拓扑如上图。
PIX接口信息已配置好。
interface Ethernet0
nameif ouside
security-level 0
ip address 122.224.109.234 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
nameif ouside
security-level 0
ip address 122.224.109.234 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
路由:
C 122.224.109.0 255.255.255.0 is directly connected, ouside
C 192.168.1.0 255.255.255.0 is directly connected, inside
S 192.168.18.0 255.255.255.0 [1/0] via 192.168.1.1, inside
左边R1,右边的R2路由均已配置好,分别如下:
R1
C 192.168.1.0/24 is directly connected, Ethernet0/0
C 192.168.18.0/24 is directly connected, Ethernet0/1
S* 0.0.0.0/0 [1/0] via 192.168.1.1
C 192.168.18.0/24 is directly connected, Ethernet0/1
S* 0.0.0.0/0 [1/0] via 192.168.1.1
R2
122.0.0.0/24 is subnetted, 1 subnets
C 122.224.109.0 is directly connected, Ethernet0/0
S 192.168.1.0/24 [1/0] via 122.224.109.234
S 192.168.18.0/24 [1/0] via 122.224.109.234
C 122.224.109.0 is directly connected, Ethernet0/0
S 192.168.1.0/24 [1/0] via 122.224.109.234
S 192.168.18.0/24 [1/0] via 122.224.109.234
配置完以后,在路由器R1上去PING R2122.224.109.1 怎么PING都不通
同理在R2上去PING R1 192.168.1.2也不通
百思不得其解,查询了相关文档得到答案,原来ICMP包在默认情况上,只能从OUTSIDE接口出去,但不能返回,所以R1 PING R2的时候不通。
所以得加上一条ACL,进行允许,如下:
access-list icmp-in extended permit icmp any any
access-group icmp-in in interface outside
加上这两条命令后,通了。。
如果要从R2 访问 R1,就必须先做映射。
static (inside,ouside) 122.224.109.237 192.168.1.2 netmask 255.255.255.255
因为前面已经加上了一条允许列表,所以,可以在R2上PING通 122.224.109.237 ,实际上是PING通了192.168.1.2
如果没有
access-list icmp-in extended permit icmp any any
access-group icmp-in in interface outside
从外到内也是不通的。。
这个问题搞了两天才解决,太高兴了,鼓励一下。呵呵。
