Good afternoon! I have two ASA 5506s joined in stateful failover over an EtherChannel (ports Gi1/3 and Gi1/4). Port Gi1/1 is outside, Gi1/2 is the internal network, with several subinterfaces created on it. Gi1/2 faces a process-control (technological) network. Gi1/1 is connected to a Cisco 2950, which in turn connects to a router leading to another network.
Problem: hosts (mostly Windows) in the various subnets of the internal network cannot see their gateway, and the ASA cannot ping them. The gateway for each VLAN is set on the hosts (the address of the corresponding Gi1/2 subinterface). Pings through the outside interface work fine.
The configuration is not finished yet; ACLs for filtering will be added later. For now I'm stuck at this stage (I'm new to working with the ASA, so please don't judge too harshly).
Config:
---------------------
ASA Version 9.7(1)4
!
hostname FRW1
domain-name ***
enable password ***
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 10.203.5.63 255.255.255.0
!
interface GigabitEthernet1/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2.10
vlan 10
nameif TM
security-level 100
ip address 10.203.4.30 255.255.255.224
!
interface GigabitEthernet1/2.20
vlan 20
nameif RAS
security-level 100
ip address 10.203.4.46 255.255.255.240
!
interface GigabitEthernet1/2.30
vlan 30
nameif RAS_RSDU
security-level 100
ip address 10.203.4.54 255.255.255.248
!
interface GigabitEthernet1/2.31
vlan 31
nameif TM_RDU
security-level 100
ip address 10.203.4.62 255.255.255.248
!
interface GigabitEthernet1/2.40
vlan 40
nameif SCADA
security-level 100
ip address 10.203.4.94 255.255.255.224
!
interface GigabitEthernet1/2.100
vlan 100
nameif IT_MANAGEMENT
security-level 100
ip address 10.203.4.110 255.255.255.240
!
interface GigabitEthernet1/3
channel-group 1 mode on
!
interface GigabitEthernet1/4
channel-group 1 mode on
!
interface Management1/1
management-only
nameif manage
security-level 100
ip address 10.203.4.117 255.255.255.252
!
interface Port-channel1
description LAN/STATE Failover Interface
lacp max-bundle 8
port-channel load-balance src-mac
!
ftp mode passive
clock timezone MSK 3
dns server-group DefaultDNS
domain-name ***
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network SCADA_NAT_LAN
subnet 10.203.4.64 255.255.255.224
object network TM_NAT_LAN
subnet 10.203.4.0 255.255.255.224
object network RAS_NAT_LAN
subnet 10.203.4.32 255.255.255.240
object network RAS_RSDU_NAT_LAN
subnet 10.203.4.48 255.255.255.248
object network TM_RDU_NAT_LAN
subnet 10.203.4.56 255.255.255.248
object network IT_MANAGEMENT_NAT_LAN
subnet 10.203.4.96 255.255.255.240
object network NAT_RAS_2404
host 10.203.4.33
object network NAT_RAS_FTP
host 10.203.4.33
object network NAT_CS1
host 10.203.4.1
object network NAT_CS2
host 10.203.4.2
object-group network TM
network-object 10.203.4.0 255.255.255.224
object-group network RAS
network-object 10.203.4.32 255.255.255.240
object-group network RAS_RSDU
network-object 10.203.4.48 255.255.255.248
object-group network TM_RDU
network-object 10.203.4.56 255.255.255.248
object-group network SCADA
network-object 10.203.4.64 255.255.255.224
object-group network IT_MANAGEMENT
network-object 10.203.4.96 255.255.255.240
object-group network ARM_RAS
network-object host 10.203.4.38
object-group network ARM_SCADA
network-object host 10.203.4.77
object-group network ARM_SOTI
network-object host 10.203.4.104
access-list ACL_OUTSIDE_IN extended permit tcp any object NAT_RAS_2404 eq 2404
access-list ACL_OUTSIDE_IN extended permit tcp any object NAT_RAS_FTP eq ftp
access-list ACL_OUTSIDE_IN extended permit tcp any object NAT_CS1 eq 2404
access-list ACL_OUTSIDE_IN extended permit tcp any object NAT_CS2 eq 2404
access-list ACL_OUTSIDE_IN extended deny ip any any
pager lines 24
logging enable
logging buffer-size 16386
logging monitor critical
logging buffered informational
mtu manage 1500
mtu outside 1500
mtu TM 1500
mtu RAS 1500
mtu RAS_RSDU 1500
mtu TM_RDU 1500
mtu SCADA 1500
mtu IT_MANAGEMENT 1500
failover
failover lan unit primary
failover lan interface STATE Port-channel1
failover polltime unit 1 holdtime 3
failover polltime interface msec 500 holdtime 5
failover link STATE Port-channel1
failover interface ip STATE 10.203.4.113 255.255.255.252 standby 10.203.4.114
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network SCADA_NAT_LAN
nat (SCADA,outside) dynamic interface
object network TM_NAT_LAN
nat (TM,outside) dynamic interface
object network RAS_NAT_LAN
nat (RAS,outside) dynamic interface
object network RAS_RSDU_NAT_LAN
nat (RAS_RSDU,outside) dynamic interface
object network TM_RDU_NAT_LAN
nat (TM_RDU,outside) dynamic interface
object network IT_MANAGEMENT_NAT_LAN
nat (IT_MANAGEMENT,outside) dynamic interface
object network NAT_RAS_2404
nat (RAS,outside) static 10.203.5.11 service tcp 2404 2404
object network NAT_RAS_FTP
nat (RAS,outside) static 10.203.5.11 service tcp ftp ftp
object network NAT_CS1
nat (TM,outside) static 10.203.5.12 service tcp 2404 2404
object network NAT_CS2
nat (TM,outside) static 10.203.5.13 service tcp 2404 2404
access-group ACL_OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 10.203.5.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 10.203.4.27 255.255.255.255 manage
ssh 10.203.4.96 255.255.255.240 IT_MANAGEMENT
ssh 10.203.4.104 255.255.255.255 IT_MANAGEMENT
ssh timeout 15
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.203.4.79
dynamic-access-policy-record DfltAccessPolicy
username *** password *** privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:cb9dc30b5c780c8d2a78334ea2cabb7e
: end
---------------------
packet-tracer output:
---------------------
FRW1# packet-tracer input TM icmp 10.203.4.30 0 0 10.203.4.27 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.203.4.27 using egress ifc TM
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac26fbc80, priority=501, domain=permit, deny=true
hits=7, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=10.203.4.30, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=TM, output_ifc=any
Result:
input-interface: TM
input-status: up
input-line-status: up
output-interface: TM
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
-----------------------------
FRW1# packet-tracer input TM icmp 10.203.4.27 8 0 10.203.4.30 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.203.4.30 using egress ifc identity
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac2a95280, priority=120, domain=permit, deny=false
hits=0, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=TM, output_ifc=identity
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac1deeb40, priority=0, domain=nat-per-session, deny=true
hits=84, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac2a97020, priority=0, domain=inspect-ip-options, deny=true
hits=0, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=TM, output_ifc=any
Phase: 5
Type: CLUSTER-REDIRECT
Subtype: cluster-redirect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac2a90d90, priority=208, domain=cluster-redirect, deny=false
hits=1, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=TM, output_ifc=identity
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac2a96040, priority=66, domain=inspect-icmp, deny=false
hits=1, user_data=0x2aaac2b3d140, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=TM, output_ifc=identity
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac2a96830, priority=66, domain=inspect-icmp-error, deny=false
hits=1, user_data=0x2aaac2b3bec0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=TM, output_ifc=any
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2655, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: TM
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: allow
------------------
I'd appreciate help with the configuration!
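An added example, not part of the post and not Cisco's tooling: a small consistency checker for the kind of ASA configuration quoted above. It parses the `interface`, `object network`, `nat`, `access-group` and `failover interface ip` lines, then reports overlapping subnets (including the failover link), NAT objects whose real addresses do not fall inside the subnet of their real interface, and named interfaces with no inbound access-group (those rely on the implicit security-level policy and the `same-security-traffic` settings). `SAMPLE_CONFIG` is a constructed excerpt that reuses addresses from the post with the indentation stripped, as on the page; the function names are this example's own.

```python
import ipaddress
import re

# Constructed excerpt in the style of the quoted running-config (indentation stripped).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 10.203.5.63 255.255.255.0
!
interface GigabitEthernet1/2.10
vlan 10
nameif TM
security-level 100
ip address 10.203.4.30 255.255.255.224
!
interface GigabitEthernet1/2.100
vlan 100
nameif IT_MANAGEMENT
security-level 100
ip address 10.203.4.110 255.255.255.240
!
interface Management1/1
management-only
nameif manage
security-level 100
ip address 10.203.4.117 255.255.255.252
!
object network TM_NAT_LAN
subnet 10.203.4.0 255.255.255.224
object network NAT_CS1
host 10.203.4.1
access-list ACL_OUTSIDE_IN extended deny ip any any
failover interface ip STATE 10.203.4.113 255.255.255.252 standby 10.203.4.114
object network TM_NAT_LAN
nat (TM,outside) dynamic interface
object network NAT_CS1
nat (TM,outside) static 10.203.5.12 service tcp 2404 2404
access-group ACL_OUTSIDE_IN in interface outside
"""


def parse_interfaces(config):
    """Map nameif -> {name, level, network} for interfaces that have a name, level and address."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"name": line.split(None, 1)[1]}
        elif current is None:
            continue
        elif line == "!":                      # end of the interface block
            current = None
        elif line.startswith("nameif "):
            ifaces[line.split()[1]] = current
        elif line.startswith("security-level "):
            current["level"] = int(line.split()[1])
        elif line.startswith("ip address "):   # "ip address <ip> <mask> [standby <ip>]"
            ip, mask = line.split()[2:4]
            current["network"] = ipaddress.ip_interface(f"{ip}/{mask}").network
    return {n: i for n, i in ifaces.items() if "network" in i and "level" in i}


def parse_network_objects(config):
    """Map object name -> {network, nat}; the object's definition and NAT sections are merged."""
    objects, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current = objects.setdefault(line.split()[2], {})
        elif current is None:
            continue
        elif line.startswith("subnet "):
            _, ip, mask = line.split()
            current["network"] = ipaddress.ip_network(f"{ip}/{mask}")
        elif line.startswith("host "):
            current["network"] = ipaddress.ip_network(line.split()[1] + "/32")
        elif line.startswith("nat ("):         # "nat (<real_ifc>,<mapped_ifc>) ..."
            m = re.match(r"nat \((\w+),(\w+)\)", line)
            current["nat"] = (m.group(1), m.group(2))
        else:                                  # any other top-level command ends the block
            current = None
    return objects


def parse_access_groups(config):
    """Map nameif -> {direction: acl_name} for every bound access-group."""
    bound = {}
    for m in re.finditer(r"^\s*access-group (\S+) (in|out) interface (\S+)", config, re.M):
        bound.setdefault(m.group(3), {})[m.group(2)] = m.group(1)
    return bound


def parse_failover_networks(config):
    """Return [(link_name, network)] for each 'failover interface ip' line."""
    pat = r"^\s*failover interface ip (\S+) (\S+) (\S+) standby"
    return [(m.group(1), ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}").network)
            for m in re.finditer(pat, config, re.M)]


def check_config(config):
    """Return a list of (severity, message) findings about addressing and policy consistency."""
    ifaces, objects, groups = parse_interfaces(config), parse_network_objects(config), parse_access_groups(config)
    findings = []
    # 1. No two named interfaces (or the failover link) may share address space.
    nets = [(n, i["network"]) for n, i in ifaces.items()] + parse_failover_networks(config)
    for idx, (a_name, a_net) in enumerate(nets):
        for b_name, b_net in nets[idx + 1:]:
            if a_net.overlaps(b_net):
                findings.append(("error", f"{a_name} {a_net} overlaps {b_name} {b_net}"))
    # 2. A NAT object's real address must sit inside the subnet of its real interface.
    for name, obj in objects.items():
        if "nat" in obj and "network" in obj:
            real = obj["nat"][0]
            if real not in ifaces:
                findings.append(("error", f"object {name}: real interface {real} is not a named interface"))
            elif not obj["network"].subnet_of(ifaces[real]["network"]):
                findings.append(("error", f"object {name}: {obj['network']} not inside {real} {ifaces[real]['network']}"))
    # 3. Named interfaces with no inbound ACL rely on the implicit security-level policy.
    for name, ifc in ifaces.items():
        if "in" not in groups.get(name, {}):
            findings.append(("info", f"{name} (security-level {ifc['level']}): no inbound access-group, implicit policy applies"))
    return findings


if __name__ == "__main__":
    for severity, message in check_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against the excerpt, it reports no errors and three informational findings (TM, IT_MANAGEMENT and manage have no inbound access-group); changing a subnet mask so that an object or interface no longer fits produces an error line, which is the sort of mistake worth ruling out before reading packet-tracer output.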