How to assign the second available public IP to the inside network for NAT (dynamic PAT) on a Cisco ASA 5516-X

network-engineering cisco firewall nat
2021-07-28 09:50:07

I have an xxx200/29 public IP subnet.

Router interface: xxx206 255.255.255.248
ASA 5516-X outside: xxx201 255.255.255.248
ASA 5516-X inside: 10.111.22.254 255.255.255.0 to

all traffic inside my interfaces (tna 255.0)

A busy Cat (Catalyst switch)

Router config:

interface GigabitEthernet180/1/0/40
 description fw Gi1/2 Inside
 switchport
 switchport trunk allowed vlan 1
 switchport mode access
 switchport access vlan 100
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 no logging event link-status
 spanning-tree portfast edge
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 10
end

interface GigabitEthernet180/1/0/41
 description fw Gi1/1 Outside
 switchport
 switchport trunk allowed vlan 1
 switchport mode access
 switchport access vlan 99
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 no logging event link-status
 spanning-tree portfast edge
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 10
end

interface Vlan99
 name fw Outside
 ip address xxx206 255.255.255.248
 description fw Outside
 exit

vlan 100
 name "fw Inside"
 exit

Here is the ASA sh run config:

interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address x.x.x.201 255.255.255.248
!
interface GigabitEthernet1/2
 description "Inside"
 nameif inside
 security-level 100
 ip address 10.111.22.254 255.255.255.0

NAT config:

object network Nat-xx-205
 subnet 10.111.22.0 255.255.255.0
object network Public_outside
 host x.x.x.205
 description Public Outside IP

Access lists:

 access-list acl_out extended permit icmp any4 any4 echo-reply
 access-list acl_out extended permit icmp any4 any4 source-quench
 access-list acl_out extended permit icmp any4 any4 unreachable
 access-list acl_out extended permit icmp any4 any4 time-exceeded
 access-list acl_out extended permit udp object-group dance any4 eq snmp
 access-list acl_out extended permit icmp object-group dance any4
 access-list inside_access_in extended permit ip any any

 mtu outside 1500
 mtu inside 1500 
 ip verify reverse-path interface outside
 ip verify reverse-path interface inside

 nat (inside,outside) after-auto source dynamic Nat-xx-205 Public_outside
 access-group acl_out in interface outside
 access-group inside_access_in in interface inside
 route outside 0.0.0.0 0.0.0.0 x.x.x.206 1


 dhcpd address 10.111.22.1-10.111.22.253 inside
 dhcpd dns x.x.22.60 x.x.22.62 interface inside
 dhcpd lease 300 interface inside
 dhcpd enable inside


class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 1300
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options

Maybe I have a misconfiguration; please help me fix NAT to the second available public IP on the inside network.

Thanks in advance.


Packet tracer

fw# packet-tracer input inside tcp 10.111.22.10 56789 8.8.8.8 443
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop xxx206 using egress ifc outside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.111.22.10 using egress ifc inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) after-auto source dynamic Nat-xx-205 Public_outside
Additional Information:
Dynamic translate 10.111.22.10/56789 to xxx205/56789

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) after-auto source dynamic Nat-xx-205 Public_outside
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 34702, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow


fw# sh logging | i 10.111.22.13
Teardown UDP connection 18078 for outside:130.83.22.62/53 to inside:10.111.22.13/57559 duration 0:02:07 bytes 141
Mar 02 2018 12:58:14: %ASA-6-302016: Teardown UDP connection 18075 for outside:8.8.8.8/53 to inside:10.111.22.13/57559 duration 0:02:08 bytes 188
Mar 02 2018 12:58:14: %ASA-6-305012: Teardown dynamic UDP translation from inside:10.111.22.13/57559 to outside:XXX205/57559 duration 0:02:08
Mar 02 2018 12:58:15: %ASA-6-302016: Teardown UDP connection 18086 for outside:8.8.8.8/53 to inside:10.111.22.13/52482 duration 0:02:03 bytes 96
Mar 02 2018 12:58:15: %ASA-6-302016: Teardown UDP connection 18089 for outside:130.83.22.62/53 to inside:10.111.22.13/56808 duration 0:02:01 bytes 47
Mar 02 2018 12:58:15: %ASA-6-305012: Teardown dynamic UDP translation from inside:10.111.22.13/52482 to outside:XXX205/52482 duration 0:02:03
Mar 02 2018 12:58:16: %ASA-6-302016: Teardown UDP connection 18087 for outside:8.8.8.8/53 to inside:10.111.22.13/56808 duration 0:02:03 bytes 94
Mar 02 2018 12:58:16: %ASA-6-302016: Teardown UDP connection 18090 for outside:8.8.8.8/53 to inside:10.111.22.13/54385 duration 0:02:01 bytes 42
Mar 02 2018 12:58:16: %ASA-6-305012: Teardown dynamic UDP translation from inside:10.111.22.13/56808 to outside:XXX205/56808 duration 0:02:03
Mar 02 2018 12:58:16: %ASA-6-305012: Teardown dynamic UDP translation from inside:10.111.22.13/54385 to outside:XXX205/54385 duration 0:02:01
Mar 02 2018 12:58:16: %ASA-7-609002: Teardown local-host inside:10.111.22.13 duration 0:03:01
fw#
fw# show capture asp-drop

 50: 12:46:40.626493 221.226.82.226.5104 > XXX201.5060: udp 412 Drop-reason: (acl-drop) Flow is denied by configured rule
 51: 12:48:07.739936 116.21.88.116.15000 > XXX201.45139: udp 20 Drop-reason: (acl-drop) Flow is denied by configured rule
 52: 12:48:07.760031 116.21.88.116.15000 > XXX201.45139: udp 114 Drop-reason: (acl-drop) Flow is denied by configured rule
 53: 12:48:07.760382 116.21.88.116.15000 > XXX201.45139: udp 20 Drop-reason: (acl-drop) Flow is denied by configured rule
 54: 12:48:09.781774 116.21.88.116.15000 > XXX201.45139: udp 114 Drop-reason: (acl-drop) Flow is denied by configured rule
 55: 12:48:13.794743 116.21.88.116.15000 > XXX201.45139: udp 114 Drop-reason: (acl-drop) Flow is denied by configured rule
 56: 12:48:21.818332 116.21.88.116.15000 > XXX201.45139: udp 114 Drop-reason: (acl-drop) Flow is denied by configured rule
 57: 12:48:28.583176 5.101.40.48.56539 > XXX201.46791: S 1576709658:1576709658(0) win 1024 Drop-reason: (acl-drop) Flow is denied
 58: 12:50:57.464636 109.248.9.18.46061 > XXX201.13403: S 3931032209:3931032209(0) win 1024 Drop-reason: (acl-drop) Flow is denied
 59: 12:51:15.630140 181.128.5.172.40668 > XXX201.23: S 2249883442:2249883442(0) win 38613 Drop-reason: (acl-drop) Flow is denied




fw# cap capin interface inside real-time

Warning: using this option with a slower console connection may result
         in an excessive amount of non-displayed packets
         due to performance limitations.

Use ctrl-c to terminate real-time capture


268 packets shown.
0 packets not shown due to performance limitations.

2 Answers

I found the problem. I ran the following command and everything works perfectly, as expected.

no sysopt noproxyarp outside
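As an added example, not part of either answer and not Cisco tooling, here is a Python check for the failure mode that command addresses: a dynamic PAT address inside the outside subnet while proxy ARP is disabled on that interface, so the upstream router's ARP for the PAT address goes unanswered and return traffic never reaches the ASA. Object and interface names follow the question; the 203.0.113.x addresses are constructed stand-ins for the masked x.x.x.201 and x.x.x.205. It also covers the other common case, a PAT address outside the interface subnet, which needs a route on the upstream router instead.

```python
import ipaddress
import re

# Constructed sample in the question's own object/interface names; 203.0.113.x
# (a documentation prefix) stands in for the masked x.x.x.201 / x.x.x.205.
SAMPLE_CONFIG = """
interface GigabitEthernet1/1
 nameif outside
 ip address 203.0.113.201 255.255.255.248
interface GigabitEthernet1/2
 nameif inside
 ip address 10.111.22.254 255.255.255.0
object network Nat-xx-205
 subnet 10.111.22.0 255.255.255.0
object network Public_outside
 host 203.0.113.205
sysopt noproxyarp outside
nat (inside,outside) after-auto source dynamic Nat-xx-205 Public_outside
"""

def parse_interfaces(config):
    """nameif -> IPv4Interface, taken from each 'nameif' / 'ip address' pair."""
    ifaces, nameif = {}, None
    for line in config.splitlines():
        if m := re.match(r"\s*nameif (\S+)", line):
            nameif = m.group(1)
        elif (m := re.match(r"\s*ip address (\S+) (\S+)", line)) and nameif:
            ifaces[nameif] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            nameif = None
    return ifaces

def parse_host_objects(config):
    """object name -> IPv4Address for every 'object network' defined with 'host'."""
    hosts, name = {}, None
    for line in config.splitlines():
        if m := re.match(r"object network (\S+)", line):
            name = m.group(1)
        elif (m := re.match(r"\s*host (\S+)", line)) and name:
            hosts[name] = ipaddress.IPv4Address(m.group(1))
    return hosts

def check_dynamic_pat(config):
    """One finding per dynamic NAT whose mapped address the upstream router cannot
    reach: an address inside the outside subnet is only reachable while the ASA
    proxy-ARPs for it, which 'sysopt noproxyarp <ifc>' switches off."""
    ifaces, hosts = parse_interfaces(config), parse_host_objects(config)
    noproxy = set(re.findall(r"^sysopt noproxyarp (\S+)", config, re.M))
    nat_re = r"^nat \((\S+),(\S+)\).*source dynamic (\S+) (\S+)"
    findings = []
    for _real_if, mapped_if, _real_obj, mapped_obj in re.findall(nat_re, config, re.M):
        mapped, ifc = hosts.get(mapped_obj), ifaces.get(mapped_if)
        if mapped is None or ifc is None or mapped == ifc.ip:
            continue  # PAT to the interface address itself never needs proxy ARP
        if mapped in ifc.network and mapped_if in noproxy:
            findings.append(f"{mapped} is in {ifc.network} but proxy ARP is disabled "
                            f"on {mapped_if}: return traffic will be dropped")
        elif mapped not in ifc.network:
            findings.append(f"{mapped} is off-subnet for {mapped_if}: the upstream "
                            f"router needs a route for it via {ifc.ip}")
    return findings
```

Removing the `sysopt noproxyarp outside` line from the sample, as the accepted fix does, clears the finding.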

I can see a typo in the object group you used for the NAT configuration - Nat-x-205. The correct one should be Nat-xx-205 (double xx).

Your DHCP range below is also incorrect - 10.111.22.1 - 10.111.22.253. The correct range should be 10.111.20.1 - .253, and we need to set up routing for this DHCP range.

 dhcpd address 10.111.22.1-10.111.22.253 inside
 dhcpd dns x.x.22.60 x.x.22.62 interface inside

Please run the following packet-tracer command and update your question with the output:

packet-tracer input inside tcp 10.111.20.10 56789 8.8.8.8 443

Updated answer:

Please try simplifying the configuration on the Cat 6807 (router) as below:

interface GigabitEthernet180/1/0/40
 description fw Gi1/2 Inside
 switchport
 switchport mode access
 switchport access vlan 100
 no logging event link-status
 spanning-tree portfast edge
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 10
end
!
interface GigabitEthernet180/1/0/41
 description fw Gi1/1 Outside
 switchport
 switchport mode access
 switchport access vlan 99
 no logging event link-status
 spanning-tree portfast edge
 spanning-tree bpduguard enable
end

At the same time, please turn on a capture on the ASA as follows (I assume you have a real host with IP address 10.111.22.10; if not, change the IP below to the correct one):

capture IN interface inside match ip host 10.111.22.5 any

Then test real Internet traffic from 10.111.22.5, and while testing, check the connection and NAT information on the ASA frequently with the following commands:

show conn | i 10.111.22.5

show xlate local 10.111.22.5

Please let me know the results of these tests and commands.