Cisco ASA 5550: interfaces cannot reach each other?

#1 Posted 2011-08-25 01:03
The internal interfaces of a Cisco ASA 5550 firewall cannot reach each other. The configuration is below; any advice is appreciated.
inter5550-1# show ip address
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       inside                 192.168.51.249  255.255.255.0   CONFIG
GigabitEthernet0/2       hlrinside              172.16.10.248   255.255.255.0   CONFIG
GigabitEthernet0/3       hlroutside             10.16.10.1      255.255.255.0   CONFIG
Management0/0            management             192.168.1.1     255.255.255.0   CONFIG
GigabitEthernet1/0       msceinside             172.17.20.248   255.255.255.0   CONFIG
GigabitEthernet1/1       msceoutside            10.17.20.1      255.255.255.0   CONFIG
GigabitEthernet1/2       bossinside             172.30.1.253    255.255.255.0   manual
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       inside                 192.168.51.249  255.255.255.0   CONFIG
GigabitEthernet0/1       outside                210.5.238.130   255.255.255.240 CONFIG
GigabitEthernet0/2       hlrinside              172.16.10.248   255.255.255.0   CONFIG
GigabitEthernet0/3       hlroutside             10.16.10.1      255.255.255.0   CONFIG
Management0/0            management             192.168.1.1     255.255.255.0   CONFIG
GigabitEthernet1/0       msceinside             172.17.20.248   255.255.255.0   CONFIG
GigabitEthernet1/1       msceoutside            10.17.20.1      255.255.255.0   CONFIG
GigabitEthernet1/2       bossinside             172.30.1.253    255.255.255.0   manual
inter5550-1# show run
inter5550-1# show running-config
: Saved
:
ASA Version 7.2(4)
!
hostname inter5550-1
domain-name default.domain.invalid
enable password gsOM4N1QSZhrQN6x encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
speed 100
nameif inside
security-level 100
ip address 192.168.51.249 255.255.255.0
!
interface GigabitEthernet0/1
speed 100
nameif outside
security-level 100
ip address *.*.*.*  255.255.255.240
!
interface GigabitEthernet0/2
speed 100
nameif hlrinside
security-level 100
ip address 172.16.10.248 255.255.255.0
!
interface GigabitEthernet0/3
speed 100
nameif hlroutside
security-level 0
ip address 10.16.10.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
interface GigabitEthernet1/0
speed 100
nameif msceinside
security-level 100
ip address 172.17.20.248 255.255.255.0
!
interface GigabitEthernet1/1
speed 100
nameif msceoutside
security-level 0
ip address 10.17.20.1 255.255.255.0
!
interface GigabitEthernet1/2
nameif bossinside
security-level 100
ip address 172.30.1.253 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_acl extended permit ip any any
access-list inside_acl extended permit tcp any any
access-list inside_acl extended permit udp any any
access-list inside_acl extended permit icmp any any
access-list outside_acl extended permit icmp any any
access-list outside_acl extended permit esp any any
access-list outside_acl extended permit ip any any
access-list outside_acl extended permit tcp any any
access-list outside_acl extended permit udp any any
access-list hlrinside_acl extended permit ip any any
access-list hlrinside_acl extended permit tcp any any
access-list hlrinside_acl extended permit udp any any
access-list hlrinside_acl extended permit icmp any any
access-list hlroutside_acl extended permit icmp any any
access-list hlroutside_acl extended permit esp any any
access-list hlroutside_acl extended permit ip any any
access-list hlroutside_acl extended permit tcp any any
access-list hlroutside_acl extended permit udp any any
access-list msceinside_acl extended permit ip any any
access-list msceinside_acl extended permit tcp any any
access-list msceinside_acl extended permit udp any any
access-list msceinside_acl extended permit icmp any any
access-list msceinside_acl extended permit tcp any any eq ftp
access-list msceoutside_acl extended permit icmp any any
access-list msceoutside_acl extended permit esp any any
access-list msceoutside_acl extended permit ip any any
access-list msceoutside_acl extended permit tcp any any
access-list msceoutside_acl extended permit udp any any
access-list msceoutside_acl extended permit tcp any any eq ftp
access-list boosoutside extended permit ip any any
access-list boosoutside extended permit tcp any any
access-list boosoutside extended permit udp any any
access-list boosoutside extended permit icmp any any
access-list nonat extended permit ip 192.168.51.0 255.255.255.0 172.30.1.0 255.255.255.0
access-list nonat extended permit ip 172.30.1.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list nonat extended permit ip 172.17.20.0 255.255.255.0 172.30.1.0 255.255.255.0
access-list nonat extended permit ip 172.30.1.0 255.255.255.0 172.17.20.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.30.1.0 255.255.255.0
access-list nonat extended permit ip 172.30.1.0 255.255.255.0 172.16.10.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu hlrinside 1500
mtu hlroutside 1500
mtu management 1500
mtu msceinside 1500
mtu msceoutside 1500
mtu bossinside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 210.5.*.*
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.51.224 255.255.255.248
nat (inside) 1 10.1.0.0 255.255.128.0
nat (hlrinside) 0 access-list nonat
nat (msceinside) 0 access-list nonat
static (hlrinside,hlroutside) 10.16.10.129 172.16.10.129 netmask 255.255.255.255
static (hlrinside,hlroutside) 10.16.10.134 172.16.10.134 netmask 255.255.255.255
static (hlrinside,hlroutside) 10.16.10.150 172.16.10.150 netmask 255.255.255.255
static (hlrinside,hlroutside) 10.16.10.215 172.16.10.215 netmask 255.255.255.255
static (hlrinside,hlroutside) 10.16.10.217 172.16.10.217 netmask 255.255.255.255
static (hlrinside,hlroutside) 10.16.10.177 172.16.10.177 netmask 255.255.255.255
static (hlrinside,hlroutside) 10.16.10.171 172.16.10.171 netmask 255.255.255.255
static (hlrinside,hlroutside) 10.16.10.172 172.16.10.172 netmask 255.255.255.255
static (msceinside,msceoutside) 10.17.20.129 172.17.20.129 netmask 255.255.255.255
static (msceinside,msceoutside) 10.17.20.149 172.17.20.249 netmask 255.255.255.255
static (msceinside,msceoutside) 10.17.20.171 172.17.20.171 netmask 255.255.255.255
static (msceinside,msceoutside) 10.17.20.177 172.17.20.177 netmask 255.255.255.255
access-group inside_acl in interface inside
access-group outside_acl in interface outside
access-group hlrinside_acl in interface hlrinside
access-group hlroutside_acl in interface hlroutside
access-group msceinside_acl in interface msceinside
access-group msceoutside_acl in interface msceoutside
route inside 10.1.0.0 255.255.128.0 192.168.51.11 1
route outside 0.0.0.0 0.0.0.0 210.5.238.129 1
route hlrinside 172.29.1.0 255.255.255.0 172.16.31.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!            
username ommserver password 0DhPfWYXWOLCLLew encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:9d5c8a897d2ad588cde2b106928aa4ce
: end

From the firewall itself I can ping any interface, but there is no connectivity between the firewall's interfaces. Why? I have already configured the policy that allows traffic between interfaces with the same security level.
inter5550-1# ping 172.16.10.248
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.248, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
inter5550-1# ping 192.168.51.249
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.51.249, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
inter5550-1# ping in
inter5550-1# ping inside 172.16.10.248
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.248, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
inter5550-1#
inter5550-1#
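Two things are worth checking before changing the configuration above; the commands below are an added example for this thread, not part of the original post, and the two host addresses in the packet-tracer line are assumed for illustration. First, `ping inside 172.16.10.248` is not a valid through-traffic test: the ASA only answers ICMP sent to an interface address when the packet arrives on that same interface, so sourcing a ping from `inside` toward the `hlrinside` address fails on any ASA regardless of policy. Second, the posted config has `nat-control` enabled, which means every flow crossing interfaces must match a `nat`/`global`, `static` or `nat 0` rule; the `nonat` list only exempts traffic to and from 172.30.1.0/24, so inside-to-hlrinside or inside-to-msceinside flows have no matching rule and are dropped at the NAT stage. `packet-tracer` (available since ASA 7.2(1)) shows exactly which stage drops a simulated packet, and syslog 305005 reports the same drop for real traffic.

```cisco
! Added example, not from the original post. Run on the ASA (7.2(4)).
! Simulate an ICMP echo from a host on "inside" to a host on "hlrinside".
! 192.168.51.10 and 172.16.10.129 are assumed host addresses.
packet-tracer input inside icmp 192.168.51.10 8 0 172.16.10.129
! With nat-control on and no nat/static/nat 0 rule matching this pair of
! networks, the trace ends at the NAT phase with "Action: drop".

! Confirm the same thing for live traffic: enable buffered logging, generate
! traffic from a real host on "inside", then look for message 305005
! ("No translation group found for icmp src inside:... dst hlrinside:...").
logging enable
logging buffered informational
show logging | include 305005

! Review which translations actually exist per interface.
show nat
show xlate
```

Test from a host behind `inside` to a host behind `hlrinside`, never from the ASA toward one of its own far-side interface addresses; the packet-tracer output tells you whether the drop happens at the ACL, NAT or routing stage, which the plain ping cannot.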

#2 Posted 2011-08-25 16:51
The goal right now is to use the firewall in place of the router without affecting the existing configuration. Could anyone advise?

#3 Posted 2011-08-27 21:45
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Check whether your ASA has these commands and try configuring them.

#4 Posted 2011-08-29 07:01
Already done.

#5 Posted 2011-09-01 09:17

#6 Posted 2011-09-02 21:27
Heh, HLR... brother, you must be with Z, right?

I haven't touched this in years, there's no topology diagram, and I don't quite understand what you're trying to do, but try:

icmp permit any hlrinside

#7 Posted 2011-09-06 05:27
ICMP is already permitted too.
I tried NAT 0 and it still didn't work; in the end I just used a simple `no nat-control`.

#8 Posted 2011-09-06 05:44
It looks like all the services are working normally.
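`no nat-control` (posts #7 and #8) works because it removes the requirement that every inter-interface flow match a translation rule. The fragment below is an added example for this thread, not configuration from the original poster; it shows the alternative that keeps `nat-control` on by extending the `nonat` exemption list to every internal network pair the posted config left out (the networks are the ones in the posted config; bossinside had no `nat` statement at all). It also addresses two things visible in the posted config that matter more than the ping: the `outside` interface sits at security-level 100 with `permit ip any any` and `same-security-traffic permit inter-interface`, which gives the Internet-facing side the same trust as the internal networks, and `telnet 0.0.0.0 0.0.0.0 outside` exposes cleartext management to the whole Internet. The management subnet used for the SSH line is the one already on Management0/0.

```cisco
! Added example, not from the original post. ASA 7.2(4) syntax.

! --- Option A: keep nat-control and exempt internal-to-internal flows ---
! nat 0 access-list rules are evaluated before static/dynamic NAT, so these
! additions do not disturb the existing hlrinside/msceinside statics.
access-list nonat extended permit ip 192.168.51.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.51.0 255.255.255.0 172.17.20.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list nonat extended permit ip 172.16.10.0 255.255.255.0 172.17.20.0 255.255.255.0
access-list nonat extended permit ip 172.17.20.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list nonat extended permit ip 172.17.20.0 255.255.255.0 172.16.10.0 255.255.255.0
! bossinside never had a nat statement; give it the same exemption.
nat (bossinside) 0 access-list nonat
! Existing connections keep their old (missing) translation until cleared.
clear xlate

! --- Option B: what the thread ended on ---
! no nat-control
! Any flow with no matching nat/global/static simply passes untranslated.
! Simpler, but you lose the "no rule, no forwarding" safety net.

! --- Hardening the posted config ---
! Put the Internet-facing interface at the lowest trust level so that
! same-security-traffic no longer lets outside initiate into inside.
interface GigabitEthernet0/1
 security-level 0
!
! Replace world-reachable cleartext telnet with SSH from the management net.
no telnet 0.0.0.0 0.0.0.0 outside
no telnet 0.0.0.0 0.0.0.0 inside
crypto key generate rsa modulus 2048
ssh 192.168.1.0 255.255.255.0 management
ssh version 2
```

Lowering `outside` to security-level 0 changes behaviour: traffic initiated from outside then needs an explicit `static` plus an ACL entry, which is the intended state for an Internet edge. The `outside_acl` should also be reduced from `permit ip any any` to the services actually published through the static translations; those services are not identifiable from the thread, so no specific entries are suggested here. After any NAT change, rerun `packet-tracer` for a representative inside-to-hlrinside flow to confirm the NAT stage now reports an allow.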