拿手上的设备做了一个简单的实验,具体拓扑如下
adsl router-----asa5510------cat2960
其中asa5510的e0口设为outside,与adsl router的Lan口互联,e1口与2960互联,同时2960的上联口设置为trunk口,在2960上划分了vlan 2、3, 2960的管理vlan为vlan1,ip地址为192.168.1.2,网关为192.168.1.1,在asa5510上划分了子接口,分别对应vlan2和vlan3,配置如下:
------------------ASA 5510 Configuration Begin------------------------
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.0.2 255.255.255.0
!
interface Ethernet0/1
nameif vlan1
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1.1
vlan 2
nameif vlan2
security-level 100
ip address 192.168.4.1 255.255.255.0
!
interface Ethernet0/1.2
vlan 3
nameif vlan3
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
boot system disk0:/asa724-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
pager lines 24
mtu outside 1500
mtu vlan1 1500
mtu vlan2 1500
mtu vlan3 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 192.168.0.10-192.168.0.20
nat (vlan3) 1 192.168.5.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 vlan3
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a4d2bbbc0c0ce4cdaad801d3b8b294a4
: end
------------------ASA 5510 Configuration End-----------------------
现在是这样的情况,我在配置中删除nat (vlan3) 1 192.168.5.0 255.255.255.0时,我用接在vlan3下的pc机192.168.5.2是可以ping通2960的管理地址192.168.1.2的,或者是vlan2中的主机192.168.4.2,但如果加上这句,就再也不能ping通这两个地址了,用packet tracer的结果如下:
-----------------------------------有上面这句话时的结果------------------------------------
ciscoasa(config)# packet-tracer input vlan3 icmp 192.168.5.2 8 0 192.168.1.2 detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 vlan1
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x3e0ed10, priority=2, domain=permit, deny=false
hits=720, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x3e11348, priority=0, domain=permit-ip-option, deny=true
hits=6828, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x3e106c0, priority=66, domain=inspect-icmp-error, deny=false
hits=752, user_data=0x3e105f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: NAT
Subtype:
Result: DROP
Config:
nat (vlan3) 1 192.168.5.0 255.255.255.0
match ip vlan3 192.168.5.0 255.255.255.0 vlan1 any
dynamic translation to pool 1 (No matching global)
translate_hits = 9, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0x41ddd90, priority=1, domain=nat, deny=false
hits=7, user_data=0x41ddd20, cs_id=0x0, flags=0x0, protocol=0
src ip=192.168.5.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: vlan3
input-status: up
input-line-status: up
output-interface: vlan1
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ciscoasa(config)#
-----------------------------------没有上面这句话时的结果------------------------------------
ciscoasa(config)# packet-tracer input vlan3 icmp 192.168.5.2 8 0 192.168.4.2 detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.4.0 255.255.255.0 vlan2
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x3e0ed10, priority=2, domain=permit, deny=false
hits=742, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x3e11348, priority=0, domain=permit-ip-option, deny=true
hits=6874, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x3e106c0, priority=66, domain=inspect-icmp-error, deny=false
hits=774, user_data=0x3e105f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 7446, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Module information for reverse flow ...
Phase: 7
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.4.2 using egress ifc vlan2
adjacency Active
next-hop mac address 0016.d4c4.bd0b hits 195
Result:
input-interface: vlan3
input-status: up
input-line-status: up
output-interface: vlan2
output-status: up
output-line-status: up
Action: allow
ciscoasa(config)#
不知各位大大能够解释一下原因及解决方法,谢谢!