Cisco ASA - permite a comunicação entre o mesmo nível de segurança

2

Eu herdei recentemente uma rede com um Cisco ASA (executando a versão 8.2).

Estou tentando configurá-lo para permitir a comunicação entre duas interfaces configuradas com o mesmo nível de segurança (DMZ-DMZ)

"inter-interface de autorização de tráfego de mesma segurança" foi definida, mas os hosts não conseguem se comunicar entre as interfaces. Estou assumindo que algumas configurações de NAT estão causando meu problema. Abaixo está minha configuração em execução:

ASA Version 8.2(3) 
!
hostname asa
enable password XXXXXXXX encrypted
passwd XXXXXXXX encrypted
names
!
interface Ethernet0/0
 switchport access vlan 400
!
interface Ethernet0/1
 switchport access vlan 400
!
interface Ethernet0/2
 switchport access vlan 420
!
interface Ethernet0/3
 switchport access vlan 420
!
interface Ethernet0/4
 switchport access vlan 450
!
interface Ethernet0/5
 switchport access vlan 450
!
interface Ethernet0/6
 switchport access vlan 500
!
interface Ethernet0/7
 switchport access vlan 500
!
interface Vlan400
 nameif outside
 security-level 0
 ip address XX.XX.XX.10 255.255.255.248 
!
interface Vlan420
 nameif public
 security-level 20
 ip address 192.168.20.1 255.255.255.0 
!
interface Vlan450
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0 
!
interface Vlan500
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0 
!
ftp mode passive
clock timezone JST 9
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
 network-object host XX.XX.XX.11
 network-object host XX.XX.XX.13
object-group service ssh_2220 tcp
 port-object eq 2220
object-group service ssh_2251 tcp
 port-object eq 2251
object-group service ssh_2229 tcp
 port-object eq 2229
object-group service ssh_2210 tcp
 port-object eq 2210
object-group service DM_INLINE_TCP_1 tcp
 group-object ssh_2210
 group-object ssh_2220
object-group service zabbix tcp
 port-object range 10050 10051
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 group-object zabbix
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service http_8029 tcp
 port-object eq 8029
object-group network DM_INLINE_NETWORK_2
 network-object host 192.168.20.10
 network-object host 192.168.20.30
 network-object host 192.168.20.60
object-group service imaps_993 tcp
 description Secure IMAP
 port-object eq 993
object-group service public_wifi_group
 description Service allowed on the Public Wifi Group. Allows Web and Email.
 service-object tcp-udp eq domain 
 service-object tcp-udp eq www 
 service-object tcp eq https 
 service-object tcp-udp eq 993 
 service-object tcp eq imap4 
 service-object tcp eq 587 
 service-object tcp eq pop3 
 service-object tcp eq smtp 
access-list outside_access_in remark http traffic from outside
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq www 
access-list outside_access_in remark ssh from outside to web1
access-list outside_access_in extended permit tcp any host XX.XX.XX.11 object-group ssh_2251 
access-list outside_access_in remark ssh from outside to penguin
access-list outside_access_in extended permit tcp any host XX.XX.XX.10 object-group ssh_2229 
access-list outside_access_in remark http from outside to penguin
access-list outside_access_in extended permit tcp any host XX.XX.XX.10 object-group http_8029 
access-list outside_access_in remark ssh from outside to internal hosts
access-list outside_access_in extended permit tcp any host XX.XX.XX.13 object-group DM_INLINE_TCP_1 
access-list outside_access_in remark dns service to internal host
access-list outside_access_in extended permit object-group TCPUDP any host XX.XX.XX.13 eq domain 
access-list dmz_access_in extended permit ip 192.168.10.0 255.255.255.0 any 
access-list dmz_access_in extended permit tcp any host 192.168.10.29 object-group DM_INLINE_TCP_2 
access-list public_access_in remark Web access to DMZ websites
access-list public_access_in extended permit object-group TCPUDP any object-group DM_INLINE_NETWORK_2 eq www 
access-list public_access_in remark General web access. (HTTP, DNS & ICMP and  Email)
access-list public_access_in extended permit object-group public_wifi_group any any 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu public 1500
mtu dmz 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 60
global (outside) 1 interface
global (dmz) 2 interface
nat (public) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 2229 192.168.0.29 2229 netmask 255.255.255.255 
static (inside,outside) tcp interface 8029 192.168.0.29 www netmask 255.255.255.255 
static (dmz,outside) XX.XX.XX.13 192.168.10.10 netmask 255.255.255.255 dns 
static (dmz,outside) XX.XX.XX.11 192.168.10.30 netmask 255.255.255.255 dns 
static (dmz,inside) 192.168.0.29 192.168.10.29 netmask 255.255.255.255 
static (dmz,public) 192.168.20.30 192.168.10.30 netmask 255.255.255.255 dns 
static (dmz,public) 192.168.20.10 192.168.10.10 netmask 255.255.255.255 dns 
static (inside,dmz) 192.168.10.0 192.168.0.0 netmask 255.255.255.0 dns 
access-group outside_access_in in interface outside
access-group public_access_in in interface public
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 20
console timeout 0
dhcpd dns 61.122.112.97 61.122.112.1
dhcpd auto_config outside
!
dhcpd address 192.168.20.200-192.168.20.254 public
dhcpd enable public
!
dhcpd address 192.168.0.200-192.168.0.254 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 130.54.208.201 source public
webvpn

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
!
    
por Conor 31.01.2012 / 04:46

2 respostas

1

Eles estão logicamente na mesma DMZ, portanto, o firewall só deve ver o tráfego como camada 2 e não aplicar nenhuma política a ele. Você pode tentar o comando same-security-traffic permit intra-interface para ver se isso alivia o problema, mas suspeito de um erro de configuração em um de seus hosts. Verifique se as máscaras de sub-rede em seus hosts estão corretas e se um firewall baseado em host não está bloqueando suas solicitações.

    
por 31.01.2012 / 15:21
0

Vá para o ADDM e veja se você tem a caixa de seleção ativada na parte inferior do Configuração > Página Interfaces.

A caixa de seleção diz

Ative o tráfego entre dois ou mais hosts conectados à mesma interface

    
por 09.10.2015 / 21:38