ASA inside-to-inside traffic is dropped

An ASA 5505 is used to route between two networks, because it holds the routes to everything. The network topology is described below.


I have tried various combinations of access lists, for example:

access-list INSIDE_TO_INSIDE extended permit ip any any 

or

 access-list INSIDE_TO_INSIDE extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0 

and:

  access-group INSIDE_TO_INSIDE in interface inside 

I cannot ping or connect from a PC on the .30 network to a PC on the .10 network.

My log has entries like this:

  iscoasa#
  %ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/22 to 192.168.30.11/64337 flags SYN ACK on interface inside
  %ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/22 to 192.168.30.11/64337 flags SYN ACK on interface inside
  %ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/22 to 192.168.30.11/64337 flags SYN ACK on interface inside
  %ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/22 to 192.168.30.11/64337 flags SYN ACK on interface inside
  %ASA-3-106014: Deny inbound icmp src inside:192.168.10.117 dst inside:192.168.30.11 (type 0, code 0)
  %ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/22 to 192.168.30.11/64337 flags SYN ACK on interface inside
  %ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/22 to 192.168.30.11/64337 flags SYN ACK on interface inside
  %ASA-3-106014: Deny inbound icmp src inside:192.168.10.117 dst inside:192.168.30.11 (type 0, code 0)
  %ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/80 to 192.168.30.11/64338 flags RST ACK on interface inside
  %ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/80 to 192.168.30.11/64339 flags RST ACK on interface inside
  %ASA-3-106014: Deny inbound icmp src inside:192.168.10.117 dst inside:192.168.30.11 (type 0, code 0)
  %ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/22 to 192.168.30.11/64337 flags SYN ACK on interface inside
  %ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/80 to 192.168.30.11/64338 flags RST ACK on interface inside
  %ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/80 to 192.168.30.11/64339 flags RST ACK on interface inside
  %ASA-3-106014: Deny inbound icmp src inside:192.168.10.117 dst inside:192.168.30.11 (type 0, code 0)
  %ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/21 to 192.168.30.11/64340 flags RST ACK on interface inside
  %ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/80 to 192.168.30.11/64338 flags RST ACK on interface inside
  %ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/80 to 192.168.30.11/64339 flags RST ACK on interface inside

This is a fairly stock ASA configuration. Also, packet tracer shows icmp or tcp 22 traffic from 192.168.30.11 to 192.168.10.117 as DROPPED by the implicit rule. What is going on?

The command you are looking for is same-security-traffic permit {inter-interface | intra-interface}

By default, traffic that enters an interface cannot exit the same interface. The following command allows this traffic.
same-security-traffic permit intra-interface

Usually paired with this command is the same-security-traffic permit inter-interface command. By default, the ASA does not allow traffic from one security level to exit an interface with the same security level. The same-security-traffic permit inter-interface command allows this traffic.

See this Cisco document for more details.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa81/command/ref/refgd/s1.html
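As an added example (not part of the question or of the answer above), here is a small Python script that parses the two ASA message types shown in the question's log, %ASA-2-106001 and %ASA-3-106014, and flags denials where the packet enters and would leave the same nameif, which is exactly the symptom that same-security-traffic permit intra-interface addresses. The interface-to-prefix map is an assumption modelled on the asker's ACL (192.168.0.0/16 behind inside); on a real firewall it would come from show route. The log lines are taken from the question, except for one constructed deny on the outside interface added for contrast.

```python
"""Spot ASA denials that are really hairpin (intra-interface) traffic.

Added example, not from the original post. The routing view in
INTERFACE_ROUTES is an assumption; the 106014 message carries both
interfaces itself, while for 106001 only the ingress interface is logged,
so the egress side is looked up in that assumed routing table.
"""
import ipaddress
import re
from collections import Counter

# Assumed routing view of the ASA (constructed): which nameif reaches which prefix.
INTERFACE_ROUTES = {
    "inside": [ipaddress.ip_network("192.168.0.0/16")],
    "outside": [ipaddress.ip_network("0.0.0.0/0")],
}

# %ASA-2-106001: TCP denied, logs the ingress interface only.
RE_106001 = re.compile(
    r"%ASA-\d-106001: Inbound TCP connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<ingress>\S+)"
)
# %ASA-3-106014: ICMP denied, logs both source and destination interfaces.
RE_106014 = re.compile(
    r"%ASA-\d-106014: Deny inbound icmp src (?P<sif>\w+):(?P<src>[\d.]+) "
    r"dst (?P<dif>\w+):(?P<dst>[\d.]+) \(type (?P<type>\d+), code (?P<code>\d+)\)"
)


def split_syslog(text):
    """Split a buffer in which several %ASA messages run together on one line."""
    return [m.strip() for m in re.findall(r"%ASA-\d-\d+:.*?(?=%ASA-\d-\d+:|$)", text, re.S)]


def egress_interface(ip):
    """Longest-prefix match of ip against the assumed routing table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for nameif, nets in INTERFACE_ROUTES.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (nameif, net.prefixlen)
    return best[0] if best else None


def parse_line(line):
    """Return a dict describing one deny message, or None if it is another message type."""
    m = RE_106001.search(line)
    if m:
        rec = {"msg_id": "106001", "proto": "tcp", "src": m["src"], "dst": m["dst"],
               "flags": m["flags"], "ingress": m["ingress"],
               "egress": egress_interface(m["dst"])}
    else:
        m = RE_106014.search(line)
        if not m:
            return None
        rec = {"msg_id": "106014", "proto": "icmp", "src": m["src"], "dst": m["dst"],
               "flags": f"type {m['type']} code {m['code']}",
               "ingress": m["sif"], "egress": m["dif"]}
    # Same ingress and egress nameif means the ASA would have to hairpin the packet.
    rec["hairpin"] = rec["ingress"] == rec["egress"]
    return rec


def analyze(text):
    """Parse a log buffer; return all records and a count of hairpin flows."""
    records = [r for r in (parse_line(l) for l in split_syslog(text)) if r]
    hairpins = Counter((r["ingress"], r["proto"], r["src"], r["dst"])
                       for r in records if r["hairpin"])
    return records, hairpins


def needs_intra_interface_permit(text):
    """True when at least one denied flow would enter and leave the same interface."""
    _, hairpins = analyze(text)
    return bool(hairpins)


# Three messages copied from the question, plus one constructed outside-facing deny
# (203.0.113.5 is a documentation address) to show a non-hairpin case.
SAMPLE_LOG = (
    "%ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/22 to 192.168.30.11/64337 flags SYN ACK on interface inside "
    "%ASA-3-106014: Deny inbound icmp src inside:192.168.10.117 dst inside:192.168.30.11 (type 0, code 0) "
    "%ASA-2-106001: Inbound TCP connection denied from 192.168.10.117/80 to 192.168.30.11/64338 flags RST ACK on interface inside "
    "%ASA-2-106001: Inbound TCP connection denied from 203.0.113.5/443 to 192.168.30.11/50000 flags SYN ACK on interface outside"
)

if __name__ == "__main__":
    recs, hp = analyze(SAMPLE_LOG)
    for r in recs:
        print(f"{r['msg_id']} {r['proto']:4} {r['src']} -> {r['dst']} "
              f"in={r['ingress']} out={r['egress']} hairpin={r['hairpin']}")
    if needs_intra_interface_permit(SAMPLE_LOG):
        print("hairpin denies seen: check 'same-security-traffic permit intra-interface'")
```

The split function exists because ASA consoles and some collectors emit the messages without line breaks, as in the question. The hairpin check is only as good as the assumed routing table, so verify the egress interface with packet-tracer on the real device before changing the configuration.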