Vpn

Cisco ASA VPN tunnel to a second location - all traffic goes through the first tunnel

  • January 21, 2011

I can't get a second VPN tunnel set up from my Cisco ASA 5510. When I run packet tracer, I don't see the packets go through the NAT-exempt phase or the VPN lookup phase. The first tunnel is up and running fine, with a Watchguard on the other end. The second tunnel is to a PIX (unknown model or version).

Any ideas you have would be greatly appreciated.

Here is my network layout: internal network: 10.10.10.0/24, inside if: 10.10.10.1, outside if: 8.8.8.8

First VPN tunnel: inside network 10.0.40.0/24, inside if: 10.0.40.1, outside if: 74.128.54.15

Second VPN tunnel: inside network 10.1.0.160/27, inside if: unknown, outside if: 63.74.224.5

Here is my running config:

: Saved
:
ASA Version 7.2(1)
!
hostname asa1
domain-name domain.com
enable password xxxxxxxxxx encrypted
names
name 10.10.10.52 sub1
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 8.8.8.8 255.255.255.224 standby 8.8.8.9
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
!
interface Ethernet0/2
description LAN Failover Interface
!
interface Ethernet0/3
description STATE Failover Interface
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
management-only
!
passwd xxxxxxxxxxxxx encrypted
banner motd ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
banner motd This is a private system. If you are not
banner motd authorized to access this system,
banner motd LOG OFF NOW!
banner motd ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
boot system disk0:/asa721-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name domain.com
object-group service httpANDhttps tcp
description Both port 80 and 443
port-object eq https
port-object eq www
object-group service PASVports tcp
description ports 50000-51000
port-object range 50000 50100

--cut-- other access-list items here

access-list inside_access_in extended permit ip any any
access-list watchguard extended permit ip 10.10.10.0 255.255.255.0 10.0.40.0 255.255.255.0
access-list outside_30_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.1.0.160 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.1.0.160 255.255.255.224
access-list outside_cryptomap_1 extended permit ip 10.10.10.0 255.255.255.0 10.1.0.160 255.255.255.224
pager lines 24
logging enable
logging timestamp
logging trap emergencies
logging asdm informational
logging from-address CiscoASA@domain.com
logging recipient-address brad@domain.com level alerts
logging host inside int-logging 6/1470
logging class vpn trap emergencies
mtu outside 1500
mtu inside 1500
mtu management 1500
failover
failover lan unit primary
failover lan interface LANfailover Ethernet0/2
failover key *****
failover replication http
failover mac address Ethernet0/0 xxxx.abcd.xxx1 xxxx.abcd.xxx2
failover mac address Ethernet0/1 xxxx.abcd.xxx3 xxxx.abcd.xxx4
failover link Statefailover Ethernet0/3
failover interface ip LANfailover 192.168.1.25 255.255.255.252 standby 192.168.1.26
failover interface ip Statefailover 192.168.1.49 255.255.255.252 standby 192.168.1.50
no monitor-interface management
icmp permit 10.10.10.0 255.255.255.0 inside
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 0 access-list watchguard
nat (inside) 101 0.0.0.0 0.0.0.0

--cut-- -- static nats here -- 

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 8.8.8.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management

--cut-- snmp entries here

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set firebox esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set Client-3DES-MD5 esp-3des esp-md5-hmac
crypto map watchguardmap 1 match address outside_cryptomap_1
crypto map watchguardmap 1 set peer 63.74.224.5
crypto map watchguardmap 1 set transform-set Client-3DES-MD5
crypto map watchguardmap 1 set security-association lifetime seconds 86400
crypto map watchguardmap 10 match address watchguard
crypto map watchguardmap 10 set pfs
crypto map watchguardmap 10 set peer 74.128.54.15
crypto map watchguardmap 10 set transform-set firebox
crypto map watchguardmap 10 set security-association lifetime seconds 2592000
crypto map watchguardmap 10 set security-association lifetime kilobytes 2147483647
crypto map watchguardmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 9
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 2592000
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group 74.128.54.15 type ipsec-l2l
tunnel-group 74.128.54.15 ipsec-attributes
pre-shared-key *
tunnel-group 63.74.224.5 type ipsec-l2l
tunnel-group 63.74.224.5 ipsec-attributes
pre-shared-key *
no tunnel-group-map enable ou
telnet int-vpn 255.255.255.255 inside
telnet timeout 5
ssh int-vpn 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.20-192.168.1.25 management
dhcpd enable management
!
!
!
ntp server 206.246.118.250 source outside
smtp-server 10.10.10.50
prompt hostname context
Cryptochecksum:19372
: end

I suspect you need to do some debug crypto ipsec and debug crypto isakmp to watch the tunnel to the second site. Most likely you have an IKE ID mismatch.

You have two access lists that are never referenced at all: outside_30_cryptomap and inside_nat0_outbound.

I don't see nat (inside) 0 access-list outside_cryptomap_1, so your traffic to the "second site" is being NATed.
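The two problems the answer points at (ACLs that nothing references, and crypto-map traffic that the NAT-exemption list does not cover) are easy to miss by eye in a long running config. The following is an added example, not part of the original question or answer: a small Python checker run over a constructed excerpt of the poster's config. The excerpt keeps only the NAT and crypto lines that matter, and the "fixed" variant is my assumed remedy: on ASA 7.x there is a single `nat (inside) 0 access-list` statement per interface, so the exempt ACL has to carry every tunnel's destination, and the unused ACLs are dropped.

```python
"""Added example (not from the original post): check an ASA 7.x config for
(1) access-lists that are defined but never referenced by a crypto map, nat
statement or access-group, and (2) crypto-map flows whose source/destination
pair is not covered by the interface's single NAT-exemption ACL."""
import ipaddress
import re

# Constructed excerpt of the poster's running config (NAT and crypto lines only).
BROKEN_CONFIG = """\
access-list watchguard extended permit ip 10.10.10.0 255.255.255.0 10.0.40.0 255.255.255.0
access-list outside_30_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.1.0.160 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.1.0.160 255.255.255.224
access-list outside_cryptomap_1 extended permit ip 10.10.10.0 255.255.255.0 10.1.0.160 255.255.255.224
nat (inside) 0 access-list watchguard
nat (inside) 101 0.0.0.0 0.0.0.0
crypto map watchguardmap 1 match address outside_cryptomap_1
crypto map watchguardmap 10 match address watchguard
"""

# Assumed remedy (my construction): one NAT-exemption ACL per interface, so the
# exempt list carries both tunnels' destinations; the unreferenced ACLs are gone.
FIXED_CONFIG = """\
access-list watchguard extended permit ip 10.10.10.0 255.255.255.0 10.0.40.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 10.10.10.0 255.255.255.0 10.1.0.160 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.0.40.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.1.0.160 255.255.255.224
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
crypto map watchguardmap 1 match address outside_cryptomap_1
crypto map watchguardmap 10 match address watchguard
"""

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")


def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' ACEs."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, s_ip, s_mask, d_ip, d_mask = m.groups()
            src = ipaddress.ip_network(f"{s_ip}/{s_mask}")
            dst = ipaddress.ip_network(f"{d_ip}/{d_mask}")
            acls.setdefault(name, []).append((src, dst))
    return acls


def referenced_acls(config):
    """ACL names used by a crypto map, a nat statement or an access-group."""
    refs = set()
    for line in config.splitlines():
        line = line.strip()
        m = (CRYPTO_RE.match(line)
             or re.match(r"^nat \(\S+\) \d+ access-list (\S+)", line)
             or re.match(r"^access-group (\S+) ", line))
        if m:
            refs.add(m.group(1))
    return refs


def unreferenced_acls(config):
    """Defined ACLs that nothing in the config points at."""
    return sorted(set(parse_acls(config)) - referenced_acls(config))


def nat0_acl(config, interface="inside"):
    """Name of the NAT-exemption ACL bound to the interface, or None."""
    m = re.search(rf"^nat \({interface}\) 0 access-list (\S+)", config, re.M)
    return m.group(1) if m else None


def nat0_gaps(config, interface="inside"):
    """Crypto-map flows (acl, src, dst) that would still be NATed before
    the crypto map lookup, because no NAT-exemption ACE covers them."""
    acls = parse_acls(config)
    exempt = acls.get(nat0_acl(config, interface), [])
    gaps = []
    for line in config.splitlines():
        m = CRYPTO_RE.match(line.strip())
        if not m:
            continue
        for src, dst in acls.get(m.group(1), []):
            if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
                gaps.append((m.group(1), str(src), str(dst)))
    return gaps


if __name__ == "__main__":
    print("unreferenced ACLs:", unreferenced_acls(BROKEN_CONFIG))
    print("crypto flows not exempted from NAT:", nat0_gaps(BROKEN_CONFIG))
    print("after the fix:", nat0_gaps(FIXED_CONFIG))
```

On the posted excerpt this reports `outside_30_cryptomap` and `inside_nat0_outbound` as unreferenced and flags the 10.10.10.0/24 to 10.1.0.160/27 flow as still NATed: it falls through to `nat (inside) 101 0.0.0.0 0.0.0.0`, gets PATed to the outside address, and then no longer matches the crypto ACL, which is why the asker's packet tracer never reaches the NAT-exempt or VPN phases. A way to confirm on the box itself (my suggestion, not from the answer) is `packet-tracer input inside tcp 10.10.10.52 1025 10.1.0.161 80` before and after the change; once the exemption covers the second site the trace should show a NAT-EXEMPT phase followed by the VPN phases.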

Source: https://serverfault.com/questions/224838