三层交换机下VLAN用户访问外网问题

richard_kuo

大家好，我在做一个关于企业网络实验时，L3交换机下用户无法访问外网，但L3三层口已经开启，默认路由也都设置好了，就是不能访问internet server 192.168.1.2,其他功能都正常，比如DMZ webserver可以正常被外网访问。实验拓扑图已经上传附件，各设备配置如下：
L3 Configuration:
interface FastEthernet0/1
switchport access vlan 10
!
interface FastEthernet0/2
switchport access vlan 10
!
interface FastEthernet0/3
switchport access vlan 10
!
interface FastEthernet0/4
switchport access vlan 10
!
interface FastEthernet0/5
switchport access vlan 10
!
interface FastEthernet0/6
switchport access vlan 10
!
interface FastEthernet0/7
switchport access vlan 10
!
interface FastEthernet0/8
switchport access vlan 10
!
interface FastEthernet0/9
switchport access vlan 10
!
interface FastEthernet0/10
switchport access vlan 10
!
interface FastEthernet0/11
switchport access vlan 10
!
interface FastEthernet0/12
switchport access vlan 10
!
interface FastEthernet0/13
switchport access vlan 20
!
interface FastEthernet0/14
switchport access vlan 20
!
interface FastEthernet0/15
switchport access vlan 20
!
interface FastEthernet0/16
switchport access vlan 20
!
interface FastEthernet0/17
switchport access vlan 20
!
interface FastEthernet0/18
switchport access vlan 20
!
interface FastEthernet0/19
switchport access vlan 20
!
interface FastEthernet0/20
switchport access vlan 20
!
interface FastEthernet0/21
switchport access vlan 20
!
interface FastEthernet0/22
switchport access vlan 20
!
interface FastEthernet0/23
switchport access vlan 20
!
interface FastEthernet0/24
switchport access vlan 20
!
interface GigabitEthernet0/1
no switchport
ip address 172.18.30.2 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
mac-address 0090.2177.c501
ip address 172.18.10.1 255.255.255.0
!
interface Vlan20
mac-address 0090.2177.c502
ip address 172.18.20.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.18.30.1
!
ip flow-export version 9
!
line con 0
!
line aux 0
!
line vty 0 4
login

防火墙FW 5506配置如下：
ASA Version 9.6(1)
!
hostname ASA5506
names
!
interface GigabitEthernet1/1
nameif inside
security-level 100
ip address 172.18.30.1 255.255.255.0
!
interface GigabitEthernet1/2
nameif outside
security-level 0
ip address 109.165.200.225 255.255.255.248
!
interface GigabitEthernet1/3
nameif dmz
security-level 50
ip address 172.18.40.1 255.255.255.0
!
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/5
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/7
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/8
no nameif
no security-level
no ip address
shutdown
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
object network LAN
subnet 172.18.30.0 255.255.255.0
object network dmz-subnet
subnet 172.18.40.0 255.255.255.0
object network vlan10
subnet 172.18.10.0 255.255.255.0
object network vlan20
subnet 172.18.20.0 255.255.255.0
object network webserver
host 172.18.40.100
!
route outside 0.0.0.0 0.0.0.0 109.165.200.226 1
route inside 172.18.10.0 255.255.255.0 172.18.30.2 1
route inside 172.18.20.0 255.255.255.0 172.18.30.2 1
!
access-list in2out extended permit tcp any any
access-list in2out extended permit icmp any any
access-list out2dmz extended permit tcp any any
access-list out2dmz extended permit icmp any any
access-list out2dmz extended permit tcp any host 109.165.200.227 eq www
!
!
access-group in2out in interface outside
object network LAN
nat (inside,outside) dynamic interface
object network dmz-subnet
nat (dmz,outside) dynamic interface
object network vlan10
nat (inside,outside) dynamic interface
object network vlan20
nat (inside,outside) dynamic interface
object network webserver
nat (dmz,outside) static 109.165.200.227
telnet timeout 5

ssh timeout 5

nicebye

你的NP是捡来的吗？跟踪一个 是哪里断了

kma212

follow

itwong

你需要在ISP-router2那里设置静态NAT. so https://164.80.15.2 会被NATed到192.168.1.2