Cisco
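ASA can ping, but the computers cannot
I just set up a new ASA 5506-X. From the ASA I can ping both outside and inside. But the internal computers cannot ping external IPs, such as 8.8.8.8. Tracert 8.8.8.8 times out on every hop. Here is the configuration: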
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2)
!
hostname ciscoasa
enable password $sha512$5000$CQmyTVA8Hnz5EPKvxkmsTQ==$olS735SaLOSZR/N052FWAQ== pbkdf2
names
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any
 nat (any,outside) static interface
!
nat (inside,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 192.168.11.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.99 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:9c2cff01a07174783f08cca102d29eab
: end
[OK]
Add the following to your configuration:
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit any unreachable outside
icmp deny any echo outside
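An added example, not part of the original question or answer: on an ASA, `icmp permit|deny` rules govern ICMP addressed to the firewall's own interfaces, while ICMP passing through it is tracked only when `inspect icmp` appears in the service policy (or an access list permits the replies). The Python sketch below reports both control points for a running-config; the function names are hypothetical and the sample text is a constructed, abridged excerpt of the posted configuration.

```python
import re

# Constructed excerpt of the running-config posted in the question (abridged).
SAMPLE_CONFIG = """\
icmp unreachable rate-limit 1 burst-size 1
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect ip-options
!
service-policy global_policy global
"""

# The four lines proposed in the answer, for comparison.
ANSWER_LINES = """\
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit any unreachable outside
icmp deny any echo outside
"""

def policy_inspections(config, policy="global_policy"):
    """Protocols listed as 'inspect <proto>' under the named policy-map."""
    inspected, in_policy = set(), False
    for line in config.splitlines():
        if not line.startswith(" "):   # top-level command opens or closes a block
            in_policy = line.strip() == f"policy-map {policy}"
        elif in_policy:
            m = re.match(r"\s+inspect\s+(\S+)", line)
            if m:
                inspected.add(m.group(1))
    return inspected

def interface_icmp_rules(config):
    """Top-level 'icmp permit|deny ...' rules as (action, remainder) tuples."""
    return [(a, r.strip()) for a, r in
            re.findall(r"^icmp (permit|deny) (.+)$", config, re.M)]

def icmp_report(config):
    """Summarise both ICMP control points found in a running-config."""
    return {"inspect_icmp": "icmp" in policy_inspections(config),
            "interface_rules": interface_icmp_rules(config)}

if __name__ == "__main__":
    for name, cfg in [("posted", SAMPLE_CONFIG),
                      ("posted + answer", SAMPLE_CONFIG + ANSWER_LINES)]:
        print(name, icmp_report(cfg))
```

Feeding it the full output of `show running-config` works the same way, since only top-level commands and the indented `inspect` lines are examined.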