Asa 5510: network resources do not open. 03.02.2016, 10:11. Views: 1020. Replies: 4
Greetings, everyone. This is my first experience with Cisco, so the config may well be crooked all over.
Given: there are several working networks, all going through the router 192.168.0.249. Everything is fine there, no questions. I needed to bring up a few more networks and decided to try running them on an Asa 5510. Interfaces on the ASA: Ethernet0/0 faces the main network, Ethernet0/1.60 and Ethernet0/1.30 are the networks that need to be brought up, Ethernet0/3 is the internet uplink. Port Ethernet0/1 goes to a Catalyst 2960G with a trunk and VLANs configured; clients get their addresses. Internet access works, all resources respond to ping, including those in the other networks behind the other router. Now the problem: from the network 192.168.30.0, no resources in the networks 192.168.0.0 and 192.168.20.0 open, not even web resources, although pings go through. I can't figure out what's wrong :( I ran packet-tracer, it went through fine and says the packet should pass. Could you tell me what might be the cause? It's my first time dealing with Cisco.
Code:
Result of the command: "sh run"

: Saved
:
ASA Version 8.4(5)
!
hostname asa0149
domain-name dom.loc
names
!
interface Ethernet0/0
 nameif l0
 security-level 100
 ip address 192.168.0.149 255.255.255.0
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.30
 vlan 30
 nameif l30
 security-level 100
 ip address 192.168.30.1 255.255.255.0
!
interface Ethernet0/1.60
 vlan 60
 nameif l60
 security-level 100
 ip address 192.168.60.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif u148
 security-level 0
 ip address 99.99.99.99 255.255.255.248
!
interface Management0/0
 nameif l172
 security-level 100
 ip address 172.20.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa845-k8.bin
ftp mode passive
clock timezone MSK/MSD 3
clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
 name-server 192.168.0.19
 name-server 192.168.0.8
 domain-name dom.loc
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network local_0
 subnet 192.168.0.0 255.255.255.0
object network local_30
 subnet 192.168.30.0 255.255.255.0
object network local_60
 subnet 192.168.60.0 255.255.255.0
object network local_50
 subnet 192.168.50.0 255.255.255.0
object network local_20
 subnet 192.168.20.0 255.255.255.0
object network NETWORK_OBJ_192.168.50.0_24
 subnet 192.168.50.0 255.255.255.0
object-group service local
 service-object ip
 service-object icmp
 service-object udp
 service-object tcp
 service-object icmp traceroute
access-list l30_access_out extended permit ip any any
access-list l30_access_out extended permit icmp any any
access-list l30_access_out extended permit icmp any any traceroute
access-list l20_access_out extended permit ip any any
access-list l30_access_in extended permit ip any any
access-list l30_access_in extended permit icmp any any
access-list l30_access_in extended permit icmp any any traceroute
access-list l20_access_in extended permit ip any any
access-list l0_access_in extended permit ip any any
access-list l0_access_in extended permit icmp any any
access-list l0_access_in extended permit icmp any any traceroute
access-list l60_access_in extended permit ip any any
access-list u148_access_in extended permit tcp any any
access-list u148_access_in extended permit icmp any any
access-list u148_access_in extended permit icmp any any traceroute
access-list u148_access_out extended permit tcp any any
access-list u148_access_out extended permit icmp any any
access-list u148_access_out extended permit icmp any any traceroute
access-list l0_access_out extended permit ip any any
access-list l0_access_out extended permit icmp any any
access-list l0_access_out extended permit icmp any any traceroute
pager lines 24
logging enable
logging asdm informational
mtu l0 1500
mtu l30 1500
mtu l60 1500
mtu u148 1500
mtu l172 1500
ip local pool vpn_pool 192.168.50.2-192.168.50.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 10 burst-size 5
asdm image disk0:/asdm-702.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (l0,u148) source static any any destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
!
object network local_0
 nat (any,u148) dynamic interface
object network local_30
 nat (any,u148) dynamic interface
object network local_60
 nat (any,u148) dynamic interface
access-group l0_access_in in interface l0
access-group l0_access_out out interface l0
access-group l30_access_in in interface l30
access-group l30_access_out out interface l30
access-group l60_access_in in interface l60
access-group u148_access_in in interface u148
access-group u148_access_out out interface u148
route u148 0.0.0.0 0.0.0.0 79.98.212.145 1
route l0 192.168.0.0 255.255.255.255 192.168.0.249 1
route l0 192.168.20.0 255.255.255.0 192.168.0.249 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server domain protocol nt
 reactivation-mode depletion deadtime 0
 max-failed-attempts 5
aaa-server domain (l0) host 192.168.0.8
 nt-auth-domain-controller 192.168.0.8
aaa-server domain (l0) host 192.168.0.19
 nt-auth-domain-controller 192.168.0.19
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 l0
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
crypto map u148_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map u148_map interface u148
crypto ikev1 enable u148
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 l0
ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 192.168.0.19 192.168.0.8
dhcpd domain dom.loc
!
dhcpd address 192.168.30.11-192.168.30.254 l30
dhcpd dns 192.168.0.8 192.168.0.19 interface l30
dhcpd domain dom.loc interface l30
dhcpd enable l30
!
dhcpd address 192.168.60.11-192.168.60.254 l60
dhcpd dns 192.168.0.19 192.168.0.8 interface l60
dhcpd domain dom.loc interface l60
!
dhcpd address 172.20.1.11-172.20.1.254 l172
dhcpd dns 192.168.0.8 192.168.0.19 interface l172
dhcpd domain dom.loc interface l172
dhcpd enable l172
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.0.8 prefer
ntp server 192.168.0.19
webvpn
 anyconnect-essentials
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.0.19 192.168.0.8
 vpn-tunnel-protocol ikev1
 default-domain value gs.ru
username remote password XXXXXXXXXXXXXXXXXXXXXXXX nt-encrypted privilege 0
username remote attributes
 vpn-group-policy DefaultRAGroup
username XXXXXXXXXXXX password XXXXXXXXXXXXXXXXXX encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool vpn_pool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ede1311c22f4fa1ed88e1684c63d6864
: end

Result of the command: "packet-tracer input l30 tcp 192.168.30.10 3000 192.168.0.11 3000"

Code:
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.0.0 255.255.255.0 l0

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group l30_access_in in interface l30
access-list l30_access_in extended permit ip any any
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group l0_access_out out interface l0
access-list l0_access_out extended permit ip any any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1727712, packet dispatched to next module

Result:
input-interface: l30
input-status: up
input-line-status: up
output-interface: l0
output-status: up
output-line-status: up
Action: allow
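The posted packet-tracer already shows both interface ACLs allowing the 192.168.30.0 to 192.168.0.0 flow, so the access lists are not what blocks TCP here. What a reviewer would still flag in the posted config is visible without the device: every interface ACL is `permit ip any any` (so the ASA adds no segmentation between VLAN 30/60 and the main LAN), the line `route l0 192.168.0.0 255.255.255.255 192.168.0.249 1` is a /32 route inside the subnet already connected on l0, and the IKEv1 policies and SSH key exchange use DES/3DES and 1024-bit DH groups. The script below is an added example, not code from the thread: it parses `show running-config` output in the ASA one-space-indent style and reports those three classes of findings. `SAMPLE_CONFIG` is a constructed excerpt that borrows only interface, ACL, route and policy lines from the posted config; the weakness thresholds are this example's own assumptions.

```python
"""Lint a Cisco ASA 'show running-config' for: bound ACLs that permit ip any
any, static routes inside a connected subnet, and weak IKEv1/SSH crypto.
Added example, not the thread author's code. SAMPLE_CONFIG is a constructed
excerpt modelled on the posted config."""
import ipaddress
import re

SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif l0
 security-level 100
 ip address 192.168.0.149 255.255.255.0
interface Ethernet0/1.30
 vlan 30
 nameif l30
 security-level 100
 ip address 192.168.30.1 255.255.255.0
access-list l30_access_in extended permit ip any any
access-list l0_access_out extended permit ip any any
access-list u148_access_in extended permit tcp any any
access-group l30_access_in in interface l30
access-group l0_access_out out interface l0
access-group u148_access_in in interface u148
route l0 192.168.0.0 255.255.255.255 192.168.0.249 1
route l0 192.168.20.0 255.255.255.0 192.168.0.249 1
ssh key-exchange group dh-group1-sha1
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
"""

# Assumed thresholds: DES/3DES, MD5 and MODP groups of <= 1024 bits are weak.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}


def parse_blocks(text):
    """Return (parent command, [sub-commands]) pairs in file order; the ASA
    indents sub-commands by one space under their parent line."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def connected_interfaces(blocks):
    """Map nameif -> ip_interface for every interface that has an address."""
    ifaces = {}
    for parent, subs in blocks:
        if not parent.startswith("interface "):
            continue
        nameif = addr = None
        for sub in subs:
            if sub.startswith("nameif "):
                nameif = sub.split()[1]
            elif sub.startswith("ip address "):
                _, _, ip, mask = sub.split()
                addr = ipaddress.ip_interface(f"{ip}/{mask}")
        if nameif and addr:
            ifaces[nameif] = addr
    return ifaces


def open_acl_findings(blocks):
    """Flag ACLs bound with access-group that contain 'permit ip any any'."""
    bound, entries = {}, {}
    for parent, _ in blocks:
        m = re.match(r"access-group (\S+) (in|out) interface (\S+)$", parent)
        if m:
            bound[m.group(1)] = f"{m.group(2)} on {m.group(3)}"
            continue
        m = re.match(r"access-list (\S+) extended (permit|deny) (\S+) (\S+) (\S+)", parent)
        if m:
            entries.setdefault(m.group(1), []).append(m.groups()[1:])
    return [f"ACL {name} ({where}) permits ip any any: no segmentation"
            for name, where in bound.items()
            for entry in entries.get(name, [])
            if entry == ("permit", "ip", "any", "any")]


def route_findings(blocks, ifaces):
    """Flag static routes whose destination lies inside a connected subnet."""
    findings = []
    for parent, _ in blocks:
        m = re.match(r"route (\S+) (\S+) (\S+) (\S+)", parent)
        if not m:
            continue
        _, dst, mask, gw = m.groups()
        net = ipaddress.ip_network(f"{dst}/{mask}", strict=False)
        if net.prefixlen == 0:  # default route: nothing to compare against
            continue
        for nameif, addr in ifaces.items():
            if net.subnet_of(addr.network):
                findings.append(f"route {dst} {mask} via {gw} lies inside "
                                f"connected subnet {addr.network} on {nameif}")
    return findings


def crypto_findings(blocks):
    """Flag IKEv1 policies with weak algorithms and legacy SSH key exchange."""
    findings = []
    for parent, subs in blocks:
        if parent.startswith("crypto ikev1 policy "):
            kv = dict(s.split(None, 1) for s in subs)
            weak = [f"{k}={kv[k]}" for k, bad in WEAK.items() if kv.get(k) in bad]
            if weak:
                findings.append(f"{parent} uses weak {' '.join(weak)}")
        elif parent == "ssh key-exchange group dh-group1-sha1":
            findings.append("SSH key exchange uses 1024-bit DH group 1 with SHA-1")
    return findings


def audit(text):
    """Run every check over one config and return the list of findings."""
    blocks = parse_blocks(text)
    ifaces = connected_interfaces(blocks)
    return open_acl_findings(blocks) + route_findings(blocks, ifaces) + crypto_findings(blocks)


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Run against the full posted config (pasted into `SAMPLE_CONFIG` or read from a file) the ACL check fires on every `*_access_in` / `*_access_out` list except the two on u148, the route check fires only on the /32 line, and the crypto check lists all fifteen IKEv1 policies, since each one uses `group 2`. The route finding is the one worth looking at first when chasing the thread's symptom: a host route for 192.168.0.0 that points at 192.168.0.249 does nothing useful on a link where 192.168.0.0/24 is already connected.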
03.02.2016, 14:34 | 2 |
04.02.2016, 10:00 [OP] | 3 |
192.168.20.0 is behind the router 192.168.0.249.
04.02.2016, 10:18 | 4 |
04.02.2016, 22:47 [OP] | 5 |
No, but it isn't really needed there; all sorts of junk hangs around in that network. All the resources are in 192.168.0.0, and there is a route to it from here. Everything pings in both directions, but neither shares nor anything else opens.