Cisco-Asa

Cisco ASA 5505 cannot communicate with anything over the Site-to-Site VPN

  • May 6, 2019

So I have a Cisco ASA 5505 setup with 2 site-to-site VPNs and a remote access VPN; currently anything connected (hardwired, S2S VPN or RA VPN) can talk to each other without any problem.

The problem is that through one of the S2S VPNs I have an Active Directory setup, and I'm trying to change the RA VPN to use the LDAP login provided by this AD DS, but it seems the ASA itself cannot get through the S2S VPN.

So the AD DS server is on IP 10.1.18.109

(Network ranges run by the ASA)

ASA is on 10.101.0.1/255.255.0.0
In Office (so Hardwired into ASA) is on 10.101.1.0/255.255.0.0
RA VPN is on 10.101.2.0/255.255.0.0

(Network ranges over the S2S VPN)

S2S VPN Ireland is on 10.2.0.0/255.255.0.0
S2S VPN London is on 10.1.0.0/255.255.0.0

So I need the ASA to talk to 10.1.18.109; currently it cannot talk to it at all, LDAP just times out on connecting, and ping fails.

What I've tried

All the NAT rules for the VPNs have Route Lookup enabled and I've checked the ACLs, which should allow it.

How I'm testing

I've been testing by pinging through the inside VLAN (ping inside 10.1.18.109) and the outside VLAN (ping outside 10.1.18.109).

What I think is wrong

I'm not the best at this, so I think it has to do with the ASA running on the 10.101.0.1 IP address and not being allowed access to the VPN.

Current config.

: Saved
   :
   ASA Version 9.1(1) 
   !
   hostname ciscoasa
   domain-name fabrikam.ltd
   enable password xxxxxxxxxxxxxx encrypted
   passwd xxxxxxxxxxxxxxxx encrypted
   names
   ip local pool OutOfOfficePool 10.101.2.1-10.101.2.254 mask 255.255.255.0
   !
   interface Ethernet0/0
    switchport access vlan 2
   !
   interface Ethernet0/1
   !
   interface Ethernet0/2
   !
   interface Ethernet0/3
   !
   interface Ethernet0/4
   !
   interface Ethernet0/5
   !
   interface Ethernet0/6
   !
   interface Ethernet0/7
   !
   interface Vlan1
    nameif inside
    security-level 100
    ip address 10.101.0.1 255.255.0.0 
   !
   interface Vlan2
    nameif outside
    security-level 0
    ip address y.y.y.y 255.255.255.248 
   !
   ftp mode passive
   dns domain-lookup inside
   dns domain-lookup outside
   dns server-group DefaultDNS
    name-server 10.1.18.109
    domain-name fabrikam.ltd
   same-security-traffic permit intra-interface
   object network obj_any
    subnet 0.0.0.0 0.0.0.0
   object network inside
    subnet 10.101.0.0 255.255.0.0
   object network inside-subnet
    subnet 10.101.0.0 255.255.0.0
   object network obj-SrcNet
    subnet 0.0.0.0 0.0.0.0
   object network obj-amzn-lon
    subnet 10.1.0.0 255.255.0.0
   object network obj-amzn-ire
    subnet 10.2.0.0 255.255.0.0
   object network NETWORK_OBJ_10.101.2.0_24
    subnet 10.101.2.0 255.255.255.0
   object network inoffice
    subnet 10.101.1.0 255.255.255.0
   object network outoffice
    subnet 10.101.2.0 255.255.255.0
   object network 10.X.X.X
    range 10.2.0.0 10.2.255.255
   access-list outside_acl extended permit ip host x.x.x.x host y.y.y.y 
   access-list outside_acl extended permit ip host v.v.v.v host y.y.y.y 
   access-list outside_acl extended permit ip host m.m.m.m host y.y.y.y 
   access-list outside_acl extended permit ip host z.z.z.z host y.y.y.y 
   access-list acl-amzn-lon extended permit ip any 10.1.0.0 255.255.0.0 
   access-list IRELAND-135 extended permit ip host m.m.m.m host y.y.y.y 
   access-list IRELAND-159 extended permit ip host z.z.z.z host y.y.y.y 
   access-list IRELAND-LOCAL extended permit ip any4 10.2.0.0 255.255.0.0 
   access-list outside_access_in extended permit ip host x.x.x.x host y.y.y.y 
   access-list outside_access_in extended permit ip host v.v.v.v host y.y.y.y 
   access-list acl-amzn extended permit ip any4 10.1.0.0 255.255.0.0 
   access-list amzn-filter extended permit ip 10.1.0.0 255.255.0.0 10.101.0.0 255.255.0.0 
   access-list ireland-filter extended permit ip 10.2.0.0 255.255.0.0 10.101.0.0 255.255.0.0 
   access-list outside_cryptomap_2 extended permit ip any4 10.2.0.0 255.255.0.0 
   access-list outside_cryptomap_2 extended permit ip any 10.1.0.0 255.255.0.0 
   access-list outside_cryptomap_3 extended permit ip any 10.2.0.0 255.255.0.0 
   access-list outside_cryptomap_1 extended permit ip any 10.1.0.0 255.255.0.0 
   access-list tcp_bypass extended permit tcp 10.101.1.0 255.255.255.0 10.101.2.0 255.255.255.0 
   access-list tcp_bypass extended permit tcp 10.1.0.0 255.255.0.0 10.101.2.0 255.255.255.0 
   access-list tcp_bypass extended permit tcp 10.101.2.0 255.255.255.0 10.1.0.0 255.255.0.0 
   access-list tcp_bypass extended permit tcp 10.2.0.0 255.255.0.0 10.101.2.0 255.255.255.0 
   access-list tcp_bypass extended permit tcp 10.101.2.0 255.255.255.0 10.2.0.0 255.255.0.0 
   access-list inside_access_in extended permit ip any any 
   access-list acl-outside extended permit icmp any any echo 
   access-list acl-inside extended permit icmp any any echo 
   access-list global_mpc extended permit ip any any 
   pager lines 24
   logging enable
   logging asdm informational
   mtu inside 1500
   mtu outside 1500
   icmp unreachable rate-limit 1 burst-size 1
   icmp permit any outside
   no asdm history enable
   arp timeout 14400
   no arp permit-nonconnected
   nat (inside,outside) source static obj-SrcNet obj-SrcNet destination static obj-amzn-ire obj-amzn-ire route-lookup
   nat (inside,outside) source static obj-SrcNet obj-SrcNet destination static obj-amzn-lon obj-amzn-lon route-lookup
   nat (inside,outside) source static any any destination static NETWORK_OBJ_10.101.2.0_24 NETWORK_OBJ_10.101.2.0_24 no-proxy-arp route-lookup
   !
   object network obj_any
    nat (inside,outside) dynamic interface
   object network inside-subnet
    nat (inside,outside) dynamic interface
   !
   nat (inside,outside) after-auto source dynamic any interface
   access-group inside_access_in in interface inside
   route outside 0.0.0.0 0.0.0.0 109.239.111.1 1
   timeout xlate 3:00:00
   timeout pat-xlate 0:00:30
   timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
   timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
   timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
   timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
   timeout tcp-proxy-reassembly 0:01:00
   timeout floating-conn 0:00:00
   dynamic-access-policy-record DfltAccessPolicy
   aaa-server LDAP_SRV_GRP protocol ldap
   aaa-server LDAP_SRV_GRP (outside) host 10.1.18.109
    ldap-base-dn dc=fabrikam, dc=ltd
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *****
    ldap-login-dn cn=Administrator, cn=Users, dc=fabrikam, dc=ltd
    server-type microsoft
   user-identity default-domain LOCAL
   http server enable
   http 10.0.0.0 255.0.0.0 inside
   no snmp-server location
   no snmp-server contact
   snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
   sysopt connection tcpmss 1379
   sla monitor 1
    type echo protocol ipIcmpEcho 10.1.0.1 interface outside
    frequency 5
   sla monitor schedule 1 life forever start-time now
   sla monitor 2
    type echo protocol ipIcmpEcho 10.2.0.1 interface outside
    frequency 5
   sla monitor schedule 2 life forever start-time now
   sla monitor 5
    type echo protocol ipIcmpEcho 8.8.8.8 interface outside
    frequency 5
   sla monitor schedule 5 life forever start-time now
   crypto ipsec ikev1 transform-set transform-amzn-lon esp-aes esp-sha-hmac 
   crypto ipsec ikev1 transform-set transform-amzn-ire esp-aes esp-sha-hmac 
   crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
   crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
   crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
   crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
   crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
   crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
   crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
   crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
   crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
   crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
   crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac 
   crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
   crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac 
   crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
   crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
   crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
   crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac 
   crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
   crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac 
   crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
   crypto ipsec ikev1 transform-set transfrom-amzn esp-aes esp-sha-hmac 
   crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac 
   crypto ipsec ikev1 transform-set transfrom-amzn1 esp-aes esp-sha-hmac 
   crypto ipsec ikev1 transform-set transform-amzn1 esp-aes esp-sha-hmac 
   crypto ipsec ikev1 transform-set transform-ireland esp-aes esp-sha-hmac 
   crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac 
   crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
   crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac 
   crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
   crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac 
   crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
   crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac 
   crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
   crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac 
   crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
   crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS esp-aes esp-sha-hmac 
   crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS mode transport
   crypto ipsec ikev1 transform-set APPLE_CLIENT esp-3des esp-sha-hmac 
   crypto ipsec ikev1 transform-set APPLE_CLIENT mode transport
   crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
   crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
   crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
   crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
   crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
   crypto ipsec security-association replay window-size 128
   crypto ipsec security-association pmtu-aging infinite
   crypto ipsec df-bit clear-df outside
   crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
   crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
   crypto dynamic-map DYN_OUTSIDE 10000 set ikev1 transform-set ESP-AES128-SHA1_TRANS
   crypto dynamic-map DYN_OUTSIDE 10000 set reverse-route
   crypto map amazon_lon_map 1 match address acl-amzn-lon
   crypto map amazon_lon_map 1 set pfs 
   crypto map amazon_lon_map 1 set peer x.x.x.x v.v.v.v 
   crypto map amazon_lon_map 1 set ikev1 transform-set transform-amzn-lon
   crypto map amazon_lon_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
   crypto map amazon_lon_map 1 set security-association lifetime seconds 3600
   crypto map amazon_lon_map 2 match address outside_cryptomap_2
   crypto map amazon_lon_map 2 set pfs 
   crypto map amazon_lon_map 2 set peer m.m.m.m z.z.z.z 
   crypto map amazon_lon_map 2 set ikev1 transform-set transform-ireland
   crypto map amazon_lon_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
   crypto map MAP_OUTSIDE 1 match address outside_cryptomap_1
   crypto map MAP_OUTSIDE 1 set pfs 
   crypto map MAP_OUTSIDE 1 set peer x.x.x.x v.v.v.v 
   crypto map MAP_OUTSIDE 1 set ikev1 transform-set transfrom-amzn
   crypto map MAP_OUTSIDE 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
   crypto map MAP_OUTSIDE 1 set security-association lifetime seconds 3600
   crypto map MAP_OUTSIDE 1 set reverse-route
   crypto map MAP_OUTSIDE 2 match address outside_cryptomap_3
   crypto map MAP_OUTSIDE 2 set pfs 
   crypto map MAP_OUTSIDE 2 set peer m.m.m.m z.z.z.z 
   crypto map MAP_OUTSIDE 2 set ikev1 transform-set transform-ireland
   crypto map MAP_OUTSIDE 2 set security-association lifetime seconds 3600
   crypto map MAP_OUTSIDE 2 set reverse-route
   crypto map MAP_OUTSIDE 10000 ipsec-isakmp dynamic DYN_OUTSIDE
   crypto map MAP_OUTSIDE interface outside
   crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
   crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=ciscoasa
    keypair OutOfOfficeKeyPair
    proxy-ldc-issuer
    crl configure
   crypto ca trustpoint ASDM_TrustPoint1
    enrollment terminal
    subject-name CN=leeds.internal.fabrikam.ltd,O=fabrikam Limited,C=UK
    keypair OutOfOfficeKeyPair
    crl configure
   crypto ca trustpoint ASDM_TrustPoint2
    enrollment terminal
    crl configure
   crypto ca trustpoint ASDM_TrustPoint3
    enrollment terminal
    no validation-usage
    crl configure
   crypto ca trustpool policy
   crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca * removed*
     quit
   crypto ca certificate chain ASDM_TrustPoint0
    certificate 7f301c5c *removed*

     quit
   crypto ca certificate chain ASDM_TrustPoint3
    certificate ca *removed*
     quit
   crypto isakmp identity address 
   crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
   crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
   crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
   crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
   crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
   crypto ikev1 enable outside
   crypto ikev1 policy 201
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 28800
   crypto ikev1 policy 1000
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
   crypto ikev1 policy 2000
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
   crypto ikev1 policy 3000
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
   telnet timeout 5
   ssh timeout 5
   console timeout 0

   dhcpd domain leeds.internal.fabrikam.ltd
   dhcpd auto_config outside
   dhcpd option 3 ip 10.101.0.1 y.y.y.y
   dhcpd option 6 ip 10.1.13.58 8.8.8.8
   !
   dhcpd address 10.101.1.1-10.101.1.254 inside
   dhcpd domain leeds.internal.fabrikam.ltd interface inside
   dhcpd option 3 ip 10.101.0.1 interface inside
   dhcpd option 6 ip 10.1.13.58 8.8.8.8 interface inside
   dhcpd enable inside
   !
   threat-detection basic-threat
   threat-detection statistics access-list
   no threat-detection statistics tcp-intercept
   webvpn
    enable outside
   group-policy DefaultRAGroup internal
   group-policy DefaultRAGroup attributes
    dns-server value 8.8.8.8 8.8.4.4
    vpn-tunnel-protocol l2tp-ipsec 
    default-domain value leeds.internal.fabrikam.ltd
   group-policy DfltGrpPolicy attributes
   group-policy OutOfOffice internal
   group-policy OutOfOffice attributes
    dns-server value 10.1.18.109 1.1.1.1
    vpn-tunnel-protocol ikev1 l2tp-ipsec 
    default-domain value leeds.internal.fabrikam.ltd
   group-policy ireland-filter internal
   group-policy ireland-filter attributes
    vpn-filter value ireland-filter
    vpn-tunnel-protocol ikev1 
   group-policy filter1 internal
   group-policy filter1 attributes
    vpn-filter value amzn-filter
    vpn-tunnel-protocol ikev1 ikev2 
   group-policy filter internal
   group-policy filter attributes
    vpn-filter value acl-amzn
   username user1 password xxxxxxxxxxxxxxxxxxxxxxxx nt-encrypted
   username user1 attributes
    vpn-group-policy OutOfOffice
    vpn-tunnel-protocol ikev1 l2tp-ipsec 
    service-type remote-access 
   tunnel-group DefaultRAGroup general-attributes
    address-pool OutOfOfficePool
    default-group-policy DefaultRAGroup
   tunnel-group DefaultRAGroup ipsec-attributes
    ikev1 pre-shared-key *****
   tunnel-group DefaultRAGroup ppp-attributes
    authentication pap
    authentication ms-chap-v2
   tunnel-group x.x.x.x type ipsec-l2l
   tunnel-group x.x.x.x general-attributes
    default-group-policy filter1
   tunnel-group x.x.x.x ipsec-attributes
    ikev1 pre-shared-key *****
    isakmp keepalive threshold 10 retry 10
   tunnel-group v.v.v.v type ipsec-l2l
   tunnel-group v.v.v.v general-attributes
    default-group-policy filter1
   tunnel-group v.v.v.v ipsec-attributes
    ikev1 pre-shared-key *****
    isakmp keepalive threshold 10 retry 10
   tunnel-group IRELAND-135 type ipsec-l2l
   tunnel-group IRELAND-135 general-attributes
    default-group-policy ireland-filter
   tunnel-group IRELAND-135 ipsec-attributes
    ikev1 pre-shared-key *****
    isakmp keepalive threshold 10 retry 10
   tunnel-group IRELAND-159 type ipsec-l2l
   tunnel-group IRELAND-159 general-attributes
    default-group-policy ireland-filter
   tunnel-group IRELAND-159 ipsec-attributes
    ikev1 pre-shared-key *****
    isakmp keepalive threshold 10 retry 10
   tunnel-group OutOfOffice type remote-access
   tunnel-group OutOfOffice general-attributes
    address-pool OutOfOfficePool
    authentication-server-group LDAP_SRV_GRP LOCAL
    default-group-policy OutOfOffice
   tunnel-group OutOfOffice ipsec-attributes
    ikev1 pre-shared-key *****
    ikev1 trust-point ASDM_TrustPoint0
   tunnel-group OutOfOffice ppp-attributes
    authentication ms-chap-v2
   tunnel-group m.m.m.m type ipsec-l2l
   tunnel-group m.m.m.m general-attributes
    default-group-policy ireland-filter
   tunnel-group m.m.m.m ipsec-attributes
    ikev1 pre-shared-key *****
   tunnel-group z.z.z.z type ipsec-l2l
   tunnel-group z.z.z.z general-attributes
    default-group-policy ireland-filter
   tunnel-group z.z.z.z ipsec-attributes
    ikev1 pre-shared-key *****
   !
   class-map inspection_default
    match access-list global_mpc
    match default-inspection-traffic
   class-map tcp_bypass
    match access-list tcp_bypass
   !
   !
   policy-map type inspect dns preset_dns_map
    parameters
     message-length maximum client auto
     message-length maximum 512
   policy-map global_policy
    class inspection_default
     inspect dns preset_dns_map 
     inspect ftp 
     inspect h323 h225 
     inspect h323 ras 
     inspect rsh 
     inspect rtsp 
     inspect esmtp 
     inspect sqlnet 
     inspect skinny  
     inspect sunrpc 
     inspect xdmcp 
     inspect sip  
     inspect netbios 
     inspect tftp 
     inspect ip-options 
     inspect icmp 
   policy-map tcp_bypass_policy
    class tcp_bypass
     set connection advanced-options tcp-state-bypass
   !
   service-policy global_policy global
   service-policy tcp_bypass_policy interface inside
   prompt hostname context 
   no call-home reporting anonymous
   : end

I even tried a TCP ping on port 80, to no avail.

On the outside interface

Sending 5 TCP SYN requests to 10.1.18.109 port 80
from 109.239.111.4, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

On the inside interface

Sending 5 TCP SYN requests to 10.1.18.109 port 80
from 109.239.111.4, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

The VPC flow logs on Amazon AWS do not show any attempted connection to that IP address.

My NAT rules are easy to see; ASDM NAT rules output

One thing you need in this situation is the management-access <interface-name> global command, where "<interface-name>" is the inside interface nameif. By default the ASA does not put its own traffic into a VPN tunnel, so this command grants that behaviour. It also lets you SSH to the firewall from the far end of the tunnel.

For this to work, the NAT statement covering the firewall's subnet needs the route-lookup keyword added, which it sounds like yours already has.
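As an added check (not part of the question or the answer above), the script below reads the object and NAT lines of an ASA config, tests whether the LDAP server address is covered by an identity NAT exemption carrying route-lookup, and tests whether management-access is configured; the config excerpt is constructed from the question's running config, and the function and message names are my own.

```python
import ipaddress
import re

# Constructed excerpt of the question's ASA config (not the full config).
ASA_CONFIG = """
object network obj-SrcNet
 subnet 0.0.0.0 0.0.0.0
object network obj-amzn-lon
 subnet 10.1.0.0 255.255.0.0
object network obj-amzn-ire
 subnet 10.2.0.0 255.255.0.0
nat (inside,outside) source static obj-SrcNet obj-SrcNet destination static obj-amzn-ire obj-amzn-ire route-lookup
nat (inside,outside) source static obj-SrcNet obj-SrcNet destination static obj-amzn-lon obj-amzn-lon route-lookup
aaa-server LDAP_SRV_GRP (outside) host 10.1.18.109
"""

# Twice NAT line: nat (in,out) source static A A destination static B B [flags]
NAT_RE = re.compile(
    r"nat \((\w+),(\w+)\) source static (\S+) \S+ destination static (\S+) \S+(.*)"
)


def parse_objects(cfg):
    """Map each 'object network NAME' to its subnet (only the 'subnet' form)."""
    objs, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+subnet (\S+) (\S+)", line)
        if m and current:
            objs[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
    return objs


def check_asa_self_traffic(cfg, server_ip):
    """Return a list of findings explaining why the ASA's own traffic to
    server_ip (e.g. the LDAP server) may not enter the site-to-site tunnel."""
    objs = parse_objects(cfg)
    ip = ipaddress.ip_address(server_ip)
    findings, covered = [], False
    for line in cfg.splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue
        dst, flags = m.group(4), m.group(5)
        if dst in objs and ip in objs[dst]:
            covered = True
            if "route-lookup" not in flags:
                findings.append(f"NAT exemption to {dst} lacks route-lookup")
    if not covered:
        findings.append(f"no identity NAT exemption covers {server_ip}")
    if not re.search(r"^management-access \S+", cfg, re.M):
        findings.append("management-access <inside-nameif> is not configured")
    return findings


if __name__ == "__main__":
    for f in check_asa_self_traffic(ASA_CONFIG, "10.1.18.109"):
        print("finding:", f)
```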

Quoted from: https://serverfault.com/questions/961153