NAT/PAT Port Forwarding on ASA5510
Posted: Fri 06 Jun 2008 4:23 pm
by beppevip
Hi everyone,
I'm asking you for help after banging my head against this "problem" for about a week.
The infrastructure I'm working on has 2 Catalyst 3650 switches with 5 VLANs, connected in turn to 2 ASA 5510s in failover (I'll leave out other unnecessary details).
Well... the PCs that go out to the Internet use the IP address of a floor switch (we're part of a larger organisation).
There are static NATs for some servers (vlan DATA) that have to be visible from this organisation's network (vlan OUTSIDE).
They installed an external Fastweb line for us, with a proprietary router.
The interface from the ASA to the Catalysts has 5 sub-interfaces so the VLANs can be managed better (I know, that's a lot!).
I created a new VLAN (ADSL) for the Fastweb router's network. The Fastweb router is connected to one of the 2 switches. On the ASA I created a new sub-interface addressed in the Fastweb router's network.
I'll also mention that I had all the ports (Fastweb ADSL) NATted onto the IP of the ASA sub-interface for the ADSL.
Now... with that premise:
I'd like a request made to the Fastweb public IP on port 80, which in turn gets "fired" at the IP of the ASA sub-interface (vlan ADSL), to be forwarded (NATted) to the IP address of a server in vlan DATA.
I've only recently started with the ASA world, which is why I'm asking you for a hand. I tried a classic static NAT with PAT but nothing.
There are no rules in the firewall... any to any on all the VLANs.
Thanks in advance for your help
Beppe
Re: NAT/PAT Port Forwarding on ASA5510
Posted: Wed 18 Jun 2008 1:32 pm
by beppevip
since I got no response... I'll try pasting the running config
: Saved
: Written by enable_15 at 14:27:55.286 CEDT Wed Jun 18 2008
!
ASA Version 7.2(2)
!
hostname ciscoasa1
domain-name xxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxx encrypted
names
!
interface Ethernet0/0
nameif OUTSIDE
security-level 100
ip address 10.2.125.6 255.255.255.0
!
interface Ethernet0/0.1
vlan 7
nameif ADSL
security-level 0
ip address 192.168.0.3 255.255.255.0
!
interface Ethernet0/1
no nameif
security-level 0
no ip address
!
interface Ethernet0/1.2
vlan 2
nameif DMZ
security-level 100
ip address 192.168.3.2 255.255.255.0
!
interface Ethernet0/1.4
vlan 4
nameif DATA
security-level 100
ip address 192.168.2.2 255.255.255.0
!
interface Ethernet0/1.5
vlan 5
nameif VOCE
security-level 100
ip address 192.168.4.2 255.255.255.0
!
interface Ethernet0/2
description LAN Failover Interface
!
interface Ethernet0/3
description STATE Failover Interface
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
passwd xxxxxxxxxxx encrypted
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup OUTSIDE
dns domain-lookup DMZ
dns domain-lookup DATA
dns domain-lookup VOCE
dns domain-lookup management
dns server-group DefaultDNS
name-server 192.168.2.8
name-server 192.168.2.9
domain-name xxxxxxxxxxxxxxxxxxxx
same-security-traffic permit inter-interface
object-group network NATTING_SU_OUTSIDE
network-object 10.2.125.64 255.255.255.240
access-list OUTSIDE_access_out extended permit icmp any any
access-list OUTSIDE_access_out extended permit ip any any
access-list DATA_access_out remark
access-list DATA_access_out extended permit ip host 10.2.125.11 any inactive
access-list DATA_access_out remark
access-list DATA_access_out extended permit ip host 10.2.125.12 any inactive
access-list DATA_access_out remark
access-list DATA_access_out extended permit ip host 10.2.125.14 any inactive
access-list DATA_access_out remark
access-list DATA_access_out extended permit ip host 10.2.125.25 any inactive
access-list DATA_access_out remark
access-list DATA_access_out extended permit ip host 10.2.125.27 any inactive
access-list DATA_access_out remark
access-list DATA_access_out extended permit ip host 10.2.125.28 any inactive
access-list DATA_access_out extended permit ip any any
access-list DATA_access_out extended permit icmp any any
access-list DATA_access_in extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.0.2
access-list DATA_access_in extended permit icmp 192.168.2.0 255.255.255.0 host 192.168.0.2
access-list DATA_access_in extended permit ip any any
access-list DATA_access_in extended permit icmp any any
access-list OUTSIDE_access_in extended permit icmp any any
access-list OUTSIDE_access_in extended permit ip any any
access-list management_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list management_access_in extended permit icmp 192.168.1.0 255.255.255.0 any
access-list management_access_out extended permit ip 192.168.2.0 255.255.255.0 any
access-list management_access_out extended permit icmp 192.168.2.0 255.255.255.0 any
access-list management_access_out remark Temporary rule for bringing up the Load Balancers
access-list management_access_out extended permit icmp 192.168.3.0 255.255.255.0 any
access-list management_access_out remark Temporary rule for bringing up the Load Balancers
access-list management_access_out extended permit ip 192.168.3.0 255.255.255.0 any
access-list management_access_out remark Temporary rule for access to the voice VLAN
access-list management_access_out extended permit ip 192.168.4.0 255.255.255.0 any
access-list management_access_out remark Temporary rule for access to the voice VLAN
access-list management_access_out extended permit icmp 192.168.4.0 255.255.255.0 any
access-list management_access_out remark Test WEB VLAN
access-list management_access_out extended permit ip 192.168.7.0 255.255.255.0 any
access-list management_access_out remark Test WEB VLAN
access-list management_access_out extended permit icmp 192.168.7.0 255.255.255.0 any
access-list management_access_out extended permit ip 192.168.0.0 255.255.255.0 any
access-list management_access_out extended permit icmp 192.168.0.0 255.255.255.0 any
access-list VOCE_access_in extended permit ip any any
access-list VOCE_access_in extended permit icmp any any
access-list VOCE_access_out extended permit ip any any
access-list VOCE_access_out extended permit icmp any any
access-list DMZ_access_in remark Temporary rule for bringing up the Load Balancers
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in remark Temporary rule for bringing up the Load Balancers
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_out remark Temporary rule for bringing up the Load Balancers
access-list DMZ_access_out extended permit ip any any
access-list DMZ_access_out remark Temporary rule for bringing up the Load Balancers
access-list DMZ_access_out extended permit icmp any any
access-list ADSL_access_in extended permit ip any any
access-list ADSL_access_in extended permit icmp any any
access-list ADSL_access_out extended permit ip any any
access-list ADSL_access_out extended permit icmp any any
access-list ADSL_access_out_1 extended permit ip any any
access-list ADSL_access_out_1 extended permit icmp any any
access-list ADSL_access_in_1 extended permit ip any any
access-list ADSL_access_in_1 extended permit icmp any any
access-list ADSL_access_in_2 extended permit ip any any
access-list ADSL_access_in_2 extended permit icmp any any
access-list ADSL_access_out_2 extended permit ip any any
access-list ADSL_access_out_2 extended permit icmp any any
access-list ADSL_access_in_3 extended permit ip any any
access-list ADSL_access_in_3 extended permit tcp any any
access-list ADSL_access_out_3 extended permit ip any any
access-list ADSL_access_out_3 extended permit icmp any any
pager lines 24
logging enable
logging timestamp
logging standby
logging asdm informational
logging host management 192.168.1.12
logging debug-trace
logging permit-hostdown
mtu OUTSIDE 1500
mtu ADSL 1500
mtu DMZ 1500
mtu DATA 1500
mtu VOCE 1500
mtu management 1500
failover
failover lan unit secondary
failover lan interface lan-failover Ethernet0/2
failover key xxxxxx
failover replication http
failover link state-failover Ethernet0/3
failover interface ip lan-failover 172.16.0.1 255.255.255.252 standby 172.16.0.2
failover interface ip state-failover 172.16.1.1 255.255.255.252 standby 172.16.1.2
monitor-interface DMZ
monitor-interface DATA
monitor-interface VOCE
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp DATA 192.168.2.76 03bf.c0a8.024c alias
arp timeout 14400
nat-control
static (DATA,ADSL) tcp 192.168.0.2 www 192.168.2.10 www netmask 255.255.255.255
static (VOCE,OUTSIDE) 10.2.125.99 192.168.4.10 netmask 255.255.255.255
static (VOCE,OUTSIDE) 10.2.125.98 192.168.4.12 netmask 255.255.255.255
static (DMZ,OUTSIDE) 10.2.125.10 192.168.3.7 netmask 255.255.255.255
static (DMZ,OUTSIDE) 10.2.125.81 192.168.7.10 netmask 255.255.255.255
static (DMZ,OUTSIDE) 10.2.125.82 192.168.7.11 netmask 255.255.255.255
static (DATA,OUTSIDE) 10.2.125.140 192.168.2.140 netmask 255.255.255.255
static (DATA,OUTSIDE) 10.2.125.44 192.168.2.12 netmask 255.255.255.255
static (DATA,OUTSIDE) 10.2.125.45 192.168.2.13 netmask 255.255.255.255
static (DATA,OUTSIDE) 10.2.125.40 192.168.2.8 netmask 255.255.255.255
static (DATA,OUTSIDE) 10.2.125.41 192.168.2.9 netmask 255.255.255.255
static (DATA,OUTSIDE) 10.2.125.43 192.168.2.11 netmask 255.255.255.255
static (DATA,OUTSIDE) 10.2.125.64 192.168.2.64 netmask 255.255.255.248
static (DATA,OUTSIDE) 10.2.125.78 192.168.2.40 netmask 255.255.255.255
static (DATA,OUTSIDE) 10.2.125.80 192.168.2.41 netmask 255.255.255.255
static (DATA,OUTSIDE) 10.2.125.48 192.168.2.17 netmask 255.255.255.255
static (DATA,OUTSIDE) 10.2.125.72 192.168.2.72 netmask 255.255.255.255
static (DATA,OUTSIDE) 10.2.125.74 192.168.2.74 netmask 255.255.255.255
static (DATA,OUTSIDE) 10.2.125.46 192.168.2.14 netmask 255.255.255.255
static (DATA,OUTSIDE) 10.2.125.47 192.168.2.15 netmask 255.255.255.255
static (DATA,OUTSIDE) 10.2.125.76 192.168.2.76 netmask 255.255.255.255
static (DATA,OUTSIDE) 10.2.125.77 192.168.2.19 netmask 255.255.255.255
static (DATA,OUTSIDE) 10.2.125.100 192.168.2.222 netmask 255.255.255.255
static (DATA,OUTSIDE) 10.2.125.75 192.168.2.20 netmask 255.255.255.255
static (management,OUTSIDE) 10.2.125.97 192.168.1.13 netmask 255.255.255.255
static (DATA,OUTSIDE) 10.2.125.79 192.168.2.16 netmask 255.255.255.255
static (DATA,OUTSIDE) 10.2.125.42 192.168.2.10 netmask 255.255.255.255
access-group OUTSIDE_access_in in interface OUTSIDE
access-group OUTSIDE_access_out out interface OUTSIDE
access-group ADSL_access_in_3 in interface ADSL
access-group ADSL_access_out_3 out interface ADSL
access-group DMZ_access_in in interface DMZ
access-group DMZ_access_out out interface DMZ
access-group DATA_access_in in interface DATA
access-group DATA_access_out out interface DATA
access-group VOCE_access_in in interface VOCE
access-group VOCE_access_out out interface VOCE
access-group management_access_in in interface management
access-group management_access_out out interface management
route OUTSIDE 0.0.0.0 0.0.0.0 10.2.125.1 1
route DMZ 192.168.7.0 255.255.255.0 192.168.3.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
snmp-server host DATA 192.168.2.236 community public version 2c
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.10-192.168.1.254 management
dhcpd enable management
!
!
class-map management_access_in
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
ntp server 192.168.2.8
ntp server 192.168.2.9
prompt hostname context
Cryptochecksum:cfba1f0543179305c207fec4e6adb725
: end
Re: NAT/PAT Port Forwarding on ASA5510
Posted: Wed 18 Jun 2008 2:42 pm
by beppevip
more progress...
with the ASA's logging... I make an http request to the public IP and this comes out...
3 Jun 18 2008 15:40:11 710003 217.222.xxx.xx 192.168.0.2 TCP access denied by ACL from 217.222.xxx.xx/42139 to ADSL:192.168.0.2/80
But the rules on the interface are any to any... how can it possibly be "denied"????
Beppe
Posted: Thu 19 Jun 2008 10:08 am
by Wizard
Summary...
Internal IP?
Public IP?
Port to publish?
Posted: Thu 19 Jun 2008 10:15 am
by beppevip
the internal IP is 192.168.2.17 on vlan data
the "public" IP (Fastweb's NAT) is 192.168.0.2 on vlan adsl
default gw is the proprietary Fastweb router, 192.168.0.1
port to publish: 443 (https)
in the logs... when I try to connect from my public IP to the Fastweb one (then NATted to 192.168.0.2) with the NAT I set up... I get...
6 Jun 19 2008 11:04:10 302013 217.222.223.xx 192.168.2.17 Built inbound TCP connection 11273133 for ADSL:217.222.223.xx/56894 (217.222.223.xx/56894) to DATA:192.168.2.17/443 (192.168.0.2/443)
6 Jun 19 2008 11:04:10 110001 No route to 217.222.223.35 from 192.168.0.2
Apparently the packet can't find its way back... if I'm not mistaken...
Thanks!
Beppe
Wizard wrote: Summary...
Internal IP?
Public IP?
Port to publish?
Posted: Thu 19 Jun 2008 10:41 am
by Wizard
static (DATA,OUTSIDE) 10.2.125.48 192.168.2.17 netmask 255.255.255.255
From this, the NAT IP is 10.2.125.48 and not 192.168.0.2
Posted: Thu 19 Jun 2008 10:49 am
by beppevip
thanks for your attention wizard...
anyway, refer to this NAT...
static (DATA,ADSL) tcp 192.168.0.2 www (or https) 192.168.2.10 www (or https) netmask 255.255.255.255
2.17 is another IP I used for testing.
Beppe
Wizard wrote: static (DATA,OUTSIDE) 10.2.125.48 192.168.2.17 netmask 255.255.255.255
From this, the NAT IP is 10.2.125.48 and not 192.168.0.2
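Added example, not written by any of the posters above. The 110001 line Beppe pasted ("No route to 217.222.223.35 from 192.168.0.2") is the real failure, and it fits the running-config he posted: the connection is built on ADSL, but the only default route on the box is route OUTSIDE 0.0.0.0 0.0.0.0 10.2.125.1, so when the ASA has to send the server's reply back out ADSL towards an Internet source there is no route on that interface. ASA 7.2 has no policy-based routing (it only arrived in 9.4), so the interface that publishes a service to the Internet has to be the one holding the default route. The fragment below puts the posted lines next to a corrected set for the target stated in the thread (192.168.0.2:443 to 192.168.2.17:443, gateway 192.168.0.1) and also replaces the ip any any inbound list on ADSL with just the published service. Two things in it are assumptions, not from the thread: the 10.0.0.0/8 summary for the organisation's networks behind 10.2.125.1, and the new list name ADSL_access_in_4.

```cisco
! --- As posted (ASA 7.2(2) running-config) ---
! The only default route leaves via OUTSIDE, so a reply from 192.168.0.2
! to an Internet source has no route out ADSL: syslog 110001 "No route".
route OUTSIDE 0.0.0.0 0.0.0.0 10.2.125.1 1
static (DATA,ADSL) tcp 192.168.0.2 www 192.168.2.10 www netmask 255.255.255.255
access-list ADSL_access_in_3 extended permit ip any any
access-group ADSL_access_in_3 in interface ADSL

! --- Corrected: default route on the interface that publishes to the Internet ---
! 7.2 allows a single default route, so remove the OUTSIDE one first.
no route OUTSIDE 0.0.0.0 0.0.0.0 10.2.125.1 1
route ADSL 0.0.0.0 0.0.0.0 192.168.0.1 1
! ASSUMPTION: the organisation's networks reached via 10.2.125.1 are summarised
! as 10.0.0.0/8; replace with the real prefixes, one route line per prefix.
route OUTSIDE 10.0.0.0 255.0.0.0 10.2.125.1 1

! Publish 192.168.0.2:443 -> 192.168.2.17:443 (the target given in the thread).
! Pre-8.3 syntax: static (real_ifc,mapped_ifc) mapped_ip port real_ip port.
static (DATA,ADSL) tcp 192.168.0.2 https 192.168.2.17 https netmask 255.255.255.255

! Inbound on ADSL: permit only the published service instead of ip any any.
! Pre-8.3 ACLs match the mapped address. ASSUMPTION: list name ADSL_access_in_4.
access-list ADSL_access_in_4 extended permit tcp any host 192.168.0.2 eq https
access-group ADSL_access_in_4 in interface ADSL

! Existing translations have to be rebuilt after changing statics and routes.
clear xlate
```

Paste it from the management interface (192.168.1.0/24), not over a session that depends on the default route you are removing, and remember the failover peer receives the change. Check the result with show route and with packet-tracer, which 7.2 already has: packet-tracer input ADSL tcp 217.222.223.35 56894 192.168.0.2 443 walks the ACL, NAT and route phases for exactly the flow in the log and should now end with the DATA egress instead of a no-route drop. The trade-off is the one the first post hints at: with the default route on ADSL, the PCs' Internet traffic leaves through the Fastweb line rather than through the organisation's floor switch, which is why the organisation's prefixes must be pinned to OUTSIDE. If the default route has to stay on OUTSIDE, this release gives no way to steer the replies back out ADSL.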