Vpn
Cisco ASA VPN tunnel to a second location - all traffic goes through the first tunnel
I can't get a second VPN tunnel set up from my Cisco ASA 5510. When I run packet-tracer, I don't see the packet go through the NAT-exempt phase or the VPN lookup phase. The first tunnel is up and working fine, with a Watchguard on the other end. The second tunnel is to a PIX (unknown model or version).
Any ideas would be appreciated.
Here is my network layout:
Internal network: 10.10.10.0/24, inside if: 10.10.10.1, outside if: 8.8.8.8
First VPN tunnel internal network: 10.0.40.0/24, inside if: 10.0.40.1, outside if: 74.128.54.15
Second VPN tunnel internal network: 10.1.0.160/27, inside if: unknown, outside if: 63.74.224.5
Here is my running config:
: Saved
:
ASA Version 7.2(1)
!
hostname asa1
domain-name domain.com
enable password xxxxxxxxxx encrypted
names
name 10.10.10.52 sub1
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 8.8.8.8 255.255.255.224 standby 8.8.8.9
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
!
interface Ethernet0/2
 description LAN Failover Interface
!
interface Ethernet0/3
 description STATE Failover Interface
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
 management-only
!
passwd xxxxxxxxxxxxx encrypted
banner motd ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
banner motd This is a private system. If you are not
banner motd authorized to access this system,
banner motd LOG OFF NOW!
banner motd ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
boot system disk0:/asa721-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
 domain-name domain.com
object-group service httpANDhttps tcp
 description Both port 80 and 443
 port-object eq https
 port-object eq www
object-group service PASVports tcp
 description ports 50000-51000
 port-object range 50000 50100
--cut-- other access-list items here
access-list inside_access_in extended permit ip any any
access-list watchguard extended permit ip 10.10.10.0 255.255.255.0 10.0.40.0 255.255.255.0
access-list outside_30_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.1.0.160 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.1.0.160 255.255.255.224
access-list outside_cryptomap_1 extended permit ip 10.10.10.0 255.255.255.0 10.1.0.160 255.255.255.224
pager lines 24
logging enable
logging timestamp
logging trap emergencies
logging asdm informational
logging from-address CiscoASA@domain.com
logging recipient-address brad@domain.com level alerts
logging host inside int-logging 6/1470
logging class vpn trap emergencies
mtu outside 1500
mtu inside 1500
mtu management 1500
failover
failover lan unit primary
failover lan interface LANfailover Ethernet0/2
failover key *****
failover replication http
failover mac address Ethernet0/0 xxxx.abcd.xxx1 xxxx.abcd.xxx2
failover mac address Ethernet0/1 xxxx.abcd.xxx3 xxxx.abcd.xxx4
failover link Statefailover Ethernet0/3
failover interface ip LANfailover 192.168.1.25 255.255.255.252 standby 192.168.1.26
failover interface ip Statefailover 192.168.1.49 255.255.255.252 standby 192.168.1.50
no monitor-interface management
icmp permit 10.10.10.0 255.255.255.0 inside
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 0 access-list watchguard
nat (inside) 101 0.0.0.0 0.0.0.0
--cut-- -- static nats here --
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 8.8.8.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
--cut-- snmp entries here
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set firebox esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set Client-3DES-MD5 esp-3des esp-md5-hmac
crypto map watchguardmap 1 match address outside_cryptomap_1
crypto map watchguardmap 1 set peer 63.74.224.5
crypto map watchguardmap 1 set transform-set Client-3DES-MD5
crypto map watchguardmap 1 set security-association lifetime seconds 86400
crypto map watchguardmap 10 match address watchguard
crypto map watchguardmap 10 set pfs
crypto map watchguardmap 10 set peer 74.128.54.15
crypto map watchguardmap 10 set transform-set firebox
crypto map watchguardmap 10 set security-association lifetime seconds 2592000
crypto map watchguardmap 10 set security-association lifetime kilobytes 2147483647
crypto map watchguardmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 9
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 2592000
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group 74.128.54.15 type ipsec-l2l
tunnel-group 74.128.54.15 ipsec-attributes
 pre-shared-key *
tunnel-group 63.74.224.5 type ipsec-l2l
tunnel-group 63.74.224.5 ipsec-attributes
 pre-shared-key *
no tunnel-group-map enable ou
telnet int-vpn 255.255.255.255 inside
telnet timeout 5
ssh int-vpn 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.20-192.168.1.25 management
dhcpd enable management
!
!
!
ntp server 206.246.118.250 source outside
smtp-server 10.10.10.50
prompt hostname context
Cryptochecksum:19372
: end
I suspect you need to run some
debug crypto ipsec
and debug crypto isakmp
and watch the tunnel to the second site. You most likely have an IKE ID mismatch. You have two access lists that are not referenced anywhere: outside_30_cryptomap and inside_nat0_outbound. I don't see
nat (inside) 0 access-list outside_cryptomap_1
so your traffic to the "second site" is being NATed.
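The NAT-exemption change the answer points at, written out as an added example; this is not from the original post or the answer. On the pre-8.3 NAT syntax the posted config uses (ASA 7.2), an interface takes only one "nat (inside) 0 access-list" statement, so a second one would replace the existing Watchguard exemption rather than add to it. The example therefore merges both remote networks into the already-defined but unreferenced inside_nat0_outbound ACL and points nat 0 at that. The packet-tracer destination 10.1.0.170 and TCP port 445 are assumed values chosen from inside the 10.1.0.160/27 range; sub1 (10.10.10.52) is the host named in the posted config.

```cisco
! Added example, not the poster's config. ASA 7.2 pre-8.3 NAT syntax as in the posted config.
!
! Posted state (weak): only the Watchguard network is NAT-exempt, so packets for
! 10.1.0.160/27 hit "nat (inside) 101" and get PATed to the outside address before
! the crypto map is consulted; they never match outside_cryptomap_1.
!   nat (inside) 0 access-list watchguard
!
! Corrected state: one exemption ACL that covers both tunnel networks.
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.0.40.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.1.0.160 255.255.255.224
!
no nat (inside) 0 access-list watchguard
nat (inside) 0 access-list inside_nat0_outbound
!
! Existing translations were built under the old rule; drop them so new flows are re-evaluated.
clear xlate
!
! The duplicate crypto ACL is unreferenced (crypto map entry 1 already uses outside_cryptomap_1).
clear configure access-list outside_30_cryptomap
!
! Verification: a packet from sub1 toward the PIX network should now show a NAT-exempt
! phase and a VPN lookup phase in the trace (destination host and port are assumed values).
packet-tracer input inside tcp 10.10.10.52 12345 10.1.0.170 445 detailed
show crypto isakmp sa
show crypto ipsec sa peer 63.74.224.5
```

Apply this in one change window: between "no nat (inside) 0 access-list watchguard" and the new nat 0 line, new flows to the Watchguard network would be PATed too. If packet-tracer then shows the VPN phase but "show crypto isakmp sa" never reaches MM_ACTIVE for 63.74.224.5, the remaining problem is on the IKE side (pre-shared key, policy or identity mismatch with the PIX), which is what the debug commands in the answer expose. Nothing here touches the ISAKMP policies or transform sets; they remain 3DES with MD5/SHA-1 as posted.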