
Cisco ASA5525 firewall: inside-1 and outside-1 cannot ping each other, but business traffic is permitted

longbaobao7
Level 1
ASA5525# show run
: Saved
:
: Serial Number: FCH2151J1KV
: Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2)
!
hostname ASA5525
enable password $sha512$5000$rPPuBTB1Wrav3IMq9KmfDw==$l9BQfWvhkbCPG95HuazXiA== pbkdf2
names
!
interface GigabitEthernet0/0
 nameif outside-1
 security-level 50
 ip address 10.150.1.2 255.255.255.252
!
interface GigabitEthernet0/1
 shutdown
 nameif outside-2
 security-level 50
 ip address 10.150.253.2 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside-1
 security-level 100
 ip address 10.150.1.5 255.255.255.252
!
interface GigabitEthernet0/3
 nameif inside-2
 security-level 100
 ip address 10.150.1.9 255.255.255.252
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa982-smp-k8.bin
ftp mode passive
object network 10.150.25.0
 subnet 10.150.25.0 255.255.255.0
 description WaSiFaDian
object network 10.150.3.13
 host 10.150.3.13
object network 10.150.52.0
 subnet 10.150.52.0 255.255.255.0
object network 10.150.24.8
 host 10.150.24.8
object network 10.150.24.0
 subnet 10.150.24.0 255.255.255.0
object network test
 subnet 10.150.0.0 255.255.0.0
object-group service sijiazhuangserver tcp
 port-object eq telnet
 port-object eq www
 port-object eq domain
 port-object eq pop3
 port-object eq https
 port-object eq ftp
 port-object eq smtp
 port-object eq hostname
 port-object range 22220 22225
 port-object eq 9000
 port-object eq 8721
 port-object eq sip
object-group service udpserver udp
 port-object eq www
 port-object eq domain
 port-object eq 8721
access-list 101 extended permit ip any any
access-list 10 extended deny ip host 10.150.6.149 any
access-list 10 extended deny ip host 10.150.6.49 any
access-list 10 extended deny ip 10.150.21.0 255.255.255.0 any
access-list 10 extended permit ip 10.150.3.0 255.255.255.0 any
access-list 10 extended permit ip 10.150.4.0 255.255.255.0 any
access-list 10 extended permit ip 10.150.8.0 255.255.255.0 any
access-list 10 extended permit ip host 10.150.6.51 any
access-list 10 extended permit ip host 10.150.6.140 any
access-list 10 extended permit tcp host 10.150.13.221 any object-group sijiazhuangserver
access-list 10 extended permit ip 10.150.51.0 255.255.255.0 any
access-list 10 extended permit ip host 10.150.14.34 any
access-list 10 extended permit ip host 10.150.14.62 any
access-list 10 extended permit ip host 10.150.14.88 any
access-list 10 extended permit ip 10.150.6.0 255.255.255.0 any
access-list 10 extended permit ip 10.150.7.0 255.255.255.0 any
access-list 10 extended permit ip 10.150.9.0 255.255.255.0 any
access-list 10 extended permit ip 10.150.10.0 255.255.255.0 any
access-list 10 extended permit ip 10.150.11.0 255.255.255.0 any
access-list 10 extended permit ip 10.150.12.0 255.255.255.0 any
access-list 10 extended permit ip 10.150.13.0 255.255.255.0 any
access-list 10 extended permit ip 10.150.14.0 255.255.255.0 any
access-list 10 extended permit ip 10.150.15.0 255.255.255.0 any
access-list 10 extended permit ip 10.150.16.0 255.255.255.0 any
access-list 10 extended permit ip 10.150.17.0 255.255.255.0 any
access-list 10 extended permit ip 10.150.18.0 255.255.255.0 any
access-list 10 extended permit ip 10.150.19.0 255.255.255.0 any
access-list 10 extended permit ip 10.150.20.0 255.255.255.0 any
access-list 10 extended permit ip 10.150.24.0 255.255.255.0 any
