ASA configuration using Packet Tracer



I am trying to configure the network below.

I cannot open http://142.12.56.68 from the public laptop.

I am able to ping the firewall 192.158.99.1 from laptop0 in VLAN20.

I have the following configuration on the ASA and the multilayer switch. Please let me know what else I need to do to complete this network.

ciscoasa(config)#show run
: Saved
:
ASA Version 9.6(1)
!
hostname ciscoasa
names
!
interface GigabitEthernet1/1
nameif inside
security-level 100
ip address 192.168.99.1 255.255.255.252
!
interface GigabitEthernet1/2
nameif dmz
security-level 50
ip address 172.16.1.0 255.255.255.0
ospf authentication message-digest
ospf message-digest-key 1 md5 *****
!
!
interface Management1/1
management-only
nameif outside
security-level 0
ip address 148.12.56.67 255.255.255.0
ospf authentication message-digest
ospf message-digest-key 1 md5 *****
!
webvpn
enable outside
object network DMZ
subnet 172.16.1.0 255.255.255.0
object network LAN
subnet 192.168.20.0 255.255.255.0
object network webserver
host 172.16.1.10
object network webserver-external-ip
host 148.12.56.68
!
route outside 192.168.99.0 255.255.255.252 148.12.56.68 1
!
access-list OUTSIDE extended permit icmp any any echo-reply
access-list OUTSIDE extended permit icmp any any unreachable
access-list OUTSIDE extended permit tcp any object webserver eq www
access-list OUTSIDE extended permit tcp any host 148.12.56.68 eq www
access-list outside extended permit icmp any any echo-reply
access-list outside extended permit icmp any any unreachable
!
!
access-group OUTSIDE in interface outside
object network DMZ
nat (dmz,outside) dynamic interface
object network LAN
nat (inside,outside) dynamic interface
object network webserver
nat (dmz,outside) static 148.12.56.68
!
!
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
inspect icmp 
!
service-policy global_policy global
!
telnet timeout 5
ssh timeout 5
!
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
network 192.168.99.0 255.255.255.252 area 0
network 148.12.56.0 255.255.255.0 area 0
network 171.16.1.0 255.255.255.0 area 1
network 172.16.1.0 255.255.255.0 area 1
!

For the MultiSwitch, I have the following:

S1#show run
Building configuration...
Current configuration : 1840 bytes
!
version 12.2(37)SE1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname S1
!
ip routing
!
interface FastEthernet0/1
switchport access vlan 20
switchport mode access
switchport nonegotiate
!
interface FastEthernet0/2
switchport access vlan 20
switchport mode access
switchport nonegotiate
!
interface FastEthernet0/3
switchport access vlan 10
switchport mode access
switchport nonegotiate
!
interface FastEthernet0/4
switchport access vlan 10
switchport mode access
switchport nonegotiate
!
interface FastEthernet0/5
no switchport
ip address 192.168.99.2 255.255.255.252
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
mac-address 000c.8551.6601
ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
mac-address 000c.8551.6602
ip address 192.168.20.1 255.255.255.0
!
router ospf 1
log-adjacency-changes
network 192.0.0.0 0.255.255.255 area 0
network 172.16.1.0 0.0.0.255 area 1
end

[Network diagram]

You are using the management interface in management-only mode, so you can only use this interface to manage the ASA. As far as I know, you cannot remove the management-only option from the management interface.

Example packet-tracer command:

packet-tracer input outside tcp <laptop_ip> 148.12.56.68 80

At the end of the output you can see the Action line, which shows the final action. If the action is drop, the next line shows the reason.

You can also check the ASA log entries. You should always configure logging!!! Minimal logging configuration:

logging enable
logging timestamp
logging buffered informational
logging buffer-size 16384

The above configuration adds a timestamp to all log messages, sets the log severity level to informational, and buffers 16M of log messages.

More information about ASA logging: https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/monitor-syslog.html

You can find details about log severity levels here: https://en.wikipedia.org/wiki/Syslog#Severity_level

Sending log messages to a central log server:

logging host <asa_interface> <remote_log_server_ip> <protocol/port/>

For example, log messages will be sent from the inside interface to the remote server 192.168.1.1 on udp/514 (the standard/legacy syslog protocol and port):

logging host inside 192.168.1.1 udp

I think log messages are one of your best friends when troubleshooting.
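As an added example (not from the original thread), here is a small Python parser for the two ASA syslog messages most useful when checking the log entries the answer refers to: %ASA-4-106023 (connection denied by an access-list) and %ASA-6-302013 (TCP connection built). The sample log lines are constructed; the message formats are the ones the ASA emits, with the deny message reporting the real (post-NAT) DMZ address of the web server and the name of the ACL that dropped it.

```python
import re

# Constructed sample ASA syslog lines (not taken from the original post).
SAMPLE_LOG = """\
Jan 01 2024 10:00:01 ciscoasa : %ASA-4-106023: Deny tcp src outside:203.0.113.5/51000 dst dmz:172.16.1.10/80 by access-group "OUTSIDE" [0x0, 0x0]
Jan 01 2024 10:00:02 ciscoasa : %ASA-6-302013: Built inbound TCP connection 42 for outside:203.0.113.5/51001 (203.0.113.5/51001) to dmz:172.16.1.10/80 (148.12.56.68/80)
Jan 01 2024 10:00:03 ciscoasa : %ASA-4-106023: Deny tcp src outside:203.0.113.9/51002 dst dmz:172.16.1.10/443 by access-group "OUTSIDE" [0x0, 0x0]
Jan 01 2024 10:00:04 ciscoasa : %ASA-6-106015: Deny TCP (no connection) from 203.0.113.5/51003 to 148.12.56.68/80 flags RST on interface outside
"""

# 106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<src_if>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dst_if>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)
# 302013: Built inbound TCP connection <id> for <if>:<real>/<port> (<mapped>/<port>) to <if>:<real>/<port> (<mapped>/<port>)
BUILT_RE = re.compile(
    r'%ASA-\d-302013: Built (?P<dir>inbound|outbound) TCP connection \d+ for '
    r'(?P<src_if>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) to '
    r'(?P<dst_if>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+) \((?P<mapped>[\d.]+)/(?P<mport>\d+)\)'
)


def parse_asa_log(text):
    """Return a list of (kind, fields) for every deny/built message recognised."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            events.append(("deny", m.groupdict()))
            continue
        m = BUILT_RE.search(line)
        if m:
            events.append(("built", m.groupdict()))
    return events


def denied_to_server(events, server_ip, port):
    """Denied flows whose real (post-NAT) destination is server_ip:port."""
    return [f for kind, f in events
            if kind == "deny" and f["dst"] == server_ip and int(f["dport"]) == port]


if __name__ == "__main__":
    for kind, fields in parse_asa_log(SAMPLE_LOG):
        print(kind, fields["src"], "->", fields["dst"], fields["dport"], fields.get("acl", ""))
```

Running it over a buffered or syslog-server copy of the ASA log shows which access-list dropped a request to the web server, which is the same information the packet-tracer Action/Drop-reason lines give for a single simulated packet.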
