ASA INSIDE to INSIDE traffic is being dropped

The ASA 5505 is used to route between the two networks, since it holds routes to all of the networks. The network topology is described below.

[image: network topology diagram]

I have tried various combinations of access lists, for example:

access-list INSIDE_TO_INSIDE extended permit ip any any

or

access-list INSIDE_TO_INSIDE extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0

and also:

access-group INSIDE_TO_INSIDE in interface inside

I cannot ping or connect from a PC on the .30 network to a PC on the .10 network.

My logs show the following:

    iscoasa# %ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/22 to 192.168.30.11/64337 flags SYN ACK  on interface inside
    %ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/22 to 192.168.30.11/64337 flags SYN ACK  on interface inside
    %ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/22 to 192.168.30.11/64337 flags SYN ACK  on interface inside
    %ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/22 to 192.168.30.11/64337 flags SYN ACK  on interface inside
    %ASA-3-106014: Deny inbound icmp src inside:192.168.10.117 dst inside:192.168.30.11 (type 0, code 0)
    %ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/22 to 192.168.30.11/64337 flags SYN ACK  on interface inside
    %ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/22 to 192.168.30.11/64337 flags SYN ACK  on interface inside
    %ASA-3-106014: Deny inbound icmp src inside:192.168.10.117 dst inside:192.168.30.11 (type 0, code 0)
    %ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/80 to 192.168.30.11/64338 flags RST ACK  on interface inside
    %ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/80 to 192.168.30.11/64339 flags RST ACK  on interface inside
    %ASA-3-106014: Deny inbound icmp src inside:192.168.10.117 dst inside:192.168.30.11 (type 0, code 0)
    %ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/22 to 192.168.30.11/64337 flags SYN ACK  on interface inside
    %ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/80 to 192.168.30.11/64338 flags RST ACK  on interface inside
    %ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/80 to 192.168.30.11/64339 flags RST ACK  on interface inside
    %ASA-3-106014: Deny inbound icmp src inside:192.168.10.117 dst inside:192.168.30.11 (type 0, code 0)
    %ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/21 to 192.168.30.11/64340 flags RST ACK  on interface inside
    %ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/80 to 192.168.30.11/64338 flags RST ACK  on interface inside
    %ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/80 to 192.168.30.11/64339 flags RST ACK  on interface inside

This is a fairly standard ASA configuration. Also, packet-tracer shows icmp or tcp 22 traffic from 192.168.30.11 to 192.168.10.117 being dropped by the implicit rule. What is going on?

Answer 1

The command you are looking for is same-security-traffic permit {inter-interface | intra-interface}

By default, traffic that enters an interface cannot leave through that same interface. The following command will permit such traffic:

same-security-traffic permit intra-interface

Often related to this command is the same-security-traffic permit inter-interface command. By default, the ASA does not allow traffic from one security level to leave through an interface with the same security level. The same-security-traffic permit inter-interface command allows this traffic.

See the Cisco documentation for more details.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa81/command/ref/refgd/s1.html
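Added example, not code from the question or the answer above: a small Python check that parses ASA 106001/106014 deny lines in the format shown in the question and flags those where the ingress and egress interface are the same, which is exactly the hairpin traffic that same-security-traffic permit intra-interface permits. The sample log lines and the interface-to-prefix map are constructed; since 106001 messages name only the ingress interface, the egress side is looked up from that assumed routing map.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in the same format as the question's ASA syslog output.
SAMPLE_LOG = """\
%ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/22 to 192.168.30.11/64337 flags SYN ACK  on interface inside
%ASA-3-106014: Deny inbound icmp src inside:192.168.10.117 dst inside:192.168.30.11 (type 0, code 0)
%ASA-2-106001: Inbound TCP connection denied from 203.0.113.5/443 to 192.168.30.11/50000 flags SYN ACK  on interface outside
%ASA-3-106014: Deny inbound icmp src outside:203.0.113.5 dst inside:192.168.30.11 (type 8, code 0)
"""

# Assumed routing map: which prefixes are reached through which interface.
# As in the question, both 192.168.10.0/24 and 192.168.30.0/24 sit behind "inside".
IFACE_ROUTES = {
    "inside": [ip_network("192.168.10.0/24"), ip_network("192.168.30.0/24")],
    "outside": [ip_network("0.0.0.0/0")],
}

TCP_RE = re.compile(r"%ASA-\d-106001: Inbound TCP connection denied from ([\d.]+)/\d+ "
                    r"to ([\d.]+)/\d+ .*on interface (\S+)")
ICMP_RE = re.compile(r"%ASA-\d-106014: Deny inbound icmp src (\w+):([\d.]+) dst (\w+):([\d.]+)")

def iface_for(addr):
    """Longest-prefix match of addr against IFACE_ROUTES; returns the interface name or None."""
    ip = ip_address(addr)
    best = None
    for name, nets in IFACE_ROUTES.items():
        for net in nets:
            if ip in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None

def classify(line):
    """Return (ingress_iface, egress_iface) for a deny line, or None for other messages."""
    m = TCP_RE.search(line)
    if m:
        _src, dst, ingress = m.groups()
        # 106001 only names the ingress interface, so derive egress from the routing map.
        return ingress, iface_for(dst)
    m = ICMP_RE.search(line)
    if m:
        return m.group(1), m.group(3)  # 106014 names both interfaces explicitly
    return None

def hairpin_denies(log_text):
    """Deny lines where ingress and egress interface match: blocked by the default
    intra-interface rule, which same-security-traffic permit intra-interface relaxes."""
    return [ln for ln in log_text.splitlines()
            if (c := classify(ln)) is not None and c[0] == c[1]]
```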
