5465 views, 0 helpful, 12 replies

ASA5515 ping problem

seasonli72658 (Spotlight)
I have an ASA5515 firewall with an S2960 switch connected below it. From the switch I can ping the firewall's inside interface address, which is the gateway, but a PC connected below the switch cannot ping the firewall's gateway. What could be the reason?
12 replies

kingisme (Spotlight)
Because you haven't configured inspect icmp.

seasonli72658 (Spotlight)
kingisme posted on 2019-6-28 08:53:
Because you haven't configured inspect icmp.

icmp unreachable rate-limit 1 burst-size 1
Is it this line?

YilinChen (Spotlight)
policy-map global_policy
 class inspection_default
  inspect icmp

2095316477 (Level 1)
On a Cisco ASA firewall, if you don't want to permit icmp any any, then use inspect icmp:
policy-map global_policy
 class inspection_default
  inspect icmp

seasonli72658 (Spotlight)
2095316477 posted on 2019-6-30 09:14:
On a Cisco ASA firewall, if you don't want to permit icmp any any, then use inspect icmp:
policy-map global_policy

I have already written all of these, but it still can't ping and can't SSH either. The other branch offices are all fine; only this one isn't. I can only connect to the router downstream of the firewall and SSH into the firewall from there; SSHing directly to the firewall doesn't work, and Telnet doesn't work either. Why is that?
class-map url_class
 match access-list url_filter_list
class-map type regex match-any url_class_regex
 match regex url_filter1
 match regex url_filter2
 match regex url_filter3
 match regex url_filter4
 match regex url_filter5
 match regex url_filter6
 match regex url_filter7
 match regex url_filter8
 match regex url_filter9
 match regex url_filter10
 match regex url_filter11
 match regex url_filter12
 match regex url_filter13
 match regex url_filter14
class-map inspection_default
 match default-inspection-traffic
class-map type inspect http match-all url_class_inspect
 match request header host regex class url_class_regex
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
policy-map type inspect http url_policy_inspect
 parameters
 class url_class_inspect
  drop-connection log
policy-map url_policy
 class url_class
  inspect http url_policy_inspect
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo inside
icmp permit any echo-reply inside
icmp permit any outside
no asdm history enable
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
console timeout 5

seasonli72658 (Spotlight)
YilinChen posted on 2019-6-29 19:17:
policy-map global_policy
 class inspection_default
  inspect icmp

I have already written all of these, but it still can't ping and can't SSH either. The other branch offices are all fine; only this one isn't. I can only connect to the router downstream of the firewall and SSH into the firewall from there; SSHing directly to the firewall doesn't work, and Telnet doesn't work either. Why is that?

YilinChen (Spotlight)
From the description above, the directly connected side works but cross-subnet access does not; I suggest checking the routing.
Another possibility is that SSH needs a matching encryption algorithm; use ssh ? to look at the related commands.

seasonli72658 (Spotlight)
YilinChen posted on 2019-7-1 14:06:
From the description above, the directly connected side works but cross-subnet access does not; I suggest checking the routing.
Another possibility is that SSH needs a matching encryption algorithm; use s ...

Across subnets it is only the firewall's own address that I can't reach; every switch downstream of it can be reached. Right now it's not just SSH that fails, even ping doesn't get through. For example, firewall A is in Shanghai and firewall B is in Beijing. From firewall A I can ping all the switches below firewall B, just not firewall B itself, and all the switches below firewall B can also ping firewall A. What is the reason for this?

seasonli72658 (Spotlight)
YilinChen posted on 2019-7-1 14:06:
From the description above, the directly connected side works but cross-subnet access does not; I suggest checking the routing.
Another possibility is that SSH needs a matching encryption algorithm; use s ...

Firewall A and firewall B have an IPsec tunnel between them; I checked and the tunnel has been established successfully.
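
The checks this thread keeps circling (is `inspect icmp` sitting in a policy-map that is actually applied, do the `icmp permit` rules on each interface still admit echo requests, how wide open are the ssh/telnet management lines, and what an ASA needs before its inside interface answers from the far end of an IPsec tunnel) can be run mechanically against a pasted running-config. The script below is an added example written for this page; it is not code from the thread or from Cisco. Its sample config is constructed to mirror the one posted above, and the `service-policy global_policy global` line in it is an assumption, since the paste omits it. It goes beyond the posts by also flagging the absence of `management-access`, which is what the cross-tunnel case in the post just above turns on.

```python
"""Added example (not from the thread or from Cisco): audit an ASA running-config
for the ICMP and management-access settings discussed above.

The parser keys on keywords rather than indentation, because the config pasted in
the thread lost its leading spaces.  SAMPLE_CONFIG is constructed to mirror that
paste; the `service-policy` line is an assumption, since the paste omits it.
"""
import re

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

SAMPLE_CONFIG = """\
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect icmp
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo inside
icmp permit any echo-reply inside
icmp permit any outside
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh version 2
service-policy global_policy global
"""


def parse_asa(config):
    """Pull out policy-map inspections, service-policy bindings, to-the-box ICMP
    rules, ssh/telnet source restrictions and management-access interfaces."""
    s = {"inspections": {}, "service_policies": {}, "icmp_rules": {},
         "mgmt_access": [], "management_access": []}
    policy = cls = None
    for raw in config.splitlines():
        w = raw.strip().split()
        if not w or w[0].startswith("!"):
            continue
        if w[0] == "policy-map":            # "policy-map NAME" or "policy-map type inspect X NAME"
            policy, cls = w[-1], None
            s["inspections"].setdefault(policy, {})
        elif w[0] == "class" and policy:
            cls = w[-1]
            s["inspections"][policy].setdefault(cls, [])
        elif w[0] == "inspect" and policy and cls:
            s["inspections"][policy][cls].append(w[1])
        elif w[0] == "service-policy":      # "... NAME global" or "... NAME interface IF"
            s["service_policies"][w[1]] = w[-1]
        elif w[:2] == ["icmp", "permit"]:   # last word is the interface
            s["icmp_rules"].setdefault(w[-1], []).append(w)
        elif w[0] in ("ssh", "telnet") and len(w) == 4 and IPV4.match(w[1]):
            s["mgmt_access"].append((w[0], w[1], w[2], w[3]))
        elif w[0] == "management-access" and len(w) == 2:
            s["management_access"].append(w[1])
    return s


def _permits_echo(rule):
    """True if an `icmp permit` rule (as a word list) admits echo requests.
    Forms: icmp permit any [TYPE] IF | ... host A [TYPE] IF | ... A MASK [TYPE] IF"""
    i = 3 if rule[2] == "any" else 4
    icmp_type = rule[i] if len(rule) > i + 1 else None
    return icmp_type in (None, "echo")


def audit(config):
    """Return a list of findings; an empty list means nothing to report."""
    s = parse_asa(config)
    out = []
    # inspect icmp governs ICMP *through* the ASA; it must sit in a policy-map
    # that is actually bound with service-policy, or it has no effect.
    icmp_pms = [pm for pm, classes in s["inspections"].items()
                if any("icmp" in p for p in classes.values())]
    if not icmp_pms:
        out.append("no `inspect icmp`: echo replies for pings through the ASA are dropped "
                   "unless an ACL permits them back in")
    elif not any(pm in s["service_policies"] for pm in icmp_pms):
        out.append("`inspect icmp` lives in %s, which is never applied with "
                   "`service-policy`" % ", ".join(icmp_pms))
    # icmp permit/deny governs ICMP *to* the ASA's own interfaces; once any rule
    # exists on an interface, an implicit deny ends the list.
    for iface, rules in s["icmp_rules"].items():
        if not any(_permits_echo(r) for r in rules):
            out.append("interface %s has icmp rules but none permits echo; pings to "
                       "that interface hit the implicit deny" % iface)
    for proto, src, mask, iface in s["mgmt_access"]:
        if (src, mask) == ("0.0.0.0", "0.0.0.0"):
            out.append("%s to the ASA is open to any source on %s; restrict it to "
                       "the management subnet" % (proto, iface))
    if any(m[0] == "telnet" for m in s["mgmt_access"]):
        out.append("telnet management access is enabled; credentials travel in "
                   "cleartext, prefer ssh only")
    if not s["management_access"]:
        out.append("no `management-access <interface>`: the inside interface will not "
                   "answer ping/ssh arriving from the far end of a VPN tunnel")
    return out


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print("-", line)
```

The distinction the script encodes is the one the first replies blur: `inspect icmp` affects ICMP that passes through the ASA, while `icmp permit` and `icmp deny` rules affect ICMP addressed to the ASA's own interface addresses, which is what a PC pinging the inside gateway is doing. Reaching an ASA's inside interface from the other side of a VPN tunnel additionally needs `management-access inside`; the script reports its absence rather than asserting it is the cause in this thread. On the sample config it flags the `0.0.0.0 0.0.0.0` ssh and telnet lines, the cleartext telnet, and the missing `management-access`.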

seasonli72658 (Spotlight)
YilinChen posted on 2019-7-1 14:06:
From the description above, the directly connected side works but cross-subnet access does not; I suggest checking the routing.
Another possibility is that SSH needs a matching encryption algorithm; use s ...

Could you add me at 3366711079? This has dragged on too long; I hope you can help me solve it, thanks.

seasonli72658 (Spotlight)
YilinChen posted on 2019-7-1 14:06:
From the description above, the directly connected side works but cross-subnet access does not; I suggest checking the routing.
Another possibility is that SSH needs a matching encryption algorithm; use s ...

Can you help me figure out what else could cause this?

seasonli72658 (Spotlight)
YilinChen posted on 2019-7-1 14:06:
From the description above, the directly connected side works but cross-subnet access does not; I suggest checking the routing.
Another possibility is that SSH needs a matching encryption algorithm; use s ...

Are there any other solutions?