기본 라이센스로 Cisco ASA 5505를 설정하고 있습니다.
TCP/UDP 통신은 내부->외부, 외부->내부, 내부->보안 순으로 작동하는데, 이것이 제가 원하는 트래픽 보안입니다.
HTTP, SSH 및 내부->보안에서의 기타 액세스는 작동하지만 내부->보안(192.168.110.0 호스트에서 192.168.7.1 또는 192.168.7.0 호스트로)에서 ping을 수행할 수 없습니다.
ICMP를 활성화하려면 어떻게 해야 합니까?
구성:
interface Vlan1
nameif inside
security-level 100
ip address 192.168.110.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group birdie
ip address removedIP 255.255.255.255 pppoe
!
interface Vlan3
no forward interface Vlan1
nameif secure
security-level 50
ip address 192.168.7.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport access vlan 3
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list Outside-In extended permit icmp any any
access-list Outside-In extended permit tcp any any eq www
access-list Outside-In extended permit tcp any any eq https
access-list Outside-In extended permit tcp any any eq 5969
access-list inside_nat0_outbound extended permit ip any 192.168.111.0 255.255.255.224
access-list standardUser_splitTunnelAcl1 extended permit ip 192.168.111.0 255.255.255.0 any
access-list standardUser_splitTunnelAcl1 extended permit ip 192.168.110.0 255.255.255.0 any
access-list inside_in extended permit icmp any any
access-list inside_in extended permit ip any any
access-list secure_in extended permit icmp any any
access-list secure_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1492
mtu outside 1492
mtu secure 1500
ip local pool vpnuser 192.168.111.5-192.168.111.20
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (secure) 1 192.168.7.0 255.255.255.0
static (inside,outside) tcp interface https 192.168.110.6 https netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.110.6 www netmask 255.255.255.255
static (inside,outside) tcp interface 5969 192.168.110.12 5969 netmask 255.255.255.255
static (inside,secure) 192.168.110.0 192.168.110.0 netmask 255.255.255.0
access-group inside_in in interface inside
access-group Outside-In in interface outside
access-group secure_in in interface secure
route outside 0.0.0.0 0.0.0.0 RemovedIP 1
답변1
귀하의 구성에서 나에게 이상하게 보이는 유일한 것은 진술입니다 static(inside,secure). 매핑된 주소와 실제 주소가 동일하기 때문에 아무 작업도 하지 않는 것 같습니다. 내 구성에는 dmz 유형 네트워크도 있지만 static(inside,dmz)설명은 없습니다. ( static(dmz,outside) ...외부 노출 서비스에 대한 정보가 있습니다 .)
어쨌든, 해당 정적을 제거하고 어떤 효과가 있는지 확인해보세요.