思科ASA -我的NAT正在迫使流量出错误的界面!
思科ASA -我的NAT正在迫使流量出错误的界面!
提问于 2017-06-08 22:53:42
Cisco ASA 5508,9.6.3代码。我有两个外部接口BACKUP和PRIMARY以及一个INSIDE接口。由于某种原因,NAT将流量发送给备份接口,即使备份关闭了!
编辑我孤立了这个问题,使这个问题变得简单了。
我发现,如果您使用两次有目的地的NAT,ASA将根据NAT路由数据包,而完全忽略路由表。这是相关的配置。
interface GigabitEthernet0/0
nameif PRIMARY
security-level 0
ip address 22.22.22.22 255.255.255.240
interface GigabitEthernet0/1
nameif INSIDE
security-level 100
ip address 172.16.1.10 255.255.255.0
interface GigabitEthernet0/2
nameif BACKUP
security-level 0
ip address 33.33.33.33 255.255.255.0
route OUTSIDE 0.0.0.0 0.0.0.0 22.22.22.23 1
object network OBJ-55.55.55.55
host 55.55.55.55
object service OBJ-HTTP
service tcp destination eq 80
nat (INSIDE,BACKUP) source static any interface destination static OBJ-55.55.55.55 OBJ-55.55.55.55
nat (INSIDE,PRIMARY) source static any interface destination static OBJ-55.55.55.55 OBJ-55.55.55.55
nat (INSIDE,any) source static any any service OBJ-HTTP OBJ-HTTP no-proxy-arp我的目标是将NAT流量转到55.55.55.55到接口,而不是端口80上的其他所有东西。
当我做这个配置并尝试一个数据包跟踪,我们可以看到它采取了错误的路径。
ASA-DEV# packet-tracer input INSIDE tcp 172.16.1.99 2222 55.55.55.55 80
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,BACKUP) source static any interface destination static OBJ-55.55.55.55 OBJ-55.55.55.55
Additional Information:
NAT divert to egress interface BACKUP-INTERNET-TEST
Untranslate 55.55.55.55/80 to 55.55.55.55/80
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ACL-INSIDE-IN in interface INSIDE
access-list ACL-INSIDE-IN extended permit ip any host 55.55.55.55
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,BACKUP) source static any interface destination static OBJ-55.55.55.55 OBJ-55.55.55.55
Additional Information:
Static translate 172.16.1.99/2222 to 192.168.79.1/2222
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: INSPECT
Subtype: inspect-http
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http PMAP-HTTP-INSPECT
service-policy global_policy global
Additional Information:
Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (INSIDE,BACKUP) source static any interface destination static OBJ-55.55.55.55 OBJ-55.55.55.55
Additional Information:
Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1404251, packet dispatched to next module
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: BACKUP
output-status: down
output-line-status: down
Action: allow还有一些显示命令:
ASA-DEV(config)# sh route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 208.69.250.17 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 22.22.22.23, OUTSIDE
C 172.16.1.0 255.255.255.0 is directly connected, INSIDE
ASA-DEV(config)# sho int ip brie
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 22.22.22.22 YES CONFIG up up
GigabitEthernet0/1 172.16.1.10 YES CONFIG up up
GigabitEthernet0/2 33.33.33.33 YES manual down down
GigabitEthernet0/3 unassigned YES unset administratively down down
GigabitEthernet0/4 unassigned YES unset administratively down down
GigabitEthernet0/5 unassigned YES unset administratively down down正如您所看到的,我的路由表是基本的,我的备份接口(G0/2)甚至没有启动。那么,NAT为什么要尝试路由出备份界面呢!?
回答 1
Network Engineering用户
回答已采纳
发布于 2017-06-09 05:45:27
这是ASA数据包处理的一个非常特殊的部分,许多人不知道这个部分叫做NAT转移检查
NAT分流检查(即重写路由表的内容)正在检查是否有任何NAT规则指定到达接口的入站数据包的目标地址转换。如果没有明确指定如何转换该数据包的目标IP地址的规则,则将查询全局路由表以确定出口接口。如果有一条规则显式地指定如何转换数据包目标IP地址,则NAT规则“将”该数据包“拉”到转换中的另一个接口,并且有效地绕过全局路由表。
Cisco已经声明,这些NAT规则旨在覆盖路由表。
您可以使用EEM脚本作为解决方案,以保留NAT语句,并使其仍然工作。脚本依赖于IP来跟踪IP失败将触发的syslog消息,然后在发生这种情况时添加或删除NAT。http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118049-config-eem-00.html
页面原文内容由Network Engineering提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://networkengineering.stackexchange.com/questions/41788
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号