网络工程师成长日记340-某邮政防火墙
这是我的第340篇原创文章,记录网络工程师行业的点点滴滴,结交IT行业有缘之人
12月24日平安夜的这一天上午出去做工程啦,配置的是ASA5520的防火墙,地点在某邮政公司,这次做工程只有两个人,
我当然还有还有老大。在还没去之前,就在准备cisco防火墙的资料,回顾了一下防火墙配置的内容,大概有了细致的了解,想着这回去应该可以很快的解决吧。
我们走着去工程现场的,那里我们这里不是很远,走路大概20分钟就到了吧。
还好天气还是很不错的,有太阳外面暖暖的,跟上回做工程的天气一样好,还好这次地方不是很难找,一会就到了。
到了工程现场之后,就等那边的工程师给我们一个具体的要求,不一会那边的工程师就到了。
因为是圣诞节啊,所以工程师还戴着圣诞帽,挺有过节的气氛的。
大概了解到客户的需求,我们就准备开始配置防火墙了,看着需求第一感觉是不难,挺简单的,想着应该一会就好了。
没想到当我们配完之后要验证的时候,出现了问题。那就是PAT转换不成功,就是把一个网段的地址,转换成一个IP地址。
然后立马去检查配置,看过配置以后没有发现问题,但就是没有现象出来。
没办法,只有试一下用图形化界面去配置,也就是用SDM登录到防火墙上进行配置。
防火墙有一个管理接口,是出厂之前配好的IP地址,是192.168.1.0网段的,只要手动配置电脑IP地址,就可以用SDM来配置防火墙了。
配完成之后,我们再次去验证PAT转换是否成功,但结果是没有,不知道哪里出了问题。试了很多办法,就是转换不成功,也看了很多的资料,认为配置没有问题,但效果都不明显。
配到人家下班了,问题还是没有找出来,那就只好等着明天再来检查问题了。这时有人来送一送礼物了,当然没有我们的份啦,因为我们不是人家的员工啊。
客户那边下班了,我们没有解决问题,就只有明天再来了,希望明天可以很快的把问题解决了。
第二天找到了问题的所在,其实客户要求方面有点问题,如果按他们的方法把内网设置成outside而外网设置成intside,也就是说外网的安全级别比内网要高,可以实现效果就必须做静态NAT,做起来需要写很多个访空列表,配置起来比较繁琐。
如果改一下方向,配置起来就简单多了。最后的实施的方案跟客户沟通之后就改了一下inside和outside的方向,NAT转换成功。
这次工程的印象实在是太深刻了,不仅在工程当中了解客户的需求之后,给出解决方案。
而且如果当客户给出的方案与实际中有差别的话,应立刻提出问题进行沟通并向客户进行说明,这样在做工程中就会事半功倍。
项目需求:
1、内网访问外网作NAT转换成一个IP地址出去
2、交换机作为内网的网关
拓扑:
配置:
ASA# sh running-config
: Saved
:
ASA Version 7.2(3)
!
hostname ASA
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 101.168.53.160 255.255.255.192
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address X.X.X.254 255.255.255.192
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list 2 extended permit icmp any any
access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.21.129.197 eq 100
access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.21.129.197 eq 101
access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.21.129.197 eq 102
access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.21.129.197 eq 103
access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.21.129.197 eq 104
access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.21.129.197 eq 105
access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.21.129.196 eq 100
access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.21.129.196 eq 101
access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.21.129.196 eq 102
access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.21.129.196 eq 103
access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.21.129.196 eq 104
access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.21.129.196 eq 105
access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.21.130.200 eq www
access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.21.130.201 eq www
access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.21.130.202 eq www
access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.12.130.203 eq www
access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.21.130.204 eq www
access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.21.130.205 eq www
access-list 2 extended permit tcp X.X.X.0 255.255.255.192 host 101.21.130.206 eq www
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/ASDM-523.BIN
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 X.X.X.250 netmask 255.255.255.192
nat (inside) 1 X.X.X.0 255.255.255.192
access-group 2 in interface outside
route outside 101.21.129.197 255.255.255.255 X.X.X.252 1
route outside 101.21.129.196 255.255.255.255 X.X.X.252 1
route outside 101.21.130.200 255.255.255.255 X.X.X.252 1
route outside 101.21.130.201 255.255.255.255 X.X.X.252 1
route outside 101.21.130.202 255.255.255.255 X.X.X.252 1
route outside 101.21.130.203 255.255.255.255 X.X.X.252 1
route outside 101.21.130.204 255.255.255.255 X.X.X.252 1
route outside 101.21.130.205 255.255.255.255 X.X.X.252 1
route outside 101.21.130.206 255.255.255.255 X.X.X.252 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
username cisco password 3USUcOPFUiMCO4Jk encrypted
prompt hostname context
Cryptochecksum:b3ff4228ee79bc0299b4a34ed40fb3b2
: end
ASA# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
C 101.168.5.0 255.255.255.192 is directly connected, inside
C 101.168.5.192 255.255.255.192 is directly connected, outside
S 101.21.129.197 255.255.255.255 [1/0] via X.X.X.252, outside
S 101.21.129.196 255.255.255.255 [1/0] via X.X.X.252, outside
S 101.21.130.206 255.255.255.255 [1/0] via X.X.X.252, outside
S 101.21.130.204 255.255.255.255 [1/0] via X.X.X.252, outside
S 101.21.130.205 255.255.255.255 [1/0] via X.X.X.252, outside
S 101.21.130.202 255.255.255.255 [1/0] via X.X.X.252, outside
S 101.21.130.203 255.255.255.255 [1/0] via X.X.X.252, outside
S 101.21.130.200 255.255.255.255 [1/0] via X.X.X.252, outside
S 101.21.130.201 255.255.255.255 [1/0] via X.X.X.252, outside