Meraki in passthrough mode behind an ASA

Network Engineering user
Asked 2019-05-14 12:28:13
Answers 1 · Views 969 · Followers 0 · Votes 3

I'm having trouble getting bidirectional traffic through a Meraki box sitting behind an ASA 5508-X. I can see the client VPN request travel from the client device to a server on our LAN, and the server responds, but the Meraki never sends the reply back to the client. (The Meraki is in passthrough mode.) I'm not sure whether the remote subnets need to be defined more explicitly; I previously had the client subnet defined locally, but that was no better. For reference, 192.168.3.0/24 is the client subnet and 192.168.129.0/24 is the other site.

I believe I have the appropriate ports forwarded. I've added the default routes for both the site-to-site and client VPNs. I suspect this may be a NAT problem. Here is the ASA config.

ASA Version 9.8(2) 
!
hostname ciscoasa
enable password $xxx
names

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.252 
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.254.0 
!
interface GigabitEthernet1/2.2
 description Isolated Guest traffic
 vlan 2
 nameif Guest
 security-level 60
 ip address 192.168.2.1 255.255.255.0 
!
interface GigabitEthernet1/3
 nameif VOIP
 security-level 100
 ip address 172.16.0.99 255.255.255.0 
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network inside
 subnet 192.168.0.0 255.255.254.0
object network phones
 subnet 172.16.0.0 255.255.255.0
object network Guests
 subnet 192.168.2.0 255.255.255.0
 description Isolated guest traffic
object network Meraki
 host 192.168.0.1
object network Meraki_natt
 host 192.168.0.1
object network bossVPN
 host 192.168.3.0
 description 255.255.255.0

access-list global_access extended permit udp any object Meraki eq isakmp 
access-list global_access extended permit udp any object Meraki eq 4500 
access-list internal extended permit ip any any 
access-list internal extended permit icmp any any 
access-list internal extended permit udp 192.168.0.0 255.255.254.0 host 8.8.8.8 eq domain 
access-list internal extended permit udp 192.168.0.0 255.255.254.0 host 8.8.4.4 eq domain 
access-list internal extended permit udp 192.168.0.0 255.255.254.0 host 9.9.9.9 eq domain 
access-list internal extended permit udp 192.168.0.0 255.255.254.0 host 75.75.76.76 eq domain 
access-list internal extended permit udp object Meraki any eq isakmp 
access-list internal extended permit udp object Meraki any eq 4500 
access-list external extended permit ip any any 
access-list external extended permit icmp any any 
access-list Guest_access_in extended deny ip any 192.168.0.0 255.255.254.0 
access-list Guest_access_in extended permit ip any any 
access-list Guest_access_in extended permit icmp any any 
pager lines 24
logging enable
logging asdm notifications
mtu outside 1500
mtu inside 1500
mtu Guest 1500
mtu VOIP 1500
no failover
no monitor-interface service-module 
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!

object network inside
 nat (inside,outside) dynamic interface
object network phones
 nat (VOIP,outside) dynamic interface
object network Guests
 nat (Guest,outside) dynamic interface
object network Meraki
 nat (any,outside) static interface service udp isakmp isakmp 
object network Meraki_natt
 nat (any,outside) static interface service udp 4500 4500 
access-group external in interface outside
access-group internal in interface inside
access-group Guest_access_in in interface Guest
access-group internal in interface VOIP
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside 192.168.3.0 255.255.255.0 192.168.0.1 1
route inside 192.168.129.0 255.255.255.0 192.168.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.0.0 255.255.254.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.249 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd lease 86400 interface inside
dhcpd domain BII interface inside
dhcpd enable inside
!
dhcpd address 192.168.2.100-192.168.2.149 Guest
dhcpd dns 9.9.9.9 8.8.8.8 interface Guest
dhcpd lease 86400 interface Guest
dhcpd domain Guest interface Guest
dhcpd enable Guest
!
dhcpd address 172.16.0.120-172.16.0.219 VOIP
dhcpd dns 8.8.8.8 interface VOIP
dhcpd lease 86400 interface VOIP
dhcpd domain voip interface VOIP
dhcpd enable VOIP
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous

EDIT: Adding a static route to the client VPN subnet on a server on the internal network allows that server to work with the VPN. I would much rather the static route on the ASA were what mattered.

Oddly, if I load the PBX (172.16.0.35) I see bidirectional traffic in the "Client VPN pcap", but none of the 192.168.0.0/23 traffic works.

Do the routes from the ASA have to propagate before this works? Restart the connected devices or something?

EDIT 2: Some context. The Meraki sits between GigabitEthernet1/2 on the ASA and our 52-port L2 switch.

EDIT 3: I'm now leaning towards NAT being the problem again.

[Image: Meraki WAN traffic (filtered by the client VPN IP address)]

[Image: Meraki LAN traffic (filtered by the client VPN IP address)]

[Image: Meraki client VPN traffic]

Can someone help me with the NAT statement(s) needed to send 192.168.3.0/24 traffic through 192.168.0.1?
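The question asks for a NAT fix, but before touching NAT it is worth reading the posted configuration for the patterns that actually matter here: a hairpin route back into the interface the traffic enters, an `object network` that carries a netmask in its description instead of a `subnet` line, `permit ip any any` ACLs bound inbound to interfaces, and a weak SSH key-exchange group. The following lint script is an added example written for this edit; it is not code from the question or from the Network Engineering site. It parses a constructed excerpt of the configuration above (the object, ACL, route and SSH lines are copied from the post; the finding codes and messages are this example's own) and reports the findings a reviewer would flag.

```python
import re

# Constructed excerpt of the ASA configuration posted in the question.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
object network Meraki
 host 192.168.0.1
object network bossVPN
 host 192.168.3.0
 description 255.255.255.0
access-list external extended permit ip any any
access-list internal extended permit ip any any
access-group external in interface outside
access-group internal in interface inside
route inside 192.168.3.0 255.255.255.0 192.168.0.1 1
ssh key-exchange group dh-group1-sha1
"""

# Dotted-quad netmask (contiguous ones); used to spot a mask hiding in a description.
NETMASK_RE = re.compile(
    r"^(255|254|252|248|240|224|192|128|0)(\.(255|254|252|248|240|224|192|128|0)){3}$"
)


def parse_objects(cfg: str) -> dict:
    """Collect 'object network NAME' blocks into {name: {keyword: value}}.
    ASA prints each object twice (definition and NAT section); blocks are merged."""
    objects, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"^object network (\S+)", line)
        if m:
            current = objects.setdefault(m.group(1), {})
            continue
        if current is not None and line.startswith(" "):
            parts = line.split(None, 1)
            if len(parts) == 2:
                current[parts[0]] = parts[1].strip()
        else:
            current = None
    return objects


def lint(cfg: str) -> list:
    """Return (code, message) findings for the configuration text."""
    findings = []

    # 1. A 'host' object whose address looks like a network and whose description is a mask.
    for name, attrs in parse_objects(cfg).items():
        host, desc = attrs.get("host", ""), attrs.get("description", "")
        if host.endswith(".0") and NETMASK_RE.match(desc):
            findings.append(("HOST_WITH_MASK",
                f"object {name}: 'host {host}' with netmask {desc} in the description; "
                f"a network object was probably intended ('subnet {host} {desc}')"))

    # 2. 'permit ip any any' ACLs that are actually bound inbound to an interface.
    groups = dict(re.findall(r"^access-group (\S+) in interface (\S+)", cfg, re.M))
    for acl in re.findall(r"^access-list (\S+) extended permit ip any any", cfg, re.M):
        if acl in groups:
            findings.append(("PERMIT_ANY_INBOUND",
                f"acl {acl} permits ip any any and is applied inbound on {groups[acl]}; "
                f"exposure is limited only by NAT"))

    # 3. SSH key exchange using DH group 1 with SHA-1 (1024-bit modulus, deprecated).
    if re.search(r"^ssh key-exchange group dh-group1-sha1", cfg, re.M):
        findings.append(("WEAK_SSH_KEX",
            "ssh key-exchange uses dh-group1-sha1; prefer a stronger group supported by the platform"))

    # 4. Routes that send traffic back out an internal interface (hairpin). With
    #    intra-interface traffic permitted, the ASA must still see both directions of
    #    each flow or it will drop the return segments as out-of-state.
    hairpin = re.search(r"^same-security-traffic permit intra-interface", cfg, re.M)
    for iface, net, mask, nexthop in re.findall(r"^route (\S+) (\S+) (\S+) (\S+)", cfg, re.M):
        if iface != "outside" and hairpin:
            findings.append(("HAIRPIN_ROUTE",
                f"route to {net} {mask} via {nexthop} points back into interface {iface}; "
                f"verify the ASA sees both directions of flows to that subnet"))
    return findings


if __name__ == "__main__":
    for code, msg in lint(SAMPLE_CONFIG):
        print(f"{code:20} {msg}")
```

Running it against the excerpt reports one `HOST_WITH_MASK`, two `PERMIT_ANY_INBOUND` (the `external` ACL on `outside` and `internal` on `inside`), one `WEAK_SSH_KEX` and one `HAIRPIN_ROUTE`. The hairpin finding is the one that foreshadows the accepted answer: the route for 192.168.3.0/24 sends reply traffic from the LAN back out the `inside` interface toward the Meraki, so the ASA only ever sees one half of each conversation.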

1 Answer

Network Engineering user

Accepted answer

Posted 2019-06-03 18:00:19

It turns out that passthrough mode on the Meraki does not work behind an ASA. The Meraki does not forward traffic through the ASA, so the TCP handshake breaks: the VPN traffic sends its SYN directly to the LAN machine, but the LAN machine replies via the ASA, and the ASA drops the packet because it never saw the initial SYN. (In this mode the Meraki only forwards traffic addressed to itself; otherwise it behaves as an L2 device.)

My solution was to break the Meraki out onto its own interface at the same security level and adjust the routes to point at its new IP address. In the Meraki documentation this is called "VPN concentrator" mode. For reference, I did not need to change anything in the Meraki configuration apart from the static IP, and the ASA configuration only gained another interface with the associated NAT and routes.

Votes 2
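The failure the answer describes is a stateful-inspection problem, not a NAT problem: an ASA creates a connection entry when it sees the SYN, and a SYN-ACK arriving with no matching entry is dropped. The following simulation is an added example, not part of the answer or of any Cisco or Meraki code. It models the three paths discussed on this page with a toy connection table: passthrough mode (only the reply crosses the ASA), the asker's workaround of a static route on the server (neither direction crosses the ASA), and VPN concentrator mode (both directions cross the ASA). The client and server addresses are constructed from the subnets in the question.

```python
from dataclasses import dataclass, field

# Constructed endpoints: a client VPN user in 192.168.3.0/24 and a LAN server in
# 192.168.0.0/23 (both ranges appear in the question; the exact hosts are made up).
CLIENT = ("192.168.3.10", 51000)
SERVER = ("192.168.0.50", 443)


@dataclass(frozen=True)
class Segment:
    src: tuple   # (ip, port)
    dst: tuple   # (ip, port)
    flags: str   # "SYN", "SYN-ACK" or "ACK"


@dataclass
class StatefulFirewall:
    """Toy model of ASA TCP inspection: a flow is admitted into the connection
    table only by a SYN; any other segment without a table entry is dropped."""
    conns: set = field(default_factory=set)
    dropped: list = field(default_factory=list)

    @staticmethod
    def _key(seg: Segment) -> frozenset:
        # Direction-independent flow key (src/dst endpoints as an unordered pair).
        return frozenset((seg.src, seg.dst))

    def forward(self, seg: Segment) -> bool:
        key = self._key(seg)
        if seg.flags == "SYN":
            self.conns.add(key)
            return True
        if key in self.conns:
            return True
        self.dropped.append(seg)   # what the ASA logs as "Deny TCP (no connection)"
        return False


# The three-way handshake between the VPN client and the LAN server.
HANDSHAKE = [
    Segment(CLIENT, SERVER, "SYN"),
    Segment(SERVER, CLIENT, "SYN-ACK"),
    Segment(CLIENT, SERVER, "ACK"),
]

# Which direction of the flow actually traverses the ASA in each topology.
TOPOLOGIES = {
    # Meraki in passthrough mode behind the ASA: the SYN goes Meraki -> switch ->
    # server without touching the ASA, but the server's default gateway is the ASA.
    "passthrough": {"client_to_server_via_asa": False, "server_to_client_via_asa": True},
    # Asker's workaround: static route on the server sends replies straight to the Meraki.
    "passthrough+server_static_route": {"client_to_server_via_asa": False, "server_to_client_via_asa": False},
    # Accepted answer: Meraki on its own ASA interface (VPN concentrator mode).
    "vpn_concentrator": {"client_to_server_via_asa": True, "server_to_client_via_asa": True},
}


def handshake_completes(client_to_server_via_asa: bool, server_to_client_via_asa: bool) -> bool:
    """Replay the handshake through a fresh firewall; False if any segment is dropped."""
    asa = StatefulFirewall()
    for seg in HANDSHAKE:
        via_asa = client_to_server_via_asa if seg.src == CLIENT else server_to_client_via_asa
        if via_asa and not asa.forward(seg):
            return False
    return True


def evaluate_all() -> dict:
    return {name: handshake_completes(**paths) for name, paths in TOPOLOGIES.items()}


if __name__ == "__main__":
    for name, ok in evaluate_all().items():
        print(f"{name:32} {'handshake completes' if ok else 'SYN-ACK dropped by ASA'}")
```

Only the passthrough topology fails, and it fails on the SYN-ACK, which matches the asker's observation that the server responds but the client never receives the reply. On a real ASA the dropped segment shows up as syslog message 106015 ("Deny TCP (no connection)"), which is the first thing to check with `show logging` or a packet capture on the inside interface when a Meraki, or any other device that bypasses the firewall in one direction, is suspected of asymmetric routing.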
Original page content provided by Network Engineering; translation supported by the Tencent Cloud IT-domain engine.
Original link:

https://networkengineering.stackexchange.com/questions/59137
