ChinaUnix
Strange ARP-resolution problem with a CISCO ASA firewall

#1 | Posted 2008-11-18 10:01
Our organisation has just bought an ASA. Its inside interface connects to a Huawei switch, which in turn connects three servers; their gateway all points at the ASA (there are no other devices in this segment). A strange phenomenon occurs:

As soon as I ping one server from another, only one packet gets through and after a moment everything times out. I then looked with arp -a: almost every entry shows the other server's IP as mapping to the MAC of the ASA's inside interface, so the ping packets are all sent to the ASA. It is the same when pinging from any of the servers; in the end the servers' MACs all wrongly point to the ASA. It is exactly as if the CISCO ASA were doing ARP poisoning.

And as soon as I disconnect the CISCO ASA from the network the LAN is fine; reconnect it and it breaks again.

Please HELP ME and help me think of a way out. Is there some further configuration needed on the ASA? The device is a CISCO ASA 5550.
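The symptom described in this post, several hosts' IP addresses resolving to the one MAC that belongs to the gateway, is easy to spot automatically from the text of `arp -a`. The script below is an added example by the editor, not something a participant posted. It parses both the Windows and the Unix `arp -a` layouts, lists the IPs that share the gateway's MAC and, more generally, any MAC claimed by more than one IP. The sample ARP table is constructed: 192.168.100.1 is the ASA DMZ address from the thread, but the MAC addresses and the .11/.20 hosts are invented.

```python
import re
from collections import defaultdict

# Constructed sample: Windows-style `arp -a` output as seen from one of the
# servers. 192.168.100.1 is the ASA dmz address from the thread; the MACs and
# the .11/.20 hosts are made up for the example.
SAMPLE_ARP = """\
Interface: 192.168.100.11 --- 0x2
  Internet Address      Physical Address      Type
  192.168.100.1         00-1a-2b-3c-4d-5e     dynamic
  192.168.100.10        00-1a-2b-3c-4d-5e     dynamic
  192.168.100.13        00-1a-2b-3c-4d-5e     dynamic
  192.168.100.20        00-e0-fc-11-22-33     dynamic
"""

# One IPv4 address followed, after some non-digit text, by a MAC in either the
# Windows (aa-bb-..) or the Unix (aa:bb:..) notation. This matches both
# "192.168.100.10   00-1a-2b-3c-4d-5e" and
# "? (192.168.100.10) at 00:1a:2b:3c:4d:5e [ether] on eth0".
ENTRY_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\D+?([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})"
)


def _ip_key(ip):
    """Sort key so that .10 sorts before .13 and after .1 numerically."""
    return tuple(int(octet) for octet in ip.split("."))


def parse_arp(text):
    """Return {ip: mac}; MACs are normalised to lower-case, colon-separated."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table


def find_shadowed_hosts(table, gateway_ip):
    """IPs (other than the gateway itself) whose MAC equals the gateway's MAC.

    On a flat segment with one router, a host whose IP resolves to the router's
    MAC is either being spoofed (ARP poisoning) or the router is proxy-ARPing
    for it; either way its traffic is going to the router, not to the host.
    """
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        return []
    return sorted(
        (ip for ip, mac in table.items() if mac == gw_mac and ip != gateway_ip),
        key=_ip_key,
    )


def find_duplicate_macs(table):
    """Generic check: every MAC claimed by more than one IP, whoever it is."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips, key=_ip_key) for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    table = parse_arp(SAMPLE_ARP)
    print("hosts resolving to the gateway MAC:", find_shadowed_hosts(table, "192.168.100.1"))
    print("MACs shared by several IPs:", find_duplicate_macs(table))
```

Run it against the real output of `arp -a` (saved to a file or piped in) on each server; if the same MAC keeps reappearing against other servers' addresses, compare it with the MAC of the ASA interface (`show interface` on the ASA) before assuming a third-party spoofer.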

#2 | Posted 2008-11-18 10:26

Please post the exact configuration of the ASA and the switch.

#3 | Posted 2008-11-18 10:46
The Huawei is a 3526 switch. Apart from carving out one VLAN, nothing has been configured on it.
--------------------
The ASA5540 configuration is as follows (only the segment where the DMZ sits is used; all servers and the switch are connected to the DMZ, the inside interface is not used):

ASA550(config)# sh run
: Saved
:
ASA Version 7.1(2)
!
hostname ASA550 (hostname)
enable password xxxx encrypted (enable password)
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.240 {outside interface IP address}
!
interface GigabitEthernet0/1
nameif dmz
security-level 50
ip address 192.168.100.1 255.255.255.0 {DMZ interface IP address}
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only {management interface IP address}
!
interface GigabitEthernet1/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
passwd xxxxx encrypted
ftp mode passive
access-list outside extended permit tcp any host x.x.x.x eq www {allow external hosts to reach xx on port 80}
access-list outside extended permit tcp any host x.x.x.x eq 4899 {allow external hosts to reach xx on port 4899}
access-list outside extended permit tcp any host x.x.x.x eq ftp {allow external hosts to reach xx on the FTP port}
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu dmz 1500
no failover
asdm image disk0:/asdm-512.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface {PAT egress address}
global (dmz) 1 192.168.100.10-192.168.100.14
nat (dmz) 1 192.168.0.0 255.255.0.0 {PAT inside addresses}
static (dmz,outside) x.x.x.x 192.168.100.13 netmask 255.255.255.255 {inside .13 mapped to public x.x.x.x}
static (dmz,outside) x.x.x.x 192.168.100.10 netmask 255.255.255.255 {inside .10 mapped to public x.x.x.x}
route outside 0.0.0.0 0.0.0.0 x.x.x.241 1 {default route}
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.100.0 255.255.255.0 dmz
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
Cryptochecksum:xxxxxxxxxb48bxxxx
: end

--------------------

#4 | Posted 2009-09-30 11:25
I have run into the same problem, though if I disable and re-enable the host's network adapter it is fine for a while, then after some time it goes wrong again. Original poster, has this been solved yet? Thanks! How did you solve it?