Question: All hosts on the LAN currently use an ASA 5520 as their default gateway. We now need to reach a branch office on another subnet through a second router that sits on the same segment as the ASA. A static route to the branch subnet was added on the ASA, but the LAN hosts still cannot reach the branch subnet. On investigation, the packets do reach the ASA, but the ASA never sends an ICMP redirect back to the LAN hosts. How should this be solved?

Answer: For security reasons the ASA disables IP redirects, so it will never send a redirect. By default the ASA also does not allow traffic that entered through one interface to leave through that same interface, so the ASA drops your packets. Configure the following command:

same-security-traffic permit intra-interface

This allows the ASA to pass traffic in and out of the same interface, which solves your problem.
In the ASA configuration, host 172.22.1.6 attempts to ping host 172.16.10.1. Host 172.22.1.6 sends an ICMP echo request packet to the default gateway (ASA). Intra-interface communications have not been enabled on the ASA. The ASA drops the echo request packet. The test ping fails. The ASA is used to troubleshoot the problem.

Note: without same-security-traffic permit intra-interface configured, 172.22.1.6 is not allowed to ping 172.16.10.X.

Intra-interface communications are now enabled. The same-security-traffic permit intra-interface command is added to the previous configuration. Host 172.22.1.6 attempts to ping host 172.16.10.1. Host 172.22.1.6 sends an ICMP echo request packet to the default gateway (ASA). Host 172.22.1.6 records successful replies from 172.16.10.1. The ASA passes the ICMP traffic successfully.

Note: after adding this one line it works: same-security-traffic permit intra-interface

On top of what was said above, two more commands are also needed:
1. Permit the traffic in an ACL: access-list neiwang extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
2. NAT exemption: nat (inside) 0 access-list neiwang
Done.
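The commands from the answer and the notes above, collected into one complete configuration as an added worked example; this is not from the original post, from the expert's reply, or from Cisco's documentation. The addressing is assumed: the LAN is 192.168.1.0/24 with the ASA inside interface at 192.168.1.1, the second router at 192.168.1.2, and the branch subnet at 192.168.20.0/24. The NAT line uses the pre-8.3 nat (inside) 0 access-list form that the post itself uses.

```cisco
! Added example, not the original post's configuration.
! Assumed addressing: LAN 192.168.1.0/24, ASA inside 192.168.1.1,
! branch router 192.168.1.2 (same segment), branch subnet 192.168.20.0/24.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Static route to the branch subnet via the router on the same segment
! (the step the question had already done)
route inside 192.168.20.0 255.255.255.0 192.168.1.2 1
!
! Let traffic that arrived on "inside" leave through "inside" again.
! Without this the ASA drops the hairpinned LAN -> branch packets,
! and it never sends an ICMP redirect in their place.
same-security-traffic permit intra-interface
!
! NAT exemption: LAN <-> branch traffic must not be translated
access-list neiwang extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list neiwang
!
! Verification: trace an echo request from a LAN host (assumed 192.168.1.10)
! to a branch host and confirm the intra-interface setting is present
packet-tracer input inside icmp 192.168.1.10 8 0 192.168.20.1
show running-config same-security-traffic
```

The packet-tracer line reports whether the echo request is allowed or the phase in which it is dropped, so it reproduces the before/after test described above without needing a host on the LAN. Two caveats a practitioner should keep in mind: the branch router replies straight to the LAN host on the shared segment, so the ASA only ever sees the outbound half of each flow; ping works as shown, but TCP connections through this hairpin can be dropped by the ASA's TCP state tracking unless TCP state bypass is configured, or unless the hosts (or the LAN's layer-3 switch) are given a route to the branch subnet that does not pass through the ASA at all. Second, nat (inside) 0 access-list is pre-8.3 syntax; on ASA 8.3 and later the same exemption is written as an identity (twice) NAT rule instead.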