This time I've run into a problem I can't get past (on my own). It concerns a new feature in Cisco ASA, namely PBR.
I configured it and it looked like it was working fine, that is, traffic from inside goes out to the internet, it is not NATed, the hosts have public IP addresses assigned.
But it turned out that traffic from the internet does not reach those hosts, though ICMP does.
Below I'll post the logs and maybe something can be done about it.
Platform: CISCO ASA 5508
Software: 9.52, I also tried 9.51 and 9.42 (didn't work either)
The log shows the following message, though:
Code:
Routing failed to locate next hop for TCP from Network2_LOCAL_101:1.1.1.68/80 to Network_OUT:10.10.10.129/5149
sh conn address 1.1.1.68 | i 10.10.10.129
Code:
TCP Network_OUT 10.10.10.129:10027 Network2_LOCAL_101 1.1.1.68:80, idle 0:00:02, bytes 0, flags aXB
TCP Network_OUT 10.10.10.129:10026 Network2_LOCAL_101 1.1.1.68:80, idle 0:00:03, bytes 0, flags aXB
- there is no NAT there
- the ACL allows everything (for testing I put permit ip any any)
- packet-tracer also shows the traffic passing, in both directions
PBR configuration:
Code:
interface GigabitEthernet1/3.101
vlan 101
nameif Network2_LOCAL_101
security-level 20
ip address 1.1.1.94 255.255.255.224
policy-route route-map PBR
!
interface GigabitEthernet1/3.103
vlan 103
nameif Network3_LOCAL_103
security-level 20
ip address 1.1.1.102 255.255.255.248
policy-route route-map PBR
interface GigabitEthernet1/4.529
vlan 529
nameif Network_OUT
security-level 0
ip address 1.1.1.61 255.255.255.252
route-map PBR permit 10
match ip address ACLka
set ip next-hop 1.1.1.62
set interface Network_OUT
access-list ACLka extended deny ip 1.1.1.64 255.255.255.224 192.168.21.0 255.255.255.0
access-list ACLka extended deny ip 1.1.1.96 255.255.255.248 192.168.21.0 255.255.255.0
access-list ACLka extended permit ip 1.1.1.64 255.255.255.224 any
access-list ACLka extended permit ip any 1.1.1.64 255.255.255.224
access-list ACLka extended permit ip 1.1.1.96 255.255.255.248 any
access-list ACLka extended permit ip any 1.1.1.96 255.255.255.248
access-list ACLka extended deny ip any any
Code:
policy-map global_policy
class inspection_default
inspect icmp
In case anyone asks, there is an SFR there, I put it in monitor-only, but the logs show it's a routing problem, because the packet is dropped and the querying host gets TCP timeouts.
Question: why is PBR there?
- because part of the subnets go out to the internet via a different provider (plain 0 0 routing to an IP), and everything works there, traffic from the subnets as well as from the internet to the NATed hosts
- why didn't I use contexts: because AnyConnect is required
I'll also throw in a packet-tracer:
From inside to outside: (this traffic works, I'm including it as an example)
Code:
packet-tracer input Network2_LOCAL_101 tcp 1.1.1.68 http 10.10.10.129 http
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd0a709ea60, priority=1, domain=permit, deny=false
hits=22944, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Network2_LOCAL_101, output_ifc=any
Phase: 2
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config:
route-map Network permit 10
match ip address RouteNetwork
set ip next-hop 1.1.1.62
set interface Network_OUT
Additional Information:
Matched route-map Network, sequence 10, permit
Found next-hop 1.1.1.62 using egress ifc Network_OUT
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Network_drukarki in interface Network2_LOCAL_101
access-list Network_drukarki extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd0a7427550, priority=13, domain=permit, deny=false
hits=6122, user_data=0x7fd09f3e8a40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Network2_LOCAL_101, output_ifc=any
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd0a643c390, priority=0, domain=nat-per-session, deny=false
hits=8610, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd0a70a6f20, priority=0, domain=inspect-ip-options, deny=true
hits=11799, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Network2_LOCAL_101, output_ifc=any
Phase: 6
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map SFR
match any
policy-map global_policy
class SFR
sfr fail-open monitor-only
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd0a814b0b0, priority=71, domain=sfr, deny=false
hits=5940, user_data=0x7fd0a8148170, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Network2_LOCAL_101, output_ifc=any
Phase: 7
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fd0a8155150, priority=18, domain=flow-export, deny=false
hits=6125, user_data=0x7fd0a6e69d90, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Network2_LOCAL_101, output_ifc=any
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fd0a643c390, priority=0, domain=nat-per-session, deny=false
hits=8612, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fd0a71a5ff0, priority=0, domain=inspect-ip-options, deny=true
hits=11773, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Network_OUT, output_ifc=any
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 17753, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_sfr
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_sfr
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: Network2_LOCAL_101
input-status: up
input-line-status: up
output-interface: Network_OUT
output-status: up
output-line-status: up
Action: allow
Code:
packet-tracer input Network_OUT tcp 10.10.10.129 http 1.1.1.68 http
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 1.1.1.68 using egress ifc Network2_LOCAL_101
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Network_OUT_access_in in interface Network_OUT
access-list Network_OUT_access_in extended permit ip any any
Additional Information:
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map SFR
match any
policy-map global_policy
class SFR
sfr fail-open monitor-only
service-policy global_policy global
Additional Information:
Phase: 7
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 258829, packet dispatched to next module
Result:
input-interface: Network_OUT
input-status: up
input-line-status: up
output-interface: Network2_LOCAL_101
output-status: up
output-line-status: up
Action: allow
Thanks in advance for any ideas or remarks!
I hope it's not some bug in the software...
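When an ASA logs "Routing failed to locate next hop", the first thing worth checking is which route-map ACE the flow in that message actually hits, in each direction. The script below is an added example (not the poster's code and not a Cisco tool): it parses the syslog line quoted in the post, parses the ACLka entries from the post into network objects, and reports the first matching ACE for the logged flow. It assumes that ASA evaluates an extended ACL top-down with first match winning, that "any" means 0.0.0.0/0, and that an implicit deny follows the last entry; the ACL and log text are copied from the post, and the extra test flows are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Route-map ACL copied from the post (only "ip SRC DST" ACEs are supported here).
ACL_TEXT = """
access-list ACLka extended deny ip 1.1.1.64 255.255.255.224 192.168.21.0 255.255.255.0
access-list ACLka extended deny ip 1.1.1.96 255.255.255.248 192.168.21.0 255.255.255.0
access-list ACLka extended permit ip 1.1.1.64 255.255.255.224 any
access-list ACLka extended permit ip any 1.1.1.64 255.255.255.224
access-list ACLka extended permit ip 1.1.1.96 255.255.255.248 any
access-list ACLka extended permit ip any 1.1.1.96 255.255.255.248
access-list ACLka extended deny ip any any
"""

# The syslog line quoted in the post.
LOG_LINE = ("Routing failed to locate next hop for TCP from "
            "Network2_LOCAL_101:1.1.1.68/80 to Network_OUT:10.10.10.129/5149")


@dataclass
class Ace:
    index: int            # 0-based position in the ACL (evaluation order)
    action: str           # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _net(tokens):
    """Consume one address spec ('any' or 'ADDR MASK') from a token list."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_acl(text):
    """Parse 'access-list NAME extended ACTION ip SRC DST' lines into Ace objects."""
    aces = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list" or parts[4] != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        src, rest = _net(parts[5:])
        dst, _ = _net(rest)
        aces.append(Ace(len(aces), parts[3], src, dst))
    return aces


def first_match(aces, src_ip, dst_ip):
    """Top-down, first-match evaluation (assumed ASA semantics). None = implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace
    return None


LOG_RE = re.compile(
    r"Routing failed to locate next hop for (?P<proto>\w+) from "
    r"(?P<src_ifc>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst_ifc>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+)")


def parse_routing_failure(line):
    """Extract the 5-tuple and interface names from the ASA message, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def explain(line, acl_text=ACL_TEXT):
    """Map a 'Routing failed' log line to the route-map ACE its flow would hit."""
    rec = parse_routing_failure(line)
    if rec is None:
        return None
    ace = first_match(parse_acl(acl_text), rec["src"], rec["dst"])
    return {
        "flow": rec,
        "ace_index": None if ace is None else ace.index,
        "action": "deny" if ace is None else ace.action,
    }


if __name__ == "__main__":
    result = explain(LOG_LINE)
    print(f"{result['flow']['src']} -> {result['flow']['dst']}: "
          f"ACE #{result['ace_index']} ({result['action']})")
    # Constructed reverse direction of the same flow:
    rev = first_match(parse_acl(ACL_TEXT), "10.10.10.129", "1.1.1.68")
    print(f"10.10.10.129 -> 1.1.1.68: ACE #{rev.index} ({rev.action})")
```

Run as is, it reports that the logged flow from 1.1.1.68 hits the third entry (permit 1.1.1.64/27 any) and the reverse direction hits the fourth (permit any 1.1.1.64/27), so both directions of the connection are classified by the route-map; the function can be pointed at any other ACE set or log line by passing different text.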