ASA-vlan-interface
We all know how router-on-a-stick does inter-VLAN routing on a router. How is the same thing done on an ASA, how are subinterfaces created on it, and so on? With those questions in mind, let's look at a topology:
Requirements:
1. The ASA routes the traffic of two internal networks over a single physical link.
2. e0/1 must not accept untagged frames.
3. Inside hosts reach the outside through NAT.
4. Inside users cannot ping their gateway, but the gateway can ping inside users.
Configuration:
R2:
interface fa0/0
 ip address 192.168.1.2 255.255.255.0
 no shutdown
 exit
ip route 0.0.0.0 0.0.0.0 192.168.1.1
R3:
interface fa0/0
 ip address 192.168.2.2 255.255.255.0
 no shutdown
 exit
ip route 0.0.0.0 0.0.0.0 192.168.2.1
R1:
interface fa0/0
 ip address 192.168.3.2 255.255.255.0
 no shutdown
 exit
ip route 0.0.0.0 0.0.0.0 192.168.3.1
SW1:
! Create the VLANs first so the access ports below can be assigned to them.
vlan database
 vlan 2
 vlan 3
 exit
interface fa1/0
 no shutdown
 switchport mode access
 switchport access vlan 2
 exit
interface fa1/1
 switchport mode access
 switchport access vlan 3
 exit
! 802.1Q trunk towards ASA e0/1; both VLANs are carried tagged.
interface fa1/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan all
 exit
ASA:
interface e0/0
 no shutdown
 nameif outside
 security-level 0
 ip address 192.168.3.1 255.255.255.0
 exit
! The physical trunk port gets no nameif and no IP address of its own. A physical
! interface only passes untagged frames when it is named, so leaving nameif off is
! what makes the ASA drop untagged traffic arriving on e0/1 (requirement 2).
interface e0/1
 no shutdown
 exit
interface e0/1.1
 no shutdown
 vlan 2
 nameif inside1
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 exit
interface e0/1.2
 no shutdown
 vlan 3
 nameif inside2
 security-level 100
 ip address 192.168.2.1 255.255.255.0
 exit
! Allow traffic between the two inside VLANs, which share security level 100.
same-security-traffic permit inter-interface
! Without ICMP inspection the ASA does not track echo/echo-reply as a connection,
! so the echo-replies returning to the PATed inside hosts need an explicit permit
! on outside. Enabling "inspect icmp" in the global policy is the tighter alternative.
access-list outacl extended permit icmp any any
access-group outacl in interface outside
! Stop each VLAN from pinging its own gateway while letting the ASA ping the
! clients (requirement 4). The icmp command only controls ICMP addressed to the
! ASA's own interfaces, not traffic through the box. Once any icmp rule exists on
! an interface an implicit deny follows it, which is why the echo-reply permits are
! needed for the ASA's own pings to get answered.
icmp deny any echo inside1
icmp deny any echo inside2
icmp permit any echo-reply inside1
icmp permit any echo-reply inside2
! PAT both inside networks to the outside interface address.
nat (inside1) 1 192.168.1.0 255.255.255.0
nat (inside2) 1 192.168.2.0 255.255.255.0
global (outside) 1 interface
The configuration above alone is still not enough: you will find that although each VLAN can PAT out, the VLANs cannot talk to each other. Without NAT configured at all, by contrast, they can ping each other.
To fix this unreachability between two inside interfaces of the same security level, look at how the ASA evaluates NAT.
Once NAT is enabled on insideX, traffic from VLAN 2 to VLAN 3 also goes through the NAT lookup. The source 192.168.1.0/24 matches nat (inside1) 1, but there is no global with ID 1 on inside2, so the ASA has no translation for that egress interface and drops the packet (syslog 305005, "No translation group found"). The fix is to give the ASA a translation for that pair of interfaces.
Identity statics:
static (inside1,inside2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside2,inside1) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
With these in place, the inside VLANs can reach each other even with NAT configured.
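Two additions that are not part of the original lab. The first is how to confirm on the ASA itself which NAT decision a flow hits, so the "no translation group" drop can be seen rather than inferred from a failed ping, together with the two other pre-8.3 ways of fixing it. The second is the same lab written in the 8.3+ NAT syntax, where nat/global/static no longer exist and the identity statics are unnecessary, because in 8.3+ traffic that matches no NAT rule is simply forwarded untranslated. The object names NET-INSIDE1 and NET-INSIDE2 are my own; the addressing is the lab's.

```cisco
! --- Verification on the pre-8.3 ASA above (added example, not from the original lab) ---
! Trace an echo request from R2 (VLAN 2) to R3 (VLAN 3). With only the nat/global
! lines the NAT phase ends in DROP; after the identity statics it reports ALLOW.
packet-tracer input inside1 icmp 192.168.1.2 8 0 192.168.2.2 detailed
! Trace the outbound path; the NAT phase shows the dynamic PAT to 192.168.3.1.
packet-tracer input inside1 icmp 192.168.1.2 8 0 192.168.3.2
! The translation table and the ASP drop counters are the other two things to check.
show xlate
show asp drop
! The drop is also logged at severity 3, which is the quickest way to spot a
! forgotten static when a third VLAN is added later:
! %ASA-3-305005: No translation group found for icmp src inside1:192.168.1.2 dst inside2:192.168.2.2 (type 8, code 0)
!
! Same effect as the identity statics, still pre-8.3 syntax:
!   nat (inside1) 0 access-list <acl matching 192.168.1.0/24 -> 192.168.2.0/24>   (NAT exemption)
!   global (inside2) 1 interface                                                   (PATs between VLANs, hides real addresses)

! --- Same lab in ASA 8.3+ NAT syntax (added example) ---
! Interfaces, same-security-traffic, access-list and icmp lines are unchanged.
! Object names are hypothetical; subnets are the lab's.
object network NET-INSIDE1
 subnet 192.168.1.0 255.255.255.0
 nat (inside1,outside) dynamic interface
object network NET-INSIDE2
 subnet 192.168.2.0 255.255.255.0
 nat (inside2,outside) dynamic interface
! No identity static is needed: inside1 <-> inside2 traffic matches neither rule
! and is forwarded untranslated (8.3+ has no nat-control and no global command).
show nat detail
```

packet-tracer is the tool to reach for before adding NAT rules on a multi-interface ASA: every phase (route lookup, ACL, NAT, inspection) is listed with its verdict, so the cause of a drop is read off directly instead of guessed from which pings fail.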
NAT test (the two identity statics plus five PAT entries from a five-packet ping account for the 7 xlates in use):
ciscoasa(config)# show xlate
7 in use, 12 most used
Global 192.168.1.0 Local 192.168.1.0
Global 192.168.2.0 Local 192.168.2.0
PAT Global 192.168.3.1(5) Local 192.168.1.2 ICMP id 2096
PAT Global 192.168.3.1(4) Local 192.168.1.2 ICMP id 2095
PAT Global 192.168.3.1(3) Local 192.168.1.2 ICMP id 2094
PAT Global 192.168.3.1(2) Local 192.168.1.2 ICMP id 2093
PAT Global 192.168.3.1(1) Local 192.168.1.2 ICMP id 2092
R2 pings R1 (outside, via PAT), R3 (the other VLAN, via the identity static) and its own gateway:
r2#ping 192.168.3.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/19/36 ms
r2#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/20/40 ms
r2#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r2#
All requirements met; lab complete!