Cisco ASA Troubleshooting Lab

Technical Digest column, added 2010-5-7 11:40:43

Cisco ASA Firewall Troubleshooting Lab

Author: Instructor Li (黎老师)

 

 

The network topology is as follows:

Client PC1 connects through switch SW1 to two gateway routers, R1 and R2 (they can also be thought of as two Layer 3 switches). R1 and R2 run the Layer 3 gateway redundancy protocol HSRP, with R1 as the Active router and R2 as the Standby router. R1 and R2 in turn reach the Internet through the ASA firewall. R1, R2 and the ASA run the dynamic routing protocol OSPF between them.

With communication working normally, the router and firewall configuration information is as follows:

 

R1 configuration:

R1#show ip route

Gateway of last resort is 10.2.1.254 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, Ethernet0/1
     10.0.0.0/24 is subnetted, 2 subnets
O       10.3.1.0 [110/25] via 10.2.1.254, 00:00:41, Ethernet0/0
C       10.2.1.0 is directly connected, Ethernet0/0
O*E2 0.0.0.0/0 [110/1] via 10.2.1.254, 00:00:41, Ethernet0/0
     <-- the default route advertised by the ASA firewall via OSPF

R1#show standby
Ethernet0/1 - Group 1
  State is Active                    <-- R1 is the Active router of the HSRP group
    5 state changes, last state change 00:36:08
  Virtual IP address is 172.16.1.254 <-- the HSRP virtual IP address is 172.16.1.254
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.577 secs
  Preemption enabled
  Active router is local
  Standby router is 172.16.1.253, priority 100 (expires in 9.571 sec)
  Priority 150 (configured 150)      <-- this router's priority is 150
  IP redundancy name is "hsrp-Et0/1-1" (default)

R1#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP
Et0/1       1   150  P Active   local           172.16.1.253    172.16.1.254

 

R2 configuration:

R2#show ip route

Gateway of last resort is 10.3.1.254 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, Ethernet0/0
     10.0.0.0/24 is subnetted, 2 subnets
C       10.3.1.0 is directly connected, Ethernet0/1
O       10.2.1.0 [110/20] via 10.3.1.254, 00:00:13, Ethernet0/1
O*E2 0.0.0.0/0 [110/1] via 10.3.1.254, 00:00:13, Ethernet0/1

R2#show standby
Ethernet0/0 - Group 1
  State is Standby                   <-- R2 is the Standby router
    7 state changes, last state change 00:36:32
  Virtual IP address is 172.16.1.254
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.021 secs
  Preemption enabled
  Active router is 172.16.1.251, priority 150 (expires in 7.023 sec)
  Standby router is local
  Priority 100 (default 100)         <-- priority is the default value of 100
  IP redundancy name is "hsrp-Et0/0-1" (default)

R2#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP
Et0/0       1   100  P Standby  172.16.1.251    local           172.16.1.254

 

ASA configuration:

ciscoasa# show route

Gateway of last resort is not set

O    172.16.1.0 255.255.255.0 [110/20] via 10.2.1.1, 0:00:24, inside-R1
     <-- the route to 172.16.1.0 is learned from both R1 and R2 with equal cost; the ASA does not allow load balancing, so it can only select one of them
C    10.3.1.0 255.255.255.0 is directly connected, inside-R2
C    10.2.1.0 255.255.255.0 is directly connected, inside-R1
C    10.1.1.0 255.255.255.0 is directly connected, outside

ciscoasa# show run int e0/1
interface Ethernet0/1
 nameif inside-R2
 security-level 100
 ip address 10.3.1.254 255.255.255.0

ciscoasa# show run int e0/2
interface Ethernet0/2
 nameif outside
 security-level 0
 ip address 10.1.1.254 255.255.255.0

ciscoasa# show run int e0/0
interface Ethernet0/0
 nameif inside-R1
 security-level 100
 ip address 10.2.1.254 255.255.255.0

PC1 can reach the Internet address 10.1.1.30 normally (a public Internet address simulated in the lab environment).

 

The problem: for software or hardware reasons, the administrator needs to switch the HSRP Active router over to R2. After the switchover a problem appears: PC1 can no longer reach the Internet (simulated by PC1 pinging 10.1.1.30).

With communication failing, the router and firewall configuration information is as follows:

R1 configuration:

R1#show ip route

Gateway of last resort is 10.2.1.254 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, Ethernet0/1
     10.0.0.0/24 is subnetted, 2 subnets
O       10.3.1.0 [110/25] via 10.2.1.254, 00:00:13, Ethernet0/0
C       10.2.1.0 is directly connected, Ethernet0/0
O*E2 0.0.0.0/0 [110/1] via 10.2.1.254, 00:00:13, Ethernet0/0

R1#show standby
Ethernet0/1 - Group 1
  State is Standby                   <-- R1 has become the HSRP Standby router
    7 state changes, last state change 00:03:20
  Virtual IP address is 172.16.1.254
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.972 secs
  Preemption enabled
  Active router is 172.16.1.253, priority 200 (expires in 9.976 sec)
  Standby router is local
  Priority 150 (configured 150)
  IP redundancy name is "hsrp-Et0/1-1" (default)

R1#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP
Et0/1       1   150  P Standby  172.16.1.253    local           172.16.1.254

R2 configuration:

R2#show ip route

Gateway of last resort is 10.3.1.254 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, Ethernet0/0
     10.0.0.0/24 is subnetted, 2 subnets
C       10.3.1.0 is directly connected, Ethernet0/1
O       10.2.1.0 [110/20] via 10.3.1.254, 00:00:35, Ethernet0/1
O*E2 0.0.0.0/0 [110/1] via 10.3.1.254, 00:00:35, Ethernet0/1

R2#show standby
Ethernet0/0 - Group 1
  State is Active                    <-- R2 has become the HSRP Active router
    8 state changes, last state change 00:03:01
  Virtual IP address is 172.16.1.254
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.726 secs
  Preemption enabled                 <-- preemption is enabled
  Active router is local
  Standby router is 172.16.1.251, priority 150 (expires in 9.720 sec)
  Priority 200 (configured 200)      <-- R2's priority is configured to 200 to simulate the fault
  IP redundancy name is "hsrp-Et0/0-1" (default)

R2#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP
Et0/0       1   200  P Active   local           172.16.1.251    172.16.1.254

ASA configuration:

ciscoasa# show route

Gateway of last resort is not set

O    172.16.1.0 255.255.255.0 [110/20] via 10.2.1.1, 0:00:05, inside-R1
C    10.3.1.0 255.255.255.0 is directly connected, inside-R2
C    10.2.1.0 255.255.255.0 is directly connected, inside-R1
C    10.1.1.0 255.255.255.0 is directly connected, outside

ciscoasa# show int ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                10.2.1.254      YES manual up                    up
Ethernet0/1                10.3.1.254      YES manual up                    up
Ethernet0/2                10.1.1.254      YES manual up                    up
Ethernet0/3                unassigned      YES unset  administratively down up

ciscoasa# show run int e0/1
interface Ethernet0/1
 nameif inside-R2
 security-level 100
 ip address 10.3.1.254 255.255.255.0

ciscoasa# show run int e0/2
interface Ethernet0/2
 nameif outside
 security-level 0
 ip address 10.1.1.254 255.255.255.0

ciscoasa# show run int e0/0
interface Ethernet0/0
 nameif inside-R1
 security-level 100
 ip address 10.2.1.254 255.255.255.0

 

From the router and firewall information above, a first assessment is that the problem likely lies in the ASA's policy.

By default, an ASA firewall does not let a lower-security-level interface reach a higher-security-level interface, and for a higher-security-level interface to reach a lower-security-level one, inspection (inspect) must be enabled globally.

Outbound packets first go to the gateway R2, pass through ASA E0/1 and leave through E0/2 toward the external network, which creates inspection state on the E0/1 interface. The return packets come in on E0/2 but, following the ASA's route, must go out E0/0 back to R1. At this point the ASA firewall may judge that the forward and return paths are inconsistent, treat the packets as potentially dangerous, and drop them.

Solutions:

1. Change the ASA's route entry for 172.16.1.0/24: adjust the OSPF cost under the ASA's E0/1 interface so that the route learned there is preferred over the one learned via E0/0.

2. Configure an ACL on the outside interface permitting all return traffic destined for 172.16.1.0/24 (the first method is recommended).
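The forward/return path mismatch described above, and the effect of fix 1, as an added example that is not part of the original article: a small Python model of the ASA's route lookup and of the ingress/egress consistency check, built from this lab's prefixes. PC1's address 172.16.1.10 and the lower OSPF cost of 10 used for the fix are assumed values.

```python
import ipaddress

# Constructed model of the ASA's "show route" table from this lab.
# Entry: (prefix, (admin distance, metric), egress interface).
ASA_ROUTES = [
    ("172.16.1.0/24", (110, 20), "inside-R1"),  # OSPF, learned from R1 (10.2.1.1)
    ("10.3.1.0/24",   (0, 0),    "inside-R2"),  # directly connected
    ("10.2.1.0/24",   (0, 0),    "inside-R1"),  # directly connected
    ("10.1.1.0/24",   (0, 0),    "outside"),    # directly connected
]

def lookup(routes, dst):
    """Longest-prefix match; ties are broken by the lowest (distance, metric)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, cost, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            key = (-net.prefixlen, cost)
            if best is None or key < best[0]:
                best = (key, iface)
    return best[1] if best else None

def check_flow(routes, src, dst, ingress):
    """Model the path check the article describes: the connection is created on
    the interface where the first packet arrived (ingress); the reply, arriving
    on the outside interface, is accepted only if the route back to src leaves
    on that same interface. Returns (return_iface, accepted)."""
    if lookup(routes, dst) != "outside":
        raise ValueError("this model only follows outbound flows")
    return_iface = lookup(routes, src)
    return return_iface, return_iface == ingress

def apply_fix_1(routes):
    """Fix 1 from the article: make the 172.16.1.0/24 route via inside-R2 (E0/1)
    the preferred one. The cost of 10 is an assumed value, not from the article."""
    return routes + [("172.16.1.0/24", (110, 10), "inside-R2")]

# Before the HSRP switchover PC1's traffic enters via R1 (inside-R1): accepted.
# After R2 becomes Active it enters via inside-R2, but the return route still
# points at inside-R1: dropped. With fix 1 applied the two paths agree again.
if __name__ == "__main__":
    cases = [("R1 active", ASA_ROUTES, "inside-R1"),
             ("R2 active", ASA_ROUTES, "inside-R2"),
             ("R2 active + fix 1", apply_fix_1(ASA_ROUTES), "inside-R2")]
    for label, routes, ingress in cases:
        print(label, check_flow(routes, "172.16.1.10", "10.1.1.30", ingress))
```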

 

 