雄安专业网站建设电话/日照网络推广公司

拿手上的设备做了一个简单的实验，具体拓扑如下 
adsl router-----asa5510------cat2960

其中asa5510的e0口设为outside,与adsl router的Lan口互联，e1口与2960互联，同时2960的上联口设置为trunk口，在2960上划分了vlan 2、3, 2960的管理vlan为vlan1,ip地址为192.168.1.2,网关为192.168.1.1，在asa5510上划分了子接口，分别对应vlan2和vlan3，配置如下： 
------------------ASA 5510 Configuration Begin------------------------ 
: Saved 
: 
ASA Version 7.2(4) 
! 
hostname ciscoasa 
domain-name default.domain.invalid 
enable password 8Ry2YjIyt7RRXU24 encrypted 
passwd 2KFQnbNIdI.2KYOU encrypted 
names 
dns-guard 
! 
interface Ethernet0/0 
nameif outside 
security-level 0 
ip address 192.168.0.2 255.255.255.0 
! 
interface Ethernet0/1 
nameif vlan1 
security-level 100 
ip address 192.168.1.1 255.255.255.0 
! 
interface Ethernet0/1.1 
vlan 2 
nameif vlan2 
security-level 100 
ip address 192.168.4.1 255.255.255.0 
! 
interface Ethernet0/1.2 
vlan 3 
nameif vlan3 
security-level 100 
ip address 192.168.5.1 255.255.255.0 
! 
interface Ethernet0/2 
shutdown 
no nameif 
no security-level 
no ip address 
! 
interface Ethernet0/3 
shutdown 
no nameif 
no security-level 
no ip address 
! 
interface Management0/0 
shutdown 
no nameif 
no security-level 
no ip address 
management-only 
! 
boot system disk0:/asa724-k8.bin 
ftp mode passive 
dns server-group DefaultDNS 
domain-name default.domain.invalid 
same-security-traffic permit inter-interface 
pager lines 24 
mtu outside 1500 
mtu vlan1 1500 
mtu vlan2 1500 
mtu vlan3 1500 
icmp unreachable rate-limit 1 burst-size 1 
asdm image disk0:/asdm-524.bin 
no asdm history enable 
arp timeout 14400 
global (outside) 1 192.168.0.10-192.168.0.20 
nat (vlan3) 1 192.168.5.0 255.255.255.0 
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1 
timeout xlate 3:00:00 
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute 
http server enable 
http 0.0.0.0 0.0.0.0 vlan3 
no snmp-server location 
no snmp-server contact 
snmp-server enable traps snmp authentication linkup linkdown coldstart 
telnet timeout 5 
ssh timeout 5 
console timeout 0 
! 
class-map inspection_default 
match default-inspection-traffic 
! 
! 
policy-map global_policy 
class inspection_default 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
! 
service-policy global_policy global 
prompt hostname context 
Cryptochecksum:a4d2bbbc0c0ce4cdaad801d3b8b294a4 
: end

