ASA Inside不能通DMZ

billcyz

这张图里面DMZ不能ping通inside，是不是需要ACL？该怎么配置？？

ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/1
nameif DMZ
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
nameif outside
security-level 0
ip address 202.2.14.24 255.255.255.240
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot config disk0:/.private/startup-config
ftp mode passive
access-list outside extended deny ip any any
access-list dmz_to_other extended permit icmp 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 echo-reply
access-list outside_in extended permit icmp any host 202.2.14.26 echo
access-list outside_in extended deny ip any any
access-list inside_in extended permit icmp any any echo
access-list dmz_test extended permit icmp 192.168.1.0 255.255.255.0 any echo-reply
access-list dmz_test extended deny ip any any
pager lines 24
no logging message 402128
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
static (DMZ,outside) 202.2.14.26 192.168.1.2 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 202.2.14.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:07ff3d35209eb408587278c7e51f7756
: end

billcyz

求大神给我指点一下

billcyz

设置了inspect icmp，应该有用啊

Araon_Marcellus

inside: sec-level = 50
dmz: sec-level = 100

* inside < dmz

myna

access-list dmz_to_inside extended permit icmp 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 any
access-group dmz_to_inside in interface DMZ

billcyz

Araon_Marcellus 发表于 2014-11-29 22:24
inside: sec-level = 50
dmz: sec-level = 100

可是设置了inside为100，DMZ是50啊

billcyz

myna 发表于 2014-11-29 23:00
access-list dmz_to_inside extended permit icmp 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0  ...

试过了，可是还是不成功

myna

billcyz 发表于 2014-11-30 05:14
试过了，可是还是不成功

ASA换一个版本

klinuxe

这个什么版本的GNS3

klinuxe

拿分走人呵呵，楼下继续！

klinuxe

拿分走人呵呵，楼下继续！

doudoupig

拿分走人呵呵，楼下继续！

phil

Thanks for your information.