Views: 3500 | Replies: 9

[Help] ASA5520 connected to a 3750: cannot ping the ISP gateway address on the outside

#1 | Posted 2014-5-2 12:10:07
Bounty: 5 鸿鹄币
Sorry to bother everyone again, I have another question I need help with:
Topology is as follows:

ISP---------e0/0 ASA5510 e0/1 ----------g1/0/24 3750 --------PC

Briefly: the 3750 is the gateway for the PCs; SVIs are enabled on it, and it also runs DHCP to hand out addresses for each subnet.

The problem now is that the PC gets an address from DHCP automatically and can ping the firewall's outside IP address, but it cannot ping the ISP's gateway. I don't know why.

Below are the ASA5510 and 3750 configs; please take a look, thanks in advance!!

ASA 5510 config:

ASA Version 8.2(1)
!
hostname TEST-ASA-01
enable password p1tEhrIOnzoJ0/a3 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.252
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/1.902
description Connect_To_SW3750
vlan 902
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.252
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool OP 192.168.100.51-192.168.100.100
ip local pool NW_POOL 192.168.200.1-192.168.200.30
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.0.0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside 192.168.0.0 255.255.0.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.2019-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy OP internal
group-policy OP attributes
vpn-tunnel-protocol svc webvpn
webvpn
  svc keep-installer installed
  svc ask enable
group-policy NW internal
group-policy NW attributes
vpn-tunnel-protocol svc webvpn
webvpn
  svc keep-installer installed
  svc ask enable
username test01 password T6mdQEbjE1ywEZ6. encrypted
username test01 attributes
vpn-group-policy NW
username wangchen password ZVft9mUih0WHN9E8 encrypted privilege 15
username chwg password 2VqixR7FDLomW84E encrypted privilege 15
username chwg attributes
vpn-group-policy OP
tunnel-group OP type remote-access
tunnel-group OP general-attributes
address-pool OP
default-group-policy OP
tunnel-group OP webvpn-attributes
group-alias NP_Operation enable
tunnel-group NW type remote-access
tunnel-group NW general-attributes
address-pool NW_POOL
tunnel-group NW webvpn-attributes
group-alias Network enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:16e51a179de83fefe7dd24dbe719fee9
: end
Cisco 3750 config:


TEST-SW-01#sh running-config
Building configuration...

Current configuration : 3225 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname TEST-SW-01
!
enable secret 5 $1$hqqT$aiL4DTejV0uI0N.qtk8R1/
!
no aaa new-model
switch 1 provision ws-c3750g-24t
ip subnet-zero
!
ip dhcp pool Wired
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.254
   dns-server 202.99.96.68 8.8.8.8
!
ip dhcp pool Wireless
   network 192.168.20.0 255.255.255.0
   default-router 192.168.20.254
   dns-server 202.99.96.68 8.8.8.8
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet1/0/1
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet1/0/2
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet1/0/3
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet1/0/4
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet1/0/5
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet1/0/6
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet1/0/7
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet1/0/8
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet1/0/9
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet1/0/10
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet1/0/11
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet1/0/12
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet1/0/13
switchport access vlan 301
switchport mode access
!
interface GigabitEthernet1/0/14
switchport access vlan 301
switchport mode access
!
interface GigabitEthernet1/0/15
switchport access vlan 301
switchport mode access
!
interface GigabitEthernet1/0/16
switchport access vlan 301
switchport mode access
!
interface GigabitEthernet1/0/17
switchport access vlan 230
switchport mode access
!
interface GigabitEthernet1/0/18
switchport access vlan 230
switchport mode access
!
interface GigabitEthernet1/0/19
switchport access vlan 230
switchport mode access
!
interface GigabitEthernet1/0/20
switchport access vlan 230
switchport mode access
!
interface GigabitEthernet1/0/21
switchport access vlan 999
switchport mode access
!
interface GigabitEthernet1/0/22
switchport access vlan 999
switchport mode access
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 902
switchport mode trunk
!
interface Vlan1
no ip address
shutdown
!
interface Vlan100
ip address 192.168.10.254 255.255.255.0
!
interface Vlan111
ip address 192.168.20.254 255.255.255.0
!
interface Vlan301
ip address 192.168.40.254 255.255.255.0
!
interface Vlan902
ip address 192.168.1.2 255.255.255.252
!
interface Vlan999
ip address 192.168.50.254 255.255.255.0
!
ip classless
ip http server
!
!
control-plane
!
!
line con 0
password 7 120E061F4A5358557D
login
line vty 0 4
password 7 1312141A5354507B7C
login
line vty 5 15
no login
!
!
end

TEST-SW-01#
Best regards



Best answer

#2 | Posted 2014-5-2 12:10:08
What about your ASA's default route? 0.0.0.0 0.0.0.0 ISP's IP (gateway)

#3 | [OP] Posted 2014-5-2 21:45:11
zengjiawei posted on 2014-5-2 18:27:
What about your ASA's default route? 0.0.0.0 0.0.0.0 ISP's IP (gateway)

It's in the middle:

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1

#4 | Posted 2014-5-2 22:00:41
It looks like you haven't made an ACL that allows the lower security level to access the higher one. By default, access from a higher security level to a lower one is permitted, but you still have to open up a policy for the lower level to access the higher level.

#5 | [OP] Posted 2014-5-3 09:51:55
ciscowlan posted on 2014-5-2 22:00:
It looks like you haven't made an ACL that allows the lower security level to access the higher one. By default, access from a higher security level to a lower one is permitted, but you still have to open up a policy for the lower level ...

You mean that on the ASA, inside can access outside by default, but outside cannot access inside by default?
My understanding of what you're saying is that right now a packet can go from inside to outside, but when the reply comes back it can't get from outside to inside?
Is that what you mean?
Then what is the command to enable this outside-to-inside access?
Is an ACL enough?

#6 | Posted 2014-5-3 13:49:18
wongchan posted on 2014-5-3 09:51:
You mean that on the ASA, inside can access outside by default, but outside cannot access inside by default?
My understanding of what you're saying is ...

Yes, that's right. Just make an ACL that permits the matching traffic.

#7 | Posted 2014-5-8 11:58:49
No policy!

#8 | [OP] Posted 2014-5-8 21:47:55
What does "no policy" mean?

#9 | Posted 2014-5-8 21:51:47
wongchan posted on 2014-5-8 21:47:
What does "no policy" mean?

It's the ACL; on a firewall it's called a policy!

#10 | [OP] Posted 2014-5-9 20:00:21
创新0824 posted on 2014-5-8 21:51:
It's the ACL; on a firewall it's called a policy!

OK, so you mean the same thing as post #6.
I need to write an ACL on the ASA to permit traffic from outside to inside,
and then the ping will work, right?
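Editor's worked example (added here; it is not from any of the posts above and not the OP's final configuration). The replies are right that the ASA has to let the reply traffic back in, but the mechanism deserves spelling out. The posted `policy-map global_policy` contains no `inspect icmp`, so an echo request from a PC is PAT'ed out through `global (outside) 1 interface`, no ICMP connection entry is created, and the ISP gateway's echo-reply is dropped by the implicit deny for inbound traffic on the outside interface. Pinging the ASA's own outside address works because that is to-the-box traffic, which interface ACLs and inspection do not govern. Two fixes are shown: stateful ICMP inspection (the cleaner one) and the inbound ACL the replies describe; apply one, not both. The posted 3750 config also shows neither `ip routing` nor a default route toward 192.168.1.1, so those lines are included in case the paste is the real running config. The ACL name `OUTSIDE_IN`, the test host 192.168.10.10 and the placeholder `<isp-gateway>` are the editor's choices, not from the thread; syntax follows ASA 8.2 and IOS 12.2 as posted.

```cisco
! ===== ASA 5510 (8.2) =====
!
! Option A (recommended): track ICMP statefully in the existing global policy.
! Echo replies and related ICMP errors are then matched to the outbound
! request; nothing else inbound is opened.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Option B: what posts #4/#6/#9 describe, an ACL applied inbound on outside.
! Permit only reply/error types, never "permit icmp any any"; the implicit
! deny at the end keeps everything else out, exactly as before.
! OUTSIDE_IN is an editor-chosen name.
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-group OUTSIDE_IN in interface outside
!
! While here: the posted config allows telnet/ssh/http management from
! 0.0.0.0/0 on outside. Scope management to the inside network instead
! (adjust the subnet to whatever admin network actually applies).
no telnet 0.0.0.0 0.0.0.0 outside
no ssh 0.0.0.0 0.0.0.0 outside
no http 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.0.0 inside
http 192.168.0.0 255.255.0.0 inside
!
! Checks. packet-tracer confirms route lookup and PAT for the outbound
! request (<isp-gateway> = the xxx.xxx.xxx.xxx next hop in "route outside");
! with inspect icmp on, "show conn" lists the ICMP connection while a ping runs.
! packet-tracer input inside icmp 192.168.10.10 8 0 <isp-gateway>
! show conn protocol icmp
! show access-list OUTSIDE_IN

! ===== Cisco 3750 (12.2) =====
! As posted, SVIs exist but L3 forwarding is not enabled and there is no
! default route; add both so VLAN hosts reach the ASA via 192.168.1.2 -> .1.
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.1.1
```

With option B the hit counters in `show access-list OUTSIDE_IN` should increment once per reply; if they stay at zero the reply never reached the ASA and the problem is upstream of the firewall (ISP-side routing or the 3750's own forwarding). The AnyConnect/WebVPN service enabled on outside is to-the-box traffic and is unaffected by the interface ACL.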

鸿鹄论坛 (HH010.COM), powered by Discuz!