1.拓扑图


 

为了审计的需要,syslog的源地址必须设备实际地址,而因为其他方面原因,syslog服务器又不能放在内网。

2.接口配置:
R1:
R1(config)#int f0/0
R1(config-if)#ip add 10.1.1.18 255.255.255.0
R1(config-if)#no sh
R2:
R2(config)#int f0/0
R2(config-if)#ip add 10.1.1.28 255.255.255.0
R2(config-if)#no sh
R3:
R3(config)#int f0/0
R3(config-if)#ip add 20.1.1.38 255.255.255.0
R3(config-if)#no sh
ASA:
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 20.1.1.1 255.255.255.0

3.路由配置:

R1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.1
R2(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.1

4.syslog配置:

A.配置syslog接收服务器
R1(config)#logging 20.1.1.18
R2(config)#logging 20.1.1.18
B.指定syslog源地址
R1(config)#logging source-interface FastEthernet0/0
R2(config)#logging source-interface f0/0
C.设定日志级别
R1(config)#logging trap debugging
R2(config)#logging trap debugging
D.开启syslog
R1(config)#logging on
R2(config)#logging on

5.NAT配置:

思路一:用NAT0(失败)

ciscoasa(config)# access-list syslog permit udp any any eq syslog
ciscoasa(config)# nat (inside) 0 access-list syslog
ERROR: access-list has protocol or port

备注:说明nat0的access-list不能包含协议和端口。

思路二:配置策略NAT,禁止syslog协议的数据流进行NAT

ciscoasa(config)# access-list nat extended deny udp any any eq syslog
ciscoasa(config)# access-list nat extended permit ip any any

ciscoasa(config)# nat (inside) 1 access-list nat
ERROR: Deny rules not supported in Policy Nat

备注:策略NAT不支持deny的规则。
既然不支持deny,修改access-list如下:
ciscoasa(config)# access-list nat permit udp 10.1.1.0 255.255.255.0 any neq 514
ciscoasa(config)# access-list nat permit tcp 10.1.1.0 255.255.255.0 any

测试:

1).syslog地址没有在作NAT转换


 
2).tcp的连接作了NAT转换

R1#telnet 20.1.1.38
Trying 20.1.1.38 ... Open


User Access Verification

Password:
R3>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:02:43  
* 66 vty 0                idle                 00:00:00 20.1.1.1

  Interface    User               Mode         Idle     Peer Address

R3>

R2#telnet 20.1.1.38
Trying 20.1.1.38 ... Open


User Access Verification

Password:
R3>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:03:46  
  66 vty 0                idle                 00:01:02 20.1.1.1
* 67 vty 1                idle                 00:00:00 20.1.1.1

  Interface    User               Mode         Idle     Peer Address

R3>

3).udp的非514端口也作了地址转换(以dns做测试)

R3配置成DNS服务器
R3(config)#ip dns server
R3(config)#ip host www.yuntian.com 20.1.1.38
R1配置成R3的DNS客户端
R1(config)#ip domain lookup
R1(config)#ip name-server 20.1.1.38
R1(config)#end
R1#
*Mar  1 02:15:16.139: %SYS-5-CONFIG_I: Configured from console by console
R1上ping主机名
R1#ping www.yuntian.com

Translating "www.yuntian.com"...domain server (20.1.1.38) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.38, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/44/104 ms
R3上抓包确认已经作了地址转换
R3#debug ip udp
UDP packet debugging is on
R3#
*Mar  1 00:45:40.487: UDP: rcvd src=20.1.1.1(1026), dst=20.1.1.38(53), length=41
*Mar  1 00:45:40.491: UDP: Random local port generated 54505, network 1
*Mar  1 00:45:40.491: Reserved port 54505 in Transport Port Agent for UDP IP type 1
*Mar  1 00:45:40.499: UDP: sent src=20.1.1.38(53), dst=20.1.1.1(1026), length=57
*Mar  1 00:45:40.603: ICMP: echo reply sent, src 20.1.1.38, dst 20.1.1.1
*Mar  1 00:45:40.703: ICMP: echo reply sent, src 20.1.1.38, dst 20.1.1.1
*Mar  1 00:45:40.727: ICMP: echo reply sent, src 20.1.1.38, dst 20.1.1.1
*Mar  1 00:45:40.759: ICMP: echo reply sent, src 20.1.1.38, dst 20.1.1.1
*Mar  1 00:45:40.779: ICMP: echo reply sent, src 20.1.1.38, dst 20.1.1.1


4).icmp因为没有配置策略NAT,所以也没有转换,无法ping通(无路由)

R1#ping 20.1.1.38

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.38, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#

R3#debug ip icmp
*Mar  1 00:37:36.167: ICMP: echo reply sent, src 20.1.1.38, dst 10.1.1.18
R3#
*Mar  1 00:37:38.167: ICMP: echo reply sent, src 20.1.1.38, dst 10.1.1.18
R3#
*Mar  1 00:37:40.191: ICMP: echo reply sent, src 20.1.1.38, dst 10.1.1.18
R3#
*Mar  1 00:37:42.143: ICMP: echo reply sent, src 20.1.1.38, dst 10.1.1.18
R3#
*Mar  1 00:37:44.183: ICMP: echo reply sent, src 20.1.1.38, dst 10.1.1.18

5).添加icmp协议也进行策略NAT,可以ping通也作了NAT
ciscoasa(config)# access-list nat permit icmp 10.1.1.0 255.255.255.0 any

R1#ping 20.1.1.38

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.38, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/64/132 ms
R1#

R3#
*Mar  1 00:39:26.279: ICMP: echo reply sent, src 20.1.1.38, dst 20.1.1.1
*Mar  1 00:39:26.403: ICMP: echo reply sent, src 20.1.1.38, dst 20.1.1.1
*Mar  1 00:39:26.467: ICMP: echo reply sent, src 20.1.1.38, dst 20.1.1.1
*Mar  1 00:39:26.503: ICMP: echo reply sent, src 20.1.1.38, dst 20.1.1.1
*Mar  1 00:39:26.519: ICMP: echo reply sent, src 20.1.1.38, dst 20.1.1.1

6).缺点
需要明确指定inside到outside的协议进行转换,如果没有指定就可能导致无法访问,因为除了tcp、udp、icmp之外还有其他协议。

6.总结:

A.nat0的access-list不能包含协议和端口。
B.策略NAT不支持deny的规则。
C.实际工程项目中,可能内网就不需要访问outside的syslog服务器器,因此可以采用NAT0方法把内网到达syslog服务器的流量进行nat免除。
----
syslog是实际应用中比较少有的单向通讯的udp数据流,syslog客户端只管发,syslog服务器只管收,不会给syslog客户端回复任何信息

ciscoasa(config)# access-list nonat permit ip 10.1.1.0 255.255.255.0 host 20.1.1.18
ciscoasa(config)# nat (outside) 0 access-list nonat
ciscoasa(config)# nat (inside) 1 0 0
ciscoasa(config)# global (outside) 1 interface