
Cannot ping the outside address of a 5515 firewall

zhangjijun
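Level 1
Hello experts,
I have a Cisco 5515 firewall. After configuration, internal addresses can access the Internet, SSL VPN works, and so on, but internal users cannot ping the firewall's outbound interface address. What is going on?
Does something need to be enabled?
Firewall version 9-2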
4 replies

one-time
Level 13
Thank you for your question! Someone will answer it for you shortly!

shlei
Cisco Employee
Preventing IP Spoofing
If traffic enters the outside interface from an address that is known to the routing table, but is associated with the inside interface, then the ASA drops the packet. Similarly, if traffic enters the inside interface from an unknown source address, the ASA drops the packet because the matching route (the default route) indicates the outside interface.
Reference:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/protect_tools.html?bookSearch=true
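
The reverse-path check described in the reply above, modeled in Python as an added example (not part of the original post and not Cisco's implementation). The routing table, interface names and addresses are constructed for illustration.

```python
import ipaddress

# Constructed routing table (assumption, not taken from the thread):
# (prefix, interface the route points to)
ROUTES = [
    ("10.1.0.0/16", "inside"),
    ("0.0.0.0/0", "outside"),  # default route
]

def best_route(addr, routes=ROUTES):
    """Longest-prefix match: return the interface the best route to addr uses."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None

def rpf_check(src, ingress_if, routes=ROUTES):
    """Permit a packet only if the route back to its source address
    points out of the interface the packet arrived on."""
    expected = best_route(src, routes)
    if expected is None:
        return ("drop", f"no route back to {src}")
    if expected != ingress_if:
        return ("drop", f"route to {src} is via {expected}, "
                        f"packet arrived on {ingress_if}")
    return ("permit", f"route to {src} is via {ingress_if}")

if __name__ == "__main__":
    # Constructed sample packets: (source address, ingress interface)
    samples = [
        ("10.1.2.3", "outside"),     # inside address seen on outside: spoofed
        ("198.51.100.7", "inside"),  # unknown source on inside: default route says outside
        ("10.1.2.3", "inside"),      # legitimate inside host
        ("198.51.100.7", "outside"), # legitimate Internet host
    ]
    for src, ifname in samples:
        verdict, reason = rpf_check(src, ifname)
        print(f"{src:>14} on {ifname:<7} -> {verdict}: {reason}")
```

On the ASA this check is enabled per interface with `ip verify reverse-path interface interface_name`.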

13nash
Level 8
Add icmp under inspect.

zhangjijun
Level 1
13nash posted on 2017-6-9 10:11
Add icmp under inspect.

Already added, and the ACL permits icmp as well.
access-list Test2 extended permit tcp any host 192.168.1.99 eq 3389
access-list Test2 extended permit tcp any host 172.17.20.253 eq www
access-list Test2 extended permit icmp any any
access-list Test2 extended permit tcp any host 172.17.20.253 eq 8861
access-list Test2 extended permit tcp any host 172.17.20.253 range 8000 8090
access-group Test2 in interface outside
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp