Cisco

Site-to-site VPN between 5505 and 5512x

  • February 11, 2014

I'm trying to set up a site-to-site VPN IPsec tunnel between an ASA 5512x and a 5505 on an isolated network.

I ran the IPsec VPN wizard on both devices and used the same configuration, but they never seem to try to talk to each other.

5512

  • Outside interface: 172.16.1.1
  • Inside interface: 10.10.254.254

5505

  • Outside interface: 172.16.1.2
  • Inside interface: 192.168.1.1

I currently have only a single network cable running between the outside interfaces of the two devices, and I can ping the 172.16.1.x IPs from each device.

Is there something I'm missing? Sorry if this is obvious, but I've never worked with a site-to-site setup before.

The 5512 is running ASA 8.6(1)2 and the 5505 is running ASA 8.2(5)... I'm not sure whether those are simply incompatible; I couldn't find an answer online. I'd try upgrading the 5505, but I currently don't have access to a Cisco account to download the image, and I'm waiting on a colleague to get back to me with credentials.

Here are the configs of both devices:

5512 config:

: Saved  
:  
ASA Version 8.6(1)2   
!  
hostname asa5512  
domain-name test.com  
enable password 8Ry2YjIyt7RRXU24 encrypted  
passwd 2KFQnbNIdI.2KYOU encrypted  
names  
!  
interface GigabitEthernet0/0  
nameif outside  
security-level 0  
ip address 172.16.1.2 255.255.255.0   
!  
interface GigabitEthernet0/1  
nameif inside  
security-level 100  
ip address 10.10.254.254 255.255.0.0   
!  
interface GigabitEthernet0/2  
shutdown  
no nameif  
no security-level  
no ip address  
!  
interface GigabitEthernet0/3  
shutdown  
no nameif  
no security-level  
no ip address  
!  
interface GigabitEthernet0/4  
shutdown  
no nameif  
no security-level  
no ip address  
!  
interface GigabitEthernet0/5  
shutdown  
no nameif  
no security-level  
no ip address  
!  
interface Management0/0  
nameif management  
security-level 0  
ip address 192.168.1.1 255.255.255.0   
!  
ftp mode passive  
dns server-group DefaultDNS  
domain-name test.com  
object network 192.168.1.0_24  
subnet 192.168.1.0 255.255.255.0  
access-list outside_cryptomap extended permit ip object 192.168.1.0_24 host 172.16.1.2   
pager lines 24  
mtu management 1500  
mtu inside 1500  
mtu outside 1500  
icmp unreachable rate-limit 1 burst-size 1  
no asdm history enable  
arp timeout 14400  
timeout xlate 3:00:00  
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02  
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00  
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00  
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute  
timeout tcp-proxy-reassembly 0:01:00  
timeout floating-conn 0:00:00  
dynamic-access-policy-record DfltAccessPolicy  
user-identity default-domain LOCAL  
http server enable  
http 192.168.1.15 255.255.255.255 management  
no snmp-server location  
no snmp-server contact  
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart  
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac   
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac   
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac   
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac   
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac   
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac   
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac   
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac   
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac   
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac   
crypto ipsec ikev2 ipsec-proposal DES  
protocol esp encryption des  
protocol esp integrity sha-1 md5  
crypto ipsec ikev2 ipsec-proposal 3DES  
protocol esp encryption 3des  
protocol esp integrity sha-1 md5  
crypto ipsec ikev2 ipsec-proposal AES  
protocol esp encryption aes  
protocol esp integrity sha-1 md5  
crypto ipsec ikev2 ipsec-proposal AES192  
protocol esp encryption aes-192  
protocol esp integrity sha-1 md5  
crypto ipsec ikev2 ipsec-proposal AES256  
protocol esp encryption aes-256  
protocol esp integrity sha-1 md5  
crypto map outside_map1 1 match address outside_cryptomap  
crypto map outside_map1 1 set peer 172.16.1.2   
crypto map outside_map1 1 set ikev1 transform-set ESP-3DES-SHA  
crypto map outside_map1 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES  
crypto map outside_map1 interface outside  
crypto ikev2 policy 1  
encryption aes-256  
integrity sha  
group 5 2  
prf sha  
lifetime seconds 86400  
crypto ikev2 policy 10  
encryption aes-192  
integrity sha  
group 5 2  
prf sha  
lifetime seconds 86400  
crypto ikev2 policy 20  
encryption aes  
integrity sha  
group 5 2  
prf sha  
lifetime seconds 86400  
crypto ikev2 policy 30  
encryption 3des  
integrity sha  
group 5 2  
prf sha  
lifetime seconds 86400  
crypto ikev2 policy 40  
encryption des  
integrity sha  
group 5 2  
prf sha  
lifetime seconds 86400  
crypto ikev1 policy 120  
authentication pre-share  
encryption 3des  
hash sha  
group 2  
lifetime 86400  
telnet timeout 5  
ssh timeout 5  
console timeout 0  
threat-detection basic-threat  
threat-detection statistics access-list  
no threat-detection statistics tcp-intercept  
webvpn  
tunnel-group 172.16.1.2 type ipsec-l2l  
tunnel-group 172.16.1.2 ipsec-attributes  
ikev1 pre-shared-key *****  
ikev2 remote-authentication pre-shared-key *****  
ikev2 local-authentication pre-shared-key *****  
!  
class-map inspection_default  
match default-inspection-traffic  
!  
!  
policy-map type inspect dns preset_dns_map  
parameters  
 message-length maximum client auto  
 message-length maximum 512  
policy-map global_policy  
class inspection_default  
 inspect dns preset_dns_map   
 inspect ftp   
 inspect h323 h225   
 inspect h323 ras   
 inspect ip-options   
 inspect netbios   
 inspect rsh   
 inspect rtsp   
 inspect skinny    
 inspect esmtp   
 inspect sqlnet   
 inspect sunrpc   
 inspect tftp   
 inspect sip    
 inspect xdmcp   
!  
service-policy global_policy global  
prompt hostname context   
no call-home reporting anonymous  
call-home  
profile CiscoTAC-1  
 no active  
 destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService  
 destination address email callhome@cisco.com  
 destination transport-method http  
 subscribe-to-alert-group diagnostic  
 subscribe-to-alert-group environment  
 subscribe-to-alert-group inventory periodic monthly 27  
 subscribe-to-alert-group configuration periodic monthly 27  
 subscribe-to-alert-group telemetry periodic daily  
Cryptochecksum:aafae49415856e6cd5c44dedd3984999  
: end  
no asdm history enable  

5505 config:

: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 172.16.1.1 255.255.255.0
!
ftp mode passive
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 host 172.16.1.2
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 172.16.1.2
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.132 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 172.16.1.2 type ipsec-l2l
tunnel-group 172.16.1.2 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
 message-length maximum client auto
 message-length maximum 512
policy-map global_policy
class inspection_default
 inspect dns preset_dns_map
 inspect ftp
 inspect h323 h225
 inspect h323 ras
 inspect rsh
 inspect rtsp
 inspect esmtp
 inspect sqlnet
 inspect skinny
 inspect sunrpc
 inspect xdmcp
 inspect sip
 inspect netbios
 inspect tftp
 inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6a787924fbd2678c0c41685cbbf16b81
: end
no asdm history enable

Any help would be appreciated, thanks!

The ASA won't try to bring up the tunnel until traffic tries to use it (by matching the crypto ACL).

Before you get to that point, you need to make some changes to the current configuration.

  • Change the inside interface subnets. Both are currently on 192.168.1.0/24, so they can never communicate with nodes in an identically numbered subnet on the other side of the VPN.
  • Change your crypto ACLs so that on each ASA the source is the local inside network and the destination is the remote inside network.

So, for example, if you change the inside network on the 5505 to 192.168.2.0, you would set up your crypto ACLs like this:

5512:

access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

5505:

access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

The tunnel should then attempt to come up whenever traffic is sent from one subnet to the other - so try pinging 192.168.2.1 from a node in 192.168.1.0/24. Alternatively, you can use the packet-tracer command to simulate traffic - a simulated packet from one side to the other should also bring the tunnel up.
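The two mistakes the answer describes (identical inside subnets, crypto ACLs that are not mirror images of each other) are the kind of thing that is easy to check mechanically before staring at debug output. The script below is an added example, not code from the Server Fault thread or from Cisco: it parses only the lines of an ASA config that matter for an IKEv1 L2L tunnel (outside address, crypto ACL and the network objects it references, crypto map peer, tunnel-group) and compares the two sides. The POSTED_* excerpts are trimmed from the configs in the question; the FIXED_* excerpts are constructed from the answer's suggestion plus one more change the checker surfaces from the posted 5512 config: its crypto map sets peer 172.16.1.2, which in that config is the 5512's own outside address, so the peer and the tunnel-group name have to point at the 5505's outside address (172.16.1.1) instead. The hostnames in the calls are the ones from the posted configs.

```python
# Added example, not code from the Server Fault thread: consistency checks for an
# ASA IKEv1 site-to-site pair. POSTED_* excerpts are trimmed from the question's
# configs; FIXED_* excerpts are constructed from the answer's suggested changes.
import ipaddress

POSTED_5512 = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 172.16.1.2 255.255.255.0
object network 192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip object 192.168.1.0_24 host 172.16.1.2
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set peer 172.16.1.2
tunnel-group 172.16.1.2 type ipsec-l2l
"""
POSTED_5505 = """\
interface Vlan2
 nameif outside
 ip address 172.16.1.1 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 host 172.16.1.2
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 172.16.1.2
tunnel-group 172.16.1.2 type ipsec-l2l
"""
# Constructed "after" state: 5505 inside moved to 192.168.2.0/24, crypto ACLs mirrored,
# and the 5512's peer and tunnel-group pointed at the 5505's outside address.
FIXED_5512 = (POSTED_5512.replace("172.16.1.2 type", "172.16.1.1 type").replace("peer 172.16.1.2", "peer 172.16.1.1")
              .replace("object 192.168.1.0_24 host 172.16.1.2", "192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0"))
FIXED_5505 = POSTED_5505.replace("192.168.1.0 255.255.255.0 host 172.16.1.2", "192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0")

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def _addr_spec(tokens, objects):
    """Consume one ASA address spec (any | host A | object NAME | A MASK) from tokens."""
    kind = tokens.pop(0)
    if kind == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if kind == "host":
        return _net(tokens.pop(0), "255.255.255.255")
    if kind == "object":
        return objects[tokens.pop(0)]
    return _net(kind, tokens.pop(0))

def parse_asa(text):
    """Pull out the outside address, network objects, crypto ACLs, crypto map and L2L tunnel-groups."""
    cfg = {"outside": None, "objects": {}, "acls": {}, "cmap": {}, "tgroups": set()}
    block = {}  # attributes of the interface / object block currently being read
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if t[0] in ("interface", "object"):
            block = {"name": t[-1]}
        elif t[0] == "nameif":
            block["nameif"] = t[1]
        elif t[:2] == ["ip", "address"] and block.get("nameif") == "outside":
            cfg["outside"] = ipaddress.ip_address(t[2])
        elif t[0] == "subnet":
            cfg["objects"][block["name"]] = _net(t[1], t[2])
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            rest = t[5:]  # source spec is consumed first, then destination
            cfg["acls"].setdefault(t[1], set()).add((_addr_spec(rest, cfg["objects"]), _addr_spec(rest, cfg["objects"])))
        elif t[:2] == ["crypto", "map"] and len(t) > 6 and t[3].isdigit():
            entry = cfg["cmap"].setdefault(int(t[3]), {})
            if t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
            elif t[4:6] == ["set", "peer"]:
                entry["peer"] = ipaddress.ip_address(t[6])
        elif t[0] == "tunnel-group" and t[2:4] == ["type", "ipsec-l2l"]:
            cfg["tgroups"].add(ipaddress.ip_address(t[1]))
    return cfg

def check_pair(name_a, text_a, name_b, text_b):
    """Return human-readable findings; an empty list means the pair looks consistent."""
    cfgs = {name_a: parse_asa(text_a), name_b: parse_asa(text_b)}
    findings, nets = [], {name_a: set(), name_b: set()}
    for local, remote in ((name_a, name_b), (name_b, name_a)):
        cfg = cfgs[local]
        for seq, e in cfg["cmap"].items():
            peer = e.get("peer")
            if peer == cfg["outside"]:
                findings.append(f"{local}: crypto map seq {seq} peer {peer} is this ASA's own outside address")
            elif peer != cfgs[remote]["outside"]:
                findings.append(f"{local}: crypto map seq {seq} peer {peer} is not {remote}'s outside address")
            if peer not in cfg["tgroups"]:
                findings.append(f"{local}: no 'tunnel-group {peer} type ipsec-l2l' for crypto map seq {seq}")
            nets[local] |= cfg["acls"].get(e.get("acl"), set())
    if nets[name_a] != {(dst, src) for src, dst in nets[name_b]}:
        findings.append(f"{name_a}/{name_b}: crypto ACLs are not mirror images (local -> remote on each side)")
    for (sa, _), (sb, _) in ((x, y) for x in nets[name_a] for y in nets[name_b]):
        if sa.overlaps(sb):
            findings.append(f"{name_a}/{name_b}: protected networks {sa} and {sb} overlap; no route can cross the tunnel")
    return findings

def audit(fixed=False):
    """Run the checks on the posted configs, or on the constructed corrected pair."""
    a, b = (FIXED_5512, FIXED_5505) if fixed else (POSTED_5512, POSTED_5505)
    return check_pair("asa5512", a, "ciscoasa", b)

if __name__ == "__main__":
    print("as posted:", *audit(), sep="\n  ")
    print("after changes:", *(audit(True) or ["no findings"]), sep="\n  ")
```

Run as posted, it reports three findings: the 5512's peer is its own outside address, the two crypto ACLs are not mirrors of each other, and both sides protect 192.168.1.0/24; the constructed corrected pair reports none. The parser deliberately only understands the handful of statement types it needs, so extend `_addr_spec` if your ACLs use object-groups.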

Source: https://serverfault.com/questions/574819