NAT问题探讨
针对ASA5505 做以下配置,用PING工具,测试结果单方向(深圳---》香港)ping正常,却(香港--》深圳) 无法ping,配置如下, 还烦请高手指点!
香港IP: 192.168.130.0/24
192.168.131.0/24
192.168.127.0/24
深圳:192.168.132.0/24
深圳ADSL 外网IP:10.10.0.0
User Access Verification
Password:
Type help or '?' for a list of available commands.
ciscoasa> enable
Password:
Invalid password
Password:
Invalid password
Password:
Invalid password
Access denied.
ciscoasa> enable
Password: *********
ciscoasa# sh run
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name cisco.com
enable password r0ejP/h/1olf5rAO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
description Backup Interface in case of emergency
nameif Backup
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
description ChinaTelecom ISP
nameif outside
security-level 0
ip address 10.10.0.2 255.255.255.0
!
interface Vlan12
no forward interface Vlan1
nameif SZside
security-level 100
ip address 192.168.132.3 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 12
!
interface Ethernet0/2
switchport access vlan 12
!
interface Ethernet0/3
switchport access vlan 12
!
interface Ethernet0/4
switchport access vlan 12
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup SZside
dns server-group DefaultDNS
domain-name cisco.com
dns server-group defaultDns
name-server 192.168.132.250
domain-name cisco.com
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
access-list PNat extended permit ip 192.168.132.0 255.255.255.0 192.168.131.0 255.255.255.0
access-list PNat extended permit ip 192.168.132.0 255.255.255.0 192.168.127.0 255.255.255.0
access-list PNat extended permit ip 192.168.132.0 255.255.255.0 192.168.130.0 255.255.255.0
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
pager lines 24
logging enable
logging asdm informational
mtu Backup 1500
mtu outside 1500
mtu SZside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm p_w_picpath disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 2 10.10.0.4
global (SZside) 5 interface
nat (SZside) 5 access-list PNat
nat (SZside) 2 192.168.132.0 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.0.1 2
route SZside 192.168.127.0 255.255.255.0 192.168.132.88 1
route SZside 192.168.130.0 255.255.255.0 192.168.132.88 1
route SZside 192.168.131.0 255.255.255.0 192.168.132.88 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http PatrickAu 255.255.255.255 SZside
http 192.168.132.0 255.255.255.0 Backup
http 192.168.131.0 255.255.255.0 Backup
http 192.168.130.0 255.255.255.0 Backup
http 218.213.12.130 255.255.255.255 outside
http 192.168.132.0 255.255.255.0 SZside
http 192.168.3.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.132.0 255.255.255.0 SZside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.132.250 interface SZside
!
username jakksadmin password qW2ZzDxwL/dmdfak encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ce682cbd916c3319bb54ad48dff96bd5
: end
ciscoasa#
转载于:https://blog.51cto.com/hedon/398062