From one SRC to several DSTs, I can see some drops occurring in my captures for some attempts but not for others. I would like to know how I can see exactly what happens to all of the arriving ICMP packets in the tests outlined below. Thanks!
Topology: (diagram not reproduced on this page)
ASA configuration (can be pasted into GNS3):
! Test lab script
enable
configure terminal
hostname US
!
interface gi0
 ip address 172.30.1.1 255.255.255.0
 nameif backend
 security-level 50
 no shutdown
!
interface gi1
 ip address 10.15.99.129 255.255.255.0
 nameif data_admin
 security-level 50
 no shutdown
!
! Both interfaces sit at security level 50, so traffic between them must be allowed explicitly
same-security-traffic permit inter-interface
!
object network host_10.15.99.129
 host 10.15.99.129
object network host_10.59.2.137
 host 10.59.2.137
!
access-list backend line 1 extended permit ip any any
access-list backend line 1 extended permit icmp any any echo
access-list data_admin line 1 extended permit ip any any
access-list data_admin line 1 extended permit icmp any any echo
access-group backend in interface backend
access-group data_admin in interface data_admin
!
route backend 10.80.55.0 255.255.255.0 172.30.1.2
!
! Static NAT: the data_admin interface address appears as 10.59.2.137 on the backend side
nat (data_admin,backend) source static host_10.15.99.129 host_10.59.2.137
!
class-map icmp-class
 match any
exit
policy-map icmp_policy
 class icmp-class
  inspect icmp
exit
service-policy icmp_policy interface backend
service-policy icmp_policy interface data_admin
!
! Captures: ICMP on each interface, plus every packet the accelerated security path drops
capture capin interface backend match icmp any any
capture capout interface data_admin match icmp any any
capture aspdrop type asp-drop all match ip any any

Packet captures:
!-- From PC to NAT IP of data_admin interface (FW)
9 packets captured
2: 04:27:33.064129 10.80.55.50 > 10.59.2.137: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
5: 04:27:35.046445 10.80.55.50 > 10.59.2.137: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
7: 04:27:37.105936 10.80.55.50 > 10.59.2.137: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
8: 04:27:39.090586 10.80.55.50 > 10.59.2.137: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
9: 04:27:41.117944 10.80.55.50 > 10.59.2.137: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
!-- From PC to interface IP of data_admin interface (FW)
Nothing
!-- From PC to data_admin router interface
12 packets captured
5: 19:24:07.343045 10.80.55.50 > 10.15.99.130: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
6: 19:24:09.287643 10.80.55.50 > 10.15.99.130: icmp: echo request
7: 19:24:11.370510 10.80.55.50 > 10.15.99.130: icmp: echo request
10: 19:24:13.166022 10.80.55.50 > 10.15.99.130: icmp: echo request
11: 19:24:15.201863 10.80.55.50 > 10.15.99.130: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
12: 19:24:17.262223 10.80.55.50 > 10.15.99.130: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule

Once we have answered why I cannot see these drops, I would like to know why the packets are being dropped in the first place. I have already tried setting the service policy as a global policy, putting the inspection in the default class, and enabling the inspection globally, all with the same result. In the end, though, shouldn't ICMP inspection together with the ACL permits account for everything?
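The following is an added example and is not part of the question or of any answer on this page: a small Python script that parses ASA capture listings in the format pasted above and reports, per source/destination pair, how many packets passed and how many were dropped with which ASP drop code, plus which sequence numbers announced by the "N packets captured" header are absent from the pasted listing. The two sample listings are the ones from the question; the line-format regex and the treatment of any line without a Drop-reason suffix as a passed packet are assumptions based on that format.

```python
"""Summarise Cisco ASA 'show capture' listings: which packets were dropped,
with which ASP drop code, and which captured packets are missing from the paste."""
import re
from collections import Counter

# One listing line as the ASA prints it, with an optional Drop-reason suffix, e.g.
#   2: 04:27:33.064129 10.80.55.50 > 10.59.2.137: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
# (format assumed from the listings in the question)
LINE_RE = re.compile(
    r"^\s*(?P<seq>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<desc>.*?)"
    r"(?:\s+Drop-reason:\s+\((?P<code>[^)]+)\)\s*(?P<reason>.*?))?\s*$"
)
# The header printed before the listing.
HEADER_RE = re.compile(r"^\s*(?P<total>\d+) packets? captured")

# Sample input copied from the question (constructed test data for this example).
CAPTURE_NAT_IP = """\
9 packets captured
2: 04:27:33.064129 10.80.55.50 > 10.59.2.137: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
5: 04:27:35.046445 10.80.55.50 > 10.59.2.137: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
7: 04:27:37.105936 10.80.55.50 > 10.59.2.137: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
8: 04:27:39.090586 10.80.55.50 > 10.59.2.137: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
9: 04:27:41.117944 10.80.55.50 > 10.59.2.137: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
"""

CAPTURE_ROUTER = """\
12 packets captured
5: 19:24:07.343045 10.80.55.50 > 10.15.99.130: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
6: 19:24:09.287643 10.80.55.50 > 10.15.99.130: icmp: echo request
7: 19:24:11.370510 10.80.55.50 > 10.15.99.130: icmp: echo request
10: 19:24:13.166022 10.80.55.50 > 10.15.99.130: icmp: echo request
11: 19:24:15.201863 10.80.55.50 > 10.15.99.130: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
12: 19:24:17.262223 10.80.55.50 > 10.15.99.130: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def captured_total(listing):
    """Packet count from the 'N packets captured' header, or None if there is none."""
    for line in listing.splitlines():
        m = HEADER_RE.match(line)
        if m:
            return int(m.group("total"))
    return None


def parse_capture(listing):
    """Return one dict per packet line; header, comment and blank lines are skipped."""
    records = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["seq"] = int(rec["seq"])
        rec["dropped"] = rec["code"] is not None
        records.append(rec)
    return records


def summarize(records):
    """Map (src, dst) -> Counter of outcomes: 'passed' or the ASP drop code."""
    table = {}
    for r in records:
        outcome = r["code"] if r["dropped"] else "passed"
        table.setdefault((r["src"], r["dst"]), Counter())[outcome] += 1
    return table


def missing_sequences(records, total=None):
    """Sequence numbers absent from the listing, up to the header count
    (or up to the highest number seen when no header is available)."""
    seen = {r["seq"] for r in records}
    if not seen:
        return []
    last = total if total is not None else max(seen)
    return [n for n in range(1, last + 1) if n not in seen]


def report(listing):
    """Human-readable summary of one listing."""
    records = parse_capture(listing)
    lines = []
    for (src, dst), outcomes in sorted(summarize(records).items()):
        detail = ", ".join(f"{v} {k}" for k, v in sorted(outcomes.items()))
        lines.append(f"{src} -> {dst}: {detail}")
    gaps = missing_sequences(records, captured_total(listing))
    if gaps:
        lines.append(f"sequence numbers not in listing: {gaps}")
    return "\n".join(lines)


if __name__ == "__main__":
    for name, listing in (("NAT IP", CAPTURE_NAT_IP), ("router", CAPTURE_ROUTER)):
        print(f"== to {name} ==")
        print(report(listing))
```

Run against the second listing it reports three acl-drops and three passed packets for 10.80.55.50 -> 10.15.99.130 and lists sequence numbers 1-4, 8 and 9 as absent, which is the first thing to check when a listing appears not to account for every packet: those numbers were captured but are not in the paste, so the capture itself is not what is incomplete.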
Posted on 2015-10-09 22:05:05
I just tested your setup with the ASA image asa842 in GNS3 (v1.3.8).
To answer your questions...
The reason your ICMP packets are dropped is RPF (anti-spoofing). The ASA checks the ingress DST (= host_10.59.2.137) against your routing table and cannot find it, because there is no entry for it in the routing table.
To verify the reason, enable logging again and ping the NAT IP address.
US(config)# logging enable
US(config)# logging console 7
Cisco documentation - RPF
You cannot ping a far interface on an ASA. For example, you cannot ping the outside interface from the inside network.
How many times did you ping? Populating the mapping table takes more time in GNS3 than on a real device. I have no problem with that.
https://networkengineering.stackexchange.com/questions/23127