PAT configured on the firewall in PTS: packets cannot return
This post was last edited by old73 on 2018-5-9 18:53. Pinging the address of the router outside the firewall: the packet reaches the destination router, but on the way back, once it arrives at the firewall it cannot find the return address.
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.20.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 61.128.128.60 255.255.255.0
!
interface Vlan10
 no nameif
 no security-level
 no ip address
!
object network in_out
 subnet 0.0.0.0 0.0.0.0
!
object network in_out
 nat (inside,outside) dynamic interface
!
After adding the routes it is the same: once the packet returns to the firewall, it cannot find the inside address.
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.20.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 61.128.128.60 255.255.255.0
!
interface Vlan10
 no nameif
 no security-level
 no ip address
!
object network in_out
 subnet 0.0.0.0 0.0.0.0
!
route outside 0.0.0.0 0.0.0.0 61.128.128.61 1
route inside 172.16.20.0 255.255.255.0 172.16.20.2 1
!
object network in_out
 nat (inside,outside) dynamic interface
Solved.
Add:
access-list 1 extended permit icmp any any
access-group 1 out interface inside
Adding these two lines is all it takes.
But what is the reason? With no ACL configured, why does the firewall block ICMP in the out direction on the interface, but not in the in direction?
Thanks to the OP for sharing!
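An added check, not part of the thread: a small Python audit of the ASA configuration posted above. ASA keeps no connection state for ICMP unless `inspect icmp` is configured in the policy map, so an echo reply coming back in needs either ICMP inspection or an explicit ACL on its return path; the script reports which of those a configuration has. The re-typed config and the interface names come from the thread; the fix lines use the corrected `access-list`/`access-group` spelling.

```python
import re

# Constructed sample: the ASA configuration posted in the thread (routes included),
# re-typed one command per line. It has no ACL and no 'inspect icmp'.
POSTED_CONFIG = """
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.20.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 61.128.128.60 255.255.255.0
object network in_out
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 61.128.128.61 1
route inside 172.16.20.0 255.255.255.0 172.16.20.2 1
"""

# The two lines the thread added as the fix, appended for comparison.
FIXED_CONFIG = POSTED_CONFIG + (
    "access-list 1 extended permit icmp any any\n"
    "access-group 1 out interface inside\n"
)

def audit_icmp_return_path(config: str) -> dict:
    """Report what, if anything, lets an ICMP echo reply back in through the PAT."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    nat = re.search(r"nat \((\w+),(\w+)\) dynamic interface", config)
    if nat is None:
        raise ValueError("no 'nat (in,out) dynamic interface' (PAT) statement found")
    inside_if, outside_if = nat.group(1), nat.group(2)
    # ASA keeps no connection state for ICMP unless 'inspect icmp' is enabled.
    has_icmp_inspect = "inspect icmp" in lines
    icmp_acls = {m.group(1) for l in lines
                 if (m := re.match(r"access-list (\S+) (?:extended )?permit icmp ", l))}
    bindings = {m.group(1): (m.group(2), m.group(3)) for l in lines
                if (m := re.match(r"access-group (\S+) (in|out) interface (\S+)$", l))}
    # The reply enters on the outside interface and leaves on the inside one,
    # so an ICMP-permitting ACL bound at either point sits on the return path.
    reply_path = {("in", outside_if), ("out", inside_if)}
    acl_on_reply_path = any(bindings.get(a) in reply_path for a in icmp_acls)
    return {
        "icmp_inspection": has_icmp_inspect,
        "icmp_acl_on_reply_path": acl_on_reply_path,
        "echo_reply_can_return": has_icmp_inspect or acl_on_reply_path,
    }
```

Run it against `POSTED_CONFIG` and `FIXED_CONFIG` to see the posted config fail the check and the fixed one pass it.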