location_B_Networks Location_B_Networks destination static Location_A_Networks Location_A_Networks no-proxy-arp route-lookup
nat (inside,outside) source static Location_B_Networks Location_B_Networks destination static Remote_DMZ Remote_DMZ no-proxy-arp route-lookup
```

2) Keep the DMZ statement in the split-tunnel ACL:

```
access-list ezvpn_split extended permit tcp object-group DMZ_Servers object (location B)-remote_network
```

3) My access-list entry was switched around for no good reason. It was:

```
access-list dmz_access_in extended permit tcp object (location B)-remote_network object-group DMZ_Servers eq https
```

It should have been:

```
access-list dmz_access_in extended permit tcp object-group DMZ_Servers object (location B)-remote_network eq https
```
1 vote
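Point 3 of the answer is a direction error: an access-group applied `in` on an interface evaluates packets entering the ASA on that interface, so the source of each ACE must be a network that sits behind that interface. On dmz_access_in the source therefore has to be the DMZ servers, not the remote network, and the swapped ACE can never match, which is why the trace fell through to the implicit deny. The following Python check is an added example and not code from the question or the answer; it parses a constructed config fragment (object names simplified to placeholders, since the page's names contain spaces) together with an assumed operator-supplied map of which objects live behind which interface, and flags every ACE whose source object is not behind the interface on which its ACL is applied inbound.

```python
import re

# Constructed config fragment modelled on the Location A config in the question.
# Object names are simplified placeholders; the two ACEs are the "was" and
# "should have been" lines from the accepted answer, placed in the same ACL.
SAMPLE_CONFIG = """\
object network LocB-remote_network
 subnet 192.0.2.0 255.255.255.0
object-group network DMZ_Servers
 network-object host 198.51.100.10
 network-object host 198.51.100.11
access-list dmz_access_in extended permit tcp object LocB-remote_network object-group DMZ_Servers eq https
access-list dmz_access_in extended permit tcp object-group DMZ_Servers object LocB-remote_network eq https
access-group dmz_access_in in interface dmz
"""

# Assumed operator-supplied map of which named objects sit behind which interface.
# The ASA config does not record this relationship, so the check takes it as input.
INTERFACE_OBJECTS = {
    "dmz": {"DMZ_Servers"},
    "outside": {"LocB-remote_network"},
}

def _parse_addr(tok, i):
    """Consume one ASA address specification at tok[i]; return (spec, next index)."""
    kw = tok[i]
    if kw in ("object", "object-group", "host"):
        return (kw, tok[i + 1]), i + 2
    if kw in ("any", "any4", "any6"):
        return ("any", kw), i + 1
    return ("subnet", f"{tok[i]} {tok[i + 1]}"), i + 2      # "<ip> <mask>" form

def _skip_port(tok, i):
    """Skip an optional port operator (eq/neq/lt/gt X, or range X Y) at tok[i]."""
    if i < len(tok) and tok[i] in ("eq", "neq", "lt", "gt"):
        return i + 2
    if i < len(tok) and tok[i] == "range":
        return i + 3
    return i

def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC [PORT] DST [PORT]'."""
    tok = line.split()
    if tok[:1] != ["access-list"] or "extended" not in tok:
        return None
    j = tok.index("extended") + 1
    ace = {"acl": tok[1], "action": tok[j], "proto": tok[j + 1]}
    ace["src"], j = _parse_addr(tok, j + 2)
    j = _skip_port(tok, j)                 # a source port, if present
    ace["dst"], j = _parse_addr(tok, j)
    return ace

def parse_access_groups(config):
    """Map ACL name -> interface for every 'access-group NAME in interface IFC'."""
    groups = {}
    for line in config.splitlines():
        m = re.match(r"access-group\s+(\S+)\s+in\s+interface\s+(\S+)", line.strip())
        if m:
            groups[m.group(1)] = m.group(2)
    return groups

def check_ace_direction(config, iface_objects=INTERFACE_OBJECTS):
    """Return (line number, message) for each ACE whose source object is not behind
    the interface its ACL guards inbound; such an ACE can never match real traffic."""
    groups = parse_access_groups(config)
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        ace = parse_ace(line.strip())
        if ace is None or ace["acl"] not in groups:
            continue
        iface = groups[ace["acl"]]
        kind, name = ace["src"]
        if kind not in ("object", "object-group"):
            continue                       # any/host/subnet sources are not resolved here
        if name in iface_objects.get(iface, set()):
            continue
        owner = next((i for i, objs in iface_objects.items() if name in objs), "unknown")
        findings.append((lineno, f"{ace['acl']} on {iface}: source {name} lives behind "
                                 f"{owner}, so this ACE cannot match traffic entering "
                                 f"{iface}; source and destination look reversed"))
    return findings

if __name__ == "__main__":
    for lineno, msg in check_ace_direction(SAMPLE_CONFIG):
        print(f"line {lineno}: {msg}")
```

Running it over the fragment reports only the first ACE, the one the answer identifies as wrong; the corrected ACE, with the DMZ servers as source, passes. The same check is worth running on any ACL applied inbound, since an ACE whose source is on the far side of the interface silently never matches and the traffic lands on the implicit deny exactly as in the Location A trace.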
Original page content provided by Network Engineering; translation supported by Tencent Cloud's IT-domain translation engine.
Original link: https://networkengineering.stackexchange.com/questions/26513
