ASA route inside not working
Posted 2014-7-24 08:29:22
ASA5512, I configured a static route but it does not take effect. With same-security-traffic permit intra-interface added, 172.17.1.10 can ping 192.168.3.10 but cannot reach any service; the TCP connections all sit in syn_sent. Without same-security-traffic permit intra-interface, even ping fails. The VPN, internal hosts reaching the Internet through NAT, and external access to the web server 172.17.1.16 all work fine. It is only internal hosts reaching the 192.168.3.x range that fails; it feels as if the command route inside 192.168.3.0 255.255.255.0 172.17.1.4 1 is not taking effect. Looking for help.
Configuration as follows:
ciscoasa# show running-config
: Saved
:
ASA Version 8.6(1)2
!
hostname ciscoasa

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 218.14.1.1 255.255.255.240 standby 218.14.1.11
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
this interface is lan failover
!            
interface GigabitEthernet0/3

speed 1000
duplex full
nameif inside
security-level 100
ip address 172.17.1.1 255.255.255.0 standby 172.17.1.2
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.100.1 255.255.255.0
management-only
!
!
time-range k3used
absolute start 08:00 01 January 2008
periodic daily 0:00 to 23:59
periodic daily 9:00 to 18:00
!
ftp mode passive
clock timezone BeiJing 8
object network obj-inside
subnet 172.17.1.0 255.255.255.0
object network obj-vpn       
subnet 10.10.10.0 255.255.255.0
object network websrv
host 172.17.1.16
object network weboutip
host 218.14.1.3
access-list out-in permit ip any  host 172.17.1.16
access-list vpn standard permit 172.17.1.0 255.255.255.0
access-list innet permit ip 172.17.1.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpn_pool 10.10.10.1-10.10.10.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static object weboutip  object websrv service tcp www www
nat (inside,outside) dynamic interface
access-group out-in in interface outside
access-group innet in interface inside
route outside 0.0.0.0 0.0.0.0 218.14.1.2 1
route inside 192.168.2.0 255.255.255.0 172.17.1.4 1
route inside 192.168.3.0 255.255.255.0 172.17.1.4 1
failover
failover lan unit primary
failover lan interface folink g0/2
failover interface ip folink 10.10.1.1 255.255.255.248 standby 10.10.1.2
monitor external
monitor internal
no monitor management
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set vpn_set esp-3des esp-md5-hmac
crypto dynamic-map vpn_map 10 set ikev1 transform-set vpn_set
crypto dynamic-map vpn_map 10 set reverse-route
crypto map vpnmap 10 ipsec-isakmp dynamic vpn_map
crypto map vpnmap interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 30
ssh version 1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.17.1.55

webvpn
group-policy vpnclient internal
group-policy vpnclient attributes
dns-server value 61.128.128.68
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn
username system password Suzg.Gjrd8WdjxU1 encrypted
tunnel-group vpn_group type remote-access
tunnel-group vpn_group general-attributes
address-pool vpn_pool
default-group-policy vpnclient
tunnel-group vpn_group ipsec-attributes
ikev1 pre-shared-key *****
!


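A static check over the posted configuration, added here as an example (it is not code from the thread or from Cisco). It parses the interface subnets and the route table, flags the inside-to-inside hairpin the poster hit (routes pointing back out the inside interface need same-security-traffic permit intra-interface, which the posted config lacks), and also flags the management and crypto settings a reviewer would raise: telnet and ASDM open to any inside host, ssh version 1, and 3DES/MD5/group 2 in the IPsec and IKE policies. The excerpt below is trimmed from the posted config with the standby typos corrected; the finding codes are my own labels.

```python
"""Static checks over a Cisco ASA running-config (added example, not from the thread)."""
import ipaddress
import re

# Excerpt of the configuration posted in the question, trimmed to the lines the checks read.
ASA_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 218.14.1.1 255.255.255.240 standby 218.14.1.11
!
interface GigabitEthernet0/1
 shutdown
 no nameif
!
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 172.17.1.1 255.255.255.0 standby 172.17.1.2
!
route outside 0.0.0.0 0.0.0.0 218.14.1.2 1
route inside 192.168.2.0 255.255.255.0 172.17.1.4 1
route inside 192.168.3.0 255.255.255.0 172.17.1.4 1
crypto ipsec ikev1 transform-set vpn_set esp-3des esp-md5-hmac
crypto ikev1 policy 10
 encryption 3des
 hash sha
 group 2
telnet 0.0.0.0 0.0.0.0 inside
ssh version 1
http 0.0.0.0 0.0.0.0 inside
"""

WEAK_IPSEC = ("esp-des", "esp-3des", "esp-md5-hmac", "esp-null")
WEAK_IKE = ("encryption des", "encryption 3des", "hash md5", "group 1", "group 2")


def parse_interfaces(cfg):
    """Return {nameif: ip_network} for every interface that has both a name and an address."""
    nets, cur = {}, None
    for raw in cfg.splitlines():
        s = raw.strip()
        if s.startswith("interface "):
            cur = {}
        elif s == "!":
            if cur and "name" in cur and "net" in cur:
                nets[cur["name"]] = cur["net"]
            cur = None
        elif cur is not None and s.startswith("nameif "):
            cur["name"] = s.split()[1]
        elif cur is not None and s.startswith("ip address "):
            addr, mask = s.split()[2:4]
            cur["net"] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return nets


def audit(cfg):
    """Return a list of (code, message) findings; an empty list means nothing was flagged."""
    nets = parse_interfaces(cfg)
    findings = []
    hairpin = {}  # nameif -> prefixes that are routed back out that same interface
    for ifc, dst, mask, nh in re.findall(r"^route (\S+) (\S+) (\S+) (\S+)", cfg, re.M):
        prefix = ipaddress.ip_network(f"{dst}/{mask}", strict=False)
        if ifc in nets and ipaddress.ip_address(nh) not in nets[ifc]:
            findings.append(("BAD-NEXTHOP", f"route {prefix} via {nh} is not on the {ifc} subnet {nets[ifc]}"))
        if prefix.prefixlen > 0:  # the default route is expected to point outside
            hairpin.setdefault(ifc, []).append(str(prefix))
    if hairpin and "same-security-traffic permit intra-interface" not in cfg:
        for ifc, prefixes in hairpin.items():
            findings.append(("HAIRPIN", f"{ifc} hosts reaching {', '.join(prefixes)} through the ASA "
                                        f"go back out {ifc}; this needs 'same-security-traffic permit intra-interface'"))
    for ifc in re.findall(r"^telnet 0\.0\.0\.0 0\.0\.0\.0 (\S+)", cfg, re.M):
        findings.append(("TELNET-ANY", f"telnet (cleartext) accepted from any host on {ifc}"))
    if re.search(r"^ssh version 1\s*$", cfg, re.M):
        findings.append(("SSH-V1", "SSH protocol version 1 is enabled"))
    for ifc in re.findall(r"^http 0\.0\.0\.0 0\.0\.0\.0 (\S+)", cfg, re.M):
        findings.append(("HTTP-ANY", f"ASDM/HTTPS management accepted from any host on {ifc}"))
    for line in re.findall(r"^crypto ipsec ikev1 transform-set .*$", cfg, re.M):
        weak = [w for w in WEAK_IPSEC if w in line.split()]
        if weak:
            findings.append(("WEAK-IPSEC", f"transform-set {line.split()[4]} uses {', '.join(weak)}"))
    weak_ike = sorted(w for w in WEAK_IKE if re.search(rf"^\s*{w}\s*$", cfg, re.M))
    if weak_ike:
        findings.append(("WEAK-IKE", "IKEv1 policy uses " + ", ".join(weak_ike)))
    return findings


if __name__ == "__main__":
    for code, msg in audit(ASA_CONFIG):
        print(f"[{code}] {msg}")
```

Run against the excerpt it reports six findings, the HAIRPIN one first; adding same-security-traffic permit intra-interface, restricting telnet/http to management hosts and moving to ssh version 2 clears the corresponding codes. The BAD-NEXTHOP check is the one to watch when a route "does not take effect": a next hop that is not on the egress interface's subnet is silently useless.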
Posted 2014-12-24 15:35:38
Thanks for your information.

Posted 2014-12-25 15:29:20
Routes have to be configured on both sides. On the router you need to add ip route 172.17.1.0 255.255.255.0 172.17.1.1.
You only added the route on the firewall; you did not add one on the internal router (192.168.2.0/24).
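To illustrate the "routes on both sides" point from this reply, here is an added example (not from the thread) that traces the forward and return path of a flow over per-hop routing tables with longest-prefix match. The topology is constructed from the posted config: host 172.17.1.10 uses the ASA 172.17.1.1 as gateway, the ASA routes 192.168.3.0/24 back out inside to 172.17.1.4, and that router is directly connected to both LANs; the router's 192.168.3.1 address and the server's default gateway are assumptions. It shows two distinct failure modes a hop-by-hop check should separate: a hop with no return route at all (the reply's point), and a return path that exists but bypasses the ASA, so a stateful firewall sees the SYN but never the SYN-ACK.

```python
"""Forward/return path tracing over per-hop routing tables (added example, not from the thread)."""
import ipaddress

# Constructed topology modelled on the thread. Table entry: prefix -> (next hop or
# "connected", egress interface name or None). The router's 192.168.3.1 address and the
# server's gateway are assumptions, not values from the posted config.
ROUTES = {
    "host": {"172.17.1.0/24": ("connected", None), "0.0.0.0/0": ("172.17.1.1", None)},
    "asa": {
        "172.17.1.0/24": ("connected", "inside"),
        "218.14.1.0/28": ("connected", "outside"),
        "192.168.3.0/24": ("172.17.1.4", "inside"),
        "0.0.0.0/0": ("218.14.1.2", "outside"),
    },
    "router": {"172.17.1.0/24": ("connected", None), "192.168.3.0/24": ("connected", None)},
    "server": {"192.168.3.0/24": ("connected", None), "0.0.0.0/0": ("192.168.3.1", None)},
}
# Which node owns which address (host, server and 192.168.3.1 are constructed).
OWNER = {"172.17.1.10": "host", "172.17.1.1": "asa", "218.14.1.1": "asa",
         "172.17.1.4": "router", "192.168.3.1": "router", "192.168.3.10": "server"}


def lookup(table, ip):
    """Longest-prefix match: returns (next_hop, iface) or None when the table has no route."""
    addr, best = ipaddress.ip_address(ip), None
    for prefix, entry in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    return best[1] if best else None


def trace(routes, src_ip, dst_ip, max_hops=16):
    """Nodes a packet traverses from src_ip to dst_ip, or None if some hop has no route."""
    node, target = OWNER[src_ip], OWNER[dst_ip]
    path = [node]
    while node != target and len(path) < max_hops:
        entry = lookup(routes[node], dst_ip)
        if entry is None:
            return None  # this hop has no route: the "routes on both sides" problem
        nh = entry[0]
        node = target if nh == "connected" else OWNER.get(nh)
        if node is None:
            return None
        path.append(node)
    return path


def asa_egress_equals_ingress(routes, src_ip, dst_ip):
    """True when the ASA sends the flow back out the interface it arrived on (a hairpin),
    which on ASA additionally needs 'same-security-traffic permit intra-interface'."""
    ingress = lookup(routes["asa"], src_ip)
    egress = lookup(routes["asa"], dst_ip)
    return ingress is not None and egress is not None and ingress[1] == egress[1]


def firewall_sees_both_directions(fw, fwd_path, ret_path):
    """Stateful inspection needs SYN and SYN-ACK on the same box; report whether it gets both."""
    return fw in fwd_path and fw in ret_path


if __name__ == "__main__":
    fwd = trace(ROUTES, "172.17.1.10", "192.168.3.10")
    ret = trace(ROUTES, "192.168.3.10", "172.17.1.10")
    print("forward:", fwd)  # ['host', 'asa', 'router', 'server']
    print("return: ", ret)  # ['server', 'router', 'host']
    print("hairpin on ASA:", asa_egress_equals_ingress(ROUTES, "172.17.1.10", "192.168.3.10"))
    print("ASA sees both directions:", firewall_sees_both_directions("asa", fwd, ret))
```

With these tables the forward path is host, asa, router, server and the return path is server, router, host: the reply goes straight from the router to the host on the shared 172.17.1.0/24 segment, so the ASA only ever sees one direction. Dropping the server's default route instead makes trace() return None, which is the symptom the reply describes. Checking each hop's table for both the forward and the return destination is the quick way to tell the two cases apart before touching the firewall.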
