Topic: access from one subnet to another. ASA 5506


Posted by mist8r (SPb):
Good afternoon. There is a network configured on a Cisco ASA 5506 (it was not configured by me, and I have no experience configuring it). It has two subnets separated by VLANs: 192.168.1.0 - vlan 11 (nameif buh); 192.168.10.0 - vlan 10 (nameif inside). Two ports on the ASA are grouped into an Etherchannel. The VLANs are bound to subinterfaces: interface Port-channel1.1 (vlan 11) and interface Port-channel1.10 (vlan 10). An HP V1910 L3 switch is connected to the ASA's Etherchannel ports, and an HP 1820 L2 switch is connected to it in turn. I need to set up access from a host (192.168.1.15) in one subnet to the local Windows shared folders of a host (192.168.10.24) in the other subnet. For this, the following rule is configured:
access-list buh_access_in line 9 extended permit ip object buh-network host 192.168.10.24 (hitcnt=28) 0xa5ea9276
  access-list buh_access_in line 9 extended permit ip 192.168.1.0 255.255.255.0 host 192.168.10.24 (hitcnt=28) 0xa5ea9276
I have tried from various hosts in 192.168.1.0 and the connection does not go through. Please advise what the problem might be and where to look.

Result of the command: "show running-config"
: Saved

:
: Serial Number:
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.9(2)
!
hostname ciscoasa
enable password
names
ip local pool anyconnect-network 192.168.100.10-192.168.100.100 mask 255.255.255.0

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 
!
interface GigabitEthernet1/2
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet1/5
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet1/6
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet1/7
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet1/8
 no nameif
 security-level 100
 no ip address
!
interface Management1/1
 management-only
 nameif mgmt
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Port-channel1
 lacp max-bundle 8
 no nameif
 no security-level
 no ip address
!
interface Port-channel1.1
 vlan 11
 nameif buh
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Port-channel1.3
 vlan 3
 nameif wifi
 security-level 20
 ip address 192.168.3.1 255.255.255.0
!
interface Port-channel1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
boot system disk0:/asa992-lfbff-k8.SPA
ftp mode passive
clock timezone MSK/MSD 3
clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network users-network
 subnet 192.168.10.0 255.255.255.0
object network buh-network
 subnet 192.168.1.0 255.255.255.0
object network wifi-network
 subnet 192.168.3.0 255.255.255.0
object network backup-server-01
 host 192.168.10.201
object network backup-server-02
 host 192.168.1.201
object network navigator
 host 192.168.10.8
object service navigator-bd
 service tcp source eq 3055 destination eq 3055
object service navigator-hhtp-inside
 service tcp source eq www destination range 1024 64000
object service navigator-http-outside
 service tcp source range 1024 64000 destination eq 8088
object network navigator-02
 host 192.168.10.8
object network backup-server-rdp
 host 192.168.10.201
object network buhprt01
 host 192.168.1.231
object network navigator-rdp
 host 192.168.10.8
object network filalex-network
 subnet 192.168.24.0 255.255.255.0
object network pcn1
 host 192.168.10.9
object network pcn2
 host 192.168.10.10
object network 1c-server-01
 host 192.168.1.200
object network NETWORK_OBJ_192.168.100.0_25
 subnet 192.168.100.0 255.255.255.128
object network Irina-PC
 host 192.168.1.12
object network Elena-PC
 host 192.168.1.11
object network Oksana-PC
 host 192.168.1.15
object network Ivan-PC
 host 192.168.1.13
object network Svetlana
 host 192.168.10.24
object-group network DM_INLINE_NETWORK_1
 network-object object navigator
 network-object object backup-server-01
 network-object object 1c-server-01
object-group network management
 network-object object management-01
 network-object object management-02
 network-object object management-03
 network-object object management-04
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 3055
 port-object eq www
object-group network DM_INLINE_NETWORK_2
 network-object object opendns-01
 network-object object opendns-02
object-group network DM_INLINE_NETWORK_3
 network-object object navigator
 network-object object backup-server-01
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_5
 network-object object opendns-01
 network-object object opendns-02
object-group service DM_INLINE_SERVICE_1
 service-object gre
 service-object tcp destination eq pptp
object-group service DM_INLINE_SERVICE_2
 service-object esp
 service-object udp destination eq 1701
 service-object udp destination eq 4500
 service-object udp destination eq isakmp
object-group service DM_INLINE_SERVICE_3
 service-object icmp
 service-object udp destination eq ntp
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_4
 network-object object opendns-01
 network-object object opendns-02
object-group network DM_INLINE_NETWORK_8
 network-object object 1c-server-01
 network-object object Oksana-PC
object-group service NetBiosUDP udp
 description NetBiosUDP 135-139
 port-object range 135 139
object-group service NetBiosandSMB tcp
 description TCP135-139,445
 port-object range 135 netbios-ssn
 port-object eq 445
object-group service DM_INLINE_SERVICE_6
 service-object tcp destination eq 9443
 service-object udp destination eq 9443
access-list buh_access_in extended permit ip object Elena-PC any
access-list buh_access_in extended permit ip object Irina-PC any
access-list buh_access_in extended permit ip object Ivan-PC any
access-list buh_access_in extended permit tcp object Oksana-PC any object-group DM_INLINE_TCP_2
access-list buh_access_in extended permit object-group TCPUDP object Oksana-PC object-group DM_INLINE_NETWORK_4 eq domain
access-list buh_access_in remark sberbank
access-list buh_access_in extended permit object-group DM_INLINE_SERVICE_6 object Oksana-PC any
access-list buh_access_in extended permit object-group TCPUDP object-group DM_INLINE_NETWORK_8 any4 eq 5938
access-list buh_access_in extended permit ip object buh-network host 192.168.10.24
access-list buh_access_in extended permit ip object 1c-server-01 any4
access-list buh_access_in extended deny ip object buh-network any4
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_3 object users-network any
access-list inside_access_in extended permit ip object users-network object buhprt01
access-list inside_access_in extended permit tcp host 192.168.10.250 object 1c-server-01 eq 3389
access-list inside_access_in extended deny ip object users-network object buh-network
access-list inside_access_in extended permit object-group TCPUDP object users-network object-group DM_INLINE_NETWORK_2 eq domain
access-list inside_access_in extended permit object-group TCPUDP object-group DM_INLINE_NETWORK_3 any4 eq domain
access-list inside_access_in extended deny object-group TCPUDP object users-network any4 eq domain
access-list inside_access_in extended permit ip object users-network any
access-list wifi-guest_access_in extended deny ip object wifi-network object buh-network
access-list wifi-guest_access_in extended permit tcp object wifi-network object navigator eq www
access-list wifi-guest_access_in extended deny ip object wifi-network object users-network
access-list wifi-guest_access_in extended permit object-group TCPUDP object wifi-network object-group DM_INLINE_NETWORK_5 eq domain
access-list wifi-guest_access_in extended deny object-group TCPUDP object wifi-network any4 eq domain
access-list wifi-guest_access_in extended permit udp object wifi-network any4 eq ntp
access-list wifi-guest_access_in extended permit ip object wifi-network any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object backup-server-01
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object backup-server-01 inactive
access-list outside_access_in extended permit ip object-group management object-group DM_INLINE_NETWORK_1
access-list outside_access_in extended permit tcp any object navigator object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any object pcn1 eq 3057
access-list outside_access_in extended permit tcp any object pcn2 eq 3058
access-list outside_access_in extended permit icmp any any echo-reply
access-list buh_access_in_1 extended permit ip object-group management any
access-list buh_access_in_1 extended permit ip object users-network any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu mgmt 1500
mtu buh 1500
mtu wifi 1500
mtu inside 1500
no failover
no monitor-interface buh
no monitor-interface wifi
no monitor-interface inside
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any mgmt
icmp permit any inside
asdm image disk0:/asdm-792.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.100.0_25 NETWORK_OBJ_192.168.100.0_25 no-proxy-arp route-lookup
!
object network users-network
 nat (inside,outside) dynamic interface
object network buh-network
 nat (buh,outside) dynamic interface
object network wifi-network
 nat (wifi,outside) dynamic interface
object network backup-server-01
 nat (inside,outside) static interface service tcp pptp pptp
object network navigator
 nat (inside,outside) static interface service tcp www 8088
object network navigator-02
 nat (inside,outside) static interface service tcp 3055 3055
object network backup-server-rdp
 nat (inside,outside) static interface service tcp 3389 38766
object network navigator-rdp
 nat (inside,outside) static interface service tcp 3389 38765
object network pcn1
 nat (inside,outside) static interface service tcp 3057 3057
object network pcn2
 nat (inside,outside) static interface service tcp 3058 3058
object network 1c-server-01
 nat (buh,outside) static interface service tcp 3389 38767
access-group outside_access_in in interface outside
access-group buh_access_in_1 in interface buh control-plane
access-group buh_access_in in interface buh
access-group wifi-guest_access_in in interface wifi
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0  1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
aaa authentication login-history
http server enable 4443
http 0.0.0.0 0.0.0.0 mgmt
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0

crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 mgmt
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd address 192.168.1.101-192.168.1.199 buh
dhcpd dns  interface buh
dhcpd enable buh
!
dhcpd address 192.168.3.11-192.168.3.199 wifi
dhcpd dns  interface wifi
dhcpd enable wifi
!
dhcpd address 192.168.10.101-192.168.10.199 inside
dhcpd dns  interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 145.238.203.14 source outside prefer
ntp server 128.9.176.30 source outside
ntp server 85.21.78.23 source outside
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 buh
ssl trust-point ASDM_TrustPoint0 wifi
ssl trust-point ASDM_TrustPoint0 inside
webvpn
 enable outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-4.5.03040-webdeploy-k9.pkg 1
 anyconnect profiles anyconnect-prof_client_profile disk0:/anyconnect-prof_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy GroupPolicy_anyconnect-prof internal
group-policy GroupPolicy_anyconnect-prof attributes
 wins-server none
 dns-server value
 vpn-tunnel-protocol ikev2 ssl-client
 default-domain none
 webvpn
  anyconnect profiles value anyconnect-prof_client_profile type user
dynamic-access-policy-record DfltAccessPolicy

tunnel-group anyconnect-prof type remote-access
tunnel-group anyconnect-prof general-attributes
 address-pool anyconnect-network
 default-group-policy GroupPolicy_anyconnect-prof
tunnel-group anyconnect-prof webvpn-attributes
 group-alias anyconnect-prof enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect http
  inspect icmp
  inspect pptp
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 5 mode exec command more
privilege cmd level 5 mode exec command dir
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command vpn-sessiondb
privilege cmd level 3 mode exec command packet-tracer
privilege cmd level 5 mode exec command export
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command route
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command service-policy
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command eigrp
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command aaa-server
prompt hostname context
!
jumbo-frame reservation
!
no call-home reporting anonymous
Cryptochecksum:436f9367e67ad638d662c184dd57932b
: end

Result of the command: "packet-tracer input buh tcp 192.168.1.15 139 192.168.10.24 139"
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.10.24 using egress ifc  inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group buh_access_in in interface buh control-plane
access-list buh_access_in extended permit ip object buh-network host 192.168.10.24
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 5916981, packet dispatched to next module

Phase: 8
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.10.24 using egress ifc  inside

Phase: 9
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 9829.a693.3ac4 hits 64 reference 2

Result:
input-interface: buh
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
« Last edit: 30 July 2019, 16:59:56 by mist8r »
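As an added example (not from the post above and not Cisco tooling), the following Python script re-implements first-match evaluation for the plain ACEs in the posted config and checks the SMB flow from the question in both directions. It works on a constructed subset of the posted network objects and access-lists, kept in their original order; the object-group ACEs are left out, and since none of the omitted buh_access_in entries match TCP/445 from 192.168.1.15 to 192.168.10.24, the verdict for that flow is the same as on the real ASA. All function and variable names are the example's own.

```python
"""Minimal evaluator for ASA-style extended ACLs (added example, not Cisco code).

Supported subset (what the posted config uses for the flow in question):
  object network NAME / subnet A MASK | host A
  access-list NAME extended permit|deny ip|tcp|udp SRC DST [eq PORT]
where SRC/DST is 'object NAME', 'host A', 'any', 'any4' or 'A MASK'.
Object-groups are not parsed.  First matching ACE wins; no match is a deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed subset of the posted running-config, original order preserved.
CONFIG = """
object network users-network
 subnet 192.168.10.0 255.255.255.0
object network buh-network
 subnet 192.168.1.0 255.255.255.0
object network buhprt01
 host 192.168.1.231
object network 1c-server-01
 host 192.168.1.200
object network Irina-PC
 host 192.168.1.12
object network Elena-PC
 host 192.168.1.11
object network Ivan-PC
 host 192.168.1.13
access-list buh_access_in extended permit ip object Elena-PC any
access-list buh_access_in extended permit ip object Irina-PC any
access-list buh_access_in extended permit ip object Ivan-PC any
access-list buh_access_in remark sberbank
access-list buh_access_in extended permit ip object buh-network host 192.168.10.24
access-list buh_access_in extended permit ip object 1c-server-01 any4
access-list buh_access_in extended deny ip object buh-network any4
access-list inside_access_in extended permit ip object users-network object buhprt01
access-list inside_access_in extended permit tcp host 192.168.10.250 object 1c-server-01 eq 3389
access-list inside_access_in extended deny ip object users-network object buh-network
access-list inside_access_in extended permit ip object users-network any
"""

PORT_NAMES = {"www": 80, "https": 443, "domain": 53, "netbios-ssn": 139}
ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass
class Ace:
    action: str                  # 'permit' or 'deny'
    proto: str                   # 'ip', 'tcp' or 'udp'
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port
    text: str                    # the original config line


def _endpoint(tok, i, objects):
    """Parse one source/destination spec at tok[i]; return (network, next index)."""
    t = tok[i]
    if t in ("any", "any4"):
        return ANY, i + 1
    if t == "object":
        return objects[tok[i + 1]], i + 2
    if t == "host":
        return ipaddress.IPv4Network(tok[i + 1]), i + 2
    return ipaddress.IPv4Network(f"{t}/{tok[i + 1]}"), i + 2  # 'A MASK' form


def parse_config(text):
    """Return ({object name: network}, {acl name: [Ace, ...]}) from config text."""
    objects, acls, current = {}, {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["object", "network"]:
            current = tok[2]
        elif tok[0] == "subnet" and current:
            objects[current] = ipaddress.IPv4Network(f"{tok[1]}/{tok[2]}")
        elif tok[0] == "host" and current:
            objects[current] = ipaddress.IPv4Network(tok[1])
        elif tok[0] == "access-list" and tok[2] == "extended":  # 'remark' lines are skipped
            current = None
            src, i = _endpoint(tok, 5, objects)
            dst, i = _endpoint(tok, i, objects)
            dport = None
            if i < len(tok) and tok[i] == "eq":
                dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
            acls.setdefault(tok[1], []).append(Ace(tok[3], tok[4], src, dst, dport, raw.strip()))
    return objects, acls


def evaluate(acl, proto, src_ip, dst_ip, dport=None):
    """First-match evaluation of one flow; returns (action, matching ACE text)."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.text
    return "deny", "<implicit deny at end of ACL>"


def smb_check(src="192.168.1.15", dst="192.168.10.24", port=445):
    """Evaluate the SMB flow on the ingress ACL of each side; returns both verdicts."""
    _, acls = parse_config(CONFIG)
    return {
        # The packet direction the poster ran packet-tracer for.
        "buh_to_inside": evaluate(acls["buh_access_in"], "tcp", src, dst, port),
        # A NEW connection the other way (not the return packets of the first
        # one, which the ASA matches against its connection table instead).
        "inside_to_buh": evaluate(acls["inside_access_in"], "tcp", dst, src, port),
    }


if __name__ == "__main__":
    for direction, (verdict, ace) in smb_check().items():
        print(f"{direction:14s} {verdict:6s} <- {ace}")
```

Running it shows buh_access_in permitting the flow on the same ACE that packet-tracer reports, while inside_access_in would deny a new connection from 192.168.10.24 back to 192.168.1.15. Return packets of the buh-initiated TCP session are checked against the ASA's connection table rather than inside_access_in, so that deny on its own does not explain the failure. What neither this evaluator nor packet-tracer exercises is anything outside the ASA's own policy: the Windows firewall on 192.168.10.24 (its inbound file-sharing rules are scoped to the local subnet by default on the Private profile, which blocks SMB from 192.168.1.0/24) and the real forwarding path through the L3 HP V1910, which must carry the SYN/ACK back through the ASA or the connection fails its TCP state check. Those are the next places to look.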