网络小学徒
Problem: the Layer 3 switch (192.168.5.2) on the left of the firewall (Cisco 5505) cannot ping the router (211.10.1.22) on the right of the firewall. Firewall trust-zone IP address: 192.168.5.1/24; untrust-zone IP address: 211.10.1.21/30.
I did the following:
1. The Layer 3 switch's routing is below. I am using OSPF, but to be able to ping the router I added a static route.
router ospf 1
log-adjacency-changes
redistribute static subnets
redistribute connected subnets
network 192.168.0.0 0.0.0.255 area 1
network 192.168.1.0 0.0.0.255 area 1
network 192.168.2.0 0.0.0.255 area 1
network 192.168.3.0 0.0.0.255 area 1
network 192.168.5.0 0.0.0.255 area 1
network 192.168.4.0 0.0.0.255 area 1
ip classless
ip route 211.10.1.20 255.255.255.252 192.168.5.1
Switch#show ip route
C 192.168.0.0/24 is directly connected, Vlan1
C 192.168.1.0/24 is directly connected, Vlan100
C 192.168.2.0/24 is directly connected, Vlan200
C 192.168.3.0/24 is directly connected, Vlan300
C 192.168.4.0/24 is directly connected, Vlan400
C 192.168.5.0/24 is directly connected, Vlan500
211.10.1.0/30 is subnetted, 1 subnets
S 211.10.1.20 [1/0] via 192.168.5.1
2. The router's routing is below. It also uses OSPF, but to be able to ping the switch I added a static route.
router ospf 1
log-adjacency-changes
redistribute static subnets
redistribute connected subnets
network 172.16.1.0 0.0.0.3 area 1
network 211.10.1.0 0.0.0.3 area 1
network 211.10.1.16 0.0.0.3 area 1
!
ip classless
ip route 192.168.5.0 255.255.255.0 211.10.1.21
Router#show ip route
172.16.0.0/30 is subnetted, 4 subnets
C 172.16.1.0 is directly connected, Serial0/0/0
O 172.16.1.4 [110/65] via 172.16.1.1, 01:29:06, Serial0/0/0
O 172.16.1.8 [110/129] via 172.16.1.1, 01:29:06, Serial0/0/0
O 172.16.1.12 [110/66] via 172.16.1.1, 01:29:06, Serial0/0/0
S 192.168.5.0/24 [1/0] via 211.10.1.21
O 192.168.6.0/24 [110/130] via 211.10.1.1, 01:29:06, Serial0/0/1
[110/130] via 172.16.1.1, 01:29:06, Serial0/0/0
211.10.1.0/30 is subnetted, 6 subnets
C 211.10.1.0 is directly connected, Serial0/0/1
O 211.10.1.4 [110/65] via 211.10.1.1, 01:29:06, Serial0/0/1
O 211.10.1.8 [110/129] via 211.10.1.1, 01:29:06, Serial0/0/1
O 211.10.1.12 [110/66] via 211.10.1.1, 01:29:06, Serial0/0/1
C 211.10.1.16 is directly connected, FastEthernet0/1
C 211.10.1.20 is directly connected, FastEthernet0/0
3. The firewall's routing configuration is below. 192.168.5.1 is the trust interface, connected to the Layer 3 switch; 211.10.1.21 is the untrust interface, connected to the router.
HQFW01#show route
S 192.168.0.0 255.255.255.0 [1/0] via 192.168.5.2, trust
S 192.168.1.0 255.255.255.0 [1/0] via 192.168.5.2, trust
S 192.168.2.0 255.255.255.0 [1/0] via 192.168.5.2, trust
S 192.168.3.0 255.255.255.0 [1/0] via 192.168.5.2, trust
S 192.168.4.0 255.255.255.0 [1/0] via 192.168.5.2, trust
C 192.168.5.0 255.255.255.0 is directly connected, trust
211.10.1.0/30 is subnetted, 2 subnets
C 211.10.1.0 255.255.255.252 is directly connected, untrust
C 211.10.1.20 255.255.255.252 is directly connected, untrust
S* 0.0.0.0/0 [1/0] via 211.10.1.22
Questions:
The two sides of the firewall cannot ping each other, and it still does not work even after I configured access-list 101 extended permit icmp any any.
When I replace the firewall with a router, the devices on both sides can ping each other.
That router's routing information is as follows:
ip classless
ip route 192.168.0.0 255.255.255.0 192.168.5.2
ip route 192.168.1.0 255.255.255.0 192.168.5.2
ip route 192.168.2.0 255.255.255.0 192.168.5.2
ip route 192.168.3.0 255.255.255.0 192.168.5.2
ip route 192.168.4.0 255.255.255.0 192.168.5.2
ip route 0.0.0.0 0.0.0.0 211.10.1.22
Please help me find where the firewall configuration is wrong. Thanks a lot!
Below is the firewall's configuration:
: Saved
:
ASA Version 8.4(2)
!
hostname HQFW01
names
!
interface Ethernet0/0
switchport access vlan 100
!
interface Ethernet0/1
switchport access vlan 200
!
interface Ethernet0/2
switchport access vlan 1
!
interface Ethernet0/3
switchport access vlan 1
!
interface Ethernet0/4
switchport access vlan 1
!
interface Ethernet0/5
switchport access vlan 1
!
interface Ethernet0/6
switchport access vlan 1
!
interface Ethernet0/7
switchport access vlan 1
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan2
no nameif
no security-level
ip address dhcp
!
interface Vlan100
nameif trust
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface Vlan200
nameif untrust
security-level 0
ip address 211.10.1.21 255.255.255.252
!
!
route trust 192.168.0.0 255.255.255.0 192.168.5.2 1
route trust 192.168.1.0 255.255.255.0 192.168.5.2 1
route trust 192.168.2.0 255.255.255.0 192.168.5.2 1
route trust 192.168.3.0 255.255.255.0 192.168.5.2 1
route trust 192.168.4.0 255.255.255.0 192.168.5.2 1
route untrust 0.0.0.0 0.0.0.0 211.10.1.22 1
!
access-list 101 extended permit icmp any any
!
!
!
!
!
!
!
!
!
telnet timeout 5
ssh timeout 5
!
dhcpd enable
!
dhcpd auto_config outside
!
!
!
!
!
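Two things stand out in the configuration pasted above before routing is even considered: it defines access-list 101 but contains no access-group line binding that list to an interface, and it contains no policy-map with inspect icmp. On an ASA an access-list has no effect until it is applied with access-group, and ICMP is not tracked as a stateful session unless ICMP inspection is enabled, so an echo request leaving trust (security-level 100) toward untrust (security-level 0) is allowed out, while the echo reply arriving on untrust is dropped by the implicit deny on the lower-security interface. The Python script below is an added example written for this page, not something posted in the thread: it lints a pasted ASA configuration for exactly those two conditions (an unbound ACL, and no return path for ICMP). The embedded POSTED_CONFIG text is taken from the post; the FIXED_CONFIG fragment is a constructed assumption showing what a corrected configuration would contain, not something the poster tried.

```python
"""Lint a pasted Cisco ASA configuration for two conditions that commonly make
ICMP fail through the box: an access-list that is defined but never bound with
access-group, and the absence of an ICMP return path (no 'inspect icmp' and no
inbound ACL on a security-level 0 interface)."""
import re
from dataclasses import dataclass, field

# Constructed input: the interface, route and ACL lines of the configuration
# posted in the thread above (indentation added; the lint strips it anyway).
POSTED_CONFIG = """\
ASA Version 8.4(2)
hostname HQFW01
interface Vlan1
 no nameif
 no security-level
 no ip address
interface Vlan2
 no nameif
 no security-level
 ip address dhcp
interface Vlan100
 nameif trust
 security-level 100
 ip address 192.168.5.1 255.255.255.0
interface Vlan200
 nameif untrust
 security-level 0
 ip address 211.10.1.21 255.255.255.252
route trust 192.168.0.0 255.255.255.0 192.168.5.2 1
route untrust 0.0.0.0 0.0.0.0 211.10.1.22 1
access-list 101 extended permit icmp any any
"""

# Constructed: the same configuration with the ACL bound inbound on untrust and
# ICMP inspection enabled in the global policy. This is an assumed fix for
# illustration, not a change the poster reported making.
FIXED_CONFIG = POSTED_CONFIG + """\
access-group 101 in interface untrust
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
"""


@dataclass
class AsaLint:
    interfaces: dict = field(default_factory=dict)   # nameif -> security-level
    acls_defined: set = field(default_factory=set)
    acls_bound: dict = field(default_factory=dict)   # acl name -> (direction, nameif)
    icmp_inspected: bool = False
    findings: list = field(default_factory=list)


def lint_asa_config(text: str) -> AsaLint:
    """Single pass over the config lines, then derive findings from what was seen."""
    result = AsaLint()
    current_nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current_nameif = None            # new interface block; forget the old nameif
        elif line.startswith("nameif "):
            current_nameif = line.split()[1]
            result.interfaces.setdefault(current_nameif, None)
        elif line.startswith("security-level ") and current_nameif:
            result.interfaces[current_nameif] = int(line.split()[1])
        elif line.startswith("access-list "):
            result.acls_defined.add(line.split()[1])
        elif line.startswith("access-group "):
            m = re.match(r"access-group (\S+) (in|out) interface (\S+)", line)
            if m:
                result.acls_bound[m.group(1)] = (m.group(2), m.group(3))
        elif line == "inspect icmp":
            result.icmp_inspected = True

    # An ACL that is defined but never applied filters nothing.
    for acl in sorted(result.acls_defined - set(result.acls_bound)):
        result.findings.append(f"access-list {acl} is defined but never applied with access-group")
    for acl, (_direction, nameif) in result.acls_bound.items():
        if acl not in result.acls_defined:
            result.findings.append(f"access-group references undefined access-list {acl}")
        if nameif not in result.interfaces:
            result.findings.append(f"access-group for {acl} references unknown interface {nameif}")

    # Echo replies come back to the lowest-security interface; without ICMP
    # inspection they need an inbound ACL there, otherwise the implicit deny wins.
    low_ifaces = [n for n, lvl in result.interfaces.items() if lvl == 0]
    acl_on_low_in = any(direction == "in" and nameif in low_ifaces
                        for direction, nameif in result.acls_bound.values())
    if low_ifaces and not (result.icmp_inspected or acl_on_low_in):
        result.findings.append(
            "no 'inspect icmp' and no inbound access-group on "
            f"{', '.join(low_ifaces)}: echo replies from that side are dropped")
    return result


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        report = lint_asa_config(cfg)
        print(f"[{label}] interfaces={report.interfaces} findings={report.findings or 'none'}")
```

Run against the posted text the lint reports both conditions; against the constructed fix it reports nothing. Either change alone (binding the ACL inbound on untrust, or enabling ICMP inspection) clears the return-path finding; only the binding clears the unbound-ACL finding.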