ASA 5505 用于在两个网络之间路由,因为它包含到所有网络的路由。以下描述了网络拓扑。
我尝试过各种访问列表的组合,例如:
access-list INSIDE_TO_INSIDE extended permit ip any any
或者
access-list INSIDE_TO_INSIDE extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
也:
access-group INSIDE_TO_INSIDE in interface inside
我无法从 .30 网络上的 PC ping 或连接到 .10 网络上的 PC。
我的日志有如下内容:
iscoasa# %ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/22 to 192.168.30.11/64337 flags SYN ACK on interface inside
%ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/22 to 192.168.30.11/64337 flags SYN ACK on interface inside
%ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/22 to 192.168.30.11/64337 flags SYN ACK on interface inside
%ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/22 to 192.168.30.11/64337 flags SYN ACK on interface inside
%ASA-3-106014: Deny inbound icmp src inside:192.168.10.117 dst inside:192.168.30.11 (type 0, code 0)
%ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/22 to 192.168.30.11/64337 flags SYN ACK on interface inside
%ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/22 to 192.168.30.11/64337 flags SYN ACK on interface inside
%ASA-3-106014: Deny inbound icmp src inside:192.168.10.117 dst inside:192.168.30.11 (type 0, code 0)
%ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/80 to 192.168.30.11/64338 flags RST ACK on interface inside
%ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/80 to 192.168.30.11/64339 flags RST ACK on interface inside
%ASA-3-106014: Deny inbound icmp src inside:192.168.10.117 dst inside:192.168.30.11 (type 0, code 0)
%ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/22 to 192.168.30.11/64337 flags SYN ACK on interface inside
%ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/80 to 192.168.30.11/64338 flags RST ACK on interface inside
%ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/80 to 192.168.30.11/64339 flags RST ACK on interface inside
%ASA-3-106014: Deny inbound icmp src inside:192.168.10.117 dst inside:192.168.30.11 (type 0, code 0)
%ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/21 to 192.168.30.11/64340 flags RST ACK on interface inside
%ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/80 to 192.168.30.11/64338 flags RST ACK on interface inside
%ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/80 to 192.168.30.11/64339 flags RST ACK on interface inside
这是相当标准的 ASA 配置。此外,数据包跟踪器显示 icmp 或 tcp 22 流量被隐含规则从 192.168.30.11 丢弃到 192.168.10.117。这是怎么回事?
答案1
您正在寻找的命令是
same-security-traffic permit {inter-interface | intra-interface}
默认情况下,进入一个接口的流量不能从同一个接口流出。以下命令将允许此类流量。
same-security-traffic permit intra-interface
与此命令经常相关的是same-security-traffic permit inter-interface命令。默认情况下,ASA 不允许来自某一安全级别的流量离开同一安全级别的接口。该same-security-traffic permit inter-interface命令允许此流量。
请参阅思科文档以了解更多详细信息。
https://www.cisco.com/c/en/us/td/docs/security/asa/asa81/command/ref/refgd/s1.html