------------------ASA 5510 Configuration End-----------------------

现在是这样的情况，我在配置中删除nat (vlan3) 1 192.168.5.0 255.255.255.0时，我用接在vlan3下的pc机192.168.5.2是可以ping通2960的管理地址192.168.1.2的，或者是vlan2中的主机192.168.4.2，但如果加上这句，就再也不能ping通这两个地址了，用packet tracer的结果如下： 
-----------------------------------有上面这句话时的结果------------------------------------ 
ciscoasa(config)# packet-tracer input vlan3 icmp 192.168.5.2 8 0 192.168.1.2 detailed 
Phase: 1 
Type: FLOW-LOOKUP 
Subtype: 
Result: ALLOW 
Config: 
Additional Information: 
Found no matching flow, creating a new flow 
Phase: 2 
Type: ROUTE-LOOKUP 
Subtype: input 
Result: ALLOW 
Config: 
Additional Information: 
in   192.168.1.0     255.255.255.0   vlan1 
Phase: 3 
Type: ACCESS-LIST 
Subtype: 
Result: ALLOW 
Config: 
Implicit Rule 
Additional Information: 
Forward Flow based lookup yields rule: 
in  id=0x3e0ed10, priority=2, domain=permit, deny=false 
        hits=720, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0 
        src ip=0.0.0.0, mask=0.0.0.0, port=0 
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 
Phase: 4 
Type: IP-OPTIONS 
Subtype: 
Result: ALLOW 
Config: 
Additional Information: 
Forward Flow based lookup yields rule: 
in  id=0x3e11348, priority=0, domain=permit-ip-option, deny=true 
        hits=6828, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 
        src ip=0.0.0.0, mask=0.0.0.0, port=0 
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 
Phase: 5 
Type: INSPECT 
Subtype: np-inspect 
Result: ALLOW 
Config: 
Additional Information: 
Forward Flow based lookup yields rule: 
in  id=0x3e106c0, priority=66, domain=inspect-icmp-error, deny=false 
        hits=752, user_data=0x3e105f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1 
        src ip=0.0.0.0, mask=0.0.0.0, port=0 
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 
Phase: 6 
Type: NAT 
Subtype: 
Result: DROP 
Config: 
nat (vlan3) 1 192.168.5.0 255.255.255.0 
  match ip vlan3 192.168.5.0 255.255.255.0 vlan1 any 
    dynamic translation to pool 1 (No matching global) 
    translate_hits = 9, untranslate_hits = 0 
Additional Information: 
Forward Flow based lookup yields rule: 
in  id=0x41ddd90, priority=1, domain=nat, deny=false 
        hits=7, user_data=0x41ddd20, cs_id=0x0, flags=0x0, protocol=0 
        src ip=192.168.5.0, mask=255.255.255.0, port=0 
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 
Result: 
input-interface: vlan3 
input-status: up 
input-line-status: up 
output-interface: vlan1 
output-status: up 
output-line-status: up 
Action: drop 
Drop-reason: (acl-drop) Flow is denied by configured rule 
ciscoasa(config)#

-----------------------------------没有上面这句话时的结果------------------------------------ 
ciscoasa(config)# packet-tracer input vlan3 icmp 192.168.5.2 8 0 192.168.4.2 detailed 
Phase: 1 
Type: FLOW-LOOKUP 
Subtype: 
Result: ALLOW 
Config: 
Additional Information: 
Found no matching flow, creating a new flow 
Phase: 2 
Type: ROUTE-LOOKUP 
Subtype: input 
Result: ALLOW 
Config: 
Additional Information: 
in   192.168.4.0     255.255.255.0   vlan2 
Phase: 3 
Type: ACCESS-LIST 
Subtype: 
Result: ALLOW 
Config: 
Implicit Rule 
Additional Information: 
Forward Flow based lookup yields rule: 
in  id=0x3e0ed10, priority=2, domain=permit, deny=false 
        hits=742, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0 
        src ip=0.0.0.0, mask=0.0.0.0, port=0 
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 
Phase: 4 
Type: IP-OPTIONS 
Subtype: 
Result: ALLOW 
Config: 
Additional Information: 
Forward Flow based lookup yields rule: 
in  id=0x3e11348, priority=0, domain=permit-ip-option, deny=true 
        hits=6874, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 
        src ip=0.0.0.0, mask=0.0.0.0, port=0 
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 
Phase: 5 
Type: INSPECT 
Subtype: np-inspect 
Result: ALLOW 
Config: 
Additional Information: 
Forward Flow based lookup yields rule: 
in  id=0x3e106c0, priority=66, domain=inspect-icmp-error, deny=false 
        hits=774, user_data=0x3e105f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1 
        src ip=0.0.0.0, mask=0.0.0.0, port=0 
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 
Phase: 6 
Type: FLOW-CREATION 
Subtype: 
Result: ALLOW 
Config: 
Additional Information: 
New flow created with id 7446, packet dispatched to next module 
Module information for forward flow ... 
snp_fp_inspect_ip_options 
snp_fp_adjacency 
snp_fp_fragment 
snp_fp_tracer_drop 
snp_ifc_stat 
Module information for reverse flow ... 
Phase: 7 
Type: ROUTE-LOOKUP 
Subtype: output and adjacency 
Result: ALLOW 
Config: 
Additional Information: 
found next-hop 192.168.4.2 using egress ifc vlan2 
adjacency Active 
next-hop mac address 0016.d4c4.bd0b hits 195 
Result: 
input-interface: vlan3 
input-status: up 
input-line-status: up 
output-interface: vlan2 
output-status: up 
output-line-status: up 
Action: allow 
ciscoasa(config)#

不知各位大大能够解释一下原因及解决方法，谢谢！

本文转自 gehailong 51CTO博客，原文链接：http://blog.51cto.com/gehailong/301143，如需转载请自行联系原作者