ASA bridge group problem

Posted on 2019-9-9 19:08:52
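Environment: the ASA is the egress gateway, with two downstream interfaces connected to two switches.
These two interfaces are bound into one bridge group, and a BVI is configured as the gateway address.
Problem: pinging from one port in the bridge group to the switch connected downstream of the other interface succeeds.
However, from one interface (an AVAYA phone) to the other interface (the AVAYA IPO, similar to a PBX), there is no audio when the phone is answered; the IPO can be pinged from the switch that the AVAYA is connected to.
The configuration is as follows: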
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside1
security-level 100
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside2
security-level 100
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 100
ip address 10.168.48.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network inside1
subnet 10.168.48.0 255.255.255.0
object network inside2
subnet 10.168.48.0 255.255.255.0
object-group network vpnsrc
network-object 10.168.48.0 255.255.255.0
object-group network vpndest
network-object 10.0.0.0 255.0.0.0
access-list inside2outside extended permit ip any any
access-list vpnlist extended permit ip object-group vpnsrc object-group vpndest
pager lines 24
logging enable
logging buffer-size 102400
logging buffered informational
logging asdm informational
mtu outside 1500
mtu inside1 1500
mtu inside2 1500
no failover
no monitor-interface inside
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside1,outside) source static vpnsrc vpnsrc destination static vpndest vpndest route-lookup
nat (inside2,outside) source static vpnsrc vpnsrc destination static vpndest vpndest route-lookup
!
object network inside1
nat (inside1,outside) dynamic interface
object network inside2
nat (inside2,outside) dynamic interface
access-group inside2outside in interface inside1
access-group inside2outside in interface inside2
access-group inside2outside in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 10.0.0.0 255.0.0.0 inside1
http 10.0.0.0 255.0.0.0 inside2
snmp-server host inside 192.168.1.40 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps syslog
snmp-server enable traps memory-threshold
snmp-server enable traps cpu threshold rising
service sw-reset-button
crypto ipsec ikev1 transform-set vpnset esp-3des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map vpnmap 10 match address vpnlist
crypto map vpnmap 10 set peer x.x.x.x
crypto map vpnmap 10 set ikev1 transform-set vpnset
crypto map vpnmap interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2      
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 10.0.0.0 255.0.0.0 inside1
ssh 10.0.0.0 255.0.0.0 inside2
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns 10.167.16.3 10.168.0.68
dhcpd lease 43200
dhcpd auto_config outside
!
dhcpd address 10.168.48.31-10.168.48.250 inside
dhcpd wins 10.168.0.7 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username root password $sha512$5000$qtyMXRmCD8n3UOqeq0oHwA==$BV9gLCOhag0Ma67ndkY0bw== pbkdf2 privilege 15
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 1
Cryptochecksum:aa8a6720199ccdc7b4f77260e09a5123
: end
