ASA/PIX同一接口中转同区域流量测试（pix8.0）

1.拓扑图：

 

2.接口配置：

PC1：
eth0:202.1.1.1/24

ASA:
ASA(config)# int e0
ASA(config-if)# ip add 10.1.1.1 255.255.255.0
ASA(config-if)# no sh
ASA(config-if)# ip add 10.1.1.10 255.255.255.0
ASA(config-if)# nameif inside

ASA(config-if)# int e1
ASA(config-if)# ip add 202.1.1.10 255.255.255.0
ASA(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA(config-if)# no sh

R1:
R1(config)#int f0/0
R1(config-if)#ip add 10.1.1.1 255.255.255.0
R1(config-if)#no sh

R1(config-if)#int f0/1
R1(config-if)#ip add 20.1.1.1 255.255.255.0
R1(config-if)#no sh

R2:
R2(config)#int f0/0
R2(config-if)#ip add 10.1.1.2 255.255.255.0
R2(config-if)#no sh

R3:
R3(config)#int f0/0
R3(config-if)#ip add 20.1.1.3 255.255.255.0
R3(config-if)#no sh

3.路由配置：
ASA(config)# route inside 20.1.1.0 255.255.255.0 10.1.1.1
R1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.10 
R2(config-if)#ip route 0.0.0.0 0.0.0.0 10.1.1.10
R3(config-if)#ip route 0.0.0.0 0.0.0.0 20.1.1.1


4.防火墙NAT及策略配置：

ASA(config)# nat (inside) 1 0 0
ASA(config)# global (outside) 1 in
ASA(config)# global (outside) 1 interface 


ASA(config)# access-list outside permit icmp any any echo-reply 
ASA(config)# access-group outside in interface outside

5.公网访问测试：

R1#ping 202.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/28/52 ms

R2#ping 202.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/29/68 ms

R3#ping 202.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/52/72 ms

6. 配置R2和R3互访：

A.R2 ping R3，防火墙有如下日志：
%PIX-3-106014: Deny inbound icmp src inside:10.1.1.2 dst inside:20.1.1.1 (type 8, code 0)
%PIX-3-106014: Deny inbound icmp src inside:10.1.1.2 dst inside:20.1.1.1 (type 8, code 0)
%PIX-3-106014: Deny inbound icmp src inside:10.1.1.2 dst inside:20.1.1.1 (type 8, code 0)
%PIX-3-106014: Deny inbound icmp src inside:10.1.1.2 dst inside:20.1.1.1 (type 8, code 0)
%PIX-3-106014: Deny inbound icmp src inside:10.1.1.2 dst inside:20.1.1.1 (type 8, code 0)
%PIX-6-302010: 0 in use, 2 most used

B.防火墙开启相同区域互访：
ASA(config)# same-security-traffic permit intra-interface 

再次ping，仍然不通，防火墙日志如下：
%PIX-7-609001: Built local-host inside:10.1.1.2
%PIX-7-609001: Built local-host inside:20.1.1.1
%PIX-3-305006: portmap translation creation failed for icmp src inside:10.1.1.2 dst inside:20.1.1.1 (type 8, code 0)
%PIX-7-609002: Teardown local-host inside:10.1.1.2 duration 0:00:00
%PIX-7-609002: Teardown local-host inside:20.1.1.1 duration 0:00:00

C.配置NAT免除：

ASA(config)# access-list nonat permit ip 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0 
ASA(config)# access-list nonat  permit ip 20.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0 
ASA(config)#  nat (inside) 0 access-list nonat


7.验证

A.ping数据包双向正常通行

R2#ping 20.1.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/67/92 ms

R3#ping 10.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/70/120 ms

B.TCP数据包不正常通
R2#telnet 20.1.1.3
Trying 20.1.1.3 ... 
% Connection timed out; remote host not responding

R2#

%PIX-6-106015: Deny TCP (no connection) from 10.1.1.2/35246 to 20.1.1.3/23 flags RST  on interface inside

C.分析不通的原因
1）R3主动访问R2
R3 telnetR2，TCP三次握手的时候，R1有去R2的直连路由，TCP/SYN数据包没有经过防火墙，而回来时候，因为不是直连网段，R2将TCP/SYN-ACK数据包扔给了默认网关防火墙，而防火墙没有检查到之前的TCP/SYNK包所以拒绝通过。
2)R2主动访问R3

R2 telnet R3，TCP三次握手的时候，R2将TCP/SYN数据包扔给了防火墙，防火墙放行，并且修改了数据包的序列号；而TCP/SYN-ACK包未经过防火墙，但是R2检测到数据包序列号与之前发出的不对应，导致R2将数据包丢弃。（估计即使设置防火墙不修改数据包的序列号，TCP三次握手能成功建立，后续会话也不会被防火墙放行）

参见如下链接:

http://www.8-p.org/wiki/doku.php?id=asahairpinning

8. 两种解决方式：

A.来回的数据包都不经过防火墙：

1)R2上添加去往20.1.1.0的路由器走R1
R2(config)#ip route 20.1.1.0 255.255.255.0 10.1.1.1

----TELNET测试正常
R3#  telnet 10.1.1.2
Trying 10.1.1.2 ... Open


User Access Verification

Password:

2)想在防火墙接口设定icmp 重定向，但是防火墙不支持该功能

B.来回的数据包都经过防火墙：

1）R1上添加主机路由，指向防火墙

R1(config)#ip route 10.1.1.2 255.255.255.255 10.1.1.10

----TELNET测试正常
R3#telnet 10.1.1.2
Trying 10.1.1.2 ... Open


User Access Verification

Password: 

2)R1上面与防火墙非直接接口设置route-map

-----设定与防火墙相连网段的下一跳地址为防火墙接口地址

interface e1
  ip policy route-map inside

ip access-list extended inside
  permit ip any 10.1.1.0 0.0.0.255

route-map inside permit 10
 match ip address inside
 set ip next-hop 10.1.1.10

3）R1上设定101.1.2的mac地址为防火墙inside接口的mac地址

ASA# show interface e0
Interface Ethernet0 "inside", is up, line protocol is up
  Hardware is i82559, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        MAC address 00ab.bffb.c400, MTU 1500
        IP address 10.1.1.10, subnet mask 255.255.255.0

R1(config)#arp 10.1.1.2 00ab.bffb.c400 arpa

----TELNET测试正常
R2#telnet 20.1.1.3
Trying 20.1.1.3 ... Open


User Access Verification

Password: 
 

本文转自 碧云天 51CTO博客，原文链接：http://blog.51cto.com/333234/856558，如需转载请自行联系原作者