Original poster
Posted on 2008-10-19 06:48:27
FWSM transparent mode: PC cannot communicate with the MSFC gateway
MSFC
| vlan 5
|
FWSM
| vlan 6
|
PC
MSFC gateway address: int vlan5 1.1.1.1/24; FWSM transparent-mode management address: 1.1.1.2/24; PC address: 1.1.1.10/24
FWSM/contexta# sho run
: Saved
:
FWSM Version 3.2(2) <context>
!
firewall transparent
hostname contexta
domain-name cisco.com
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan5
nameif outside
security-level 0
bridge-group 1
!
interface Vlan6
nameif inside
security-level 100
bridge-group 1
!
passwd 2KFQnbNIdI.2KYOU encrypted
interface bvi 1
ip address 1.1.1.2 255.255.255.0
access-list out-to-in extended permit ip any any
access-list out-to-in extended permit icmp any any
access-list in-to-out extended permit ip any any
access-list in-to-out extended permit icmp any any
pager lines 24
logging enable
logging timestamp
logging standby
logging trap informational
logging history notifications
mtu outside 1500
mtu inside 1500
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
static (inside,outside) 10.19.81.0 10.19.81.0 netmask 255.255.255.0
access-group out-to-in in interface outside
access-group in-to-out in interface inside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect skinny
inspect smtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:7d7fcf8bfa1ab8a99e23281c571105f4
: end
FWSM/contexta#
From the FWSM I can ping 1.1.1.1 on the MSFC, and I can ping the PC at 1.1.1.10.
From the PC I cannot ping 1.1.1.1; arp -a correctly resolves the MAC of the gateway 1.1.1.1.
On the MSFC I can also see the correct ARP entry for the PC.
With a capture running on the firewall, pinging 1.1.1.10 from the MSFC with count=1000
shows the following:
FWSM/contexta# sho capture 2 detail
220 packets seen, 220 captured
1: 03:15:45.75507590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#5
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 75)
2: 03:15:45.75507590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#6
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 75)
3: 03:15:47.75509590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#5
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 76)
4: 03:15:47.75509590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#6
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 76)
5: 03:15:49.75511590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#5
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 77)
6: 03:15:49.75511590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#6
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 77)
7: 03:15:51.75513590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#5
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 78)
8: 03:15:51.75513590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#6
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 78)
9: 03:15:53.75515590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#5
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 79)
10: 03:15:53.75515590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#6
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 79)
11: 03:15:55.75517590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#5
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 80)
12: 03:15:55.75517590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#6
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 80)
13: 03:15:57.75519590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#5
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 81)
14: 03:15:57.75519590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#6
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 81)
15: 03:15:59.75521590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#5
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 82)
16: 03:15:59.75521590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#6
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 82)
17: 03:16:01.75523590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#5
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 83)
18: 03:16:01.75523590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#6
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 83)
19: 03:16:03.75525590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#5
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 84)
20: 03:16:03.75525600 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#6
But when pinging the MSFC at 1.1.1.1 from the PC, the capture sees no packets at all.
When bridging between two VLANs, how are the tags on the trunk between the MSFC and the FWSM distinguished?
Does transparent mode need any additional commands enabled?
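An added diagnostic, not code from the post or from Cisco: a Python parser for the two-line frame records that `show capture <name> detail` prints above, which checks, per IP id, whether each echo request was seen on both bridge-group VLANs (entered on vlan 5, forwarded out on vlan 6) and whether any echo reply came back. The record format and VLAN numbers are taken from the post; the sample text is constructed from the post's first lines plus one constructed frame (id 99) seen on one VLAN only and a trailing header cut off before its payload line. On the sample, which mirrors the capture in the post, the parser reports that the requests cross the bridge but no reply from the PC ever enters the FWSM; an empty capture, as for the PC-side ping, reports that no request was seen at all.

```python
import re
from collections import defaultdict

# Regexes for the two-line frame records printed by "show capture <name> detail":
# a header with frame number, timestamps, MACs, 802.1Q tag and VLAN,
# followed by a payload line with the ICMP echo summary.
HEADER_RE = re.compile(
    r"^(?P<seq>\d+): (?P<time>\S+) (?P<smac>[0-9a-f.]+) (?P<dmac>[0-9a-f.]+) "
    r"0x8100 (?P<length>\d+): 802\.1Q vlan#(?P<vlan>\d+)$"
)
ICMP_RE = re.compile(
    r"^P0 (?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp: "
    r"(?P<kind>echo request|echo reply) \(ttl (?P<ttl>\d+), id (?P<ipid>\d+)\)$"
)

# Constructed sample: three request pairs copied from the post, one constructed
# frame (id 99) that appears on VLAN 5 only, and a final header with no payload.
SAMPLE_CAPTURE = """\
8 packets seen, 8 captured
1: 03:15:45.75507590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#5
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 75)
2: 03:15:45.75507590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#6
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 75)
3: 03:15:47.75509590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#5
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 76)
4: 03:15:47.75509590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#6
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 76)
5: 03:15:49.75511590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#5
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 77)
6: 03:15:49.75511590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#6
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 77)
7: 03:15:51.75513590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#5
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 99)
8: 03:15:53.75515590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#5
"""

# Constructed capture where every request is seen on the outside VLAN only.
OUTSIDE_ONLY_CAPTURE = """\
1: 03:20:00.00000000 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#5
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 200)
2: 03:20:02.00000000 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#5
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 201)
"""


def parse_capture(text):
    """Return one dict per ICMP echo frame; non-ICMP or truncated records are skipped."""
    packets = []
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        hdr = HEADER_RE.match(lines[i])
        if hdr is None or i + 1 >= len(lines):
            i += 1
            continue
        body = ICMP_RE.match(lines[i + 1])
        if body is None:
            i += 1
            continue
        packets.append({
            "seq": int(hdr["seq"]), "vlan": int(hdr["vlan"]),
            "smac": hdr["smac"], "dmac": hdr["dmac"],
            "src": body["src"], "dst": body["dst"],
            "kind": body["kind"], "ipid": int(body["ipid"]),
        })
        i += 2
    return packets


def bridge_report(packets, outside_vlan=5, inside_vlan=6):
    """Group frames by (src, dst, kind, ip id) and split them into those seen on
    both bridge-group VLANs (forwarded) and those seen on only one (not forwarded)."""
    seen = defaultdict(set)
    for pkt in packets:
        seen[(pkt["src"], pkt["dst"], pkt["kind"], pkt["ipid"])].add(pkt["vlan"])
    bridged, stuck = [], []
    for key, vlans in seen.items():
        if {outside_vlan, inside_vlan} <= vlans:
            bridged.append(key)
        else:
            stuck.append((key, sorted(vlans)))
    return {"bridged": bridged, "stuck": stuck}


def reply_seen(packets, requester, target):
    """True if any echo reply from target back to requester was captured on any VLAN."""
    return any(p["src"] == target and p["dst"] == requester and p["kind"] == "echo reply"
               for p in packets)


def diagnose(packets, requester, target, outside_vlan=5, inside_vlan=6):
    """Classify one ping direction from what the firewall capture shows."""
    reqs = [p for p in packets
            if p["src"] == requester and p["dst"] == target and p["kind"] == "echo request"]
    if not reqs:
        return "NO_REQUEST_SEEN"          # nothing entered the FWSM at all
    report = bridge_report(reqs, outside_vlan, inside_vlan)
    if report["stuck"] and not report["bridged"]:
        return "DROPPED_IN_FWSM"          # requests enter on one VLAN, never leave on the other
    if not reply_seen(packets, requester, target):
        return "REPLY_NEVER_ENTERED_FWSM"  # requests are bridged, but no reply comes back
    return "OK"


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    print(len(pkts), "frames parsed")
    print(bridge_report(pkts))
    print("MSFC -> PC:", diagnose(pkts, "1.1.1.1", "1.1.1.10"))
    print("PC -> MSFC (empty capture):", diagnose([], "1.1.1.10", "1.1.1.1"))
```

Run against the full capture instead of the sample to confirm the pattern holds for all 220 frames; a request whose id shows up only on vlan 5 points at the firewall itself, whereas requests on both VLANs with no replies point at the inside segment.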