Allow ICMP on an ASA 5510

Closed
chtibreizh44 Posts 4 Registered Thursday 4 April 2013 Status Member Last seen 8 April 2013 - Edited by chtibreizh44 on 4/04/2013 at 16:31
ciscowarriorh - 8 April 2013 at 22:17
Hello,
I can't manage to allow ICMP on my Cisco firewall router.

Here is the running config:
X.X.X.X = public address


interface Ethernet0/0
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.240
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif inside
security-level 100
ip address 10.99.0.254 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 10.99.98.3 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network obj_any
object-group service srvAdminExt7894 tcp
port-object eq 7894
object-group service SchieleExt tcp
port-object eq 6780
object-group service MailSnatExt tcp
port-object eq 2525
object-group service SrvProxyExtTCP tcp
port-object eq 5222
object-group service SrvProxyExtUDP udp
port-object eq 5222
object-group service ereflex tcp
port-object eq 910
port-object eq 911
port-object eq telnet
object-group service Citrix2598 tcp
port-object eq 2598
object-group service Citrix8089 tcp
port-object eq 8089
object-group service Interdits tcp
port-object eq 20000
port-object eq 2149
port-object eq 3285
port-object eq 4661
port-object eq 4662
port-object eq 4663
port-object eq 4664
port-object eq 4665
port-object eq 4770
port-object eq 7662
object-group network IDEA
network-object reseauCadrean 255.255.0.0
network-object reseauNomades 255.255.0.0
network-object reseauArpajon 255.255.255.0
network-object reseauBarillais 255.255.255.0
network-object reseauCarquefou 255.255.255.0
network-object reseauSilo 255.255.255.0
network-object reseauNEF 255.255.255.0
network-object reseauChantenay 255.255.255.0
network-object reseauPS2 255.255.255.0
network-object reseauPS1 255.255.255.0
network-object host reseauGIMNAUTE
network-object reseauBouguenais 255.255.255.0
network-object reseauColomier 255.255.255.0
network-object reseauIdeaService 255.255.255.0
network-object reseauCherbourg 255.255.255.0
network-object reseauJIBEHEM 255.255.255.0
network-object reseauCadrean2 255.255.255.0
network-object ReseauVPN 255.255.255.0
network-object reseauBuisnessOrange 255.255.255.0
network-object reseauServeur 255.255.255.0
network-object reseauManitou 255.255.255.0
network-object reseauStNazaire 255.255.255.0
network-object reseauExtranetTelmat 255.255.255.0
network-object reseauCSSTrignac 255.255.255.0
network-object reseauCargil 255.255.255.0
network-object reseauSNATAulnay 255.255.255.0
network-object reseauRadio 255.255.255.0
network-object reseauSNATRoanne 255.255.255.0
network-object reseauENXTata 255.255.255.0
network-object reseauAirbus 255.255.255.248
network-object host reseauAirbus2
network-object reseauAirbus3 255.255.255.0
network-object reseauAirbus4 255.255.0.0
network-object reseauAirbus5 255.255.0.0
object-group network DNS_SERVERS
network-object host DNS_SERVER
network-object host DNS_SERVER2
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object udp
protocol-object tcp
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_out extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list outside_access_out extended deny tcp object-group IDEA any object-group Interdits
access-list outside_access_in extended permit tcp any host X.X.X.X eq https
access-list outside_access_in extended permit tcp host srvMail host X.X.X.X eq smtp
access-list outside_access_in extended permit tcp any host X.X.X.X eq www
access-list outside_access_in extended permit tcp any host X.X.X.X object-group srvAdminExt7894
access-list outside_access_in extended permit tcp host Citrix host X.X.X.X object-group SchieleExt
access-list outside_access_in extended permit tcp any host X.X.X.X object-group MailSnatExt
access-list outside_access_in extended permit tcp any host X.X.X.X object-group SrvProxyExtTCP
access-list outside_access_in extended permit udp any host X.X.X.X object-group SrvProxyExtUDP
access-list outside_access_in extended permit tcp host srvEreflex host X.X.X.X object-group ereflex
access-list outside_access_in extended permit tcp host Citrix host X.X.X.X eq citrix-ica
access-list outside_access_in extended permit tcp host Citrix host X.X.X.X object-group Citrix2598
access-list outside_access_in extended permit tcp host Citrix host X.X.X.X eq www
access-list outside_access_in extended permit tcp host Citrix host X.X.X.X object-group Citrix8089
access-list outside_access_in extended permit tcp host Cargil host X.X.X.X eq ftp-data
access-list outside_access_in extended permit tcp host Cargil host X.X.X.X eq ftp
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object-group DNS_SERVERS host X.X.X.X
access-list outside_access_in extended permit icmp object-group IDEA any
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list inside_access_in extended permit icmp any object-group IDEA
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit icmp object-group IDEA any
access-list inside_nat0_outbound extended deny ip any object-group IDEA
access-list inside_access_in_1 extended permit icmp any any
access-list outside_nat0_outbound extended permit ip host X.X.X.X object-group IDEA
access-list inside_nat0_outbound_1 extended permit ip any object-group IDEA
pager lines 24
logging enable
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1 outside
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https Mercure https netmask 255.255.255.255
static (inside,outside) tcp interface smtp Mercure smtp netmask 255.255.255.255
static (inside,outside) tcp interface 7894 srv-admin www netmask 255.255.255.255
static (inside,outside) tcp interface www Mercure www netmask 255.255.255.255
static (inside,outside) tcp interface 6780 Schiele www netmask 255.255.255.255
static (inside,outside) tcp interface 2525 MailSnat smtp netmask 255.255.255.255
static (inside,outside) tcp interface 5222 SrvProxy 5222 netmask 255.255.255.255
static (inside,outside) udp interface 5222 SrvProxy 5222 netmask 255.255.255.255
static (inside,outside) tcp interface telnet srvAs001 telnet netmask 255.255.255.255
static (inside,outside) tcp interface 910 srvAs001 910 netmask 255.255.255.255
static (inside,outside) tcp interface 911 srvAs001 911 netmask 255.255.255.255
access-group outside_access_out out interface outside
access-group inside_access_in_1 in interface inside control-plane
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
route inside reseauCadrean 255.255.0.0 Getway 1
route inside reseauNomades 255.255.0.0 Getway 1
route inside reseauArpajon 255.255.255.0 Getway 1
route inside reseauBarillais 255.255.255.0 Getway 1
route inside reseauCarquefou 255.255.255.0 Getway 1
route inside reseauSilo 255.255.255.0 Getway 1
route inside reseauNEF 255.255.255.0 Getway 1
route inside reseauChantenay 255.255.255.0 Getway 1
route inside reseauPS2 255.255.255.0 Getway 1
route inside reseauPS1 255.255.255.0 Getway 1
route inside reseauBouguenais 255.255.255.0 Getway 1
route inside reseauColomier 255.255.255.0 Getway 1
route inside reseauIdeaService 255.255.255.0 Getway 1
route inside reseauCherbourg 255.255.255.0 Getway 1
route inside reseauCadrean2 255.255.255.0 Getway 1
route inside reseauBuisnessOrange 255.255.255.0 Getway 1
route inside reseauServeur 255.255.255.0 Getway 1
route inside reseauGIMNAUTE 255.255.255.255 Getway 1
route inside reseauAirbus4 255.255.0.0 Getway 1
route inside reseauAirbus5 255.255.0.0 Getway 1
route inside 162.168.1.0 255.255.255.0 Getway 1
route inside reseauManitou 255.255.255.0 Getway 1
route inside reseauSNATAulnay 255.255.255.0 Getway 1
route inside reseauSNATRoanne 255.255.255.0 Getway 1
route inside reseauExtranetTelmat 255.255.255.0 Getway 1
route inside reseauCSSTrignac 255.255.255.0 Getway 1
route inside reseauCargil 255.255.255.0 Getway 1
route inside reseauRadio 255.255.255.0 Getway 1
route inside reseauENXTata 255.255.255.0 Getway 1
route inside reseauAirbus2 255.255.255.255 Getway 1
route inside reseauAirbus3 255.255.255.0 Getway 1
route inside reseauAirbus 255.255.255.248 Getway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 management
http 10.99.98.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
console timeout 0
management-access management
threat-detection basic-threat
threat-detection statistics access-list
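Before asking why a ping does or does not come back, it helps to check what the posted config actually does with ICMP. The audit below is an added example (my own code, not from the thread or from Cisco) and assumes the usual ASA semantics: an access-list filters nothing until it is bound to an interface with access-group, a control-plane binding governs traffic addressed to the ASA itself rather than traffic crossing it, and the inspect icmp inspection is what lets echo replies return through the stateful path without an explicit ACL entry. SAMPLE_CONFIG is a constructed excerpt of the config above, reduced to the lines the audit reads; the posted config shows no policy-map or inspect icmp line, although that section may simply not have been pasted. The script only recognises entries whose protocol field is literally icmp, not protocol object-groups that happen to contain icmp.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the running config posted in the thread;
# only interfaces, access-lists and access-groups are kept.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/3
 nameif inside
 security-level 100
access-list outside_access_out extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list outside_access_out extended deny tcp object-group IDEA any object-group Interdits
access-list outside_access_in extended permit tcp any host X.X.X.X eq https
access-list outside_access_in extended permit icmp object-group IDEA any
access-list inside_access_in extended permit icmp any object-group IDEA
access-list inside_access_out extended permit icmp object-group IDEA any
access-list inside_access_in_1 extended permit icmp any any
access-group outside_access_out out interface outside
access-group inside_access_in_1 in interface inside control-plane
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$")
AG_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)(\s+control-plane)?$")
NAMEIF_RE = re.compile(r"^nameif\s+(\S+)$")
INSPECT_ICMP_RE = re.compile(r"^inspect\s+icmp(\s+error)?$")


def parse_config(text):
    """Return (acls, bindings, interfaces, icmp_inspected) from ASA running-config text."""
    acls = defaultdict(list)   # ACL name -> [(action, protocol, remainder), ...]
    bindings = []              # [(acl, direction, interface, is_control_plane), ...]
    interfaces = []            # nameif values in order of appearance
    icmp_inspected = False
    for raw in text.splitlines():
        line = raw.strip()     # config lines under a parent are indented
        if (m := ACL_RE.match(line)):
            acls[m.group(1)].append((m.group(2), m.group(3), m.group(4)))
        elif (m := AG_RE.match(line)):
            bindings.append((m.group(1), m.group(2), m.group(3), m.group(4) is not None))
        elif (m := NAMEIF_RE.match(line)):
            interfaces.append(m.group(1))
        elif INSPECT_ICMP_RE.match(line):
            icmp_inspected = True
    return acls, bindings, interfaces, icmp_inspected


def unbound_acls(acls, bindings):
    """ACLs that are defined but never applied with access-group: they filter nothing."""
    bound = {acl for acl, _, _, _ in bindings}
    return sorted(name for name in acls if name not in bound)


def icmp_rules_in_effect(acls, bindings):
    """ICMP permit entries that actually apply to traffic crossing the ASA.

    Control-plane bindings are skipped: they govern traffic addressed to the
    ASA itself (hypothetical simplification: other match fields are ignored).
    """
    rules = []
    for acl, direction, iface, is_control_plane in bindings:
        if is_control_plane:
            continue
        for action, proto, rest in acls.get(acl, []):
            if action == "permit" and proto == "icmp":
                rules.append((iface, direction, rest))
    return rules


def audit(text):
    """Summarise what a config does for ICMP as a dict of findings."""
    acls, bindings, interfaces, icmp_inspected = parse_config(text)
    return {
        "interfaces": interfaces,
        "unbound_acls": unbound_acls(acls, bindings),
        "icmp_rules_in_effect": icmp_rules_in_effect(acls, bindings),
        "icmp_inspection": icmp_inspected,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run against the excerpt, the audit reports that outside_access_in, inside_access_in and inside_access_out are defined but not bound anywhere, that no ICMP permit applies to through-traffic (the only ICMP rule that is bound sits in a control-plane ACL), and that no ICMP inspection is visible. That is the kind of answer the "source IP, destination IP: port/protocol" question in the replies is asking for, and it is worth producing before touching any rule. It does not change the conclusion the thread reaches: pinging the far-side outside interface from an inside host is a separate limitation that no ACL fixes.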

3 replies

Hello,

You want to allow ICMP from where to where, and for whom?
0
chtibreizh44
5 April 2013 at 09:08
Hello,

The problem I have right now is that once the packets have arrived on the outside interface, it doesn't know where to send them back. Basically, my ping goes out but doesn't come back to the machine I'm sending the requests from.
0
Be even more vague in describing your problems and you'll keep having them for a while yet. When we talk about flow problems on a firewall, we speak in terms of:
"source IP, destination IP: port/protocol".
0
chtibreizh44
5 April 2013 at 10:57
What I'm trying to do is ping the outside interface (x.x.x.x) from a VLAN (10.99.99.0) on the inside interface (10.99.0.254). From my VLAN I can ping the inside interface and get out to the Internet.
0
What you want to do is not possible.
0
chtibreizh44
8 April 2013 at 11:18
Is it impossible, or is there a way to ping these interfaces?
0
ciscowarriorh
8 April 2013 at 22:17
You can't ping the outside interface from the inside; there's no way to change this behaviour.

Alain
0