Cisco ASA 防火墙同安全级别端口互相访问的问题

@珲 2013-07-18

展开全文

问一个ASA同安全级别端口互相访问的问题 --问题解决了，总结了一下和大家分享！

在输入same-security-traffic permit inter-interface命令之后，如果不添加任何ACL，同安全级别的端口之间所能做到的互相访问是不是应该像在同一台未作任何配置的交换机上面一样？包括FTP之类的应用服务～谢谢啦！
--------------------------------------------------------------------------- 原问题如上 -------------------------------------------------------------------------------------------

首先，一个防火墙上的两个端口之间如果需要建立链接，必须满足两个条件：
1，两个端口对儿上要有相应的地址转换策略；
2，有安全策略对转发数据放行，一般以ACL体现；
这样，
当高安全级别区域访问低安全级别区域的时候，安全策略是允许的；
低安全级别区域访问高安全级别区域就需要ACL放行了；
当2个同安全级别区域互相访问的时候，如果端口没有关联NAT策略，那么通过same-security-traffic permit inter-interface可以实现互访，如果关联的NAT策略的话，就需要对这两个同安全级别端口进行端口之间的NAT调整，我这里使用了 static(natserver,vlan300)192.168.30.0 192.168.30.0 netmask 255.255.255.0，static(vlan300,natserver)192.168.12.0 192.168.12.0 netmask 255.255.255.0这一对儿对应的NAT来实现对2个同安全级别区域自身网段NAT的转换，目的就是让ASA受到packet之后，不只关联到 nat()1，而搞不清楚正确的转发方向。同样对于其他同安全级别互访区域都配置一对儿双向的静态NAT就可以了！
NAT()0我感觉也应该可以实现，试了一下似乎没成，回头再试试看！

现行配置：
ASA Version 7.0(7)
!
hostname 5520
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 2××.1××.1××.×× 255.255.255.248
!
interface GigabitEthernet0/1
speed 100
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.100
vlan 100
nameif vlan100
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/1.200
vlan 200
nameif vlan200
security-level 100
ip address 192.168.11.1 255.255.255.0
!
interface GigabitEthernet0/1.300
vlan 300
nameif vlan300
security-level 100
ip address 192.168.12.1 255.255.255.0
!
interface GigabitEthernet0/1.400
vlan 400
nameif vlan400
security-level 100
ip address 192.168.13.1 255.255.255.0
!
interface GigabitEthernet0/2
description link_to_server
nameif dmz
security-level 50
ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/3
description link_to_natserver
nameif natserver
security-level 100
ip address 192.168.30.254 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_to_natserver extended permit ip any host 211.142.134.99
access-list outside_to_natserver extended permit ip any host 211.142.134.100
pager lines 24
logging asdm informational
mtu outside 1500
mtu vlan100 1500
mtu vlan200 1500
mtu vlan300 1500
mtu vlan400 1500
mtu dmz 1500
mtu natserver 1500
mtu management 1500
no failover
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 2××.1××.1××.1××
global (outside) 3 2××.1××.1××.××
nat (vlan100) 1 192.168.10.0 255.255.255.0
nat (vlan300) 1 192.168.12.0 255.255.255.0
nat (vlan400) 1 192.168.13.0 255.255.255.0
nat (dmz) 2 192.168.20.0 255.255.255.0
nat (natserver) 3 192.168.30.0 255.255.255.0
static (dmz,outside) 2××.1××.1××.1×× 192.168.20.254 netmask 255.255.255.255
static (natserver,outside) 2××.1××.1××.×× 192.168.30.1 netmask 255.255.255.255
static (natserver,vlan300) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (vlan300,natserver) 192.168.12.0 192.168.12.0 netmask 255.255.255.0
static (natserver,vlan100) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (vlan100,natserver) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (natserver,vlan200) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (vlan200,natserver) 192.168.11.0 192.168.11.0 netmask 255.255.255.0
access-group outside_to_natserver in interface outside
route outside 0.0.0.0 0.0.0.0 211.142.134.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username cisco password 3USUcOPFUiMCO4Jk encrypted
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
   inspect dns maximum-length 512
   inspect ftp
   inspect h323 h225
   inspect h323 ras
   inspect rsh
   inspect rtsp
   inspect esmtp
   inspect sqlnet
   inspect skinny
   inspect sunrpc
   inspect xdmcp
   inspect sip
   inspect netbios
   inspect tftp
!
service-policy global_policy global
Cryptochecksum:736895fa883f241310142e5961872c89
: end