2025-04-05 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
The company wants to partner with the local radio and television company, so we pulled a 100 Mb fiber dedicated line. On our end of that line the design calls for a Cisco ASA 5520 firewall. The device is common and I have used it a lot; I simply had not done hands-on configuration on one for some time. The network layout is roughly as follows (the original diagram is not reproduced here; the addresses appear in the configuration below):
Requirement: adjust the network so that our company's internal servers can reach the broadcaster's network.
This should have been simple. Perhaps because I had done too little configuration lately, configuring the Cisco ASA 5520 from memory simply did not work. Where is the justice in that!
Cisco ASA 5520 configuration (only my own lines are listed; the default configuration is omitted):
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.31.87.130 255.255.255.192
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.18.20.1 255.255.255.0
!
global (outside) 1 interface
nat (inside) 1 172.18.0.0 255.255.0.0
route outside 0.0.0.0 0.0.0.0 172.31.87.129 1
route inside 172.16.18.0 255.255.255.0 172.18.20.254 1
Testing, first on the ASA 5520 itself:
GX-FW-5520-02(config)# ping 172.31.87.129
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.87.129, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
GX-FW-5520-02(config)# ping 172.18.10.62
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.10.62, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
So the ASA 5520 can reach both the inside and the outside next hops.
Then test from one of our company's servers:
[root@test-lvs02 ~]# ping 172.31.87.129
PING 172.31.87.129 (172.31.87.129) 56(84) bytes of data.
(no echo replies are ever printed)
Damn, it doesn't work! What is going on?
As I remember it, this configuration is enough to let inside hosts reach the outside. Is there something else that has to be configured? Alas, an old hand has run into a new problem. Let me think.
Enable debug icmp trace on the ASA 5520 and look:
GX-FW-5520-02(config)# debug icmp trace
ICMP echo request from inside:172.18.20.252 to outside:172.31.87.131 ID=25 seq=0 len=72
ICMP echo request translating inside:172.18.20.252/25 to outside:172.31.87.130/7795
ICMP echo reply from outside:172.31.87.129 to inside:172.31.87.130 ID=7795 seq=0 len=72
ICMP echo reply untranslating outside:172.31.87.129/7795 to inside:172.18.20.252/25
ICMP echo request from inside:172.18.20.252 to outside:172.31.87.130 ID=25 seq=1 len=72
ICMP echo request translating inside:172.18.20.252/25 to outside:172.31.87.130/7795
ICMP echo reply from outside:172.31.87.129 to inside:172.31.87.130 ID=7795 seq=1 len=72
ICMP echo reply untranslating outside:172.31.87.130/7795 to inside:172.18.20.252/25
ICMP echo request from inside:172.18.20.252 to outside:172.31.87.129 ID=25 seq=2 len=72
Isn't this the classic trap? The returned ICMP packets are being blocked. Since when does Cisco apply ACLs to return traffic? Nothing for it; add one.
access-list from_outside_in extended permit icmp any any
access-group from_outside_in in interface outside
Then test again from the internal server: it goes through. Helpless!
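The ACL above makes the ping work, but it treats the symptom. The ASA tracks TCP and UDP statefully by default, yet ICMP is only tracked when ICMP inspection is enabled in the service policy, and the default global policy does not include it. Without it, the echo reply arriving on the outside interface is evaluated as a new inbound connection from security level 0 toward level 100 and is dropped by the implicit deny; this is consistent with the trace, where the reply reaches the ASA and is untranslated but never arrives at the server. `permit icmp any any` on the outside interface admits every ICMP type from any outside source toward any inside address that currently has a translation, which is broader than needed. The fragment below is an added example, not the author's configuration, showing the usual fix on an ASA: enable `inspect icmp` in the default global policy and withdraw the blanket ACL. The policy-map and class names (`global_policy`, `inspection_default`) are the ASA factory defaults and are assumed to be unchanged on this unit; the ACL name comes from the post. The `nat`/`global` lines in the post are pre-8.3 syntax, but the inspection commands are the same across ASA versions.

```cisco
! Added example, not the author's configuration: enable stateful ICMP
! inspection instead of opening inbound ICMP on the outside interface.
! global_policy / inspection_default are the ASA default names (assumed
! unchanged here); check with "show running-config policy-map" if unsure.
policy-map global_policy
 class inspection_default
  ! Track echo request/reply pairs by ID and sequence number, so only the
  ! reply to an outbound request is let back in.
  inspect icmp
  ! Also NAT the embedded header in ICMP error messages (unreachable,
  ! time exceeded), so traceroute and PMTUD from inside hosts work.
  inspect icmp error
!
! The default configuration already contains
!   service-policy global_policy global
! Confirm with "show running-config service-policy" rather than re-adding it.
!
! Remove the blanket ACL added in the post so the outside interface falls
! back to its implicit deny for unsolicited inbound traffic.
no access-group from_outside_in in interface outside
clear configure access-list from_outside_in
!
! Verification (exec mode): "inspect icmp" should be listed under the
! global policy, and while an inside host pings an outside address,
! "show conn" should list an ICMP entry for that echo.
!   show service-policy global
!   show conn
```

With inspection enabled, a reply is admitted only if it matches an outstanding request (same translated ID and sequence number, addresses swapped), and only one reply per request is accepted. Inbound ICMP that an outside party sends on its own is still dropped, which is the behaviour the outside interface should have.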