Networking: ASA configuration using Packet Tracer

Tags: networking, cisco, vlan, asa

I am trying to configure the following network.

I am unable to open it from the public laptop.

I am able to ping the firewall 192.158.99.1 from laptop0 on VLAN20.

I have the following configuration on the ASA and the multilayer switch. Please let me know what else I need to do to complete this network.

```
ciscoasa(config)#show run
: Saved
:
ASA Version 9.6(1)
!
hostname ciscoasa
names
!
interface GigabitEthernet1/1
 nameif inside
 security-level 100
 ip address 192.168.99.1 255.255.255.252
!
interface GigabitEthernet1/2
 nameif dmz
 security-level 50
 ip address 172.16.1.0 255.255.255.0
 ospf authentication message-digest
 ospf message-digest-key 1 md5 *****
!
!
interface Management1/1
 management-only
 nameif outside
 security-level 0
 ip address 148.12.56.67 255.255.255.0
 ospf authentication message-digest
 ospf message-digest-key 1 md5 *****
!
webvpn
 enable outside
object network DMZ
 subnet 172.16.1.0 255.255.255.0
object network LAN
 subnet 192.168.20.0 255.255.255.0
object network webserver
 host 172.16.1.10
object network webserver-external-ip
 host 148.12.56.68
!
route outside 192.168.99.0 255.255.255.252 148.12.56.68 1
!
access-list OUTSIDE extended permit icmp any any echo-reply
access-list OUTSIDE extended permit icmp any any unreachable
access-list OUTSIDE extended permit tcp any object webserver eq www
access-list OUTSIDE extended permit tcp any host 148.12.56.68 eq www
access-list outside extended permit icmp any any echo-reply
access-list outside extended permit icmp any any unreachable
!
!
access-group OUTSIDE in interface outside
object network DMZ
 nat (dmz,outside) dynamic interface
object network LAN
 nat (inside,outside) dynamic interface
object network webserver
 nat (dmz,outside) static 148.12.56.68
!
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
!
telnet timeout 5
ssh timeout 5
!
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
 network 192.168.99.0 255.255.255.252 area 0
 network 148.12.56.0 255.255.255.0 area 0
 network 171.16.1.0 255.255.255.0 area 1
 network 172.16.1.0 255.255.255.0 area 1
!
```
For the multilayer switch, I have the following:

```
S1#show run
Building configuration...

Current configuration : 1840 bytes
!
version 12.2(37)SE1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname S1
!
ip routing
!
interface FastEthernet0/1
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/2
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/3
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/4
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/5
 no switchport
 ip address 192.168.99.2 255.255.255.252
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 mac-address 000c.8551.6601
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
 mac-address 000c.8551.6602
 ip address 192.168.20.1 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 network 192.0.0.0 0.255.255.255 area 0
 network 172.16.1.0 0.0.0.255 area 1
end
```

You are using the management interface in management-only mode, so that interface can only be used to manage the ASA. As far as I know, you cannot remove the "management-only" option from the management interface.

Example of the packet-tracer command:

```
packet-tracer input outside tcp <laptop_ip> 148.12.56.68 80
```
The above configuration will add timestamps to all log messages, set the logging severity level to informational, and buffer 16M of log messages.

More information about ASA logging:

You can find more about logging severity levels here:

To send log messages to a central log server:

```
logging host <asa_interface> <remote_log_server_ip> <protocol/port/>
```

I think log messages are one of your best friends when troubleshooting.
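As an added illustration of the answer's point (this is not code from the question or the answer), a small Python audit reads a running config and flags a `management-only` interface that is also referenced by `access-group`, `route` or `nat` lines, and an interface whose `ip address` is the subnet's network or broadcast address; the config excerpt is constructed from the question's `show run`.

```python
import re, ipaddress

# Constructed excerpt of the ASA running config from the question, cut down to the lines these checks read.
ASA_CONFIG = """\
interface GigabitEthernet1/2
 nameif dmz
 ip address 172.16.1.0 255.255.255.0
interface Management1/1
 management-only
 nameif outside
 ip address 148.12.56.67 255.255.255.0
route outside 192.168.99.0 255.255.255.252 148.12.56.68 1
access-group OUTSIDE in interface outside
 nat (inside,outside) dynamic interface
"""
# Config lines that push user traffic through an interface; capture groups are nameifs.
TRANSIT = [("access-group", r"^access-group \S+ in interface (\S+)"),
           ("route", r"^route (\S+) "), ("nat", r"^\s*nat \((\S+),(\S+)\)")]

def parse_interfaces(config):
    # Map nameif -> {"mgmt_only": bool, "ip": "addr/mask" or None}
    interfaces, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = {"mgmt_only": False, "ip": None}
        elif cur is not None and line.startswith(" "):
            words = line.split()
            if words[0] == "nameif":
                interfaces[words[1]] = cur
            elif words[0] == "management-only":
                cur["mgmt_only"] = True
            elif words[:2] == ["ip", "address"] and len(words) >= 4:
                cur["ip"] = f"{words[2]}/{words[3]}"
    return interfaces

def audit(config):
    # Return (nameif, finding) pairs for the two mistakes visible in the question
    uses = {}
    for line in config.splitlines():
        for kind, pat in TRANSIT:
            m = re.match(pat, line)
            for name in (m.groups() if m else ()):
                uses.setdefault(name, set()).add(kind)
    findings = []
    for name, info in parse_interfaces(config).items():
        if info["ip"]:
            ifc = ipaddress.ip_interface(info["ip"])
            if ifc.ip in (ifc.network.network_address, ifc.network.broadcast_address):
                findings.append((name, "ip-is-network-or-broadcast"))
        if info["mgmt_only"] and uses.get(name):
            findings.append((name, "management-only-used-for-" + "+".join(sorted(uses[name]))))
    return findings
```

Run `audit(ASA_CONFIG)` to get one finding for the dmz address and one for the outside interface being management-only while carrying the access-group, route and NAT.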

I changed the management interface on the firewall to a GigabitEthernet one. I tried the following command on the ASA to show the trace (192.168.20.3 is the IP address of laptop0): `packet-tracer input outside tcp 192.168.20.3 148.12.56.68 80`, but it shows invalid command.

The packet-tracer command can be used in privileged EXEC mode, so you must run the `enable` command before the `packet-tracer` command. By the way, I thought that was the IP address of the public laptop, not an inside address.

Oh well, I think I misunderstood. This is my first network in Packet Tracer. I want to learn the ASA firewall; I will check with the public laptop. Thanks.

I tried the following command on the ASA in EXEC mode, but it still shows invalid command:

```
ciscoasa#packet-tracer input outside tcp 172.16.1.100 148.12.56.68 80
                                                                   ^
% Invalid input detected at '^' marker.
ciscoasa#
```

```
logging host <asa_interface> <remote_log_server_ip> <protocol/port/>
logging host inside 192.168.1.1 udp
```