Chinaunix

Title: Strange problem with a CISCO ASA firewall

Author: fsoldier    Time: 2008-11-18 09:37
Title: Strange problem with a CISCO ASA firewall
Our organization just bought an ASA. Its inside port connects to a Huawei switch, which then connects out to 3 servers, all of which have their gateway pointing at the ASA (there are no other devices on this segment). A strange phenomenon occurs:

Whenever I ping one server from another, only one packet gets through, and after a moment everything times out. I then checked with arp -a, and almost every entry shows the other server's IP mapped to the MAC of the ASA's inside port; the ping packets are all being sent to the ASA. It is the same when pinging from any of the servers; in the end the servers' MACs all wrongly point at the ASA. It is just as if the CISCO ASA had launched ARP poisoning.

Then, as soon as I disconnect the CISCO ASA from the network the LAN is fine; plug it back in and it is broken again.

Please HELP ME and help me think of a solution. Do I need to configure something else on the ASA? The device is a CISCO ASA 5550.
Author: ssffzz1    Time: 2008-11-18 10:27
1. Are you sure the subnet masks and gateway settings on your 3 servers are correct, and that they really are in the same subnet?
2. The switch has no special configuration such as PVLAN, right?
3. Disable the ARP proxy function on that ASA port.
Author: fsoldier    Time: 2008-11-18 11:30
The Huawei switch is a 3526. Apart from creating one VLAN, nothing has been configured on it.
--------------------
The ASA5540 configuration is as follows (only the segment the DMZ is on is used; all servers and the switch are connected to the DMZ, the inside port is not used):
ASA550(config)# sh run
: Saved
:
ASA Version 7.1(2)
!
hostname ASA550 (hostname)
enable password xxxx encrypted (enable password)
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.240 {outside port IP address}
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 192.168.100.1 255.255.255.0 {DMZ port IP address}
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only {management port IP address}
!
interface GigabitEthernet1/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd xxxxx encrypted
ftp mode passive
access-list outside extended permit tcp any host x.x.x.x eq www {allow external hosts to access xx port 80}
access-list outside extended permit tcp any host x.x.x.x eq 4899 {allow external hosts to access xx port 4899}
access-list outside extended permit tcp any host x.x.x.x eq ftp {allow external hosts to access the xx FTP port}
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu dmz 1500
no failover
asdm image disk0:/asdm-512.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface {PAT egress address}
global (dmz) 1 192.168.100.10-192.168.100.14
nat (dmz) 1 192.168.0.0 255.255.0.0 {PAT internal addresses}
static (dmz,outside) x.x.x.x 192.168.100.13 netmask 255.255.255.255 {internal .13 mapped to public x.x.x.x}
static (dmz,outside) x.x.x.x 192.168.100.10 netmask 255.255.255.255 {internal .10 mapped to public x.x.x.x}
route outside 0.0.0.0 0.0.0.0 x.x.x.241 1 {default route}
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.100.0 255.255.255.0 dmz
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
Cryptochecksum:xxxxxxxxb48bxxxx
: end
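Added by the editor, not by any poster in this thread: a worked check of the cause that ssffzz1's third point hints at. On ASA 7.x the firewall answers ARP (proxy ARP) on an interface for every address in a `global` pool defined on that interface and for every `static` mapped address on the mapped interface; `sysopt noproxyarp <nameif>` turns that off per interface. The config above defines `global (dmz) 1 192.168.100.10-192.168.100.14` on the dmz interface while its `static` lines say 192.168.100.10 and 192.168.100.13 are real servers on that same interface, so both the ASA and the servers reply to ARP requests for those addresses, which matches the symptom in the first post. The Python script below is the editor's own code: it parses a constructed config with the same NAT shape (public addresses replaced with RFC 5737 documentation space, an assumption), reports exactly those collisions, and emits the `no global ...` and `sysopt noproxyarp dmz` lines that remove them. Function names and the sample configs are the editor's, not Cisco's.

```python
# Spot ASA 7.x NAT lines that make the firewall answer ARP for addresses
# that real hosts on the same interface already use (added example).
import ipaddress
import re
from collections import defaultdict

# Constructed sample, not the poster's exact text: same NAT shape as the
# thread's config, public addresses replaced with RFC 5737 space (assumption).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.240
!
interface GigabitEthernet0/1
 nameif dmz
 ip address 192.168.100.1 255.255.255.0
!
global (outside) 1 interface
global (dmz) 1 192.168.100.10-192.168.100.14
nat (dmz) 1 192.168.0.0 255.255.0.0
static (dmz,outside) 203.0.113.3 192.168.100.13 netmask 255.255.255.255
static (dmz,outside) 203.0.113.4 192.168.100.10 netmask 255.255.255.255
"""
# Same config with the dmz pool dropped and proxy ARP switched off on dmz.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "global (dmz) 1 192.168.100.10-192.168.100.14\n", "sysopt noproxyarp dmz\n")

_IFACE = re.compile(r"^interface\s")
_NAMEIF = re.compile(r"^\s*nameif\s+(\S+)")
_IPADDR = re.compile(r"^\s*ip address\s+([\d.]+)\s+([\d.]+)")
_GLOBAL = re.compile(r"^global\s+\((\S+)\)\s+\d+\s+(\S+)")
_STATIC = re.compile(r"^static\s+\((\S+),(\S+)\)\s+(\S+)\s+(\S+)")
_NOPROXY = re.compile(r"^sysopt noproxyarp\s+(\S+)")


def expand(spec):
    """'a.b.c.d' or 'a.b.c.d-w.x.y.z' -> list of IPv4Address; keywords -> []."""
    lo, _, hi = spec.partition("-")
    try:
        lo = ipaddress.IPv4Address(lo)
        hi = ipaddress.IPv4Address(hi) if hi else lo
    except ipaddress.AddressValueError:
        return []      # e.g. 'interface': the ASA's own address, never a clash
    return [ipaddress.IPv4Address(i) for i in range(int(lo), int(hi) + 1)]


def scan(text):
    """One pass over the config. Returns (ifaces, claims, hosts):
    ifaces: nameif -> IPv4Interface; claims: nameif -> addresses the ASA will
    answer ARP for there (global pools on it, static mapped addresses on it),
    minus interfaces with 'sysopt noproxyarp'; hosts: nameif -> real host
    addresses named on it (real side of each static line)."""
    ifaces, claims, hosts = {}, defaultdict(set), defaultdict(set)
    suppressed, name = set(), None
    for line in text.splitlines():
        if _IFACE.match(line):
            name = None                          # start of a new interface block
        m = _NAMEIF.match(line)
        if m:
            name = m.group(1)
        m = _IPADDR.match(line)
        if m and name:
            ifaces[name] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        m = _NOPROXY.match(line)
        if m:
            suppressed.add(m.group(1))
        m = _GLOBAL.match(line)
        if m:
            claims[m.group(1)].update(expand(m.group(2)))
        m = _STATIC.match(line)
        if m:
            real_if, mapped_if, mapped_ip, real_ip = m.groups()
            claims[mapped_if].update(expand(mapped_ip))
            hosts[real_if].update(expand(real_ip))
    claims = {i: a for i, a in claims.items() if i not in suppressed}
    return ifaces, claims, hosts


def find_conflicts(text):
    """nameif -> sorted addresses the ASA claims AND a real host uses, inside
    that interface's subnet: the 'firewall is ARP-poisoning us' condition."""
    ifaces, claims, hosts = scan(text)
    out = {}
    for nameif, claimed in claims.items():
        net = ifaces[nameif].network if nameif in ifaces else None
        clash = {a for a in claimed & hosts[nameif] if net is None or a in net}
        if clash:
            out[nameif] = [str(a) for a in sorted(clash)]
    return out


def remediation(text):
    """CLI lines that remove each clashing pool and disable proxy ARP there."""
    lines = []
    for nameif in find_conflicts(text):
        for line in text.splitlines():
            m = _GLOBAL.match(line)
            if m and m.group(1) == nameif and expand(m.group(2)):
                lines.append("no " + line.strip())
        lines.append(f"sysopt noproxyarp {nameif}")
    return lines


if __name__ == "__main__":
    print(find_conflicts(SAMPLE_CONFIG), remediation(SAMPLE_CONFIG))
    print(find_conflicts(FIXED_CONFIG))      # {} once the pool is gone
```

Removing the dmz pool costs nothing here: a `global` on dmz only translates traffic that enters from another interface and leaves via dmz, and the servers reach the Internet through `global (outside) 1 interface`. After the change, `arp -a` on a server should show the other server's own MAC for its address and stay that way. Two further things in the posted config are worth a look: the three `access-list outside` lines are never bound with `access-group`, so they have no effect (and with outside at security level 0 the two static mappings are not reachable from the Internet at all), and `telnet 192.168.100.0 255.255.255.0 dmz` permits cleartext management logins from the same segment as the servers; SSH from a dedicated management host is the safer choice.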
Author: inhell    Time: 2008-11-21 13:25
What about turning off the DHCP on your firewall?




Welcome to Chinaunix (http://bbs.chinaunix.net/) Powered by Discuz! X3.2