Nie wiem, co jest grane, ale nie działa mi routing między VLAN-ami z VLAN-u 1 do 99.
Czy może ktoś zerknąć, gdzie robię błąd?
Dodam, że obydwa VLAN-y są na jednym interfejsie.
Ustawiłem:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
sh run
: Saved
:
ASA Version 8.2(2)
!
hostname xxx
domain-name xx
names
name 192.168.120.0 INNSIDENETT
name 192.168.1.0 GJESTENETT
name 192.168.120.254 LANPORT
name xxx DRIFTWANPORT
name xx PCSNETT
name 192.168.120.190 VIDEOWEBSERVER
name xx LOGISTRAWAN
name 172.22.0.0 HOSTING_NETT
name 192.168.1.254 GJESTE_LANPORT
!
interface Vlan1
nameif inside
security-level 100
ip address LANPORT 255.255.255.0
!
interface Vlan2
description Secondary ISP
nameif outside
security-level 0
ip address xx 255.255.255.240
!
interface Vlan3
description Primary ISP
nameif PrimaryISP
security-level 0
ip address xxx 255.255.255.240
!
interface Vlan11
nameif guest
security-level 50
ip address GJESTE_LANPORT 255.255.255.0
!
interface Vlan99
description Maszyny
nameif Maszyny
security-level 100
ip address 192.168.250.254 255.255.255.0
!
interface Vlan100
description WIFI-TIR
nameif WIFI-TIR
security-level 100
ip address 192.168.254.254 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport trunk allowed vlan 1,11,99-100
switchport trunk native vlan 1
switchport mode trunk
!
interface Ethernet0/3
switchport access vlan 3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
description
switchport trunk allowed vlan 1,11
switchport trunk native vlan 1
switchport mode trunk
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone GMT+1 1
clock summer-time GMT+1 recurring last Sun Mar 2:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name xx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type ALLOWED_ICMP
icmp-object echo-reply
icmp-object time-exceeded
icmp-object traceroute
icmp-object unreachable
object-group network BlockedIPtoInternet
description IP's blocked from Internet-access
network-object host 192.168.120.5
network-object host 192.168.120.6
network-object host 192.168.120.7
network-object host 192.168.120.120
network-object host 192.168.120.121
network-object host 192.168.120.122
network-object host 192.168.120.123
access-list inside_access_in extended permit tcp object-group BlockedIPtoInternet any eq 5938
access-list inside_access_in extended permit udp object-group BlockedIPtoInternet any eq domain
access-list inside_access_in extended permit ip object-group BlockedIPtoInternet NRC_HOSTING_NETT 255.255.255.224
access-list inside_access_in extended deny ip object-group BlockedIPtoInternet any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any object-group ALLOWED_ICMP
access-list outside_access_in extended permit tcp host DRIFTWANPORT interface outside eq 3389
access-list outside_access_in extended permit icmp any any object-group ALLOWED_ICMP
access-list outside_access_in extended permit tcp any interface outside eq 5050
access-list outside_access_in extended permit tcp any interface outside eq 5052
access-list outside_access_in extended permit tcp any interface outside eq 5938
access-list outside_access_in extended permit tcp any interface outside eq 5080
access-list outside_access_in extended permit tcp any interface outside eq 53777
access-list trafikk_inn extended permit tcp any interface outside eq 4550
access-list trafikk_inn extended permit tcp any interface outside eq 5550
access-list trafikk_inn extended permit tcp any interface outside eq 6550
access-list trafikk_inn extended permit tcp host xxx interface outside eq 3389
access-list outside_cryptomap extended permit ip INNSIDENETT 255.255.255.0 NRC_HOSTING_NETT 255.255.255.224
access-list inside_nat0_outbound extended permit ip any xx 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 192.168.122.0 255.255.255.0
access-list AL-Priority extended permit ip NRC_HOSTING_NETT 255.255.255.224 any
access-list block-vpn-to-local extended permit ip any any
access-list cryptomap_mi extended permit ip INNSIDENETT 255.255.255.0 192.168.122.0 255.255.255.0
access-list inside_maszyny_in extended permit ip any any
access-list inside_wifi-tir_in extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging list error-events level errors class vpn
logging list error-events message 713120
logging buffered notifications
logging trap notifications
logging asdm notifications
