Cisco ASA 5505 cannot communicate with anything over a Site-to-Site VPN
So I have a Cisco ASA 5505 set up with 2 site-to-site VPNs and one remote-access VPN. Right now anything that is connected (hardwired, S2S VPN or RA VPN) can talk to everything else without any problems.
The problem is that over one of the S2S VPNs I have an Active Directory setup, and I am trying to change the RA VPN to use LDAP logins provided by this AD DS, but it seems the ASA itself cannot get across the S2S VPN.
So the AD DS server is on IP 10.1.18.109
(Network ranges run by the ASA)
ASA is on 10.101.0.1/255.255.0.0
In Office (so hardwired into the ASA) is on 10.101.1.0/255.255.0.0
RA VPN is on 10.101.2.0/255.255.0.0
(Network ranges reached over the S2S VPNs)
S2S VPN Ireland is on 10.2.0.0/255.255.0.0
S2S VPN London is on 10.1.0.0/255.255.0.0
So I need the ASA to talk to 10.1.18.109, and currently it cannot talk to it at all: LDAP just times out on connect, and ping fails.
What I have tried
All the NAT rules for the VPNs have Route Lookup enabled and the ACLs have been checked; they should allow it.
How I am testing
I have been testing from the inside VLAN with
ping inside 10.1.18.109
and from the outside VLAN with
ping outside 10.1.18.109
What I think is wrong
I am not the best at this, so I think it has to do with the ASA running on the 10.101.0.1 IP address and not being allowed to reach the VPN.
Current configuration.
: Saved
:
ASA Version 9.1(1)
!
hostname ciscoasa
domain-name fabrikam.ltd
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxx encrypted
names
ip local pool OutOfOfficePool 10.101.2.1-10.101.2.254 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.101.0.1 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address y.y.y.y 255.255.255.248
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 10.1.18.109
 domain-name fabrikam.ltd
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network inside
 subnet 10.101.0.0 255.255.0.0
object network inside-subnet
 subnet 10.101.0.0 255.255.0.0
object network obj-SrcNet
 subnet 0.0.0.0 0.0.0.0
object network obj-amzn-lon
 subnet 10.1.0.0 255.255.0.0
object network obj-amzn-ire
 subnet 10.2.0.0 255.255.0.0
object network NETWORK_OBJ_10.101.2.0_24
 subnet 10.101.2.0 255.255.255.0
object network inoffice
 subnet 10.101.1.0 255.255.255.0
object network outoffice
 subnet 10.101.2.0 255.255.255.0
object network 10.X.X.X
 range 10.2.0.0 10.2.255.255
access-list outside_acl extended permit ip host x.x.x.x host y.y.y.y
access-list outside_acl extended permit ip host v.v.v.v host y.y.y.y
access-list outside_acl extended permit ip host m.m.m.m host y.y.y.y
access-list outside_acl extended permit ip host z.z.z.z host y.y.y.y
access-list acl-amzn-lon extended permit ip any 10.1.0.0 255.255.0.0
access-list IRELAND-135 extended permit ip host m.m.m.m host y.y.y.y
access-list IRELAND-159 extended permit ip host z.z.z.z host y.y.y.y
access-list IRELAND-LOCAL extended permit ip any4 10.2.0.0 255.255.0.0
access-list outside_access_in extended permit ip host x.x.x.x host y.y.y.y
access-list outside_access_in extended permit ip host v.v.v.v host y.y.y.y
access-list acl-amzn extended permit ip any4 10.1.0.0 255.255.0.0
access-list amzn-filter extended permit ip 10.1.0.0 255.255.0.0 10.101.0.0 255.255.0.0
access-list ireland-filter extended permit ip 10.2.0.0 255.255.0.0 10.101.0.0 255.255.0.0
access-list outside_cryptomap_2 extended permit ip any4 10.2.0.0 255.255.0.0
access-list outside_cryptomap_2 extended permit ip any 10.1.0.0 255.255.0.0
access-list outside_cryptomap_3 extended permit ip any 10.2.0.0 255.255.0.0
access-list outside_cryptomap_1 extended permit ip any 10.1.0.0 255.255.0.0
access-list tcp_bypass extended permit tcp 10.101.1.0 255.255.255.0 10.101.2.0 255.255.255.0
access-list tcp_bypass extended permit tcp 10.1.0.0 255.255.0.0 10.101.2.0 255.255.255.0
access-list tcp_bypass extended permit tcp 10.101.2.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list tcp_bypass extended permit tcp 10.2.0.0 255.255.0.0 10.101.2.0 255.255.255.0
access-list tcp_bypass extended permit tcp 10.101.2.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list inside_access_in extended permit ip any any
access-list acl-outside extended permit icmp any any echo
access-list acl-inside extended permit icmp any any echo
access-list global_mpc extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static obj-SrcNet obj-SrcNet destination static obj-amzn-ire obj-amzn-ire route-lookup
nat (inside,outside) source static obj-SrcNet obj-SrcNet destination static obj-amzn-lon obj-amzn-lon route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.101.2.0_24 NETWORK_OBJ_10.101.2.0_24 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
object network inside-subnet
 nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 109.239.111.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (outside) host 10.1.18.109
 ldap-base-dn dc=fabrikam, dc=ltd
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=Administrator, cn=Users, dc=fabrikam, dc=ltd
 server-type microsoft
user-identity default-domain LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection tcpmss 1379
sla monitor 1
 type echo protocol ipIcmpEcho 10.1.0.1 interface outside
 frequency 5
sla monitor schedule 1 life forever start-time now
sla monitor 2
 type echo protocol ipIcmpEcho 10.2.0.1 interface outside
 frequency 5
sla monitor schedule 2 life forever start-time now
sla monitor 5
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside
 frequency 5
sla monitor schedule 5 life forever start-time now
crypto ipsec ikev1 transform-set transform-amzn-lon esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set transform-amzn-ire esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set transfrom-amzn esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set transfrom-amzn1 esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set transform-amzn1 esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set transform-ireland esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS mode transport
crypto ipsec ikev1 transform-set APPLE_CLIENT esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set APPLE_CLIENT mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association replay window-size 128
crypto ipsec security-association pmtu-aging infinite
crypto ipsec df-bit clear-df outside
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
crypto dynamic-map DYN_OUTSIDE 10000 set ikev1 transform-set ESP-AES128-SHA1_TRANS
crypto dynamic-map DYN_OUTSIDE 10000 set reverse-route
crypto map amazon_lon_map 1 match address acl-amzn-lon
crypto map amazon_lon_map 1 set pfs
crypto map amazon_lon_map 1 set peer x.x.x.x v.v.v.v
crypto map amazon_lon_map 1 set ikev1 transform-set transform-amzn-lon
crypto map amazon_lon_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map amazon_lon_map 1 set security-association lifetime seconds 3600
crypto map amazon_lon_map 2 match address outside_cryptomap_2
crypto map amazon_lon_map 2 set pfs
crypto map amazon_lon_map 2 set peer m.m.m.m z.z.z.z
crypto map amazon_lon_map 2 set ikev1 transform-set transform-ireland
crypto map amazon_lon_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map MAP_OUTSIDE 1 match address outside_cryptomap_1
crypto map MAP_OUTSIDE 1 set pfs
crypto map MAP_OUTSIDE 1 set peer x.x.x.x v.v.v.v
crypto map MAP_OUTSIDE 1 set ikev1 transform-set transfrom-amzn
crypto map MAP_OUTSIDE 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map MAP_OUTSIDE 1 set security-association lifetime seconds 3600
crypto map MAP_OUTSIDE 1 set reverse-route
crypto map MAP_OUTSIDE 2 match address outside_cryptomap_3
crypto map MAP_OUTSIDE 2 set pfs
crypto map MAP_OUTSIDE 2 set peer m.m.m.m z.z.z.z
crypto map MAP_OUTSIDE 2 set ikev1 transform-set transform-ireland
crypto map MAP_OUTSIDE 2 set security-association lifetime seconds 3600
crypto map MAP_OUTSIDE 2 set reverse-route
crypto map MAP_OUTSIDE 10000 ipsec-isakmp dynamic DYN_OUTSIDE
crypto map MAP_OUTSIDE interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa
 keypair OutOfOfficeKeyPair
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 subject-name CN=leeds.internal.fabrikam.ltd,O=fabrikam Limited,C=UK
 keypair OutOfOfficeKeyPair
 crl configure
crypto ca trustpoint ASDM_TrustPoint2
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint3
 enrollment terminal
 no validation-usage
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca
  *removed*
  quit
crypto ca certificate chain ASDM_TrustPoint0
 certificate 7f301c5c
  *removed*
  quit
crypto ca certificate chain ASDM_TrustPoint3
 certificate ca
  *removed*
  quit
crypto isakmp identity address
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 201
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
crypto ikev1 policy 1000
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 2000
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 3000
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd domain leeds.internal.fabrikam.ltd
dhcpd auto_config outside
dhcpd option 3 ip 10.101.0.1 y.y.y.y
dhcpd option 6 ip 10.1.13.58 8.8.8.8
!
dhcpd address 10.101.1.1-10.101.1.254 inside
dhcpd domain leeds.internal.fabrikam.ltd interface inside
dhcpd option 3 ip 10.101.0.1 interface inside
dhcpd option 6 ip 10.1.13.58 8.8.8.8 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value leeds.internal.fabrikam.ltd
group-policy DfltGrpPolicy attributes
group-policy OutOfOffice internal
group-policy OutOfOffice attributes
 dns-server value 10.1.18.109 1.1.1.1
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 default-domain value leeds.internal.fabrikam.ltd
group-policy ireland-filter internal
group-policy ireland-filter attributes
 vpn-filter value ireland-filter
 vpn-tunnel-protocol ikev1
group-policy filter1 internal
group-policy filter1 attributes
 vpn-filter value amzn-filter
 vpn-tunnel-protocol ikev1 ikev2
group-policy filter internal
group-policy filter attributes
 vpn-filter value acl-amzn
username user1 password xxxxxxxxxxxxxxxxxxxxxxxx nt-encrypted
username user1 attributes
 vpn-group-policy OutOfOffice
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 service-type remote-access
tunnel-group DefaultRAGroup general-attributes
 address-pool OutOfOfficePool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
 default-group-policy filter1
tunnel-group x.x.x.x ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 10
tunnel-group v.v.v.v type ipsec-l2l
tunnel-group v.v.v.v general-attributes
 default-group-policy filter1
tunnel-group v.v.v.v ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 10
tunnel-group IRELAND-135 type ipsec-l2l
tunnel-group IRELAND-135 general-attributes
 default-group-policy ireland-filter
tunnel-group IRELAND-135 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 10
tunnel-group IRELAND-159 type ipsec-l2l
tunnel-group IRELAND-159 general-attributes
 default-group-policy ireland-filter
tunnel-group IRELAND-159 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 10
tunnel-group OutOfOffice type remote-access
tunnel-group OutOfOffice general-attributes
 address-pool OutOfOfficePool
 authentication-server-group LDAP_SRV_GRP LOCAL
 default-group-policy OutOfOffice
tunnel-group OutOfOffice ipsec-attributes
 ikev1 pre-shared-key *****
 ikev1 trust-point ASDM_TrustPoint0
tunnel-group OutOfOffice ppp-attributes
 authentication ms-chap-v2
tunnel-group m.m.m.m type ipsec-l2l
tunnel-group m.m.m.m general-attributes
 default-group-policy ireland-filter
tunnel-group m.m.m.m ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group z.z.z.z type ipsec-l2l
tunnel-group z.z.z.z general-attributes
 default-group-policy ireland-filter
tunnel-group z.z.z.z ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match access-list global_mpc
 match default-inspection-traffic
class-map tcp_bypass
 match access-list tcp_bypass
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
!
service-policy global_policy global
service-policy tcp_bypass_policy interface inside
prompt hostname context
no call-home reporting anonymous
: end
I even tried a TCP ping to port 80, to no avail.
On the outside interface:
Sending 5 TCP SYN requests to 10.1.18.109 port 80 from 109.239.111.4, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
On the inside interface:
Sending 5 TCP SYN requests to 10.1.18.109 port 80 from 109.239.111.4, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
The VPC flow logs on Amazon AWS do not show any attempted connections to that IP address.
One thing you need in this case is the
management-access <interface-name>
global command, where <interface-name> is the nameif of the inside interface. By default the ASA will not put its own traffic into a VPN tunnel, so this command grants that behaviour. It also lets you SSH to the firewall from the far end of the tunnel. For this to work, the NAT statement covering the firewall's subnet needs the
route-lookup
keyword added, which it sounds like yours already has.
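To make the answer concrete, here is the change applied to the configuration posted in the question, followed by the checks a practitioner would run. This is an added illustration, not part of the answer above or of the asker's configuration. It assumes the London tunnel to peers x.x.x.x/v.v.v.v is the one carrying 10.1.0.0/16, as the posted crypto map and NAT exemption show, and uses placeholder credentials; the domain user in the test command is hypothetical.

```cisco
! Added example, not from the original page.
! Let the ASA source its own traffic (ping, DNS, LDAP, and SSH to the ASA from
! the far side) from the inside interface address 10.101.0.1 when the
! destination is reached through a VPN tunnel terminating on outside.
management-access inside

! The posted config binds the LDAP server to the outside interface, so the ASA
! sources the LDAP session from its outside address. Rebind it to inside so the
! source becomes 10.101.0.1, which the NAT exemption
! (obj-SrcNet -> obj-amzn-lon, route-lookup) and the crypto ACL acl-amzn-lon
! already cover. The bind password is masked as in the posted config.
no aaa-server LDAP_SRV_GRP (outside) host 10.1.18.109
aaa-server LDAP_SRV_GRP (inside) host 10.1.18.109
 ldap-base-dn dc=fabrikam, dc=ltd
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=Administrator, cn=Users, dc=fabrikam, dc=ltd
 server-type microsoft

! Verification, from the ASA CLI:
! 1. ICMP sourced from the inside interface should now traverse the tunnel.
ping inside 10.1.18.109
! 2. While pinging, the #pkts encaps / #pkts decaps counters for the London
!    peer should both increase.
show crypto ipsec sa peer x.x.x.x
! 3. Exercise the LDAP bind and a user lookup end to end (hypothetical user).
test aaa-server authentication LDAP_SRV_GRP host 10.1.18.109 username jdoe password <password>
```

Two things worth watching. If show crypto ipsec sa shows #pkts encaps rising but #pkts decaps staying at zero, the ASA is now encrypting its own traffic and the remaining problem is on the AWS side: the VPC route table, network ACLs and security groups must allow 10.101.0.1 to reach the domain controller and the replies to come back, which fits the flow logs showing nothing so far. Separately, the posted bind uses the domain Administrator DN and plain LDAP (no ldap-over-ssl); the session rides inside the IPsec tunnel, but a dedicated read-only bind account is the least-privilege choice and limits what a compromised ASA can do in the directory.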