Routing between VLANs on an ASA

Forum section: Routing problems

Rafael
wannabe
Posts: 87
Joined: 21 Nov 2013, 21:47

#1 Post by Rafael »

Hello
I don't know what's going on, but routing between VLANs from VLAN 1 to 99 isn't working for me.
Could someone take a look at where I'm making a mistake?

I'll add that both VLANs are on a single interface.

I set:

Code:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Code:

sh run
: Saved
:
ASA Version 8.2(2) 
!
hostname xxx
domain-name xx
names
name 192.168.120.0 INNSIDENETT
name 192.168.1.0 GJESTENETT
name 192.168.120.254 LANPORT
name xxx DRIFTWANPORT
name xx PCSNETT
name 192.168.120.190 VIDEOWEBSERVER
name xx LOGISTRAWAN
name 172.22.0.0 HOSTING_NETT
name 192.168.1.254 GJESTE_LANPORT
!
interface Vlan1
 nameif inside
 security-level 100
 ip address LANPORT 255.255.255.0 
!             
interface Vlan2
 description Secondary ISP
 nameif outside
 security-level 0
 ip address xx 255.255.255.240 
!             
interface Vlan3
 description Primary ISP
 nameif PrimaryISP
 security-level 0
 ip address xxx 255.255.255.240 
!             
interface Vlan11
 nameif guest 
 security-level 50
 ip address GJESTE_LANPORT 255.255.255.0 
!             
interface Vlan99
 description Maszyny
 nameif Maszyny
 security-level 100
 ip address 192.168.250.254 255.255.255.0 
!             
interface Vlan100
 description WIFI-TIR
 nameif WIFI-TIR
 security-level 100
 ip address 192.168.254.254 255.255.255.0 
!             
interface Ethernet0/0
 switchport access vlan 2
!             
interface Ethernet0/1
!             
interface Ethernet0/2
 switchport trunk allowed vlan 1,11,99-100
 switchport trunk native vlan 1
 switchport mode trunk
!             
interface Ethernet0/3
 switchport access vlan 3
!             
interface Ethernet0/4
!             
interface Ethernet0/5
!             
interface Ethernet0/6
!             
interface Ethernet0/7
 description 
 switchport trunk allowed vlan 1,11
 switchport trunk native vlan 1
 switchport mode trunk
!             
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone GMT+1 1
clock summer-time GMT+1 recurring last Sun Mar 2:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name xx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type ALLOWED_ICMP
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
object-group network BlockedIPtoInternet
 description IP's blocked from Internet-access
 network-object host 192.168.120.5
 network-object host 192.168.120.6
 network-object host 192.168.120.7
 network-object host 192.168.120.120
 network-object host 192.168.120.121
 network-object host 192.168.120.122
 network-object host 192.168.120.123
access-list inside_access_in extended permit tcp object-group BlockedIPtoInternet any eq 5938 
access-list inside_access_in extended permit udp object-group BlockedIPtoInternet any eq domain 
access-list inside_access_in extended permit ip object-group BlockedIPtoInternet NRC_HOSTING_NETT 255.255.255.224 
access-list inside_access_in extended deny ip object-group BlockedIPtoInternet any 
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit icmp any any object-group ALLOWED_ICMP 
access-list outside_access_in extended permit tcp host DRIFTWANPORT interface outside eq 3389 
access-list outside_access_in extended permit icmp any any object-group ALLOWED_ICMP 
access-list outside_access_in extended permit tcp any interface outside eq 5050 
access-list outside_access_in extended permit tcp any interface outside eq 5052 
access-list outside_access_in extended permit tcp any interface outside eq 5938 
access-list outside_access_in extended permit tcp any interface outside eq 5080 
access-list outside_access_in extended permit tcp any interface outside eq 53777 
access-list trafikk_inn extended permit tcp any interface outside eq 4550 
access-list trafikk_inn extended permit tcp any interface outside eq 5550 
access-list trafikk_inn extended permit tcp any interface outside eq 6550 
access-list trafikk_inn extended permit tcp host xxx interface outside eq 3389 
access-list outside_cryptomap extended permit ip INNSIDENETT 255.255.255.0 NRC_HOSTING_NETT 255.255.255.224 
access-list inside_nat0_outbound extended permit ip any xx 255.255.255.224 
access-list inside_nat0_outbound extended permit ip any 192.168.122.0 255.255.255.0 
access-list AL-Priority extended permit ip NRC_HOSTING_NETT 255.255.255.224 any 
access-list block-vpn-to-local extended permit ip any any 
access-list cryptomap_mi extended permit ip INNSIDENETT 255.255.255.0 192.168.122.0 255.255.255.0 
access-list inside_maszyny_in extended permit ip any any 
access-list inside_wifi-tir_in extended permit ip any any 
pager lines 24
logging enable
logging timestamp
logging list error-events level errors class vpn
logging list error-events message 713120
logging buffered notifications
logging trap notifications
logging asdm notifications
logging mail error-events
logging host outside 172.22.0.2
logging host inside 192.168.120.220
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 305006
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
mtu inside 1500
mtu outside 1500
mtu PrimaryISP 1500
mtu guest 1500
mtu Maszyny 1500
mtu WIFI-TIR 1500
no failover   
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634-53.bin
no asdm history enable
arp Maszyny 192.168.250.1 0014.d11f.f03b 
arp timeout 14400
global (outside) 1 interface
global (PrimaryISP) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (guest) 1 0.0.0.0 0.0.0.0
nat (Maszyny) 1 0.0.0.0 0.0.0.0
nat (WIFI-TIR) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 4550 VIDEOWEBSERVER 4550 netmask 255.255.255.255 
static (inside,outside) tcp interface 5550 VIDEOWEBSERVER 5550 netmask 255.255.255.255 
static (inside,outside) tcp interface 6550 VIDEOWEBSERVER 6550 netmask 255.255.255.255 
static (inside,outside) tcp interface 5050 192.168.120.243 5050 netmask 255.255.255.255 
static (inside,outside) tcp interface 5052 192.168.120.242 5052 netmask 255.255.255.255 
static (inside,outside) tcp interface 5080 192.168.120.229 5080 netmask 255.255.255.255 
static (inside,outside) tcp interface 53777 192.168.120.229 53777 netmask 255.255.255.255 
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group outside_access_in in interface PrimaryISP
access-group inside_maszyny_in in interface Maszyny
access-group inside_wifi-tir_in in interface WIFI-TIR
route PrimaryISP 0.0.0.0 0.0.0.0 xx 1 track 1
route outside 0.0.0.0 0.0.0.0 xxx 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
http server enable
http INNSIDENETT 255.255.255.0 inside
snmp-server host outside 81.26.32.11 community *****
snmp-server host PrimaryISP 81.26.32.11 community *****
snmp-server host outside DRIFTWANPORT community *****
snmp-server host PrimaryISP DRIFTWANPORT community *****
snmp-server host outside 81.26.32.51 community *****
snmp-server host PrimaryISP 81.26.32.51 community *****
snmp-server host outside 81.26.53.10 community *****
snmp-server host PrimaryISP 81.26.53.10 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 10
 type echo protocol ipIcmpEcho xxx interface PrimaryISP
 num-packets 3
 timeout 1000 
 frequency 10 
sla monitor schedule 10 life forever start-time now
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set pfs group5
crypto map outside_map0 1 set peer HOSTING_WANPORT 
crypto map outside_map0 1 set transform-set ESP-AES-128-SHA
crypto map outside_map0 1 set security-association lifetime seconds 28800
crypto map outside_map0 1 set security-association lifetime kilobytes 4608000
crypto map outside_map0 2 match address cryptomap_mi
crypto map outside_map0 2 set pfs group5
crypto map outside_map0 2 set peer xxx
crypto map outside_map0 2 set transform-set ESP-AES-128-SHA
crypto map outside_map0 2 set security-association lifetime seconds 28800
crypto map outside_map0 2 set security-association lifetime kilobytes 4608000
crypto map outside_map0 interface outside
crypto map outside_map0 interface PrimaryISP
crypto isakmp enable outside
crypto isakmp enable PrimaryISP
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha     
 group 5      
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha     
 group 2      
 lifetime 86400
!             
track 1 rtr 10 reachability
telnet INNSIDENETT 255.255.255.0 inside
telnet timeout 10
ssh timeout 30
console timeout 0
dhcpd dns 194.204.159.1
dhcpd ping_timeout 750
dhcpd domain guest.xx
!             
dhcpd address 192.168.1.100-192.168.1.200 guest
dhcpd enable guest
!             
dhcpd address 192.168.250.1-192.168.250.10 Maszyny
dhcpd enable Maszyny
!             
dhcpd address 192.168.254.1-192.168.254.240 WIFI-TIR
dhcpd enable WIFI-TIR
!             
              
priority-queue inside
  tx-ring-limit 256
no threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server xx source outside
webvpn        
group-policy block-vpn-to-local-policy internal
group-policy block-vpn-to-local-policy attributes
 vpn-filter value block-vpn-to-local
 vpn-tunnel-protocol IPSec 
tunnel-group xx type ipsec-l2l
tunnel-group xx general-attributes
 default-group-policy block-vpn-to-local-policy
tunnel-group xx ipsec-attributes
 pre-shared-key *****
tunnel-group xx type ipsec-l2l
tunnel-group xx ipsec-attributes
 pre-shared-key *****
!             
class-map CM-Priority
 match access-list AL-Priority
class-map inspection_default
 match default-inspection-traffic
!             
!             
policy-map type inspect dns preset_dns_map
 parameters   
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect pptp 
  inspect ip-options 
!             
service-policy global_policy global
smtp-server xx
prompt hostname context 
call-home     
 profile CiscoTAC-1
  no active   
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:18b46c9524127b625bc4b42e26f3a7b2
: end         

drake
CCIE
Posts: 1593
Joined: 06 May 2005, 01:32
Location: Dortmund, DE

#2 Post by drake »

Add static NAT rules or NAT exclusion for the traffic between the interfaces you're interested in.

Cheers! :)
Never stop exploring :)

https://iverion.de

Rafael
wannabe
Posts: 87
Joined: 21 Nov 2013, 21:47

#3 Post by Rafael »

thanks Drake

and, if I may ask immodestly, could you give an example of that NAT exclusion?

dorvin
CCIE
Posts: 1688
Joined: 21 Jan 2008, 13:21
Location: Wrocław

#4 Post by dorvin »

You already have an example in your own configuration.

And as a formal matter: "exemption", not "exclusion". Easier to find in the documentation. :)

Rafael
wannabe
Posts: 87
Joined: 21 Nov 2013, 21:47

#5 Post by Rafael »

damn, I'm still doing something wrong, I still can't pass traffic from VLAN 1 to 99
I added NAT

Code:

static (inside,Maszyny) 192.168.120.0 192.168.250.0 netmask 255.255.255.0

can someone help?

Dzastiz
CCIE
Posts: 74
Joined: 25 Sep 2011, 13:36
Location: Warszawa

#6 Post by Dzastiz »

Rafael wrote: I added NAT [...]
You added it the other way round - in 8.2 code, confusingly, you first give the IP address of the network on the second interface and then the one on the first :wink: So it should be:

Code:

static (inside,Maszyny) 192.168.250.0 192.168.120.0 netmask 255.255.255.0

But the above will cause addresses from 192.168.120.0/24 to be NATed to 192.168.250.0/24 when going from 'inside' to 'Maszyny'. And, as I understand it, you don't really want to change the source IP address, so maybe better like this:

Code:

static (inside,Maszyny) 192.168.120.0 192.168.120.0 netmask 255.255.255.0

But it will be simpler for you to add this traffic to the inside_nat0_outbound ACL:

Code:

access-list inside_nat0_outbound extended permit ip 192.168.120.0 255.255.255.0 192.168.250.0 255.255.255.0

The second thing is that with the entry:

Code:

access-list inside_access_in extended deny ip object-group BlockedIPtoInternet any

you are blocking traffic from some 192.168.120.0/24 addresses (the ones in object-group BlockedIPtoInternet) to the 192.168.250.0/24 network. Check which IP addresses you're testing with.

And if it still doesn't work, check what the output of the commands below shows (where the traffic stops):

Code:

packet-tracer input inside icmp 192.168.120.10 8 0 192.168.250.10 detailed
packet-tracer input inside tcp 192.168.120.10 1024 192.168.250.10 22 detailed

Knowledge is power.

Rafael
wannabe
Posts: 87
Joined: 21 Nov 2013, 21:47

#7 Post by Rafael »

thanks, I added nat0

Code:

access-list inside_nat0_outbound extended permit ip 192.168.120.0 255.255.255.0 192.168.250.0 255.255.255.0 

and it still doesn't pass traffic,
below is the packet tracer output

Code:

packet-tracer input inside icmp 192.168.120.10 8 0 192.168.250.10 d$

Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd822c3f8, priority=1, domain=permit, deny=false
        hits=86211, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 2
Type: FLOW-LOOKUP
Subtype: 
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW 
Config:       
Additional Information:
in   192.168.250.0   255.255.255.0   Maszyny
              
Phase: 4      
Type: ACCESS-LIST
Subtype: log  
Result: ALLOW 
Config:       
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any 
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd840a140, priority=12, domain=permit, deny=false
        hits=3110, user_data=0xd64ef7e0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
              
Phase: 5      
Type: IP-OPTIONS
Subtype:      
Result: ALLOW 
Config:       
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd822eb30, priority=0, domain=inspect-ip-options, deny=true
        hits=3747, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
              
Phase: 6      
Type: INSPECT 
Subtype: np-inspect
Result: ALLOW 
Config:       
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd822e7a8, priority=66, domain=inspect-icmp-error, deny=false
        hits=222, user_data=0xd822e690, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
              
Phase: 7      
Type: NAT-EXEMPT
Subtype:      
Result: ALLOW 
Config:       
  match ip inside INNSIDENETT 255.255.255.0 Maszyny 192.168.250.0 255.255.255.0
    NAT exempt
    translate_hits = 1, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd7ea39e8, priority=6, domain=nat-exempt, deny=false
        hits=1, user_data=0xd8febb30, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=INNSIDENETT, mask=255.255.255.0, port=0
        dst ip=192.168.250.0, mask=255.255.255.0, port=0, dscp=0x0
              
Phase: 8      
Type: NAT     
Subtype:      
Result: ALLOW 
Config:       
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any Maszyny any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd83ef098, priority=1, domain=nat, deny=false
        hits=1, user_data=0xd83eefd8, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
              
Phase: 9      
Type: NAT     
Subtype: host-limits
Result: ALLOW 
Config:       
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd83ed468, priority=1, domain=host, deny=false
        hits=3203, user_data=0xd83ed050, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
              
Phase: 10     
Type: NAT     
Subtype: rpf-check
Result: DROP  
Config:       
nat (Maszyny) 1 0.0.0.0 0.0.0.0
  match ip Maszyny any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xd83f25b8, priority=1, domain=nat-reverse, deny=false
        hits=1, user_data=0xd83f2348, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
              
Result:       
input-interface: inside
input-status: up
input-line-status: up
output-interface: Maszyny
output-status: up
output-line-status: up
Action: drop  
Drop-reason: (acl-drop) Flow is denied by configured rule

Dzastiz
CCIE
Posts: 74
Joined: 25 Sep 2011, 13:36
Location: Warszawa

#8 Post by Dzastiz »

Rafael wrote:

Code:

packet-tracer input inside icmp 192.168.120.10 8 0 192.168.250.10 d$

[...]
Phase: 10     
Type: NAT     
Subtype: rpf-check
Result: DROP  
Config:       
nat (Maszyny) 1 0.0.0.0 0.0.0.0
  match ip Maszyny any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xd83f25b8, priority=1, domain=nat-reverse, deny=false
        hits=1, user_data=0xd83f2348, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
In 'Phase: 10' you have the answer. The return traffic is being caught by NAT on the 'Maszyny' interface:

Code:

nat (Maszyny) 1 0.0.0.0 0.0.0.0

Also add an analogous nat 0 configuration for that interface:

Code:

access-list maszyny_nat0_outbound extended permit ip 192.168.250.0 255.255.255.0 192.168.120.0 255.255.255.0

nat (Maszyny) 0 access-list maszyny_nat0_outbound

And it should be OK.
Knowledge is power.
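As an added illustration (not code from this thread, from Cisco, or from the ASA itself), here is a small Python model of the per-flow decision order that the packet-tracer output in #7 exposes and that #6 and #8 explain: the inbound ACL is checked first, then NAT exemption or dynamic NAT on the input interface, and finally the rpf-check, which looks up the reverse flow (destination back to source) against the output interface's NAT rules. The model covers only 'nat (if) 0 access-list', 'nat (if) <id> 0.0.0.0 0.0.0.0' and 'global (if) <id>' (no 'static'), treats ACL entries as IP-only (the port-specific permits that precede the BlockedIPtoInternet deny are left out), and assumes the 8.2 default of nat-control disabled, so a flow that matches no NAT rule at all is forwarded untranslated. The class name AsaNat82 and the thread_config() helper are mine, and thread_config() is constructed from the posted configuration with only three of the blocked hosts. It reproduces the drop at rpf-check before the fix from #8, the allow after it, and the ACL drop for a blocked host that #6 warns about.

```python
"""Simplified model of the ASA 8.2 per-flow decision order shown by packet-tracer.

Added example, not ASA or Cisco code.  Models only ACL first-match, NAT exemption
('nat (if) 0 access-list'), dynamic NAT ('nat (if) <id>' + 'global (if) <id>') and
the rpf-check of the reverse flow on the output interface.  Assumes the 8.2 default
'no nat-control': a flow that matches no NAT rule is forwarded untranslated.
Statics and L4 ports are deliberately left out.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


def _match(net, addr):
    """'any' or a CIDR string against a dotted-quad address."""
    return net == "any" or ip_address(addr) in ip_network(net)


@dataclass
class AsaNat82:
    acl_in: dict = field(default_factory=dict)    # if -> [(action, src_net, dst_net)]
    nat0: dict = field(default_factory=dict)      # if -> [(src_net, dst_net)] exempt ACEs
    dyn_nat: dict = field(default_factory=dict)   # if -> NAT id of 'nat (if) <id> 0 0'
    globals_: dict = field(default_factory=dict)  # if -> {NAT ids that have a global pool}

    def _acl_permits(self, ifc, src, dst):
        for action, s, d in self.acl_in.get(ifc, []):
            if _match(s, src) and _match(d, dst):
                return action == "permit"
        return False  # implicit deny at the end of every ACL

    def _exempt(self, ifc, src, dst):
        return any(_match(s, src) and _match(d, dst) for s, d in self.nat0.get(ifc, []))

    def _nat_lookup(self, from_if, src, to_if, dst):
        """NAT decision for a flow entering from_if and leaving via to_if (both directions use this)."""
        if self._exempt(from_if, src, dst):
            return "ALLOW (NAT exempt)"
        nat_id = self.dyn_nat.get(from_if)
        if nat_id is None:
            return "ALLOW (no NAT rule, nat-control off)"
        if nat_id in self.globals_.get(to_if, set()):
            return "ALLOW (dynamic translation)"
        return "DROP (no matching global)"

    def trace(self, in_if, src, out_if, dst):
        """Return (action, phases) in the order packet-tracer reports them."""
        phases = [("ACCESS-LIST", "ALLOW" if self._acl_permits(in_if, src, dst) else "DROP")]
        if phases[-1][1] == "DROP":
            return "drop", phases
        phases.append(("NAT", self._nat_lookup(in_if, src, out_if, dst)))
        if phases[-1][1].startswith("DROP"):
            return "drop", phases
        # rpf-check: the reverse flow dst->src is looked up on the output interface's rules.
        phases.append(("NAT rpf-check", self._nat_lookup(out_if, dst, in_if, src)))
        if phases[-1][1].startswith("DROP"):
            return "drop", phases
        return "allow", phases


def thread_config(fixed):
    """Constructed from the posted config: state after #7 (fixed=False) or after #8 (fixed=True)."""
    blocked = ["192.168.120.5/32", "192.168.120.6/32", "192.168.120.7/32"]  # subset of the object-group
    asa = AsaNat82()
    asa.acl_in["inside"] = [("deny", h, "any") for h in blocked] + [("permit", "any", "any")]
    asa.acl_in["Maszyny"] = [("permit", "any", "any")]                 # inside_maszyny_in
    asa.nat0["inside"] = [("192.168.120.0/24", "192.168.250.0/24")]   # inside_nat0_outbound (#7)
    for ifc in ("inside", "guest", "Maszyny", "WIFI-TIR"):
        asa.dyn_nat[ifc] = 1                                          # nat (if) 1 0.0.0.0 0.0.0.0
    asa.globals_ = {"outside": {1}, "PrimaryISP": {1}}               # global (if) 1 interface
    if fixed:                                                         # nat (Maszyny) 0 access-list ... (#8)
        asa.nat0["Maszyny"] = [("192.168.250.0/24", "192.168.120.0/24")]
    return asa


if __name__ == "__main__":
    for fixed in (False, True):
        action, phases = thread_config(fixed).trace("inside", "192.168.120.10", "Maszyny", "192.168.250.10")
        print(f"fixed={fixed}: {action} {phases}")
```

The point the model makes explicit is that the blanket 'nat (Maszyny) 1 0.0.0.0 0.0.0.0' is what catches the reverse flow: it matches any destination, and because no 'global (inside) 1' exists the rpf-check fails even though the forward direction was already exempted on 'inside'. A more specific nat 0 entry on 'Maszyny' wins over the dynamic rule, which is exactly the fix in #8.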

Rafael
wannabe
Posts: 87
Joined: 21 Nov 2013, 21:47

#9 Post by Rafael »

damn, now packet tracer on the ASA shows that the traffic is OK.

but when I try to ping the interface on the ASA, 192.168.250.254, from a computer, the ping doesn't respond

computer ----> switch ----> asa

FastEthernet0/46 is the trunk port to the ASA
FastEthernet0/32 is where the computer is connected

switch configuration

Code:

sh run
Building configuration...

Current configuration : 5506 bytes
!
! Last configuration change at 21:42:29 GMT+1 Sun Dec 14 2014
! NVRAM config last updated at 21:42:30 GMT+1 Sun Dec 14 2014
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!

!
boot-start-marker
boot-end-marker
!
enable secret 
!
no aaa new-model
clock timezone GMT+1 1
clock summer-time GMT+1 recurring last Sun Mar 2:00 last Sun Oct 2:00
system mtu routing 1500
vtp domain 
vtp mode transparent
ip subnet-zero
!
!
ip name-server 
ip name-server 
!
!
crypto pki trustpoint TP-self-signed-3885639040
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3885639040
 revocation-check none
 rsakeypair TP-self-signed-3885639040
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
vlan 99
 name Maszyny
!
vlan 100
 name WIFI-TIR
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
 switchport mode trunk
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface FastEthernet0/25
!
interface FastEthernet0/26
!
interface FastEthernet0/27
!
interface FastEthernet0/28
!
interface FastEthernet0/29
!
interface FastEthernet0/30
!
interface FastEthernet0/31
!
interface FastEthernet0/32
!
interface FastEthernet0/33
!
interface FastEthernet0/34
!
interface FastEthernet0/35
!
interface FastEthernet0/36
!
interface FastEthernet0/37
!
interface FastEthernet0/38
!
interface FastEthernet0/39
!
interface FastEthernet0/40
!
interface FastEthernet0/41
!
interface FastEthernet0/42
!
interface FastEthernet0/43
!
interface FastEthernet0/44
!
interface FastEthernet0/45
!
interface FastEthernet0/46
 description FW1
 switchport mode trunk
!
interface FastEthernet0/47
!
interface FastEthernet0/48
!
interface GigabitEthernet0/1
 description SW5
 switchport mode trunk
 spanning-tree portfast disable
!
interface GigabitEthernet0/2
 description SW2
 switchport mode trunk
!
interface Vlan1
 ip address 192.168.120.249 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.120.254
no ip http server
ip http secure-server
logging trap debugging
logging origin-id string K
logging 192.168.120.220
!
control-plane
!
!
line con 0
 exec-timeout 5 0
 stopbits 1
line vty 0 4
 exec-timeout 5 0
 password 
 login
 transport input telnet
line vty 5 15
 exec-timeout 5 0
 password 
 login
 transport input telnet
!
ntp clock-period 36028999
ntp server 81.26.32.148
end

Dzastiz
CCIE
Posts: 74
Joined: 25 Sep 2011, 13:36
Location: Warszawa

#10 Post by Dzastiz »

Rafael wrote: damn, now packet tracer on the ASA shows that the traffic is OK.

but when I try to ping the interface on the ASA, 192.168.250.254, from a computer, the ping doesn't respond
As I understand it, you're pinging from a computer in VLAN 1? Don't ping the ASA interface (Vlan 99), ping a real host on the VLAN 99 side. The ASA won't answer you.

As long as hosts on the VLAN1 side can ping the ASA Vlan1 interface (their default gateway), hosts on the VLAN99 side can ping the ASA Vlan99 interface (their default gateway), and packet-tracer shows that the traffic goes through, the configuration should already be OK.

And as bedtime reading, an interesting discussion: ASA outside interface from inside host doesn't ping; why?, and a similar one: Cant ping outside ASA 5520 interface from inside host.
Knowledge is power.

Rafael
wannabe
Posts: 87
Joined: 21 Nov 2013, 21:47

#11 Post by Rafael »

right, the default gateway, thanks for clearing that up

I'll check at work tomorrow,

thanks again,

regards

Rafael
wannabe
Posts: 87
Joined: 21 Nov 2013, 21:47

#12 Post by Rafael »

Dzastiz, thanks, it's OK

it really was the default gateway

regards