access-list 10 extended permit ip 10.150.26.0 255.255.255.0 any
access-list 10 extended permit ip 10.150.21.0 255.255.255.0 any
access-list 10 extended permit udp any any object-group udpserver
access-list 10 extended permit ip host 10.150.13.128 any
access-list 10 extended permit ip host 10.150.7.14 any
access-list 10 extended permit ip host 10.150.6.50 any
access-list 10 extended permit ip host 10.150.2.89 any
access-list 10 extended permit ip host 10.150.52.201 any
access-list 10 extended permit ip host 10.150.52.28 any
access-list 10 extended permit ip host 10.150.52.27 any
access-list 10 extended permit ip host 10.150.52.21 any
access-list 10 extended permit ip object 10.150.24.8 any
access-list 10 extended permit ip host 10.150.2.31 any
access-list 10 extended permit ip object 10.150.3.13 any
access-list 10 extended permit ip host 10.150.2.16 any
access-list 10 extended permit ip host 10.150.2.118 any
access-list 10 extended permit ip host 10.150.2.30 any
access-list 10 extended permit ip any host 10.150.52.201
access-list 10 extended permit ip any host 10.150.52.28
access-list 10 extended permit ip any host 10.150.52.27
access-list 10 extended permit ip any host 10.150.52.21
access-list 10 extended permit ip any object 10.150.3.13
access-list 10 extended permit ip any host 10.150.2.89
access-list 10 extended permit ip any host 10.150.24.238
access-list 10 extended permit ip any host 10.150.24.237
access-list 10 extended permit ip any host 10.150.24.8
access-list 10 extended permit ip any host 10.150.2.31
access-list 10 extended permit ip any host 10.150.2.16
access-list 10 extended permit ip any host 10.150.2.118
access-list 10 extended permit ip any host 10.150.2.30
access-list 10 extended permit ip any host 10.150.23.100
access-list 10 extended permit ip any host 10.150.23.101
access-list 10 extended permit ip any host 10.150.23.102
access-list 10 extended permit ip any host 10.150.23.103
access-list 10 extended permit ip any host 10.150.23.104
access-list 10 extended permit ip any host 10.150.23.105
access-list 10 extended permit ip object 10.150.25.0 any
access-list 10 extended permit ip 10.150.23.0 255.255.255.0 any
access-list 10 extended permit icmp host 10.150.1.1 any
access-list 10 extended permit icmp any host 10.150.1.1
access-list inside-1_access_in extended permit ip any any
access-list inside-1_access_in extended permit icmp any any
access-list outside-2_access_out extended permit ip any any
access-list outside-2_access_out extended permit icmp any any
access-list inside-2_access_in extended permit icmp any any inactive
access-list inside-2_access_in extended permit ip any any inactive
access-list inside-2_access_out extended permit icmp any any inactive
access-list inside-2_access_out extended permit ip any any inactive
access-list icmp extended permit icmp any any
access-list icmp extended permit ip any any
pager lines 24
logging enable
logging trap informational
logging asdm informational
logging host inside-1 10.150.5.2 format emblem
logging class auth trap informational
mtu outside-1 1500
mtu outside-2 1500
mtu inside-1 1500
mtu inside-2 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-782.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
access-group icmp in interface outside-1
access-group 10 out interface outside-1
access-group 101 in interface outside-2
access-group outside-2_access_out out interface outside-2
access-group icmp in interface inside-1
