Urgent help needed: ASA will not let devices on the outside ping the inside interface address

#1  Posted 2009-11-13 17:28
Why can the devices connected to the outside interface never ping the firewall's inside interface address? I have configured both permit icmp and inspect icmp, and I simply cannot figure it out; it's driving me crazy. Could the experts please give me some pointers?
Many thanks in advance!
The configurations of both devices are attached.
Ping results:
Source 172.18.1.253, destination 172.18.1.254: pings succeed
Source 172.18.1.253, destination 172.18.1.129: never gets through

Firewall configuration:
!
hostname zjjASA
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 100
ip address 172.18.1.254 255.255.255.252
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 172.18.1.129 255.255.255.252
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
access-list ping extended permit icmp any any
access-list ping extended permit ip any any
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
access-group ping in interface outside
access-group ping out interface outside
access-group ping in interface inside
access-group ping out interface inside
route outside 0.0.0.0 0.0.0.0 172.18.1.253 1
route inside 10.137.200.0 255.255.255.0 172.18.1.130 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
Cryptochecksum:22fd244da78f51cfba1235a8b7476180
: end
zjjASA# exit

Logoff

4503 configuration:

HN_zhangjiajie_4503#show running-config
Building configuration...

Current configuration : 3063 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service compress-config
!
hostname HN_zhangjiajie_4503
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
ip subnet-zero
!
vtp mode transparent
!
!
!
power redundancy-mode redundant
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 106
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface FastEthernet2/1
description connect to shengting_7609
switchport trunk encapsulation dot1q
switchport mode trunk
speed 100
duplex full
!
interface FastEthernet2/2
description connect to wulinyuan_1841
no switchport
ip address 172.18.1.1 255.255.255.252
speed 100
duplex full
!
interface FastEthernet2/3
description connect to cili_1841
no switchport
ip address 172.18.1.5 255.255.255.252
speed 100
duplex full
!
interface FastEthernet2/4
description connect to sangzhi_1841
no switchport
ip address 172.18.1.9 255.255.255.252
speed 100
duplex full
!
interface FastEthernet2/5
description connect to yongdingqu_1841
no switchport
ip address 172.18.1.13 255.255.255.252
speed 100
duplex full
!
interface FastEthernet2/6
!
interface FastEthernet2/7
!
interface FastEthernet2/8
!
interface FastEthernet2/9
!
interface FastEthernet2/10
!
interface FastEthernet2/11
!
interface FastEthernet2/12
!
interface FastEthernet2/13
description connect to server
!
interface FastEthernet2/14
!
interface FastEthernet2/15
!
interface FastEthernet2/16
!
interface FastEthernet2/17
!
interface FastEthernet2/18
!
interface FastEthernet2/19
!
interface FastEthernet2/20
!
interface FastEthernet2/21
!
interface FastEthernet2/22
!
interface FastEthernet2/23
!
interface FastEthernet2/24
!
interface FastEthernet2/25
!
interface FastEthernet2/26
!
interface FastEthernet2/27
!
interface FastEthernet2/28
!
interface FastEthernet2/29
!
interface FastEthernet2/30
!
interface FastEthernet2/31
!
interface FastEthernet2/32
!
interface FastEthernet2/33
!
interface FastEthernet2/34
!
interface FastEthernet2/35
!
interface FastEthernet2/36
!
interface FastEthernet2/37
!
interface FastEthernet2/38
!
interface FastEthernet2/39
!
interface FastEthernet2/40
!
interface FastEthernet2/41
!
interface FastEthernet2/42
!
interface FastEthernet2/43
!
interface FastEthernet2/44
!
interface FastEthernet2/45
!
interface FastEthernet2/46
!
interface FastEthernet2/47
no switchport
ip address 172.18.1.253 255.255.255.252
!
interface FastEthernet2/48
!
interface Vlan1
no ip address
!
interface Vlan106
ip address 10.136.65.150 255.255.255.252
!
ip route 10.137.200.0 255.255.255.0 172.18.1.254
ip route 10.137.239.0 255.255.255.0 172.18.1.14
ip route 10.137.240.0 255.255.255.0 172.18.1.6
ip route 10.137.241.0 255.255.255.0 172.18.1.10
ip route 10.137.242.0 255.255.255.0 172.18.1.2
ip http server
!
!
!
!
control-plane
!
!
line con 0
stopbits 1
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
end


#2  Posted 2009-11-13 17:33
CU experts, please step forward!

#3  Posted 2009-11-13 17:37
To add: the route for 172.18.1.128/30 has already been configured on the 4503, it just isn't reflected in the configuration above. The problem must be on the ASA.

#4  Posted 2009-11-14 17:02
PIX/ASA does not support this kind of hairpin communication.

#5  Posted 2009-11-14 17:25
This is mission impossible on an ASA.

#6  Posted 2009-11-17 22:53
"For security purposes the security appliance does not support far-end interface ping, that is pinging the IP address of the outside interface from the inside network. "

--Pinging Security Appliance Interfaces, Monitoring and Troubleshooting, Cisco Security Appliance Command Line Configuration Guide

here's a url for v7.1's

http://www.cisco.com/en/US/docs/ ... uble.html#wp1059645
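An added example (not from the thread or from Cisco) that turns the rule quoted in reply #6 into a check: it parses the interface blocks from the ASA configuration the original poster pasted, finds which interface a given source address arrives on, and reports whether a ping to an ASA interface address is a near-end ping (the interface the packet arrives on, answered subject to the icmp rules) or a far-end ping (another interface's address, which the ASA does not answer). The config text below is an excerpt of the poster's configuration, trimmed to the lines the check needs.

```python
import ipaddress

# Excerpt of the zjjASA configuration quoted in post #1 (trimmed to interfaces)
ASA_CONFIG = """
interface Ethernet0/0
 nameif outside
 security-level 100
 ip address 172.18.1.254 255.255.255.252
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 172.18.1.129 255.255.255.252
!
icmp permit any outside
icmp permit any inside
"""


def parse_interfaces(config):
    """Return {nameif: IPv4Interface} for every named interface that has an address."""
    ifaces, name, addr = {}, None, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):      # new block: forget previous values
            name, addr = None, None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address "):
            _, _, ip, mask = line.split()      # ASA writes "ip address A.B.C.D MASK"
            addr = ipaddress.IPv4Interface(f"{ip}/{mask}")
        if name and addr:
            ifaces[name] = addr
    return ifaces


def classify_ping(config, src, dst):
    """Classify a ping from src to dst against the ASA's own interface addresses.

    'near-end'         : dst is the address of the interface src arrives on
    'far-end'          : dst belongs to a different interface (ASA does not reply)
    'not-an-interface' : dst is not an ASA interface address at all
    """
    ifaces = parse_interfaces(config)
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    # Ingress interface = the one whose connected subnet contains the source
    ingress = next((n for n, a in ifaces.items() if src_ip in a.network), None)
    owner = next((n for n, a in ifaces.items() if a.ip == dst_ip), None)
    if owner is None:
        return "not-an-interface"
    return "near-end" if owner == ingress else "far-end"
```

Running the two cases from post #1 through `classify_ping` gives "near-end" for 172.18.1.253 -> 172.18.1.254 and "far-end" for 172.18.1.253 -> 172.18.1.129, which matches the observed results without any ACL or inspection change being able to alter them.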