Cause: by default the ASA keeps stateful (connection) information only for TCP and UDP traffic passing through it. Telnet traffic can therefore go out and its return traffic comes back in through the firewall, whereas ICMP traffic that goes out cannot get back in.
Configuration details
1. ASA (on the 5505, the network zones are bound to VLAN virtual interfaces)
ciscoasa>en
ciscoasa#conf t
ciscoasa(config)#
ciscoasa(config)#hostname ASA
ASA(config)#interface vlan 2    VLAN 2 virtual interface
ASA(config-if)#nameif outside    define the outside interface
ASA(config-if)#security-level 0    security level 0
ASA(config-if)#ip address 200.1.1.1 255.255.255.0
ASA(config-if)#no shutdown
ASA(config-if)#exit
ASA(config)#interface vlan 1    VLAN 1 virtual interface
ASA(config-if)#nameif inside    define the inside interface
ASA(config-if)#security-level 100    security level 100
ASA(config-if)#ip address 192.168.1.1 255.255.255.0
ASA(config-if)#no sh
ASA(config-if)#no shutdown
ASA(config-if)#
Outside router configuration
Router>en
Router#conf t
Router(config)#hostname outside
outside(config)#interface f0/0
outside(config-if)#ip add 200.1.1.2 255.255.255.0
outside(config-if)#no shutdown
outside(config-if)#exit
outside(config)#line vty 0 4
outside(config-line)#password 666
outside(config-line)#login
outside(config-line)#exit
outside(config)#enable password 888
outside(config)#ip route 0.0.0.0 0.0.0.0 200.1.1.1
outside(config)#
Inside router configuration
Router>en
Router#conf t
Router(config)#hostname inside
inside(config)#interface f0/0
inside(config-if)#ip add 192.168.1.2 255.255.255.0
inside(config-if)#no shutdown
inside(config-if)#exit
inside(config)#line vty 0 1
inside(config-line)#password 666
inside(config-line)#login
inside(config-line)#exit
inside(config)#enable password 888
inside(config)#ip route 200.1.1.0 255.255.255.0 192.168.1.1
Verify Telnet traffic from inside to outside
The Telnet connection succeeds!
Now test the ping command
inside#ping 200.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
inside#
You can see the ping fails!
Tested from the outside router, both Telnet and ping fail as well!
Think about why! (If it is unclear, leave a question in the comments.)
Finally, permit the Telnet and ICMP traffic on the firewall
ASA(config)#access-list 100 permit tcp host 200.1.1.2 host 192.168.1.2 eq 23    permit Telnet traffic (TCP port 23)
ASA(config)#access-list 100 permit icmp host 200.1.1.2 host 192.168.1.2
permit the ICMP traffic coming in
ASA(config)#access-group 100 in interface outside
apply the access list in the in direction on the outside interface
Test results
inside#ping 200.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
outside>ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/5 ms
outside>telnet 192.168.1.2
Trying 192.168.1.2 ...Open
User Access Verification
Password:
inside>
Verification shows that Telnet and ICMP traffic is now permitted through the firewall. Note that the access list does more than let the ping replies back in: as the outside> tests show, it also lets the outside router (200.1.1.2) initiate ping and Telnet sessions toward 192.168.1.2.
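As an added illustration (not from the original post and not Cisco code), a small Python model of the decision logic described above: traffic from a higher to a lower security level passes, TCP/UDP leave a connection entry that lets the replies back in, ICMP does not, and the inbound access list on outside is what finally lets the echo reply and the outside-initiated Telnet through. Interface names, addresses and ports mirror the page; the client source port 11001 is a constructed value, and the parser only handles the "permit <proto> host A host B [eq PORT]" form used here.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Pkt:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0    # ports stay 0 for icmp
    dport: int = 0

@dataclass
class Asa:
    levels: dict                                 # interface -> security-level
    acls: dict = field(default_factory=dict)     # interface -> [(proto, src, dst, dport|None)]
    conns: set = field(default_factory=set)      # stateful table; TCP/UDP entries only

    def access_list(self, iface, line):
        """Parse 'permit <proto> host A host B [eq PORT]' (the page's subset) and bind it inbound on iface."""
        t = line.split()
        dport = int(t[7]) if len(t) > 7 and t[6] == "eq" else None
        self.acls.setdefault(iface, []).append((t[1], t[3], t[5], dport))

    def _acl_permits(self, iface, p):
        return any(proto == p.proto and src == p.src and dst == p.dst
                   and dport in (None, p.dport)
                   for proto, src, dst, dport in self.acls.get(iface, []))

    def forward(self, ingress, egress, p):
        """True if the ASA passes p from ingress to egress, False if it drops it."""
        if self.levels[ingress] > self.levels[egress]:
            # high -> low is implicitly allowed; only TCP/UDP leave a connection entry
            if p.proto in ("tcp", "udp"):
                self.conns.add((p.proto, p.src, p.dst, p.sport, p.dport))
            return True
        # low -> high needs a matching connection entry or an inbound ACL permit
        reply_of = (p.proto, p.dst, p.src, p.dport, p.sport)
        return reply_of in self.conns or self._acl_permits(ingress, p)

def demo():
    """Replay the page's tests: (telnet_ok, ping_ok_before_acl, ping_ok_after_acl)."""
    asa = Asa({"outside": 0, "inside": 100})
    syn = Pkt("tcp", "192.168.1.2", "200.1.1.2", 11001, 23)  # inside# telnet 200.1.1.2 (constructed sport)
    synack = Pkt("tcp", "200.1.1.2", "192.168.1.2", 23, 11001)
    telnet_ok = asa.forward("inside", "outside", syn) and asa.forward("outside", "inside", synack)
    echo, reply = Pkt("icmp", "192.168.1.2", "200.1.1.2"), Pkt("icmp", "200.1.1.2", "192.168.1.2")
    asa.forward("inside", "outside", echo)                   # inside# ping 200.1.1.2
    ping_before = asa.forward("outside", "inside", reply)    # dropped: no ICMP state, no ACL
    asa.access_list("outside", "permit icmp host 200.1.1.2 host 192.168.1.2")
    return telnet_ok, ping_before, asa.forward("outside", "inside", reply)
```

demo() returns (True, False, True), matching the 0 percent and then 100 percent ping results on the page.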
My course homepage: http://edu.51cto.com/lecturer/1025688.html
Join the group to study and discuss: 32307012
Original: http://blog.51cto.com/ronning/2103269