ASA 5505 blocking traffic


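This 5505 is blocking traffic both in and out. I have asked good IT people for help, and they say it looks like it is configured correctly. It was working a week ago. I have shown the configuration here. If anyone can help, I would be very grateful.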

CrazyQASA# show running-config
: Saved
:
ASA Version 8.2(5)
!
terminal width 300
hostname CrazyQASA
domain-name CrazyQ.com

names
!
interface Ethernet0/0
 switchport access vlan 2
!

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.60.81.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 198.121.179.194 255.255.255.248
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 209.32.32.32
 name-server 206.8.8.8
 domain-name crazq.com
object-group service rdp3390 tcp
 port-object eq 3390
access-list inboundtraffic extended permit tcp any interface outside eq pptp
CrazyQASA# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/40/40 ms
CrazyQASA# ping 10.60.81.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.60.81.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
CrazyQASA# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
   D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
   N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
   E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
   i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
   * - candidate default, U - per-user static route, o - ODR
   P - periodic downloaded static route

Gateway of last resort is 198.121.179.194 to network 0.0.0.0

C    198.121.179.192 255.255.255.248 is directly connected, outside
C    10.60.81.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 198.121.179.194, outside
CrazyQASA#

Answer 1

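You can use the packet-tracer command to troubleshoot this. You specify the characteristics of the traffic you want to troubleshoot, and it evaluates that traffic against the ASA's configuration and tells you exactly what would happen if it actually hit your ASA.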

Cisco forum post describing packet-tracer
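Reading the result of the packet-tracer command suggested in the answer above, as an added example that is not part of the original answer: the script finds the first phase that did not return ALLOW and the final drop reason. The trace text is a constructed sample, and the inside host 10.60.81.10 and the function name `summarize` are assumptions.

```python
import re

# Constructed sample of what `packet-tracer input inside tcp 10.60.81.10 1025 8.8.8.8 80`
# could print; host 10.60.81.10 and the DROP result are made up for illustration.
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def summarize(trace):
    """Return (action, first_blocking_phase, drop_reason) from packet-tracer text."""
    phases = re.findall(
        r"^Phase: (\d+)\s*\nType: (\S+)\s*\n(?:Subtype:.*\n)?Result: (\w+)", trace, re.M)
    blocked = next(((int(n), t) for n, t, r in phases if r != "ALLOW"), None)
    action = re.search(r"^Action: (\w+)", trace, re.M)
    reason = re.search(r"^Drop-reason: (.+)$", trace, re.M)
    return (action.group(1) if action else None, blocked,
            reason.group(1).strip() if reason else None)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The phase type that blocks the flow (ROUTE-LOOKUP, ACCESS-LIST, NAT and so on) shows which part of the running configuration to inspect first.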

Answer 2

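It turned out to be a network ARP issue, not a Cisco issue. To fix it, we forced the MAC address to something different from the one on the NIC, rebooted the machine, and then changed it back to the address on the NIC. That fixed everything. The VPN started working, DNS started working, and everyone is happy. Sorry, I can't fully explain why, but it did work.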
