01-15-2020 11:19 PM - edited 02-21-2020 09:50 AM
Dear all,
My trouble is with an ACL using any4 or a specified host. My topology:
And configuration of devices:
[Internet]v15.2
interface GigabitEthernet1/0
ip address 209.165.1.1 255.255.255.0
no shutdown
===============================
[ciscoasa]v9.6
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 209.165.1.2 255.255.255.0
no shutdown
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.0.0.1 255.0.0.0
no shutdown
!
object network LAN
subnet 10.0.0.0 255.0.0.0
nat (inside,outside) dynamic interface
object network WEB
host 10.0.0.2
nat (inside,outside) static interface service tcp 80 80
!
access-list asa extended permit icmp any4 host 209.165.1.2
access-list asa extended permit icmp any4 interface outside
access-list asa extended permit icmp any4 interface outside echo
access-list asa extended permit icmp any4 interface outside echo-reply
access-list asa extended permit tcp any4 host 209.165.1.2
access-list asa extended permit tcp any4 interface outside eq 80
access-group asa in interface outside
!
route outside 0.0.0.0 0.0.0.0 209.165.1.1
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
===============================
[WEB]v15.2
interface GigabitEthernet1/0
ip address 10.0.0.2 255.0.0.0
no shutdown
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip http server
===============================
With this configuration, WEB can't ping Internet (209.165.1.1): the ICMP echo-request reaches it, but the echo-reply does not come back.
And Internet cannot access WEB. Please refer to the following...
WEB#ping 209.165.1.1 repeat 3
Type escape sequence to abort.
Sending 3, 100-byte ICMP Echos to 209.165.1.1, timeout is 2 seconds:
...
Success rate is 0 percent (0/3)
WEB#
Internet#
*Jan 16 15:05:35.051: ICMP: echo reply sent, src 209.165.1.1, dst 209.165.1.2, topology BASE, dscp 0 topoid 0
Internet#
*Jan 16 15:05:37.051: ICMP: echo reply sent, src 209.165.1.1, dst 209.165.1.2, topology BASE, dscp 0 topoid 0
Internet#
*Jan 16 15:05:39.043: ICMP: echo reply sent, src 209.165.1.1, dst 209.165.1.2, topology BASE, dscp 0 topoid 0
Internet#
However, I modified ACL:
access-list asa extended permit icmp any4 any4
access-list asa extended permit tcp any4 any4
access-group asa in interface outside
WEB#ping 209.165.1.1 repeat 3
Type escape sequence to abort.
Sending 3, 100-byte ICMP Echos to 209.165.1.1, timeout is 2 seconds:
!!!
Success rate is 100 percent (3/3), round-trip min/avg/max = 16/20/24 ms
WEB#
Internet#
*Jan 16 15:09:30.115: ICMP: echo reply sent, src 209.165.1.1, dst 209.165.1.2, topology BASE, dscp 0 topoid 0
*Jan 16 15:09:30.135: ICMP: echo reply sent, src 209.165.1.1, dst 209.165.1.2, topology BASE, dscp 0 topoid 0
*Jan 16 15:09:30.159: ICMP: echo reply sent, src 209.165.1.1, dst 209.165.1.2, topology BASE, dscp 0 topoid 0
Internet#
Internet#telnet 209.165.1.2 80
Trying 209.165.1.2, 80 ... Open
get
HTTP/1.1 400 Bad Request
Date: Thu, 16 Jan 2020 15:10:00 GMT
Server: cisco-IOS
Accept-Ranges: none
400 Bad Request
[Connection to 209.165.1.2 closed by foreign host]
Internet#
It is resolved! But why? From Internet's point of view, is the destination IP address of the echo-reply and of the web traffic not 209.165.1.2? Is that impossible?
Regards