December 2020

835 views
0 Helpful
2 Replies
yujun
Beginner

Core 3750 switch cannot reach the internet: asking for help

This post was last edited by YuJun64206140 on 2020-12-28 14:03
I have set up a network in a data center: the firewall (inside IP 172.16.200.2) is an ASA5525, the core switch (VLAN 1 IP 172.16.200.1) is a 3750, and the access switch (VLAN 1 IP 172.16.200.19) is a C2960X.
Clients connected to the access switch can ping the core switch and the firewall, but cannot reach the internet.
The core switch cannot ping an external address:
IDC_Core#ping 122.224.XXX.XXX
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 122.224.XXX.XXX, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
The firewall can ping the same external IP:
fw# ping 122.224.xxx.xxx
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 122.224.xxx.xxx, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
I don't know what the cause is; could someone please help me analyze it? Thanks!
Core switch configuration:
!
! Last configuration change at 09:18:09 CST Fri Apr 1 2011
! NVRAM config last updated at 09:34:32 CST Fri Apr 1 2011
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname IDC_Core
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Sefg$Iep2dKlI2XTrjFbSpDh9i1
enable password 7 09786C235A04131F0202547E7A73
!
no aaa new-model
clock timezone CST 8 0
switch 1 provision ws-c3750x-48
system mtu routing 1500
ip routing
!
!
no ip domain-lookup
ip domain-name tbj.idc
!
!
crypto pki trustpoint TP-self-signed-4137863552
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4137863552
revocation-check none
rsakeypair TP-self-signed-4137863552
!
!
crypto pki certificate chain TP-self-signed-4137863552
(certificate omitted)
quit
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
vlan internal allocation policy ascending
!
lldp run
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
no ip route-cache
no ip mroute-cache
shutdown
!
interface GigabitEthernet1/0/1
spanning-tree portfast
!
interface GigabitEthernet1/0/2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/3
switchport mode access
!
interface GigabitEthernet1/0/4
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/5
spanning-tree portfast
!
interface GigabitEthernet1/0/6
spanning-tree portfast
!
interface GigabitEthernet1/0/7
switchport access vlan 5
spanning-tree portfast
!
interface GigabitEthernet1/0/8
spanning-tree portfast
!
interface GigabitEthernet1/0/9
switchport trunk encapsulation dot1q
switchport mode trunk
shutdown
!
interface GigabitEthernet1/0/10
switchport trunk encapsulation dot1q
switchport mode trunk
shutdown
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
spanning-tree portfast
!
interface GigabitEthernet1/0/14
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/15
switchport trunk encapsulation dot1q
switchport mode trunk
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/16
switchport trunk encapsulation dot1q
switchport mode trunk
shutdown
spanning-tree portfast
!
interface GigabitEthernet1/0/17
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/18
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/19
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet1/0/20
spanning-tree portfast
!
interface GigabitEthernet1/0/21
spanning-tree portfast
!
interface GigabitEthernet1/0/22
spanning-tree portfast
!
interface GigabitEthernet1/0/23
spanning-tree portfast
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
spanning-tree portfast
!
interface GigabitEthernet1/0/26
spanning-tree portfast
!
interface GigabitEthernet1/0/27
spanning-tree portfast
!
interface GigabitEthernet1/0/28
spanning-tree portfast
!
interface GigabitEthernet1/0/29
spanning-tree portfast
!
interface GigabitEthernet1/0/30
spanning-tree portfast
!
interface GigabitEthernet1/0/31
spanning-tree portfast
!
interface GigabitEthernet1/0/32
spanning-tree portfast
!
interface GigabitEthernet1/0/33
spanning-tree portfast
!
interface GigabitEthernet1/0/34
spanning-tree portfast
!
interface GigabitEthernet1/0/35
!
interface GigabitEthernet1/0/36
!
interface GigabitEthernet1/0/37
!
interface GigabitEthernet1/0/38
!
interface GigabitEthernet1/0/39
!
interface GigabitEthernet1/0/40
!
interface GigabitEthernet1/0/41
!
interface GigabitEthernet1/0/42
!
interface GigabitEthernet1/0/43
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/44
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/45
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/46
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/47
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/48
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/1/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/1/2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/1/3
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/1/4
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface TenGigabitEthernet1/1/1
no switchport
no ip address
shutdown
!
interface TenGigabitEthernet1/1/2
!
interface Vlan1
description manager
ip address 172.16.200.1 255.255.255.0
no ip redirects
no ip proxy-arp
!
interface Vlan4
ip address 172.16.4.251 255.255.255.0
no ip redirects
no ip proxy-arp
!
interface Vlan10
ip address 172.16.10.251 255.255.255.0
no ip redirects
no ip proxy-arp
!
interface Vlan20
ip address 172.16.20.250 255.255.255.0
no ip redirects
no ip proxy-arp
!
i
!
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.16.200.2
!
access-list 100 permit ip any 172.16.0.0 0.0.255.255
access-list 100 permit ip any any
!
!
!
line con 0
exec-timeout 30 0
logging synchronous
line vty 0 4
exec-timeout 30 0
password 7 09786C235A04131F0202547E7A73
logging synchronous
login
transport input ssh
line vty 5 15
password 7 09786C235A04131F0202547E7A73
login
!
end
Firewall configuration:
: Saved
: Written by enable_15 at 03:00:12.096 UTC Fri Dec 25 2020
!
ASA Version 9.1(2)
!
hostname fw
enable password PXDmVCMkku4ixZWg encrypted
names
ip local pool vpn-pool 10.10.10.100-10.10.10.199 mask 255.255.255.0
!
interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
description Connect-To-Outside
nameif outside
security-level 0
ip address 122.224.XXX.XXX 255.255.255.224
!
interface GigabitEthernet0/2
description Connect-To-Coreswitch
nameif inside
security-level 100
ip address 172.16.200.2 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
nameif zone-30
security-level 30
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
nameif zone-out
security-level 90
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
object-group service fort-dst-ports
service-object tcp destination eq ssh
service-object tcp destination eq ssh
access-list out-access-in-1.0 extended permit ip any any
access-list vpnclient_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
access-list ICMP extended permit icmp any any echo-reply
pager lines 24
mtu outside 1500
mtu inside 1500
mtu zone-30 1500
mtu zone-out 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
access-group out-access-in-1.0 in interface outside
route outside 0.0.0.0 0.0.0.0 122.224.XXX.XXX 1
route inside 172.16.0.0 255.255.0.0 172.16.200.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
crypto ipsec ikev1 transform-set vpnset esp-des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map outside-dyn-map 10 set ikev1 transform-set vpnset
crypto dynamic-map outside-dyn-map 10 set reverse-route
crypto dynamic-map outside-dyn-mat 10 set security-association lifetime seconds 28800
crypto map outside-map 10 ipsec-isakmp dynamic outside-dyn-map
crypto map outside-map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption des
hash md5
group 2
lifetime 43200
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 zone-out
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 30
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy vpnclient internal
group-policy vpnclient attributes
dns-server value 202.101.172.46
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnclient_splitTunnelAcl
default-domain value XXX.com
username zhixin password HRq.67qzp67x3vej encrypted
username zhixin attributes
vpn-group-policy vpnclient
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
address-pool vpn-pool
default-group-policy vpnclient
tunnel-group vpnclient ipsec-attributes
ikev1 pre-shared-key XXX.com
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:05296b2f19c5e470d36d6a08ccc8603d
: end
1 Accepted Solution

Accepted Solutions
ilay
Rising star

The firewall is not translating the switch's address to the outside, and by default that traffic cannot get out; you need to configure NAT or dynamic PAT.
Taking PAT as an example:
object network TEST
subnet 172.16.200.0 255.255.255.0 // if other addresses also need internet access, widen the mask
nat (inside,outside) dynamic interface
!
Once this is configured, the switch can ping internet addresses. (The switch pinging the firewall's outside interface address will not work by default.)
NAT configuration reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_objects.html#71793

View solution in original post
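The same fix carried through to the rest of the addressing shown in this thread, with the verification commands a practitioner would run afterwards. This is an added example, not part of the original post or the answer above. It assumes the ASA 9.1 addressing already visible in the posted config (inside interface 172.16.200.2/24, outside on GigabitEthernet0/1, `route inside 172.16.0.0 255.255.0.0 172.16.200.1` for the core switch's VLAN 4/10/20 subnets); the object name INSIDE-NETS and the public test address 203.0.113.10 (an RFC 5737 documentation address) are assumptions, not values from the page.

```cisco
! Added example (not from the original post). Assumes the thread's addressing;
! INSIDE-NETS and 203.0.113.10 are placeholders chosen for this example.
!
! Translate the whole 172.16.0.0/16 that "route inside" already points at the
! core switch, so the VLAN 4/10/20 clients behind the 3750 get out as well,
! not only the 172.16.200.0/24 management VLAN from the accepted answer.
object network INSIDE-NETS
 subnet 172.16.0.0 255.255.0.0
 ! Dynamic PAT: all inside sources are hidden behind the outside interface IP
 nat (inside,outside) dynamic interface
!
! 1. Confirm the rule is in the NAT table (expect one "dynamic interface" entry
!    in section 2, Auto NAT, for object INSIDE-NETS)
show nat detail
!
! 2. Trace a synthetic ICMP echo from the core switch's VLAN 1 SVI to a public
!    host; the NAT phase should reference INSIDE-NETS and the result should
!    end in "Action: allow". Run this before touching any client.
packet-tracer input inside icmp 172.16.200.1 8 0 203.0.113.10 detailed
!
! 3. Repeat for a host on one of the routed VLANs behind the 3750
packet-tracer input inside icmp 172.16.10.100 8 0 203.0.113.10 detailed
!
! 4. After "ping 203.0.113.10" from the 3750, the PAT entry should be visible
show xlate
```

Two points worth knowing when reading the trace: the echo reply gets back in without binding the unused `access-list ICMP` to the outside interface, because `inspect icmp` is already in `global_policy`, which makes ICMP stateful on this ASA. And the NAT change does nothing about what is already reachable on the firewall itself; `http 0.0.0.0 0.0.0.0 outside` and the `permit ip any any` ACL applied inbound on `outside` in the posted config are independent of this problem and are worth reviewing separately.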

2 Replies
yujun
Beginner

gengchunlin posted on 2020-12-28 09:18
The firewall is not translating the switch's address to the outside, and by default that traffic cannot get out; you need to configure NAT or dynamic PAT.
Taking PAT as an example:
obj ...

Yes, this morning I compared it against my organization's firewall configuration and got it working; it was exactly the problem you described.
Thank you!