Background:

A customer is on China Telecom's IP MAN and uses a DM××× tunnel to reach a site abroad, but recently started seeing packet loss on it.

Approach:

On a machine inside the LAN I wrote four scripts. They do roughly the same thing: continuously ping the domestic egress, the peer's public IP and the peer's DM××× internal IP, and run a trace at the same time.

Script contents (one of the four; the others differ only in the target address and log file):


:top
REM Stamp each batch of 10 pings so a timeout can be tied to a time of day
echo %date% %time%>> ping-192-168-46-1.txt
REM /C: makes findstr match the whole phrase instead of each word separately;
REM the phrase is the English ping output, adjust it if ping prints localized text
ping -n 10 192.168.46.1 | findstr /C:"Request timed out" >> ping-192-168-46-1.txt
goto top
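Because the script only writes the timestamp of each batch plus whatever timeout lines findstr kept, the loss rate per batch has to be worked out from the log afterwards. The following parser is an added example, not part of the original post or its scripts; the log lines it embeds are constructed to mimic the script's output, and the timestamp pattern assumes %date% prints as yyyy/mm/dd.

```python
import re

PINGS_PER_BATCH = 10  # matches "ping -n 10" in the batch script

# Constructed sample of the script's log: a timestamp line from
# "echo %date% %time%", followed only by the "Request timed out." lines
# that findstr kept from that batch of 10 pings.
SAMPLE_LOG = """\
2019/05/20 Mon 10:00:00.12
Request timed out.
Request timed out.
2019/05/20 Mon 10:00:11.45
2019/05/20 Mon 10:00:22.78
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
"""

# Assumes yyyy/mm/dd %date%; adjust if the machine's locale prints otherwise.
TIMESTAMP_RE = re.compile(r"^\d{4}/\d{2}/\d{2} .*\d{2}:\d{2}:\d{2}")


def parse_batches(text):
    """Return [(timestamp, timeouts)] with one entry per 10-ping batch."""
    batches = []
    for line in text.splitlines():
        line = line.strip()
        if TIMESTAMP_RE.match(line):
            batches.append([line, 0])          # new batch starts here
        elif "Request timed out" in line and batches:
            batches[-1][1] += 1                # timeout belongs to current batch
    return [(ts, n) for ts, n in batches]


def loss_percent(timeouts, pings=PINGS_PER_BATCH):
    return 100.0 * timeouts / pings


def lossy_batches(batches, threshold_pct=30.0):
    """Batches at or above the loss threshold, for correlating with the other three logs."""
    return [(ts, loss_percent(n)) for ts, n in batches if loss_percent(n) >= threshold_pct]


def summarize(text):
    batches = parse_batches(text)
    sent = len(batches) * PINGS_PER_BATCH
    lost = sum(n for _, n in batches)
    return {"batches": len(batches), "sent": sent, "lost": lost,
            "loss_pct": loss_percent(lost, sent) if sent else 0.0}
```

Run it over all four log files and line up the lossy batches by timestamp: loss that shows up only against the peer addresses but not the domestic egress points past the local exit.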


It then turned out that the ASA firewall was not passing ping and tracert, so the first problem to solve was getting ping and tracert traffic through the ASA.




Refer to:

https://advanxer.com/blog/2015/04/allowing-tracert-in-cisco-asa-firewall/

http://www.xerunetworks.com/2011/02/traceroute-through-cisco-asa-firewall/

http://www.dasblinkenlichten.com/icmp-and-traceroute-passing-through-an-asa/


Permit ICMP from the internal hosts on the inside interface ACL:

access-list inside21_access_in remark PAGE 4 - ALLOW PING TRACERT DNS
access-list inside21_access_in extended permit icmp object-group i-group-shinternet any



Enable ICMP inspection so echo replies and ICMP error messages are matched to the request that caused them and let back through:

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error


Have the ASA decrement TTL on transit packets so it shows up as a hop in the trace instead of being invisible:

policy-map global_policy
 class class-default
  set connection decrement-ttl

Permit the ICMP time-exceeded and unreachable messages that tracert depends on:

access-list inside21_access_in remark PAGE 4 - ALLOW PING TRACERT DNS
access-list inside21_access_in extended permit icmp any any time-exceeded
access-list inside21_access_in extended permit icmp any any unreachable

Rate-limit the ICMP unreachable messages the ASA itself generates (needed alongside decrement-ttl so the ASA can answer the trace):

icmp unreachable rate-limit 10 burst-size 5

And the matching permit on the outside interface ACL:

access-list outside116_access_in extended permit icmp any any