ASA-vlan-interface

We are all familiar with router-on-a-stick on a router for routing between multiple VLANs. How is the same thing done on an ASA, and how are subinterfaces enabled on it? With those questions in mind, let's look at a topology:
 

Requirements:
1. The ASA routes traffic for both internal networks over a single physical link.
2. e0/1 must not accept untagged frames.
3. Internal hosts reach the outside through NAT.
4. Internal users cannot ping their gateway, but the gateway can ping the internal users.
 
Configuration:
R2:
interface fa0/0
ip add 192.168.1.2 255.255.255.0
no sh
exit
ip route 0.0.0.0 0.0.0.0 192.168.1.1
 
 
 
R3:
interface fa0/0
ip add 192.168.2.2 255.255.255.0
no sh
exit
ip route 0.0.0.0 0.0.0.0 192.168.2.1
 
R1:
interface fa0/0
ip add 192.168.3.2 255.255.255.0
no sh
exit
ip route 0.0.0.0 0.0.0.0 192.168.3.1
 
SW1:
interface fa1/0
no sh
switchport mode access
switchport access vlan 2
exit
interface fa1/1
switchport mode access
switchport access vlan 3
exit
interface fa1/2
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan all
exit
vlan database
vlan 2
vlan 3
exit
 
 
ASA:
interface e0/0
no sh
nameif outside
security-level 0
ip add 192.168.3.1 255.255.255.0
exit
interface e0/1
no sh
exit
interface e0/1.1
no sh
vlan 2
nameif inside1
security-level 100
ip add 192.168.1.1 255.255.255.0
exit
interface e0/1.2
vlan 3
nameif inside2
security-level 100
ip add 192.168.2.1 255.255.255.0
exit
same-security-traffic permit inter-interface / allow traffic between the internal VLANs that share the same security level.
 
access-list outacl permit icmp any any
access-group outacl in interface outside
icmp deny any echo inside1 / deny each VLAN from pinging its own gateway, while the gateway can still ping the clients.
icmp deny any echo inside2
icmp permit any echo-reply inside1
icmp permit any echo-reply inside2
nat (inside1) 1 192.168.1.0 / internal networks go out via PAT.
nat (inside2) 1 192.168.2.0
global (outside) 1 interface
The configuration above alone is not enough: you will find that each VLAN can PAT out, but the VLANs cannot talk to each other. (If NAT were not used, of course, they could ping each other.)
 
 
To solve the reachability problem between interfaces of the same security level on the ASA, we can do the following.
Once NAT is enabled on insideX, traffic from VLAN2 to VLAN3 is also subjected to a NAT lookup; with no matching translation, the packet is dropped. The solution is as follows:
Use an identity static:
static (inside1,inside2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside2,inside1) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
With this in place, the internal VLANs can reach each other even with NAT enabled.
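As an added example (not part of the original post), a small Python lint over a constructed ASA config excerpt modelled on the one above, in the same classic pre-8.3 syntax. It checks the two things this lab turns on: that the trunk parent carries no nameif/IP (so untagged frames are not accepted), and that every pair of NAT-ed inside interfaces has both the same-security permit and the identity static needed for inter-VLAN traffic. The excerpt deliberately omits the second static so the lint reports the pitfall.

```python
import re

# Constructed ASA config excerpt (classic syntax); the second identity static is left out on purpose.
ASA_CONFIG = """\
interface e0/1
interface e0/1.1
 vlan 2
 nameif inside1
 security-level 100
interface e0/1.2
 vlan 3
 nameif inside2
 security-level 100
same-security-traffic permit inter-interface
nat (inside1) 1 192.168.1.0 255.255.255.0
nat (inside2) 1 192.168.2.0 255.255.255.0
global (outside) 1 interface
static (inside1,inside2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
"""

def parse_interfaces(cfg):
    """Map each interface block to {first-word: rest-of-line} for its indented lines."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = {}
        elif cur is not None and line.startswith(" "):
            key, _, val = line.strip().partition(" ")
            ifaces[cur][key] = val
    return ifaces

def lint(cfg):
    """Return findings: trunk parent accepting untagged frames, or NAT-ed same-level interfaces unable to reach each other."""
    findings, ifaces = [], parse_interfaces(cfg)
    for name, attrs in ifaces.items():
        has_sub = any(n.startswith(name + ".") for n in ifaces)
        if has_sub and ("nameif" in attrs or "ip" in attrs):
            findings.append(f"{name}: trunk parent has nameif/ip, untagged frames accepted")
    nat_ifs = set(re.findall(r"^nat \((\w+)\) \d+", cfg, re.M))
    statics = set(re.findall(r"^static \((\w+),(\w+)\)", cfg, re.M))
    levels = {a["nameif"]: a.get("security-level") for a in ifaces.values() if "nameif" in a}
    same_sec = "same-security-traffic permit inter-interface" in cfg
    for a in sorted(nat_ifs):
        for b in sorted(nat_ifs - {a}):
            if levels.get(a) == levels.get(b) and not same_sec:
                findings.append(f"{a}->{b}: same security level, inter-interface traffic not permitted")
            if (a, b) not in statics:
                findings.append(f"{a}->{b}: dynamic NAT without identity static, traffic dropped")
    return findings
```

Running `lint(ASA_CONFIG)` reports only the missing inside2->inside1 static; adding that static line clears the finding.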
NAT test:
ciscoasa(config)# show xlate
7 in use, 12 most used
Global 192.168.1.0 Local 192.168.1.0
Global 192.168.2.0 Local 192.168.2.0
PAT Global 192.168.3.1(5) Local 192.168.1.2 ICMP id 2096
PAT Global 192.168.3.1(4) Local 192.168.1.2 ICMP id 2095
PAT Global 192.168.3.1(3) Local 192.168.1.2 ICMP id 2094
PAT Global 192.168.3.1(2) Local 192.168.1.2 ICMP id 2093
PAT Global 192.168.3.1(1) Local 192.168.1.2 ICMP id 2092
 
 
R2 pings R3, R1 and its gateway:
 
r2#ping 192.168.3.2
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/19/36 ms
r2#ping 192.168.2.2
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/20/40 ms
r2#ping 192.168.1.1
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r2#
Requirements met; lab complete.