Cisco ASA 5505 无法从内部 ping 通外部

Cisco ASA 5505 无法从内部 ping 通外部

大家好,在此先谢谢大家的帮助。我在让思科防火墙 (asa 5505) 在区域之间 ping 时遇到了一些问题。内部区域无法与外部区域 ping 通,反之亦然。但我可以让内部区域与 DMZ 进行 ping,外部区域可以与 DMZ 进行 ping。但不知出于什么原因,我无法让内部和外部互相接受 ping。这一切都是使用 CLI/控制台完成的,如果答案不涉及使用 ASDM(由于某些原因我不能使用 ASDM),我将不胜感激。我尝试了大量谷歌搜索,但没有一个解决方案对我有用或涉及使用 ASDM。

我认为是 NAT(到目前为止,这不完全是我的强项,从来都不是)。但是,我已经包含了大部分启动/运行配置。一些信息被省略了(即主机名和密码)。

!
ASA Version 7.2(4)
interface Ethernet0/0
 description inside network
nameif inside
 security-level 100
 ip address 10.27.6.2 255.255.255.252 
!
interface Ethernet0/1
 description DMZ network
 nameif DMZ
 security-level 50
 ip address 10.65.4.1 255.255.255.0 
!
interface Ethernet0/2
 description outside network
 nameif outside
 security-level 0
 ip address 209.65.5.2 255.255.255.0 
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!

ftp mode passive
access-list outside extended permit tcp any any eq smtp 
access-list outside extended permit udp any any eq domain 
access-list outside extended permit tcp any any eq www 
access-list outside extended permit icmp any any 
access-list DMZ extended permit tcp any any eq smtp 
access-list DMZ extended permit tcp any any eq 50636 
access-list DMZ extended permit tcp any any eq domain 
access-list DMZ extended permit tcp any any eq www 
access-list DMZ extended permit udp any any eq domain 
access-list DMZ extended permit icmp any any 
pager lines 24
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (DMZ) 1 10.65.4.10-10.65.4.30
global (DMZ) 1 10.65.4.31
global (outside) 1 interface
nat (inside) 1 10.25.0.0 255.255.0.0
static (inside,DMZ) 10.25.0.0 10.25.0.0 netmask 255.255.0.0 
static (outside,DMZ) 10.65.4.2 209.65.5.3 netmask 255.255.255.255 
static (outside,DMZ) 10.65.4.3 209.65.5.4 netmask 255.255.255.255 
access-group DMZ in interface DMZ
access-group outside in interface outside
route inside 10.25.0.0 255.255.0.0 10.27.6.1 1
route outside 0.0.0.0 0.0.0.0 209.65.5.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat   0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map icmp-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:bfa954ee3900016b01cca15cfcf36eec
: end

上面的文本块中,关于外部和 DMZ 的静态 NAT 的行static (outside,DMZ) 10.65.4.X 209.65.5.X最初是这样static (DMZ,outside) 209.65.5.X 10.65.4.X的,但是我读到将较高安全级别映射到较低安全级别是一种不好的做法,所以我更改了它。我还尝试切换 ACL 以允许所有内容通过进行测试,代替ip any any我实际想要通过的内容,但仍然没有结果。感谢您审阅这一大段文字并提供任何建议,非常感谢。

相关内容