Cisco ASA5510 configuration problem

Posted 2017-11-10 20:43:12
LAOWANG-ASA(config)# show running-config
: Saved
:
ASA Version 8.4(3)
!
hostname LAOWANG-ASA
enable password jK1gVW.kdm8cDHVR encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
description internet
nameif outside
security-level 0
ip address 172.25.211.2 255.255.255.0
!
interface Ethernet0/1
description internal
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot config disk0:/running-config
ftp mode passive
dns domain-lookup inside
dns server-group inside
name-server 202.106.0.20
object network inside
subnet 0.0.0.0 0.0.0.0
object network outside
host 172.25.211.3
access-list out extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network inside
nat (any,any) dynamic outside
access-group out in interface outside
route outside 0.0.0.0 0.0.0.0 172.25.211.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
    308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
  quit
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group adsl request dialout pppoe
vpdn group adsl localname WX-TEST
vpdn group adsl ppp authentication chap
vpdn username WX-TEST password *****
dhcpd dns 202.106.46.151 202.106.0.20
dhcpd lease 7200
dhcpd domain inside-
!
dhcpd address 192.168.1.10-192.168.1.200 inside
dhcpd dns 202.106.46.151 202.106.0.20 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
username azrael_sf password F.FrKoi/E38a3Cg0 encrypted
!
!
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1a4e9792b267544448db45177dc92943
: end
LAOWANG-ASA(config)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 172.25.211.254 to network 0.0.0.0

C    172.25.211.0 255.255.255.0 is directly connected, outside
C    192.168.1.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 172.25.211.254, outside
LAOWANG-ASA(config)# ping 114.114.114.114
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 114.114.114.114, timeout is 2 seconds:
!!!!!
NAT is configured. Earlier, when I used the PPPoE interface as the outside interface, it was the same; the PPPoE interface has a default route, so NAT shouldn't be needed, right? But the internal network still can't get out to the internet, and the access control list is configured too. I don't know where the problem is. Could you friends help me take a look?

Original poster | Posted 2017-11-12 21:27:40
With a friend's help, I was told that ICMP inspection was missing. After studying it, I found that the purpose of adding ICMP inspection is that ICMP cannot use port numbers to control sessions the way TCP/UDP do. The command is simple: fixup protocol icmp
policy-map global_policy
class inspection_default
  inspect icmp
But after adding this command it still doesn't work.
Please help me take a look.
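As an added check over the two posts above (example code written for this page, not something from the poster or from Cisco): the script below parses a trimmed copy of the posted running-config, picks out the object NAT rules, the ACL bound inbound on outside, and the inspection policy, and reports the points that differ from the form the thread arrives at, namely nat (inside,outside) dynamic interface plus inspect icmp. The object and ACL names (inside, outside, out) are the ones in the post; FIXED_CONFIG and the object name inside-net are constructed. The blanket permit ip any any applied inbound on outside is a separate point worth noticing: the ASA allows return traffic for connections opened from inside statefully, so that rule is not needed for internal hosts to reach the internet.

```python
"""Audit the NAT, outside-ACL and ICMP-inspection settings of an ASA 8.3+ running-config.

Added example for this thread, not code from the poster or from Cisco. SAMPLE_CONFIG is a
trimmed, constructed copy of the running-config posted above (indentation as pasted);
FIXED_CONFIG is a constructed variant using the corrections the later posts arrive at.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SAMPLE_CONFIG = """\
object network inside
subnet 0.0.0.0 0.0.0.0
object network outside
host 172.25.211.3
access-list out extended permit ip any any
object network inside
nat (any,any) dynamic outside
access-group out in interface outside
route outside 0.0.0.0 0.0.0.0 172.25.211.254 1
"""

FIXED_CONFIG = """\
object network inside-net
subnet 192.168.1.0 255.255.255.0
object network inside-net
nat (inside,outside) dynamic interface
policy-map global_policy
class inspection_default
inspect icmp
"""

NAT_RE = re.compile(r"^nat \((?P<real>[^,]+),(?P<mapped>[^)]+)\) (?P<kind>dynamic|static) (?P<target>\S+)")
ACL_ANY_RE = re.compile(r"^access-list (\S+) extended permit ip any any$")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")
OBJECT_MEMBER_KEYWORDS = ("subnet", "host", "range", "description")


@dataclass
class NetObject:
    name: str
    member: str = ""                      # e.g. "host 172.25.211.3"
    nat: Optional[Dict[str, str]] = None  # parsed object-NAT line, if the object has one


@dataclass
class Parsed:
    objects: Dict[str, NetObject] = field(default_factory=dict)
    acls_permit_any: Set[str] = field(default_factory=set)                   # ACLs containing "permit ip any any"
    access_groups: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # iface -> (acl, direction)
    inspects: Set[str] = field(default_factory=set)                          # protocols listed under "inspect"


def parse(config: str) -> Parsed:
    p = Parsed()
    current: Optional[NetObject] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("object network "):
            # The ASA prints an object twice: once with its members, later with its NAT line.
            name = line.split()[2]
            current = p.objects.setdefault(name, NetObject(name))
            continue
        if current is not None:
            if line.split()[0] in OBJECT_MEMBER_KEYWORDS:
                current.member = line
                continue
            m = NAT_RE.match(line)
            if m:
                current.nat = m.groupdict()
                continue
            current = None  # any other command ends the object block
        if (m := ACL_ANY_RE.match(line)):
            p.acls_permit_any.add(m.group(1))
        elif (m := ACCESS_GROUP_RE.match(line)):
            p.access_groups[m.group(3)] = (m.group(1), m.group(2))
        elif line.startswith("inspect "):
            p.inspects.add(line.split()[1])
    return p


def audit(config: str) -> List[str]:
    """Return one finding per setting that differs from the working form in the thread."""
    p = parse(config)
    findings: List[str] = []
    for obj in p.objects.values():
        if obj.nat is None:
            continue
        real, mapped, kind, target = (obj.nat[k] for k in ("real", "mapped", "kind", "target"))
        if "any" in (real, mapped):
            findings.append(f"object {obj.name}: nat ({real},{mapped}) uses 'any'; "
                            "the working rule names the interface pair, e.g. nat (inside,outside)")
        if kind == "dynamic" and target != "interface":
            mapped_obj = p.objects.get(target)
            desc = mapped_obj.member if mapped_obj else "undefined object"
            findings.append(f"object {obj.name}: dynamic NAT maps to object '{target}' ({desc}) "
                            "rather than 'interface' (the outside interface address)")
    for iface, (acl, direction) in p.access_groups.items():
        if direction == "in" and acl in p.acls_permit_any:
            findings.append(f"ACL '{acl}' inbound on '{iface}' permits ip any any; return traffic for "
                            "connections started from inside is allowed statefully without it")
    if "icmp" not in p.inspects:
        findings.append("no 'inspect icmp' in the policy-map: echo replies are not matched to requests as a session")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("corrected", FIXED_CONFIG)):
        print(f"--- {label}: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
```

The parser deliberately strips leading whitespace before matching, because pasted ASA output (as in this thread) loses the one-space indent that marks object sub-commands; it therefore treats subnet/host/range/description/nat lines as belonging to the most recent object network line, which is how the ASA itself lays the config out.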

Original poster | Posted 2017-11-13 11:53:50
The NAT section changed from version 8.3 onward.
Original configuration:
global (outside) 10 interface
global (dmz) 10 interface
nat (dmz) 10 172.18.1.0 255.255.255.0
nat (inside) 10 10.26.0.0 255.255.0.0
nat (inside2) 10 172.16.1.0 255.255.255.0
New configuration:
object network obj_10.26.0.0
subnet 10.26.0.0 255.255.0.0
nat (inside,outside) dynamic interface   (the interface pair in the parentheses is not decoration; it must be written out)

object network obj_10.26.0.0-01
subnet 10.26.0.0 255.255.0.0
nat (inside,dmz) dynamic interface

object network obj_172.16.1.0-01
subnet 172.16.1.0 255.255.255.0
nat (inside2,dmz) dynamic interface

object network obj_172.18.1.0
subnet 172.18.1.0 255.255.255.0
nat (dmz,outside) dynamic interface
Static NAT configuration changes:
Original configuration:
static (dmz,outside) tcp 11.22.33.44 ftp 172.18.1.80 ftp netmask 255.255.255.255
static (dmz,outside) tcp 11.22.33.44 www 172.18.1.80 www netmask 255.255.255.255
static (inside,outside) tcp 11.22.33.44 5900 10.26.0.8 5900 netmask 255.255.255.255
New configuration:
object network obj-172.18.1.80
host 172.18.1.80
nat (dmz,outside) static 11.22.33.44 service tcp ftp ftp

object network obj-172.18.1.80-01
host 172.18.1.80
nat (dmz,outside) static 11.22.33.44 service tcp www www

object network obj-10.26.0.8
host 10.26.0.8
nat (inside,outside) static 11.22.33.44 service tcp 5900 5900
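A small converter for the pre-8.3 to 8.3+ NAT rewrite described in the post above, added here as an example (not the poster's or Cisco's code). It generalizes the rule the post applies by hand: every nat statement is paired with every global statement carrying the same NAT id, one object per (real, mapped) interface pair, and each static line becomes a host object with static or static-PAT object NAT. Run on the legacy lines above, it also produces an (inside2,outside) object that the hand-written list omits; the post's own naming (obj_172.16.1.0-01 with no obj_172.16.1.0) suggests that entry was simply dropped when pasting. Object names follow the post's convention, and sub-commands are emitted with the one-space indent the ASA prints, which the pasted text lost.

```python
"""Convert pre-8.3 ASA NAT statements (global / nat / static) into 8.3+ object NAT.

Added example for this thread; not the poster's or Cisco's code. LEGACY_CONFIG is a
constructed copy of the legacy lines posted above. Object names follow the post's
convention (obj_<net> and obj-<host>, with -01, -02 ... when a real address is reused).
"""
import re
from collections import defaultdict
from typing import DefaultDict, List

LEGACY_CONFIG = """\
global (outside) 10 interface
global (dmz) 10 interface
nat (dmz) 10 172.18.1.0 255.255.255.0
nat (inside) 10 10.26.0.0 255.255.0.0
nat (inside2) 10 172.16.1.0 255.255.255.0
static (dmz,outside) tcp 11.22.33.44 ftp 172.18.1.80 ftp netmask 255.255.255.255
static (dmz,outside) tcp 11.22.33.44 www 172.18.1.80 www netmask 255.255.255.255
static (inside,outside) tcp 11.22.33.44 5900 10.26.0.8 5900 netmask 255.255.255.255
"""

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) interface$")  # global (mapped_if) id interface
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")       # nat (real_if) id net mask


class ObjectNamer:
    """Hand out obj_x, then obj_x-01, obj_x-02 ... for each reuse of the same base name."""

    def __init__(self) -> None:
        self.seen: DefaultDict[str, int] = defaultdict(int)

    def name(self, base: str) -> str:
        n = self.seen[base]
        self.seen[base] += 1
        return base if n == 0 else f"{base}-{n:02d}"


def convert(legacy: str) -> str:
    globals_by_id: DefaultDict[str, List[str]] = defaultdict(list)  # nat id -> mapped interfaces
    nats: List[tuple] = []         # (real_if, nat id, net, mask) in original order
    statics: List[List[str]] = []  # tokenised "static ..." lines
    for raw in legacy.splitlines():
        line = raw.strip()
        if (m := GLOBAL_RE.match(line)):
            globals_by_id[m.group(2)].append(m.group(1))
        elif (m := NAT_RE.match(line)):
            nats.append(m.groups())
        elif line.startswith("static "):
            statics.append(line.split())

    namer = ObjectNamer()
    out: List[str] = []
    # Dynamic PAT: one object per (real interface, mapped interface) pair sharing a NAT id.
    # Sub-commands are indented one space, as the ASA itself prints them.
    for real_if, nat_id, net, mask in nats:
        for mapped_if in globals_by_id.get(nat_id, []):
            if mapped_if == real_if:
                continue  # the post's conversion omits same-interface pairs such as (dmz,dmz)
            name = namer.name(f"obj_{net}")
            out += [f"object network {name}",
                    f" subnet {net} {mask}",
                    f" nat ({real_if},{mapped_if}) dynamic interface", ""]
    # Static NAT / static PAT:
    #   static (real,mapped) [tcp|udp] mapped_ip [mapped_port] real_ip [real_port] netmask 255.255.255.255
    # Object NAT lists the real port before the mapped port: "service tcp real_port mapped_port".
    for t in statics:
        if_pair = t[1].strip("()")
        if t[2] in ("tcp", "udp"):
            proto, mapped_ip, mapped_port, real_ip, real_port = t[2:7]
            nat_line = f" nat ({if_pair}) static {mapped_ip} service {proto} {real_port} {mapped_port}"
        else:
            mapped_ip, real_ip = t[2:4]
            nat_line = f" nat ({if_pair}) static {mapped_ip}"
        name = namer.name(f"obj-{real_ip}")
        out += [f"object network {name}", f" host {real_ip}", nat_line, ""]
    return "\n".join(out).rstrip()


if __name__ == "__main__":
    print(convert(LEGACY_CONFIG))
```

Only the "global ... interface" form is handled, since that is the form in the post; a global statement with an address pool would need a second object for the mapped range, which this converter does not attempt.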

Original poster | Posted 2017-11-13 11:54:18
T`ing posted on 2017-11-13 11:53:
The NAT section changed from version 8.3 onward.
Original configuration:
global (outside) 10 interface

The NAT was not written correctly, which is why the internal network could not get out to the internet.