logging mail error-events
logging host outside 172.22.0.2
logging host inside 192.168.120.220
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 305006
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
mtu inside 1500
mtu outside 1500
mtu PrimaryISP 1500
mtu guest 1500
mtu Maszyny 1500
mtu WIFI-TIR 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634-53.bin
no asdm history enable
arp Maszyny 192.168.250.1 0014.d11f.f03b
arp timeout 14400
global (outside) 1 interface
global (PrimaryISP) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (guest) 1 0.0.0.0 0.0.0.0
nat (Maszyny) 1 0.0.0.0 0.0.0.0
nat (WIFI-TIR) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 4550 VIDEOWEBSERVER 4550 netmask 255.255.255.255
static (inside,outside) tcp interface 5550 VIDEOWEBSERVER 5550 netmask 255.255.255.255
static (inside,outside) tcp interface 6550 VIDEOWEBSERVER 6550 netmask 255.255.255.255
static (inside,outside) tcp interface 5050 192.168.120.243 5050 netmask 255.255.255.255
static (inside,outside) tcp interface 5052 192.168.120.242 5052 netmask 255.255.255.255
static (inside,outside) tcp interface 5080 192.168.120.229 5080 netmask 255.255.255.255
static (inside,outside) tcp interface 53777 192.168.120.229 53777 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group outside_access_in in interface PrimaryISP
access-group inside_maszyny_in in interface Maszyny
access-group inside_wifi-tir_in in interface WIFI-TIR
route PrimaryISP 0.0.0.0 0.0.0.0 xx 1 track 1
route outside 0.0.0.0 0.0.0.0 xxx 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http INNSIDENETT 255.255.255.0 inside
snmp-server host outside 81.26.32.11 community *****
snmp-server host PrimaryISP 81.26.32.11 community *****
snmp-server host outside DRIFTWANPORT community *****
snmp-server host PrimaryISP DRIFTWANPORT community *****
snmp-server host outside 81.26.32.51 community *****
snmp-server host PrimaryISP 81.26.32.51 community *****
snmp-server host outside 81.26.53.10 community *****
snmp-server host PrimaryISP 81.26.53.10 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 10
type echo protocol ipIcmpEcho xxx interface PrimaryISP
num-packets 3
timeout 1000
frequency 10
sla monitor schedule 10 life forever start-time now
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set pfs group5
crypto map outside_map0 1 set peer HOSTING_WANPORT
crypto map outside_map0 1 set transform-set ESP-AES-128-SHA
crypto map outside_map0 1 set security-association lifetime seconds 28800
crypto map outside_map0 1 set security-association lifetime kilobytes 4608000
crypto map outside_map0 2 match address cryptomap_mi
crypto map outside_map0 2 set pfs group5
crypto map outside_map0 2 set peer xxx
crypto map outside_map0 2 set transform-set ESP-AES-128-SHA
crypto map outside_map0 2 set security-association lifetime seconds 28800
crypto map outside_map0 2 set security-association lifetime kilobytes 4608000
crypto map outside_map0 interface outside
crypto map outside_map0 interface PrimaryISP
crypto isakmp enable outside
crypto isakmp enable PrimaryISP
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
track 1 rtr 10 reachability
telnet INNSIDENETT 255.255.255.0 inside
telnet timeout 10
ssh timeout 30
console timeout 0
dhcpd dns 194.204.159.1
dhcpd ping_timeout 750
dhcpd domain guest.xx
!
dhcpd address 192.168.1.100-192.168.1.200 guest
dhcpd enable guest
!
dhcpd address 192.168.250.1-192.168.250.10 Maszyny
dhcpd enable Maszyny
!
dhcpd address 192.168.254.1-192.168.254.240 WIFI-TIR
dhcpd enable WIFI-TIR
!
priority-queue inside
tx-ring-limit 256
no threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server xx source outside
webvpn
group-policy block-vpn-to-local-policy internal
group-policy block-vpn-to-local-policy attributes
vpn-filter value block-vpn-to-local
vpn-tunnel-protocol IPSec
tunnel-group xx type ipsec-l2l
tunnel-group xx general-attributes
default-group-policy block-vpn-to-local-policy
tunnel-group xx ipsec-attributes
pre-shared-key *****
tunnel-group xx type ipsec-l2l
tunnel-group xx ipsec-attributes
pre-shared-key *****
!
class-map CM-Priority
match access-list AL-Priority
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect pptp
inspect ip-options
!
service-policy global_policy global
smtp-server xx
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:18b46c9524127b625bc4b42e26f3a7b2
: end