Networking: traffic between VLANs on an ASA 5510 is still blocked despite different security levels

I have configured a Cisco ASA 5510 as follows:

interface Ethernet0/0
 description ### Trunk for inside, wlan ###
 speed 1000
 no nameif
 no security-level
 no ip address

interface Ethernet0/0.10
 description ### OFFICE ###
 vlan 10
 nameif inside
 security-level 100
 ip address 172.18.0.1 255.255.255.0 

interface Ethernet0/0.12
 description ### WIRELESS ###
 vlan 12      
 nameif wlan  
 security-level 20
 ip address 172.18.2.1 255.255.255.128 

interface Ethernet0/3
 description ### Upstream ###
 nameif outside
 security-level 0
 ip address X.X.X.X 255.255.255.252 

access-group WLAN in interface wlan

global (outside) 10 interface

nat (wlan) 0 access-list NONATWIRELESS
nat (wlan) 10 172.18.2.0 255.255.255.128
nat (inside) 0 access-list NONATINSIDE
nat (inside) 10 172.18.0.0 255.255.255.0

dhcprelay server ZZZ inside
dhcprelay enable wlan

access-list WLAN extended permit object-group DNS object-group WLAN host nic 
access-list WLAN extended permit object-group DNS object-group WLAN host idns 
access-list NONATWIRELESS extended permit ip any 172.18.0.0 255.255.255.0 
access-list NONATWIRELESS extended permit ip any 172.18.3.0 255.255.255.0 
access-list NONATINSIDE extended permit ip any 172.18.2.0 255.255.255.0 
access-list NONATINSIDE extended permit ip any 172.18.3.0 255.255.255.0 

no nat-control

There are no static routes.

With this configuration, hosts on VLAN 10 are allowed to reach the outside world, but hosts on VLAN 12 are not. They trigger log entries like this one:

Jan 13 14:35:02 172.18.0.1 %ASA-4-106023: Deny tcp src wlan:172.18.2.125/48593 dst outside:Y.Y.Y.Y/80 by access-group "WLAN" [0x0, 0x0]

How come?

Edit: I guess this is because there is an access list on wlan but none on inside, but that seems silly? If no entry in the access list matches, shouldn't the security level still be evaluated?

Best answer

Well, it is probably because you have applied the access-group WLAN to traffic coming in on the wlan interface, and that access group does not permit traffic to the web server.

The error message is quite clear that the problem is the access-group WLAN, and that access list is very restrictive.

Edit in response to your comment: not that I know of, because all access lists in PIXOS are decisive (that is, every access list ends with an implicit deny any), so there is no such thing as an access list with no match.
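To make the answer's point concrete, here is an added toy model of how an ASA decides on an inbound packet: if an access-group is bound inbound on the ingress interface, that ACL alone decides (first match wins, and anything unmatched hits the implicit deny at the end); only when no ACL is bound does the security-level comparison apply. This is illustration code written for this page, not Cisco's implementation. The interface names and security levels mirror the question's config; the object-group DNS entries, the DNS server address 172.18.0.53 and the outside host 203.0.113.10 are constructed placeholders, since the question does not show the object-group contents.

```python
"""Toy model of ASA inbound access-group evaluation (added illustration).

Assumptions (constructed, not from the question): object-group DNS means
TCP/UDP port 53, 'nic'/'idns' resolve to 172.18.0.53, outside host is
203.0.113.10 (documentation range).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol, else "tcp"/"udp"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int] = None   # None = any destination port


@dataclass
class Iface:
    name: str
    security_level: int
    in_acl: Optional[List[Ace]] = None   # None = no inbound access-group bound


def _match(pattern: str, addr: str) -> bool:
    return pattern == "any" or ip_address(addr) in ip_network(pattern)


def evaluate(pkt: dict, ingress: Iface, egress: Iface) -> Tuple[str, str]:
    """Return (verdict, reason) for a packet entering `ingress` towards `egress`.

    With an inbound ACL bound: the ACL decides, first match wins, and an
    unmatched packet is dropped by the implicit deny (the %ASA-4-106023 case).
    Without an ACL: default policy permits higher-to-lower security level only.
    """
    if ingress.in_acl is not None:
        for i, ace in enumerate(ingress.in_acl):
            if ace.proto not in ("ip", pkt["proto"]):
                continue
            if not _match(ace.src, pkt["src"]) or not _match(ace.dst, pkt["dst"]):
                continue
            if ace.dport is not None and ace.dport != pkt["dport"]:
                continue
            return ace.action, f"matched ACE {i} of access-group {ingress.name.upper()}"
        return "deny", f"implicit deny at end of access-group {ingress.name.upper()}"
    if ingress.security_level > egress.security_level:
        return "permit", "no inbound ACL; higher to lower security level"
    return "deny", "no inbound ACL; lower to higher security level"


# Constructed ACL mirroring the question's 'access-list WLAN' (DNS only).
WLAN_ACL = [
    Ace("permit", "udp", "172.18.2.0/25", "172.18.0.53/32", 53),
    Ace("permit", "tcp", "172.18.2.0/25", "172.18.0.53/32", 53),
]

IFACES = {
    "inside": Iface("inside", 100),                 # no access-group bound
    "wlan": Iface("wlan", 20, in_acl=WLAN_ACL),     # access-group WLAN in interface wlan
    "outside": Iface("outside", 0),
}

# Constructed sample packets.
WEB_FROM_WLAN = {"proto": "tcp", "src": "172.18.2.125", "dst": "203.0.113.10", "dport": 80}
WEB_FROM_INSIDE = {"proto": "tcp", "src": "172.18.0.25", "dst": "203.0.113.10", "dport": 80}
DNS_FROM_WLAN = {"proto": "udp", "src": "172.18.2.125", "dst": "172.18.0.53", "dport": 53}


def wlan_with_web_permit() -> Iface:
    """The same wlan interface with an explicit permit for HTTP appended,
    showing that only an explicit ACE changes the verdict (the security
    level never gets a say once an ACL is bound)."""
    extra = Ace("permit", "tcp", "172.18.2.0/25", "any", 80)
    return Iface("wlan", 20, in_acl=WLAN_ACL + [extra])


if __name__ == "__main__":
    print("wlan -> outside tcp/80  :", evaluate(WEB_FROM_WLAN, IFACES["wlan"], IFACES["outside"]))
    print("inside -> outside tcp/80:", evaluate(WEB_FROM_INSIDE, IFACES["inside"], IFACES["outside"]))
    print("wlan -> inside udp/53   :", evaluate(DNS_FROM_WLAN, IFACES["wlan"], IFACES["inside"]))
    print("wlan (+http) -> outside :", evaluate(WEB_FROM_WLAN, wlan_with_web_permit(), IFACES["outside"]))
```

Running it reproduces the question's symptom: the inside host reaches the outside purely by security level, while the wlan host's web traffic falls through to the implicit deny because the bound ACL never hands the decision back to the security-level comparison.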
