多vlan上网问题

sbliw · 发表于 2019-7-26 11:11:05

大家好，本人用思科模拟器在模拟三层交换机和asa防火墙组网的情况（见拓扑图）。遇到了问题，请大神指导，谢谢
情况：内网有Vlan10，Vlan20，Vlan30三个，客户端IP地址由DHCP服务器提供,内网有三层交换机，出口是思科的asa防火墙，外网是路由器及一台服务器(8.8.8.8)
问题：现在Vlan10能ping通（访问）外网服务器，其他两个Vlan不行
希望：所有Vlan都能访问外网服务器

网络设备配置如下：

三层交换机：
Switch>en
Switch#show run
Building configuration...

Current configuration : 2751 bytes
!
version 16.3.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
!
!
!
!
!
!
ip cef
ip routing
!
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet1/0/1
switchport access vlan 10
switchport mode access
switchport nonegotiate
!
interface GigabitEthernet1/0/2
switchport access vlan 10
!
interface GigabitEthernet1/0/3
switchport access vlan 10
switchport mode access
switchport nonegotiate
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
switchport access vlan 20
switchport mode access
switchport nonegotiate
!
interface GigabitEthernet1/0/11
switchport access vlan 20
switchport mode access
switchport nonegotiate
!
interface GigabitEthernet1/0/12
switchport access vlan 20
switchport mode access
switchport nonegotiate
!
interface GigabitEthernet1/0/13
switchport access vlan 20
switchport mode access
switchport nonegotiate
!
interface GigabitEthernet1/0/14
switchport access vlan 20
switchport mode access
switchport nonegotiate
!
interface GigabitEthernet1/0/15
switchport access vlan 20
switchport mode access
switchport nonegotiate
!
interface GigabitEthernet1/0/16
switchport access vlan 30
switchport mode access
switchport nonegotiate
!
interface GigabitEthernet1/0/17
switchport access vlan 30
switchport mode access
switchport nonegotiate
!
interface GigabitEthernet1/0/18
switchport access vlan 30
switchport mode access
switchport nonegotiate
!
interface GigabitEthernet1/0/19
switchport access vlan 30
switchport mode access
switchport nonegotiate
!
interface GigabitEthernet1/0/20
switchport access vlan 30
switchport mode access
switchport nonegotiate
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
mac-address 0004.9ab8.0101
ip address 192.168.10.1 255.255.255.0
ip helper-address 192.168.10.10
!
interface Vlan20
mac-address 0004.9ab8.0102
ip address 192.168.20.1 255.255.255.0
ip helper-address 192.168.10.10
!
interface Vlan30
mac-address 0004.9ab8.0103
ip address 192.168.30.1 255.255.255.0
ip helper-address 192.168.10.10
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.10.2
!
ip flow-export version 9
!
!
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
!
end

Switch#

asa防火墙：

ciscoasa#show run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 203.1.1.2 255.255.255.0
!
object network lan10
subnet 192.168.10.0 255.255.255.0
object network lan20
subnet 192.168.20.0 255.255.255.0
object network lan30
subnet 192.168.30.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.1.1.1 1
route inside 192.168.10.0 255.255.255.0 0.0.0.0 1
route inside 192.168.20.0 255.255.255.0 0.0.0.0 1
route inside 192.168.30.0 255.255.255.0 0.0.0.0 1
!
access-list intoout extended permit tcp any any
access-list intoout extended permit icmp any any
!
!
access-group intoout in interface outside
object network lan10
nat (inside,outside) dynamic interface
object network lan20
nat (inside,outside) dynamic interface
object network lan30
nat (inside,outside) dynamic interface
!
!
!
!
!
!
!
telnet timeout 5
ssh timeout 5
!
!
!
!
!

ciscoasa#

路由器：

Router#show run
Building configuration...

Current configuration : 643 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
ip address 203.1.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 8.8.8.1 255.255.255.0
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
router rip
network 8.0.0.0
network 192.168.0.0
network 203.1.1.0
!
ip classless
!
ip flow-export version 9
!
!
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end

Router#

layout102 · 发表于 2019-7-26 11:11:06

請查看 FW 有無 CoreSwitch各vlan (v20 v30)網段的路由，
由於 CoreSW vlan 10 是與FW直連的，所以底下enduser 到外網的路徑是沒問題的

hlhpla · 发表于 2019-7-28 16:16:45

要靠跟踪路由来查，看代码比较难啊

sbliw · 发表于 2019-7-29 10:43:05

hlhpla 发表于 2019-7-28 16:16
要靠跟踪路由来查，看代码比较难啊

感谢您的回复

sbliw · 发表于 2019-7-29 10:43:34

layout102 发表于 2019-7-28 19:55
請查看 FW 有無 CoreSwitch各vlan (v20 v30)網段的路由，
由於 CoreSW vlan 10 是與FW直連的，所以底下 ...

感谢您的回复

cwruo · 发表于 2019-8-1 13:17:53

多重錯誤哦, 轉址在ASA2, 所以ASA2要有 192.168.20.2與192.168.30.2 的 IP, L3 Switch 的 Gi 1/0/2 也要設 Trunk, 至於ASA 的 Trunk 我沒設過, 你自己去找找吧. 測試時先用Vlan20的PC 去 ping 192.168.20.2, 然後是 ping 203.1.1.2, 最後是 ping 8.8.8.1

暑假妹子别走 · 发表于 2019-12-20 21:15:12

为了60积分回复，见谅

zjiaxuan · 发表于 2019-12-26 09:55:28

学习中~~~

OCEANsea · 发表于 2020-4-21 10:08:45

ASA和核心交换机之间跑trunk，但是一般建议，还是跑三层结构，全部通过IP 路由表转发流量，这样虽然中间多了一跳，但是好确定和排查问题（个人理解）

账号		自动登录	找回密码
密码			论坛注册

[求助] 多vlan上网问题

最佳答案

客服中心

投诉建议