Network Engineer Growth Diary 389: Firewall

This is the 389th serialized article in a network engineer's growth diary. It records the small details of working in the network engineering industry and is a way of making friends with people in IT.





To protect the customer's network, this article removes all confidential configuration details, IP addresses (shown as XXXX) and similar information.

At the boss's arrangement, two classmates and I went out on a project at the Disciplinary Inspection and Supervision Bureau of a county in Shangluo City. The main task was to install and set up a Cisco ASA 5505.

This was the first project I took on at the company, so naturally I was nervous, and there was more to be nervous about still to come. At 8:30 am on the 24th we arrived at the company.

Originally Wang had been talking about setting up a PIX, but the equipment handed to us was labelled Cisco ASA 5505 Series, and he was suddenly dumbfounded.


Because time was short, Wang briefly explained to us how to use this ASA and some important configuration points.

Before we left, he told us: after completing the task, if the customer has any further requirements, be patient with them, and if you run into problems, contact us any time.

At 10:30 we arrived at Xi'an Railway Station and bought tickets, and at 10:50 we boarded a long-distance bus to a certain place.

After asking the driver, I learned that it would be a 5-hour trip.

And so we left Xi'an and set off on the journey.




On the road, to relieve the boredom, I looked up some information about the ASA online: ASA, the Adaptive Security Appliance, is a product line Cisco launched in May 2005.

Its interface is similar to the PIX, but there is a big difference in performance between the two.

Even the lowest ASA model provides much higher performance than the basic PIX.

To be honest, I had no idea at the time; even on the PIX I only knew some basic configuration, let alone the ASA.

After this long journey, at 4:30 in the afternoon, we finally arrived at a certain bus station.

Being in Shangluo, both the surroundings and the economy really could not compare with Xi'an.

The driver told us there is no train here; the only way back to Xi'an is by bus, and the last one leaves at 6 pm each day.

Now that we were here, it was time to get to work.

We called the local contact, and he led us to the first work site: a place housing a primary school and a hospital.

After all, we were there for the technical work, so we didn't ask much about anything unrelated to the network.




We went into the computer room, put on shoe covers, and listened to the customer's requirements.

They were roughly as follows:

This unit has two fiber lines from China Telecom: one provides ordinary Internet access, and the other forms a local area network with several other units.

(It feels like a ***.) The current network was working, and the external network (the fiber they call normal Internet access) was protected by a Lenovo firewall.

Now they had newly purchased a PIX firewall and wanted it to protect the internal network (what they call the "local area network").

Having heard this, it seemed very simple, and the customer at the other site was more anxious, so after the three of us discussed it, I went on ahead to the second work site, the real purpose of this trip: the county's Disciplinary Inspection and Supervision Bureau, to install the ASA we had brought.

The two places are quite far apart, so I took a motorcycle taxi over. After verifying my identity, the person on duty at the Discipline Inspection Bureau led me to their computer room.

What I didn't expect was that the computer room of this impressive local government unit was so basic that it couldn't even compare with the elementary school's computer room I had just seen.

The person on duty was very polite, offering me water and a cigarette (I don't smoke), which surprised me a bit.

I had heard that doing projects was like doing odd jobs for other people, and the people at the elementary school just now had not been very polite, so now I felt a little flattered.

(This time we were here as technical engineers from an outsourcing company in Xi'an. To avoid unnecessary trouble we tried to speak as little as possible, for fear of letting the customer learn our real identity.)

The equipment here is fairly modest: the external connection comes in through a fiber transceiver plus a D-LINK broadband router.

Then five switches of different models extend the network. Apart from the client PCs, there are only two servers.

With that understood, work began. (For the specific configuration and process, see the configuration section below.)




That day the school and hospital site was completed successfully, but my site did not go smoothly, and we ended up working until 10 o'clock.

The three of us had eaten only breakfast and hadn't even had a drink of water since. Seeing the problem still unsolved, I felt confused and my head was spinning. There was no choice but to continue the next day.

In the evening we found a small roadside stall, had a bowl of noodles and a drink each, then went back to the hotel arranged for us: 30 a night, and the conditions inside were really...

In the room we began to think over what had gone wrong that day and contacted the company. In the end we drew up two plans and then fell asleep.

That was how October 25, my sister's birthday, ended.

I had been thinking of going home to celebrate with her, but I didn't expect the trip and the project to go so badly. Business travel as a network engineer really is tiring, hard and thankless.

I remember I thought about a lot that night, and my heart was in a mess...

I woke up at 7:30 the next morning. There weren't even proper facilities for washing up; I could only rinse with cold water.

The weather in Xi'an had turned cold recently, and it was even colder here. That cold water was really cold. (Unfortunately not Sprite.)

For breakfast we found a snack bar by ourselves: steamed buns, porridge, eggs and pickles, better than the previous night's dinner.

Having slept and eaten well, my mental state had recovered and my enthusiasm was back. OK, let's GO!!!

After 4 hours of hard work, the problem was finally solved.

The project was finally done! My mood was really high, and the customers were very satisfied. Seeing my work recognized, I felt satisfied too.

In our excitement we didn't bother with lunch; we just bought some snacks and took the minibus back to Xi'an.

That day (October 26) happened to be the day the expressway between Xi'an and that county opened, and the return trip should have taken 3 hours.

In the end something went wrong: the road was open, but the toll system had not been set up yet, so traffic was not allowed through. We could only go back the way we came and endure another five hours of suffering.

It was 6 o'clock when we arrived in Xi'an, and Manager Li picked us up.

By then it was dark, so instead of returning to the company we each went home. I was really tired; on the K600 all I wanted was to get home, have a good meal, take a shower and sleep comfortably.

I remember Wang still called to check on us.

Although this time I didn't use much of the routing and switching knowledge I had learned, and the ASA firewall was something I had never seen before, it left me with valuable experience and memories.

I learned a lot and raised my theoretical knowledge another notch.

I am very grateful to the company for giving me this opportunity to improve my ability. Thanks to my classmates and to Tian Gong and Zhang Gong, who supported our trip behind the scenes. I will work harder in the future.





To change or maintain a local network, you must first understand its topology.

But because the people on site did not understand the network, we could not obtain a complete topology diagram.

We could only infer the topology by looking at the cabling ourselves. Fortunately there was relatively little network equipment here, just one cabinet.

The approximate topology is this: the external connection comes in through a fiber transceiver plus a D-LINK broadband router.

Then five switches of different models (I'm not certain of the count, since we were not there for the switching) extend the network. Apart from the client PCs, there are only two servers.

We had split into two groups, so I handled this site first.

While I was working, the man on duty was using a server next to me (playing QQ games on it as if it were a PC; note: this becomes important later).

I connected the ASA between the D-LINK and the switch; the physical installation was as simple as that. The next step was configuration.

The device has 8 Ethernet interfaces. First the VLANs are divided so that the inside and outside interfaces are separated.

Ethernet0/0 belongs to VLAN2 and the remaining ports are all in VLAN1. The switch connects to a VLAN1 port, and the other machines then use VLAN1's IP address as their gateway.



interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0    (intranet address)
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxxx 255.255.255.0    (external network address)


Then a static default route and two ACLs are added so that the inside and outside networks can reach each other under the firewall's control.



route outside 0.0.0.0 0.0.0.0 192.168.0.254 1
access-list in-out extended permit ip 192.168.0.0 255.255.255.0 any
access-list out-in extended permit ip any 192.168.0.0 255.255.255.0
access-group out-in in interface outside
access-group in-out in interface inside


Up to this point everything seemed fine, but big trouble was coming.

I connected my laptop to a switch with an address in 192.168.0.0/24, but it couldn't get online. I was at a loss as to where the problem was.

Even after a show run, I couldn't see anything wrong.

At this point I noticed that the man on duty next to me was still playing QQ games.

I asked him: "Did your network drop just now while you were playing?" He replied: "No, it's been fine."

That puzzled me. Never mind that I couldn't get online now; while I was configuring the ASA just now, none of the machines should have been able to reach the D-LINK. How could there have been no interruption at all?

I still couldn't figure it out. Although I could see that the server was a proxy server, it should also have gone through a switch and then the D-LINK to get online.

After all, there is only one fiber line here, and it connects to the D-LINK.

I thought about it and still didn't understand, so I had to call Tian Gong and the others for help. They said they were on their way and would go over it when they arrived.

Meanwhile I kept thinking and went online to look for information.

So I removed the ASA and reconnected the switch to the D-LINK, restoring everything to its original state.

Oh my God, this time not only could I not access the Internet, but even the man on duty was disconnected.

This made me panic even more. If I couldn't get online before, I could accept that, since I didn't know the ASA; but how could I not get online now?

The proxy server's IP is 192.168.0.250, which is the gateway for the other machines, and its own gateway is 192.168.0.254, which is the address of the D-LINK.

I hadn't changed the settings on any of their equipment at all.

After calming down, I slowly began to look for the fault. First I pinged the proxy server from my laptop, and it worked.

That proved the internal network was fine. But none of the machines could ping the D-LINK, so I decided to look at its configuration.

It seems the people there really don't look after these devices: the D-LINK's username and password were still the factory defaults, admin/admin.

Once logged in, I found the client list inside was empty.

No wonder: when other machines access the Internet through it, they are recorded in this list automatically. So I tried adding a client manually.

In effect this is IP/MAC binding. After setting it up, my laptop could get online. In any case I felt a little more relaxed.

But I couldn't work out why the list was empty. By chance I discovered that the D-LINK's address pool had no IPs left to assign, so I simply gave it some addresses.

Sure enough, all the machines could now access the Internet. But I still didn't understand: I hadn't changed these devices' configuration, so why, after restoring the original state, could nothing get online?

While I was thinking, Tian Gong and the others came in. It felt like reinforcements had arrived, and I was much relieved.

I briefly described the environment to them, and Zhang Gong started working on it himself.

Later, after PAT was added, everything worked normally.


ciscoasa# show xlate
11 in use, 70 most used
PAT Global X.X.X.X(1051) Local 192.168.0.100(1794)
PAT Global X.X.X.X(1050) Local 192.168.0.100(1792)
PAT Global X.X.X.X(1049) Local 192.168.0.100(1788)
PAT Global X.X.X.X(1048) Local 192.168.0.100(1787)
PAT Global X.X.X.X(1045) Local 192.168.0.100(6009)
PAT Global X.X.X.X(1038) Local 192.168.0.100(6002)
PAT Global X.X.X.X(1037) Local 192.168.0.100(1642)
PAT Global X.X.X.X(1033) Local 192.168.0.100(1702)
PAT Global X.X.X.X(1029) Local 192.168.0.100(10000)
PAT Global X.X.X.X(1028) Local 192.168.0.100(4008)
PAT Global X.X.X.X(1026) Local 192.168.0.100(31946)


It turned out that the address translation between the inside and outside networks was wrong. I had really been negligent.
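To make the faults above concrete, here is an added Python lint (not the author's tooling, nor anything from Cisco) that parses the interface, route and access-list lines quoted in the configuration section and reports the default route whose next hop is not on the outside subnet, the absence of any nat/global translation statement, and the out-in ACL that admits any outside source to the whole inside network. It assumes the pre-8.3 nat/global syntax of that ASA generation and substitutes a documentation-range placeholder for the hidden outside address.

```python
# Added example, not the author's tooling: lint the ASA 5505 snippet quoted in this post for the
# faults it ran into plus one hardening point. Outside address is a constructed placeholder.
import ipaddress
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.0.254 255.255.255.0
interface Vlan2
 nameif outside
 ip address 203.0.113.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.0.254 1
access-list in-out extended permit ip 192.168.0.0 255.255.255.0 any
access-list out-in extended permit ip any 192.168.0.0 255.255.255.0
access-group out-in in interface outside
access-group in-out in interface inside
"""

def _addr(t, i):  # ACL address spec at t[i]: 'any' or 'ADDR MASK'; returns (network, next index)
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse(text):  # interfaces, routes, extended ACLs, access-groups, and whether nat/global exist
    cfg, cur = {"if": {}, "routes": [], "acl": {}, "grp": {}, "nat": False}, {}
    for t in (ln.split() for ln in text.splitlines()):
        if not t or t[0] == "!": continue
        if t[0] == "interface":
            cur = cfg["if"].setdefault(t[1], {})
        elif t[0] == "nameif":
            cur["name"] = t[1]
        elif t[:2] == ["ip", "address"]:
            cur["ip"] = ipaddress.ip_interface(f"{t[2]}/{t[3]}")
        elif t[0] == "route":                   # route IFNAME DST MASK NEXTHOP [metric]
            cfg["routes"].append((t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}"), ipaddress.ip_address(t[4])))
        elif t[0] == "access-list" and t[2] == "extended":
            src, j = _addr(t, 5)                # NAME extended ACTION PROTO SRC DST
            cfg["acl"].setdefault(t[1], []).append((t[3], t[4], src, _addr(t, j)[0]))
        elif t[0] == "access-group":            # ACL in|out interface IFNAME
            cfg["grp"][t[4]] = (t[1], t[2])
        elif t[0] in ("nat", "global"):         # pre-8.3 translation statements
            cfg["nat"] = True
    return cfg

def lint(cfg):  # returns a list of (code, message) findings
    ifs, out = {v["name"]: v["ip"] for v in cfg["if"].values()}, []
    for ifname, dst, nh in cfg["routes"]:       # next hop must be a neighbour on the egress subnet
        if nh not in ifs[ifname].network:
            out.append(("BAD_NEXT_HOP", f"route {dst} via {ifname}: {nh} is not in {ifs[ifname].network}"))
    for ifname, (acl, direction) in cfg["grp"].items():
        for action, proto, src, dst in cfg["acl"].get(acl, []):
            if (ifname, direction, action, proto, src.prefixlen) == ("outside", "in", "permit", "ip", 0):
                out.append(("OUTSIDE_PERMIT_ANY", f"{acl}: any Internet source may reach {dst}"))
    if not cfg["nat"]:                          # the fault the post fixed by adding PAT
        out.append(("NO_NAT", "no nat/global statement: inside hosts leave with private addresses"))
    return out
```

Running `lint(parse(ASA_CONFIG))` on the quoted snippet returns all three findings; after pointing the route at a real next hop on the outside subnet and adding nat/global lines, only the permissive out-in ACL remains.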

Later someone who looked like the boss came in. After explaining things to him, we asked whether there were any other requirements.

He said that in two days people from the telecom bureau would take the D-LINK away, so he hoped we would stop using the D-LINK for Internet access and replace it with the ASA.

That seemed quite simple: just move the IP from the D-LINK onto the ASA.

After we did this we tried Baidu: OK, normal.

So we went over it again. That person also tried Baidu, and it was fine.

But when he clicked on the MP3 tab, he found the page would not open.

We were puzzled. We tried other web pages, and indeed nothing but Baidu would open. Even stranger, pinging any address worked, which was truly maddening.

However much I thought about it, I couldn't understand it. I called the company for support, but the problem remained unresolved; even Wang found it incredible. In the end we were stuck on this problem for a long time.

Later I found that whenever the computers obtained their IP addresses automatically, they got the wrong gateway, but even after correcting it manually they still couldn't open web pages.


Later, with guidance from several people, I learned that a command on the ASA limits the number of TCP connections. So although the Internet link itself was up, TCP connections to the destination servers could not be established, and naturally web pages would not open.

Ping does not use TCP, so it "escaped the catastrophe". Under these conditions, as long as the IP address was correct, the gateway was fine.

Now the Internet access problem was solved, but the IP allocation problem was still unclear. What could be determined was that the other server, the WEB server, was acting as the DHCP server: as long as it was connected to the switch, all the machines got the wrong gateway, pointing at its own address 192.168.0.2, and when it was disconnected no other machine could get an IP address at all. But I found that the machine did not have the DHCP service component installed, so how was it handing out addresses? There was no relevant third-party software in Add/Remove Programs either. The questions really came one after another; my head was spinning.

In the end luck helped. The people there said there were many more computers belonging to the staff below, which normally were not allowed online but occasionally needed to go online to update antivirus software and look things up. We thought about it and asked how they had achieved this before. He said it was by changing the IP.

That cleared the clouds away. Wasn't that exactly the situation now? As long as the other machines were switched on they got the wrong gateway, so they certainly couldn't get online; just change the gateway and it would be OK. Then the man said that leaving 10 IPs with Internet access would be enough, but he was afraid everyone would then be able to get online. Easy: just write more ACLs on the ASA, so even if the people below learn the gateway it will do them no good. But if someone below sets one of those 10 IPs before the leaders above do, then the leaders can't get on. When we explained this problem to him, unexpectedly he said very plainly: "We know that as soon as an IP conflict pops up in the lower right corner, it proves someone below is doing it." It seems they were quite familiar with this IP-changing trick. So we left him 10 fixed IP addresses and told him to set static IPs on the leaders' machines from then on.

OK, so everything was done. A small but well-earned success.

(Note: no device other than the ASA was ever powered off, so the theory that the configuration was scrambled by a power interruption can be ruled out.)




However, there are still things about this project I don't understand. I haven't had time to ask anyone lately, so I hope readers who know can explain.

① After I added the ASA, while the configuration was still not working, why could the person on duty (on the proxy server) keep playing QQ games unaffected?

② The part in red. I didn't change any of their devices; I just connected the ASA and tried to configure it, without success, then removed it and restored the original state. So why could nothing get online? In other words, why was the D-LINK's client list empty? (The machines' IPs were normal at this point, whether set manually or obtained automatically.)

③ Also in the part in red. At the very beginning (before I had connected the ASA), I first plugged my laptop directly into their switch. The IP I obtained was in 192.168.0.0/24 (their internal range), the gateway was 192.168.0.250 (the proxy server), and Internet access and everything else were normal. But after the D-LINK was removed and the ASA finally configured, why did that WEB server have a DHCP function? As I said, there was no relevant third-party software on that machine and no DHCP component installed.



Origin blog.51cto.com/15002959/2551270