ASA 9.7 transparent mode: inside cannot ping outside

fishlonely
Level 1
Configuration: inside 192.168.134.253 cannot ping outside 192.168.134.193 (MAC address 00-00-64-9A-EA-27).
Please advise, experts. Thanks!
sh run
: Saved
:
: Serial Number: JAD212908M3
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.7(1)4
!
firewall transparent
hostname ciscoasa
enable password $sha512$5000$H2uvIKXRpPpffdRllI4AnQ==$98ykhrwuIoQrbileiURFcw== pbkdf2
names
!
interface GigabitEthernet1/1
bridge-group 1
nameif outside
security-level 0
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside
security-level 0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
!
interface Management1/1
management-only
shutdown
no nameif
no security-level
ip address 192.168.134.30 255.255.255.0
!
ftp mode passive
access-list 102 extended permit ip any any
access-list 102 extended permit icmp any any
access-list 102 extended permit tcp any any
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:9d8703b9bde0b1922a21c1ca627c17a4
: end
ciscoasa(config)# sh mac-add
ciscoasa(config)# sh mac-address-table
interface mac address type Age(min) bridge-group
----------------------------------------------------------------------------------------------------
outside 0000.649a.f7c1 dynamic 4 1
outside 0000.649a.7f89 dynamic 4 1
outside 0000.649a.7f45 dynamic 4 1
outside 0000.649a.f881 dynamic 4 1
inside 001e.f74d.794b dynamic 3 1
outside 0000.6491.7a19 dynamic 4 1
outside 0000.649a.ea27 dynamic 4 1
outside 0000.649a.ea25 dynamic 4 1
outside 0000.649a.ea7b dynamic 4 1
outside 0000.649a.ea79 dynamic 4 1
outside 0000.649a.ea77 dynamic 4 1
outside 0000.649a.ea75 dynamic 4 1
outside 0000.649a.ea67 dynamic 4 1
outside 0000.649a.ea65 dynamic 4 1
outside 0000.649a.7b9d dynamic 4 1
outside 0000.649a.7b89 dynamic 4 1
ciscoasa(config)#
Windows IP 配置
主机名 . . . . . . . . . . . . . : HIS0664
主 DNS 后缀 . . . . . . . . . . . :
节点类型 . . . . . . . . . . . . : 混合
IP 路由已启用 . . . . . . . . . . : 否
WINS 代理已启用 . . . . . . . . . : 否
以太网适配器 本地连接 3:
连接特定的 DNS 后缀 . . . . . . . :
描述. . . . . . . . . . . . . . . : Vnet/IP Open Communication Driver (BUS2)
物理地址. . . . . . . . . . . . . : 00-00-64-9A-EA-27
DHCP 已启用 . . . . . . . . . . . : 否
自动配置已启用. . . . . . . . . . : 是
本地链接 IPv6 地址. . . . . . . . : fe80::3487:72d6:6877:ff82%15(首选)
IPv4 地址 . . . . . . . . . . . . : 192.168.134.193(首选)
子网掩码 . . . . . . . . . . . . : 255.255.255.0
默认网关. . . . . . . . . . . . . : 192.168.134.253
DHCPv6 IAID . . . . . . . . . . . : 369098852
9 replies

wuleihen
Spotlight
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
In this policy the ASA has ICMP turned off by default; just add the command
inspect icmp
and it should work.

fishlonely
Level 1
wuleihen posted on 2018-4-11 19:43
policy-map global_policy
class inspection_default
inspect dns preset_dns_map

I'll try it tomorrow, but it probably isn't this issue; at the time, telnet to the port didn't get through either.

fishlonely
Level 1
wuleihen posted on 2018-4-11 19:43
policy-map global_policy
class inspection_default
inspect dns preset_dns_map

Bypassing the firewall, Remote Desktop works normally.
With the firewall in the path, it doesn't.

wuleihen
Spotlight
access-list 102 extended permit ip any any
access-list 102 extended permit icmp any any
access-list 102 extended permit tcp any any
You haven't applied this list anywhere, my friend. Apply the list on the outside interface:
ip access-group 102 outside dy
I think it's something like this command; look up the exact syntax.

wuleihen
Spotlight
interface Management1/1
management-only
shutdown
no nameif
no security-level
ip address 192.168.134.30 255.255.255.0
Also, why is this interface still shutdown??

fishlonely
Level 1
wuleihen posted on 2018-4-12 09:09
interface Management1/1
management-only
shutdown

Does this port have to be up? There is no cable connected to the physical port.

Mansur
Spotlight
From the inside zone you cannot ping the outside interface's own IP; permitting it doesn't seem to help either. Once permitted, ICMP from inside can reach the outside zone, but not the outside interface itself...
It's said to be an ASA characteristic; I just googled it yesterday.

fishlonely
Level 1
maguanghua2013 posted on 2018-4-12 11:19
From the inside zone you cannot ping the outside interface's own IP; permitting it doesn't seem to help either. Once permitted, ICMP from inside can reach the outside zone, ...

It's an endpoint in the inside zone accessing an endpoint in the outside zone. Right now the ACL permits everything, yet endpoints in the inside and outside zones cannot reach each other. Bypassing the firewall, there is no problem at all.
Please advise, experts!

ilay
VIP
Set the inside interface's security-level higher than 0 and it should work.
Having inside and outside at the same security-level will cause problems, and you haven't configured same-security-traffic permit inter-interface either...
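An added example, not from the thread or from Cisco: a small Python audit that checks a running-config excerpt for the three things the replies above call out (an access-list defined but never applied with access-group, two interfaces at the same security-level without same-security-traffic permit inter-interface, and no inspect icmp in the global policy). The config excerpt is constructed from the output posted in the thread.

```python
import re
# Constructed excerpt of the running-config posted in the thread (not the full output).
SAMPLE_CONFIG = """\
firewall transparent
interface GigabitEthernet1/1
 nameif outside
 security-level 0
interface GigabitEthernet1/2
 nameif inside
 security-level 0
access-list 102 extended permit ip any any
access-list 102 extended permit icmp any any
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
"""

def audit_asa_config(text):
    """Return findings for the three problems the replies in this thread point at."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    findings = []

    # 1. An access-list that is never bound with access-group has no effect.
    defined = {m.group(1) for m in map(lambda l: re.match(r"access-list (\S+)", l), lines) if m}
    bound = {m.group(1) for m in map(lambda l: re.match(r"access-group (\S+)", l), lines) if m}
    for acl in sorted(defined - bound):
        findings.append(f"access-list {acl} is defined but not applied with access-group")

    # 2. Interfaces at the same security-level cannot exchange traffic unless
    #    same-security-traffic permit inter-interface is configured.
    levels, nameif = {}, None
    for line in lines:
        if line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level ") and nameif:
            levels.setdefault(line.split()[1], []).append(nameif)
    if "same-security-traffic permit inter-interface" not in lines:
        for level, names in levels.items():
            if len(names) > 1:
                findings.append(f"{', '.join(sorted(names))} share security-level {level} "
                                "without same-security-traffic permit inter-interface")

    # 3. Without inspect icmp the ASA does not track echo/echo-reply as a session,
    #    so replies need their own permit on the return interface.
    if "inspect icmp" not in lines:
        findings.append("inspect icmp is missing from the global policy")
    return findings
```

Running it against the excerpt reports all three findings; adding the access-group binding, the same-security-traffic line and inspect icmp clears them.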