86754653kk posted on 2016-12-22 09:56:08

Cisco ASA Allow PING TRACERT traffic

Background:
A customer uses China Telecom's IP MAN with a DMVPN to connect to sites abroad, but recently noticed packet loss.
Solution:
On a machine on the internal network I wrote 4 scripts which basically ping the domestic egress, the remote public IP and the remote DMVPN internal IP continuously, and also run a trace at the same time.
Script contents:

:top
rem Timestamp each batch of 10 pings, then keep only the timed-out replies
echo %date% %time%>> ping-192-168-46-1.txt
rem /C: searches for the whole phrase; without it findstr treats "Request", "timed" and "out" as separate search words
ping -n 10 192.168.46.1 | findstr /C:"Request timed out" >> ping-192-168-46-1.txt
goto top

But then I found that PING and tracert could not pass through the ASA firewall, so the first problem to solve was letting PING and tracert traffic through the ASA.

Refer to:

https://advanxer.com/blog/2015/04/allowing-tracert-in-cisco-asa-firewall/
http://www.xerunetworks.com/2011/02/traceroute-through-cisco-asa-firewall/
http://www.dasblinkenlichten.com/icmp-and-traceroute-passing-through-an-asa/

access-list inside21_access_in remark PAGE 4 - ALLOW PING TRACERT DNS
access-list inside21_access_in extended permit icmp object-group i-group-shinternet any

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

policy-map global_policy
 class class-default
  set connection decrement-ttl

access-list inside21_access_in remark PAGE 4 - ALLOW PING TRACERT DNS
access-list inside21_access_in extended permit icmp any any time-exceeded
access-list inside21_access_in extended permit icmp any any unreachable

icmp unreachable rate-limit 10 burst-size 5

access-list outside116_access_in extended permit icmp any any
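The batch script above writes a timestamp for every batch of 10 pings followed by the timed-out replies. As an added example that is not part of the original post, here is a Python parser for that log format: it groups the timeouts by batch and reports the overall loss and the batches at or above a loss threshold, which is what you need to see when the loss started. The sample log and the Windows date format are constructed assumptions.

```python
import re

PINGS_PER_BATCH = 10  # matches "ping -n 10" in the batch script

# Timestamp line written by "echo %date% %time%". The date format depends on the Windows
# locale (assumed here: "2016-12-22 09:56:08.12"); a token such as a weekday name between
# date and time is tolerated.
TIMESTAMP_RE = re.compile(
    r"^\s*(\d{4}[-/]\d{1,2}[-/]\d{1,2}(?:\s+\S+)?\s+\d{1,2}:\d{2}:\d{2}(?:[.,]\d+)?)"
)

def parse_ping_log(text):
    """One (timestamp, timeouts) tuple per 10-ping batch.

    Batches with no timeouts are kept because the script writes a timestamp for every
    batch; lines before the first timestamp are ignored.
    """
    batches = []
    for line in text.splitlines():
        m = TIMESTAMP_RE.match(line)
        if m:
            batches.append([m.group(1), 0])
        elif "Request timed out" in line and batches:
            batches[-1][1] += 1
    return [(ts, n) for ts, n in batches]

def loss_summary(batches, threshold_pct=20.0):
    """Overall loss percentage plus the batches whose loss is at or above the threshold."""
    total = len(batches) * PINGS_PER_BATCH
    lost = sum(n for _, n in batches)
    overall = 100.0 * lost / total if total else 0.0
    bad = [(ts, 100.0 * n / PINGS_PER_BATCH) for ts, n in batches
           if 100.0 * n / PINGS_PER_BATCH >= threshold_pct]
    return overall, bad

# Constructed sample log (not a real capture): three batches, the second with 30% loss.
SAMPLE_LOG = """\
2016-12-22 09:56:08.12
2016-12-22 09:56:18.40
Request timed out.
Request timed out.
Request timed out.
2016-12-22 09:56:28.77
Request timed out.
"""

if __name__ == "__main__":
    overall, bad = loss_summary(parse_ping_log(SAMPLE_LOG))
    print("overall loss: %.1f%%; lossy batches: %s" % (overall, bad))
```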

