
Configure NAT Reflection on the ASA for TelePresence Devices

August 28, 2015 (machine-translated version)
Other versions: PDF | English (June 19, 2015)

Introduction

This document describes how to implement a Network Address Translation (NAT) reflection configuration on the Cisco Adaptive Security Appliance (ASA), which is required for the particular Cisco TelePresence scenarios that call for this type of NAT configuration on the firewall (FW).

Contributed by Christian Hernandez, Cisco TAC Engineer.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • Cisco ASA basic NAT configuration

  • Cisco TelePresence Video Communication Server (VCS) Control and VCS Expressway basic configuration

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco ASA 5500 and 5500-X Series devices that run software Version 8.3 and later (the equivalent commands for Version 8.2 and earlier are also shown)

  • Cisco VCS Version X8.5

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Background Information

According to the Cisco TelePresence documentation, there are two TelePresence scenarios that require a NAT reflection configuration on the FW in order to allow the VCS Control to contact the VCS Expressway via the public IP address of the VCS Expressway.

The first scenario involves a single-subnet demilitarized zone (DMZ) with a single VCS Expressway LAN interface, and the second scenario involves a 3-port FW DMZ with a single VCS Expressway LAN interface.

Tip: For more details about the TelePresence implementation, refer to the Cisco TelePresence Video Communication Server Basic Configuration (Control with Expressway) Deployment Guide.

Single-Subnet DMZ with a Single VCS Expressway LAN Interface

In this scenario, FW A can route traffic to FW B (and vice versa). The VCS Expressway allows video traffic to pass through FW B without the need to pinhole traffic on FW B from the outside interface to the inside interface. The VCS Expressway also handles FW traversal on its public side.

Here is an example:

This deployment uses these components:

  • A single-subnet DMZ (10.0.10.0/24) that contains:

    • The inside interface of FW A (10.0.10.1)
    • The outside interface of FW B (10.0.10.2)
    • The LAN1 interface of the VCS Expressway (10.0.10.3)
  • A LAN subnet (10.0.30.0/24) that contains:

    • The inside interface of FW B (10.0.30.1)
    • The LAN1 interface of the VCS Control (10.0.30.2)
    • The network interface of the Cisco TelePresence Management Server (TMS) (10.0.30.3)

A static one-to-one NAT is configured on FW A, which translates the public address 64.100.0.10 to the LAN1 IP address of the VCS Expressway. Static NAT mode is enabled on the LAN1 interface of the VCS Expressway with a static NAT IP address of 64.100.0.10.

Note: You must enter the Fully Qualified Domain Name (FQDN) of the VCS Expressway, as seen from outside the network, as the peer address of the secure traversal zone on the VCS Control. The reason is that in static NAT mode the VCS Expressway requests that inbound signaling and media traffic be sent to its external FQDN rather than to its private name. This also means that the external FW must allow traffic from the VCS Control to the external FQDN of the VCS Expressway. This is known as NAT reflection, and it might not be supported by all types of FWs.

In this example, FW A must allow NAT reflection of the traffic that comes from the VCS Control and is destined for the external IP address (64.100.0.10) of the VCS Expressway. The traversal zone on the VCS Control must have 64.100.0.10 as its peer address.

The VCS Expressway should be configured with a default gateway of 10.0.10.1. Whether static routes are required in this scenario depends on the capabilities and settings of FW A and FW B. Communication from the VCS Control to the VCS Expressway takes place via the 64.100.0.10 IP address of the VCS Expressway, and the return traffic from the VCS Expressway to the VCS Control might have to pass through the default gateway.

If a static route is added to the VCS Expressway so that the reply traffic goes from the VCS Expressway directly through FW B to the 10.0.30.0/24 subnet, asymmetric routing occurs. This might not work, depending on the FW capabilities.

The VCS Expressway can be added to the Cisco TMS with the IP address 10.0.10.3 (or with the IP address 64.100.0.10, if FW A allows this), because the Cisco TMS management communications are not affected by the static NAT mode setting on the VCS Expressway.

3-Port FW DMZ with a Single VCS Expressway LAN Interface

Here is an example of this scenario:

In this deployment, a 3-port FW is used in order to create:

  • A DMZ subnet (10.0.10.0/24) that contains:

    • The DMZ interface of FW A (10.0.10.1)
    • The LAN1 interface of the VCS Expressway (10.0.10.2)
  • A LAN subnet (10.0.30.0/24) that contains:

    • The LAN interface of FW A (10.0.30.1)
    • The LAN1 interface of the VCS Control (10.0.30.2)
    • The network interface of the Cisco TMS (10.0.30.3)

A static one-to-one NAT is configured on FW A, which translates the public IP address 64.100.0.10 to the LAN1 IP address of the VCS Expressway. Static NAT mode is enabled on the LAN1 interface of the VCS Expressway with a static NAT IP address of 64.100.0.10.

The VCS Expressway should be configured with a default gateway of 10.0.10.1. Because all traffic that leaves the VCS Expressway must use this gateway, static routes are not required in this type of deployment.

The traversal client zone on the VCS Control must be configured with a peer address that matches the static NAT address of the VCS Expressway (64.100.0.10 in this example), for the same reasons as those described in the previous scenario.

Note: This means that FW A must allow traffic from the VCS Control with a destination IP address of 64.100.0.10. This is also known as NAT reflection, and it is worth noting that it is not supported by all types of FWs.

The VCS Expressway can be added to the Cisco TMS with the IP address 10.0.10.2 (or with the IP address 64.100.0.10, if FW A allows this), because the Cisco TMS management communications are not affected by the static NAT mode setting on the VCS Expressway.

Configure

This section describes how to configure NAT reflection for the two different TelePresence implementation scenarios.

Single-Subnet DMZ with a Single VCS Expressway LAN Interface

For the first scenario, you must apply the NAT reflection configuration shown here in order to allow NAT reflection of the traffic that comes from the VCS Control and is destined for the external address (64.100.0.10) of the VCS Expressway. Note that the configuration and the packet-tracer output in this document are taken on FW B, the firewall that the VCS Control traffic enters first: FW B itself untranslates the destination to the VCS Expressway LAN1 address and forwards the packet out of its outside interface onto the DMZ, so the reflection does not have to be performed on FW A.

In this example, the VCS Control IP address is 10.0.30.2/24 and the VCS Expressway IP address is 10.0.10.3/24.

If you assume that the VCS Control IP address 10.0.30.2 is translated to the IP address 10.0.10.2 (the FW B outside interface) as it moves from the inside interface to the outside interface of FW B, then the NAT reflection configuration that you should implement on FW B is shown in the example below.

ASA Version 8.3 and later:

object network obj-10.0.30.2
host 10.0.30.2

object network obj-10.0.10.3
host 10.0.10.3

object network obj-64.100.0.10
host 64.100.0.10

nat (inside,outside) source static obj-10.0.30.2 interface destination static obj-64.100.0.10 obj-10.0.10.3

Note: After this NAT rule is applied, the ASA displays a warning message like this one:

WARNING: All traffic destined to the IP address of the outside interface is being redirected.
WARNING: Users may not be able to access any service enabled on the outside interface.

ASA Version 8.2 and earlier:

access-list IN-OUT-INTERFACE extended permit ip host 10.0.30.2 host 64.100.0.10
static (inside,outside) interface access-list IN-OUT-INTERFACE

access-list OUT-IN-INTERFACE extended permit ip host 10.0.10.3 host 10.0.10.2
static (outside,inside) 64.100.0.10 access-list OUT-IN-INTERFACE

Note: Translating the source IP address of the packets in this flow is optional. The main objective of this NAT reflection translation is to let the VCS Control reach the VCS Expressway via the public IP address of the VCS Expressway rather than via its private IP address. Bear in mind, though, what the Background section says about the return path: if the source is left untranslated, the VCS Expressway answers 10.0.30.2 directly and, with its default gateway of 10.0.10.1, sends that reply to FW A instead of back to FW B, unless the VCS Expressway has a static route for 10.0.30.0/24 via 10.0.10.2. Translating the source to the FW B outside interface, as shown, keeps both directions of the flow on FW B.

3-Port FW DMZ with a Single VCS Expressway LAN Interface

For the second scenario, you must apply this NAT reflection configuration on FW A in order to allow NAT reflection of the traffic that comes from the VCS Control and is destined for the external IP address (64.100.0.10) of the VCS Expressway:

In this example, the VCS Control IP address is 10.0.30.2/24 and the VCS Expressway IP address is 10.0.10.2/24.

If you assume that the VCS Control IP address 10.0.30.2 is translated to the IP address 10.0.10.1 (the FW A DMZ interface) as it moves from the inside interface to the DMZ interface of FW A, then the NAT reflection configuration that you should implement on FW A is shown in the example below.

ASA Version 8.3 and later:

object network obj-10.0.30.2
host 10.0.30.2

object network obj-10.0.10.2
host 10.0.10.2

object network obj-64.100.0.10
host 64.100.0.10

nat (inside,DMZ) source static obj-10.0.30.2 interface destination static obj-64.100.0.10 obj-10.0.10.2

Note: After this NAT rule is applied, the ASA displays a warning message like this one:

WARNING: All traffic destined to the IP address of the DMZ interface is being redirected.
WARNING: Users may not be able to access any service enabled on the DMZ interface.

ASA Version 8.2 and earlier:

access-list IN-DMZ-INTERFACE extended permit ip host 10.0.30.2 host 64.100.0.10
static (inside,DMZ) interface access-list IN-DMZ-INTERFACE

access-list DMZ-IN-INTERFACE extended permit ip host 10.0.10.2 host 10.0.10.1
static (DMZ,inside) 64.100.0.10 access-list DMZ-IN-INTERFACE

Note: Translating the source IP address of the packets in this flow is optional. The main objective of this NAT reflection translation is to let the VCS Control reach the VCS Expressway via the public IP address of the VCS Expressway rather than via its private IP address. In this scenario the default gateway of the VCS Expressway is the FW A DMZ interface (10.0.10.1), so the reply returns through FW A whether or not the source is translated.
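To make the return-path reasoning of both scenarios concrete, here is an added example (my own code, not part of this document and not Cisco's) that models the manual NAT rules above together with the routing table of the VCS Expressway and reports, for each variant, which firewall the reply reaches. The model assumes that the VCS Expressway replies to the source address it received, delivers on-link destinations directly, and that a flow is "symmetric" when the reply comes back to the firewall that reflected the request. The static route entry for 10.0.30.0/24 via 10.0.10.2 is the hypothetical one discussed in the Background section; the addresses are the ones used throughout this document.

```python
"""Model of ASA manual (twice) NAT reflection plus the VCS Expressway's routing.

Added example, not Cisco's code. For each variant of the rules shown above it
answers one question: does the Expressway's reply come back through the firewall
that reflected the request (symmetric), or through a different one?
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class TwiceNat:
    """nat (real_ifc,mapped_ifc) source static REAL_SRC MAPPED_SRC
                              destination static MAPPED_DST REAL_DST"""
    real_ifc: str
    mapped_ifc: str
    real_src: str     # VCS Control LAN1 address
    mapped_src: str   # firewall interface address, or real_src if left untranslated
    mapped_dst: str   # public (static NAT) address of the VCS Expressway
    real_dst: str     # VCS Expressway LAN1 address

    def translate(self, ingress: str, pkt: Packet) -> Optional[Tuple[str, Packet]]:
        """Return (egress interface, rewritten packet), or None if the rule does not match."""
        # Forward: VCS Control -> public address. Destination is un-NATed, source optionally NATed.
        if ingress == self.real_ifc and (pkt.src, pkt.dst) == (self.real_src, self.mapped_dst):
            return self.mapped_ifc, Packet(self.mapped_src, self.real_dst)
        # Reverse: the Expressway's reply, which only matches if it arrives on the mapped side.
        if ingress == self.mapped_ifc and (pkt.src, pkt.dst) == (self.real_dst, self.mapped_src):
            return self.real_ifc, Packet(self.mapped_dst, self.real_src)
        return None


Route = Tuple[str, Optional[str]]  # (network, gateway); gateway None means on-link


def next_hop(routes: List[Route], dst: str) -> str:
    """Longest-prefix match; an on-link destination is its own next hop."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return dst if best[1] is None else best[1]


def reply_path(rule: TwiceNat, expressway_routes: List[Route], fw_dmz_addr: str) -> Dict:
    """Push the VCS Control's packet through the reflecting firewall, let the
    Expressway answer, and report where that answer goes. fw_dmz_addr is the
    reflecting firewall's own address on the Expressway's subnet."""
    egress, fwd = rule.translate(rule.real_ifc, Packet(rule.real_src, rule.mapped_dst))
    reply = Packet(fwd.dst, fwd.src)              # Expressway answers the source it saw
    hop = next_hop(expressway_routes, reply.dst)
    back = rule.translate(egress, reply) if hop == fw_dmz_addr else None
    return {
        "expressway_sees_src": fwd.src,
        "reply_next_hop": hop,
        "symmetric": back is not None,
        "control_sees_reply_from": back[1].src if back else None,
    }


# Addresses from the document. The Expressway default gateway is 10.0.10.1 in both scenarios.
EXPRESSWAY_ROUTES: List[Route] = [("10.0.10.0/24", None), ("0.0.0.0/0", "10.0.10.1")]
STATIC_ROUTE_VIA_FW_B: List[Route] = [("10.0.30.0/24", "10.0.10.2")]  # hypothetical, see Background
# Scenario 1: rule on FW B (outside interface 10.0.10.2); Expressway LAN1 is 10.0.10.3.
SCENARIO1 = TwiceNat("inside", "outside", "10.0.30.2", "10.0.10.2", "64.100.0.10", "10.0.10.3")
# Scenario 2: rule on FW A (DMZ interface 10.0.10.1); Expressway LAN1 is 10.0.10.2.
SCENARIO2 = TwiceNat("inside", "DMZ", "10.0.30.2", "10.0.10.1", "64.100.0.10", "10.0.10.2")


def untranslated_source(rule: TwiceNat) -> TwiceNat:
    """The same rule with the optional source translation removed."""
    return replace(rule, mapped_src=rule.real_src)


CASES = {
    "scenario1 source->interface": (SCENARIO1, EXPRESSWAY_ROUTES, "10.0.10.2"),
    "scenario1 source untranslated": (untranslated_source(SCENARIO1), EXPRESSWAY_ROUTES, "10.0.10.2"),
    "scenario1 source untranslated + static route": (
        untranslated_source(SCENARIO1), EXPRESSWAY_ROUTES + STATIC_ROUTE_VIA_FW_B, "10.0.10.2"),
    "scenario2 source->interface": (SCENARIO2, EXPRESSWAY_ROUTES, "10.0.10.1"),
    "scenario2 source untranslated": (untranslated_source(SCENARIO2), EXPRESSWAY_ROUTES, "10.0.10.1"),
}

if __name__ == "__main__":
    for name, args in CASES.items():
        print(f"{name}: {reply_path(*args)}")
```

Running it shows the point of the two notes above: in scenario 1 the flow is only symmetric if the source is translated to the FW B outside interface or the Expressway carries the static route via FW B; in scenario 2 it is symmetric either way, because the reflecting firewall is also the default gateway.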

Verify

This section provides packet-tracer outputs that you can use in order to confirm the correct NAT reflection configuration in both TelePresence scenarios.

Single-Subnet DMZ with a Single VCS Expressway LAN Interface

Here is the FW B packet-tracer output for ASA Version 8.3 and later:

FW-B# packet-tracer input inside tcp 10.0.30.2 1234 64.100.0.10 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static obj-10.0.30.2 obj-10.0.10.2 destination static
obj-64.100.0.10 obj-10.0.10.3
Additional Information:
NAT divert to egress interface inside
Untranslate 64.100.0.10/80 to 10.0.10.3/80

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static obj-10.0.30.2 obj-10.0.10.2 destination static
obj-64.100.0.10 obj-10.0.10.3
Additional Information:
Static translate 10.0.30.2/1234 to 10.0.10.2/1234

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static obj-10.0.30.2 obj-10.0.10.2 destination static
obj-64.100.0.10 obj-10.0.10.3
Additional Information:

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 421, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Here is the FW B packet-tracer output for ASA Version 8.2 and earlier:

FW-B# packet-tracer input inside tcp 10.0.30.2 1234 64.100.0.10 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (outside,inside) 64.100.0.10 access-list OUT-IN-INTERFACE
match ip outside host 10.0.10.3 inside host 10.0.10.2
static translation to 64.100.0.10
translate_hits = 0, untranslate_hits = 1
Additional Information:
NAT divert to egress interface outside
Untranslate 64.100.0.10/0 to 10.0.10.3/0 using netmask 255.255.255.255

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: SSM-DIVERT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: SSM_SERVICE
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) interface access-list IN-OUT-INTERFACE
match ip inside host 10.0.30.2 outside host 64.100.0.10
static translation to 10.0.10.2
translate_hits = 1, untranslate_hits = 0
Additional Information:
Static translate 10.0.30.2/0 to 10.0.10.2/0 using netmask 255.255.255.255

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) interface access-list IN-OUT-INTERFACE
match ip inside host 10.0.30.2 outside host 64.100.0.10
static translation to 10.0.10.2
translate_hits = 1, untranslate_hits = 0
Additional Information:

Phase: 8
Type: SSM_SERVICE
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (outside,inside) 64.100.0.10 access-list OUT-IN-INTERFACE
match ip outside host 10.0.10.3 inside host 10.0.10.2
static translation to 64.100.0.10
translate_hits = 0, untranslate_hits = 1
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 316, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

3-Port FW DMZ with a Single VCS Expressway LAN Interface

Here is the FW A packet-tracer output for ASA Version 8.3 and later:

FW-A# packet-tracer input inside tcp 10.0.30.2 1234 64.100.0.10 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,DMZ) source static obj-10.0.30.2 obj-10.0.10.1 destination static
obj-64.100.0.10 obj-10.0.10.2
Additional Information:
NAT divert to egress interface DMZ
Untranslate 64.100.0.10/80 to 10.0.10.2/80

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,DMZ) source static obj-10.0.30.2 obj-10.0.10.1 destination static
obj-64.100.0.10 obj-10.0.10.2
Additional Information:
Static translate 10.0.30.2/1234 to 10.0.10.1/1234

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,DMZ) source static obj-10.0.30.2 obj-10.0.10.1 destination static
obj-64.100.0.10 obj-10.0.10.2
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 424, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow

Here is the FW A packet-tracer output for ASA Version 8.2 and earlier:

FW-A# packet-tracer input inside tcp 10.0.30.2 1234 64.100.0.10 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (DMZ,inside) 64.100.0.10 access-list DMZ-IN-INTERFACE
match ip DMZ host 10.0.10.2 inside host 10.0.10.1
static translation to 64.100.0.10
translate_hits = 0, untranslate_hits = 1
Additional Information:
NAT divert to egress interface DMZ
Untranslate 64.100.0.10/0 to 10.0.10.2/0 using netmask 255.255.255.255

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: SSM-DIVERT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: SSM_SERVICE
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,DMZ) interface access-list IN-DMZ-INTERFACE
match ip inside host 10.0.30.2 DMZ host 64.100.0.10
static translation to 10.0.10.1
translate_hits = 1, untranslate_hits = 0
Additional Information:
Static translate 10.0.30.2/0 to 10.0.10.1/0 using netmask 255.255.255.255

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,DMZ) interface access-list IN-DMZ-INTERFACE
match ip inside host 10.0.30.2 DMZ host 64.100.0.10
static translation to 10.0.10.1
translate_hits = 1, untranslate_hits = 0
Additional Information:

Phase: 8
Type: SSM_SERVICE
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (DMZ,inside) 64.100.0.10 access-list DMZ-IN-INTERFACE
match ip DMZ host 10.0.10.2 inside host 10.0.10.1
static translation to 64.100.0.10
translate_hits = 0, untranslate_hits = 1
Additional Information:

Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (DMZ,inside) 64.100.0.10 access-list DMZ-IN-INTERFACE
match ip DMZ host 10.0.10.2 inside host 10.0.10.1
static translation to 64.100.0.10
translate_hits = 0, untranslate_hits = 1
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 750, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow
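When the same check has to be repeated on several firewalls, it is easier to script it than to read the transcripts by eye. The following added example (my own code, not from this document or from Cisco) parses packet-tracer output in both the 8.3+ and the 8.2 formats shown above and flags the things that indicate the reflection is not working: no UN-NAT of the public address to the Expressway LAN1 address, no static source translation, an unexpected egress interface, or a dropped packet. The first sample is an abbreviated copy of the FW A 8.3+ transcript above; the second is a constructed, illustrative transcript of the symptom you see when the reflection rule is missing (the packet follows the default route and is PATed outbound), not output captured from a device.

```python
"""Parse ASA packet-tracer output and check that NAT reflection did what we expect.

Added example, not part of the Cisco document. Works on the 8.3+ and the 8.2
transcript formats shown above (the 8.2 "using netmask ..." suffix is ignored).
"""
import re
from typing import Dict, List

# Constructed sample: the FW A (3-port DMZ) 8.3+ transcript above, abbreviated to the two NAT phases.
GOOD = """\
FW-A# packet-tracer input inside tcp 10.0.30.2 1234 64.100.0.10 80

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Additional Information:
NAT divert to egress interface DMZ
Untranslate 64.100.0.10/80 to 10.0.10.2/80

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Additional Information:
Static translate 10.0.30.2/1234 to 10.0.10.1/1234

Result:
input-interface: inside
output-interface: DMZ
Action: allow
"""

# Constructed, illustrative sample (not captured from a device) of the symptom when the
# reflection rule is missing: no UN-NAT phase, default route toward outside, outbound PAT.
BAD = """\
FW-A# packet-tracer input inside tcp 10.0.30.2 1234 64.100.0.10 80

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
Dynamic translate 10.0.30.2/1234 to 198.51.100.1/1234

Result:
input-interface: inside
output-interface: outside
Action: allow
"""

XLATE_RE = re.compile(r"^(Untranslate|Static translate|Dynamic translate) "
                      r"(\d+(?:\.\d+){3})/\d+ to (\d+(?:\.\d+){3})/\d+")
FIELD_RE = re.compile(r"^(Type|Subtype|Result):\s*(.*)$")


def parse_packet_tracer(text: str) -> Dict:
    """Return {"phases": [{type, subtype, result, xlate?}...], input_interface, output_interface, action}."""
    out: Dict = {"phases": []}
    phase = None
    in_result = False
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("Phase:"):
            phase = {"type": "", "subtype": "", "result": ""}
            out["phases"].append(phase)
        elif line == "Result:":                 # the final summary block, not a phase's "Result: ALLOW"
            phase, in_result = None, True
        elif in_result and ":" in line:
            key, value = line.split(":", 1)
            out[key.strip().lower().replace("-", "_")] = value.strip()
        elif phase is not None:
            field, xlate = FIELD_RE.match(line), XLATE_RE.match(line)
            if field:
                phase[field.group(1).lower()] = field.group(2).strip()
            elif xlate:
                phase["xlate"] = (xlate.group(1), xlate.group(2), xlate.group(3))
    return out


def check_reflection(text: str, public_ip: str, expressway_ip: str, control_ip: str,
                     mapped_src: str, egress_ifc: str) -> List[str]:
    """Return findings; an empty list means the reflection behaves as configured."""
    t = parse_packet_tracer(text)
    findings = []
    if t.get("action") != "allow":
        findings.append(f"packet not allowed: {t.get('action')}")
    findings += [f"phase {p['type']} dropped the packet" for p in t["phases"] if p["result"] == "DROP"]
    xlates = {p["type"]: p["xlate"] for p in t["phases"] if "xlate" in p}
    if xlates.get("UN-NAT") != ("Untranslate", public_ip, expressway_ip):
        findings.append(f"destination {public_ip} was not un-NATed to {expressway_ip}")
    if xlates.get("NAT") != ("Static translate", control_ip, mapped_src):
        findings.append(f"source {control_ip} was not statically translated to {mapped_src}")
    if t.get("output_interface") != egress_ifc:
        findings.append(f"egress is {t.get('output_interface')}, expected {egress_ifc}")
    return findings


if __name__ == "__main__":
    args = ("64.100.0.10", "10.0.10.2", "10.0.30.2", "10.0.10.1", "DMZ")
    print("good:", check_reflection(GOOD, *args) or "OK")
    print("bad: ", check_reflection(BAD, *args))
```

For the single-subnet scenario, call check_reflection with the FW B values instead (expressway_ip 10.0.10.3, mapped_src 10.0.10.2, egress_ifc outside). The parser only keys on the "Untranslate" and "Static translate" lines, so it is not confused by the 8.2 "static translation to ..." and "translate_hits" lines that appear in the Config part of each phase.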

Troubleshoot

You can configure packet captures on the ASA interfaces in order to confirm the source and destination translations as the packets enter and leave the FW interfaces involved.




Document ID: 118992