Eu herdei recentemente uma rede com um Cisco ASA (executando a versão 8.2).
Estou tentando configurá-lo para permitir a comunicação entre duas interfaces configuradas com o mesmo nível de segurança (DMZ-DMZ)
"inter-interface de autorização de tráfego de mesma segurança" foi definida, mas os hosts não conseguem se comunicar entre as interfaces. Estou assumindo que algumas configurações de NAT estão causando meu problema. Abaixo está minha configuração em execução:
ASA Version 8.2(3)
!
hostname asa
enable password XXXXXXXX encrypted
passwd XXXXXXXX encrypted
names
!
interface Ethernet0/0
switchport access vlan 400
!
interface Ethernet0/1
switchport access vlan 400
!
interface Ethernet0/2
switchport access vlan 420
!
interface Ethernet0/3
switchport access vlan 420
!
interface Ethernet0/4
switchport access vlan 450
!
interface Ethernet0/5
switchport access vlan 450
!
interface Ethernet0/6
switchport access vlan 500
!
interface Ethernet0/7
switchport access vlan 500
!
interface Vlan400
nameif outside
security-level 0
ip address XX.XX.XX.10 255.255.255.248
!
interface Vlan420
nameif public
security-level 20
ip address 192.168.20.1 255.255.255.0
!
interface Vlan450
nameif dmz
security-level 50
ip address 192.168.10.1 255.255.255.0
!
interface Vlan500
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
ftp mode passive
clock timezone JST 9
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object host XX.XX.XX.11
network-object host XX.XX.XX.13
object-group service ssh_2220 tcp
port-object eq 2220
object-group service ssh_2251 tcp
port-object eq 2251
object-group service ssh_2229 tcp
port-object eq 2229
object-group service ssh_2210 tcp
port-object eq 2210
object-group service DM_INLINE_TCP_1 tcp
group-object ssh_2210
group-object ssh_2220
object-group service zabbix tcp
port-object range 10050 10051
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
group-object zabbix
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service http_8029 tcp
port-object eq 8029
object-group network DM_INLINE_NETWORK_2
network-object host 192.168.20.10
network-object host 192.168.20.30
network-object host 192.168.20.60
object-group service imaps_993 tcp
description Secure IMAP
port-object eq 993
object-group service public_wifi_group
description Service allowed on the Public Wifi Group. Allows Web and Email.
service-object tcp-udp eq domain
service-object tcp-udp eq www
service-object tcp eq https
service-object tcp-udp eq 993
service-object tcp eq imap4
service-object tcp eq 587
service-object tcp eq pop3
service-object tcp eq smtp
access-list outside_access_in remark http traffic from outside
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq www
access-list outside_access_in remark ssh from outside to web1
access-list outside_access_in extended permit tcp any host XX.XX.XX.11 object-group ssh_2251
access-list outside_access_in remark ssh from outside to penguin
access-list outside_access_in extended permit tcp any host XX.XX.XX.10 object-group ssh_2229
access-list outside_access_in remark http from outside to penguin
access-list outside_access_in extended permit tcp any host XX.XX.XX.10 object-group http_8029
access-list outside_access_in remark ssh from outside to internal hosts
access-list outside_access_in extended permit tcp any host XX.XX.XX.13 object-group DM_INLINE_TCP_1
access-list outside_access_in remark dns service to internal host
access-list outside_access_in extended permit object-group TCPUDP any host XX.XX.XX.13 eq domain
access-list dmz_access_in extended permit ip 192.168.10.0 255.255.255.0 any
access-list dmz_access_in extended permit tcp any host 192.168.10.29 object-group DM_INLINE_TCP_2
access-list public_access_in remark Web access to DMZ websites
access-list public_access_in extended permit object-group TCPUDP any object-group DM_INLINE_NETWORK_2 eq www
access-list public_access_in remark General web access. (HTTP, DNS & ICMP and Email)
access-list public_access_in extended permit object-group public_wifi_group any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu public 1500
mtu dmz 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 60
global (outside) 1 interface
global (dmz) 2 interface
nat (public) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 2229 192.168.0.29 2229 netmask 255.255.255.255
static (inside,outside) tcp interface 8029 192.168.0.29 www netmask 255.255.255.255
static (dmz,outside) XX.XX.XX.13 192.168.10.10 netmask 255.255.255.255 dns
static (dmz,outside) XX.XX.XX.11 192.168.10.30 netmask 255.255.255.255 dns
static (dmz,inside) 192.168.0.29 192.168.10.29 netmask 255.255.255.255
static (dmz,public) 192.168.20.30 192.168.10.30 netmask 255.255.255.255 dns
static (dmz,public) 192.168.20.10 192.168.10.10 netmask 255.255.255.255 dns
static (inside,dmz) 192.168.10.0 192.168.0.0 netmask 255.255.255.0 dns
access-group outside_access_in in interface outside
access-group public_access_in in interface public
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 20
console timeout 0
dhcpd dns 61.122.112.97 61.122.112.1
dhcpd auto_config outside
!
dhcpd address 192.168.20.200-192.168.20.254 public
dhcpd enable public
!
dhcpd address 192.168.0.200-192.168.0.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 130.54.208.201 source public
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
Eles estão logicamente na mesma DMZ, portanto, o firewall só deve ver o tráfego como camada 2 e não aplicar nenhuma política a ele. Você pode tentar o comando same-security-traffic permit intra-interface para ver se isso alivia o problema, mas suspeito de um erro de configuração em um de seus hosts. Verifique se as máscaras de sub-rede em seus hosts estão corretas e se um firewall baseado em host não está bloqueando suas solicitações.
Vá para o ADDM e veja se você tem a caixa de seleção ativada na parte inferior do Configuração > Página Interfaces.
A caixa de seleção diz
Ative o tráfego entre dois ou mais hosts conectados à mesma interface
Tags networking security cisco-asa