access-group inside-2_access_in in interface inside-2
access-group inside-2_access_out out interface inside-2
route outside-1 0.0.0.0 0.0.0.0 10.150.1.1 1
route outside-2 10.0.0.0 255.0.0.0 10.150.253.1 1
route inside-1 10.150.2.0 255.255.255.0 10.150.1.6 1
route inside-2 10.150.2.0 255.255.255.0 10.150.1.10 2
route inside-1 10.150.3.0 255.255.255.0 10.150.1.6 1
route inside-2 10.150.3.0 255.255.255.0 10.150.1.10 2
route inside-1 10.150.4.0 255.255.255.0 10.150.1.6 1
route inside-2 10.150.4.0 255.255.255.0 10.150.1.10 2
route inside-1 10.150.5.0 255.255.255.0 10.150.1.6 1
route inside-2 10.150.5.0 255.255.255.0 10.150.1.10 2
route inside-1 10.150.6.0 255.255.255.0 10.150.1.6 1
route inside-2 10.150.6.0 255.255.255.0 10.150.1.10 2
route inside-1 10.150.7.0 255.255.255.0 10.150.1.6 1
route inside-2 10.150.7.0 255.255.255.0 10.150.1.10 2
route inside-1 10.150.8.0 255.255.255.0 10.150.1.6 1
route inside-2 10.150.8.0 255.255.255.0 10.150.1.10 2
route inside-1 10.150.9.0 255.255.255.0 10.150.1.6 1
route inside-2 10.150.9.0 255.255.255.0 10.150.1.10 2
route inside-1 10.150.10.0 255.255.255.0 10.150.1.6 1
route inside-2 10.150.10.0 255.255.255.0 10.150.1.10 2
route inside-1 10.150.11.0 255.255.255.0 10.150.1.6 1
route inside-2 10.150.11.0 255.255.255.0 10.150.1.10 2
route inside-1 10.150.12.0 255.255.255.0 10.150.1.6 1
route inside-2 10.150.12.0 255.255.255.0 10.150.1.10 2
route inside-1 10.150.13.0 255.255.255.0 10.150.1.6 1
route inside-2 10.150.13.0 255.255.255.0 10.150.1.10 2
route inside-1 10.150.14.0 255.255.255.0 10.150.1.6 1
route inside-2 10.150.14.0 255.255.255.0 10.150.1.10 2
route inside-1 10.150.15.0 255.255.255.0 10.150.1.6 1
route inside-2 10.150.15.0 255.255.255.0 10.150.1.10 2
route inside-1 10.150.16.0 255.255.255.0 10.150.1.6 1
route inside-2 10.150.16.0 255.255.255.0 10.150.1.10 2
route inside-1 10.150.17.0 255.255.255.0 10.150.1.6 1
route inside-2 10.150.17.0 255.255.255.0 10.150.1.10 2
route inside-1 10.150.18.0 255.255.255.0 10.150.1.6 1
route inside-2 10.150.18.0 255.255.255.0 10.150.1.10 2
route inside-1 10.150.19.0 255.255.255.0 10.150.1.6 1
route inside-2 10.150.19.0 255.255.255.0 10.150.1.10 2
route inside-1 10.150.20.0 255.255.255.0 10.150.1.6 1
route inside-2 10.150.20.0 255.255.255.0 10.150.1.10 2
route inside-1 10.150.21.0 255.255.255.0 10.150.1.6 1
route inside-1 10.150.23.0 255.255.255.0 10.150.1.6 1
route inside-2 10.150.23.0 255.255.255.0 10.150.1.10 2
route inside-1 10.150.24.0 255.255.255.0 10.150.1.6 1
route inside-1 10.150.25.0 255.255.255.0 10.150.1.6 1
route inside-1 10.150.25.0 255.255.255.0 10.150.1.10 2
route inside-1 10.150.26.0 255.255.255.0 10.150.1.6 1
route inside-1 10.150.51.0 255.255.255.0 10.150.1.6 1
route inside-2 10.150.51.0 255.255.255.0 10.150.1.10 2
route inside-1 10.150.52.0 255.255.255.0 10.150.1.6 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside-1
http 0.0.0.0 0.0.0.0 inside-2
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 10.150.3.0 255.255.255.0 inside-1
telnet 0.0.0.0 0.0.0.0 inside-2
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl cipher default low
ssl cipher tlsv1 low
ssl cipher tlsv1.1 low
ssl cipher tlsv1.2 low
ssl cipher dtlsv1 low
dynamic-access-policy-record DfltAccessPolicy
username cisco password $sha512$5000$abPg1i2oDOjygnt4l5oGkQ==$X3PKy10JVr54dQLh4MHilg== pbkdf2 privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:181e616a39108649c5ae369e75c3a117
: end