Hello,
here is the problem: I have an ASA 5520. Initially it ran in Remote Access mode and everything was fine. But then I needed to bring up a Site-to-Site tunnel. The tunnel seems to come up, but then the remote clients stop working, i.e. they connect fine and get an address assigned, but they can't see the internal network. What could the catch be?
>Hello,
>here is the problem: I have an ASA 5520. Initially it ran in Remote Access mode and everything
>was fine. But then I needed to bring up a Site-to-Site tunnel. The tunnel seems
>to come up, but then the remote clients stop working, i.e. they connect
>fine and get an address assigned, but they can't see the internal network. What
>could the catch be?
There could be many catches.
Maybe the traffic to the clients is also being encrypted, i.e. it matches the crypto access list of the site-to-site peer?
Anyway, post the config.
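As an added illustration of the check suggested in this reply (not part of the original thread): a small Python script that parses the `ip local pool` and `access-list ... permit ip` lines of an ASA config and reports which ACEs of a given ACL would match traffic to or from the remote-access pool. The pool and nat0 lines are taken from the config posted in this thread; the `L2L_CRYPTO` ACL is a hypothetical placeholder for the site-to-site crypto ACL that was rolled back before posting.

```python
import ipaddress
import re

# Constructed sample. The pool and nat0 lines are copied from the posted config;
# the site-to-site crypto ACL "L2L_CRYPTO" is a hypothetical placeholder, since
# the poster rolled back the site-to-site part before posting.
CONFIG = """
ip local pool xxx 192.168.219.110-192.168.219.210 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.209.0 255.255.255.0 192.168.61.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.219.0 255.255.255.0
access-list L2L_CRYPTO extended permit ip 192.168.209.0 255.255.255.0 any
"""

POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-(\S+) mask \S+")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")

def parse_endpoint(tokens):
    """Consume one ACE endpoint: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_config(text):
    """Return the address pools and the 'permit ip' ACEs grouped by ACL name."""
    pools, acls = [], {}
    for line in text.splitlines():
        line = line.strip()
        if m := POOL_RE.match(line):
            pools.append((ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))))
        elif m := ACL_RE.match(line):
            src, rest = parse_endpoint(m.group(2).split())
            dst, _ = parse_endpoint(rest)
            acls.setdefault(m.group(1), []).append((src, dst))
    return pools, acls

def overlapping_aces(pools, acl):
    """ACEs whose source or destination covers at least one pool address."""
    # A hit on the site-to-site crypto ACL means traffic to or from a remote-access
    # client is pulled into the L2L tunnel instead of the client's own SA.
    hits = []
    for first, last in pools:
        for src, dst in acl:
            if any(int(n.network_address) <= int(last) and int(n.broadcast_address) >= int(first)
                   for n in (src, dst)):
                hits.append((str(src), str(dst)))
    return hits
```

A hit on the nat0 ACL is expected (that is the NAT exemption for the pool); a hit on the crypto ACL of the site-to-site peer is the overlap this reply asks about.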
Having a problem with the config right now: since the ASA is in production, I had to roll back to the old config without site-to-site. For now, here is the config without site-to-site:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside extended permit ip any any
access-list inside-XXX_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list ICMPACL extended permit icmp any any
access-list xxxvpn_splitTunnelAcl standard permit any
access-list xxx_splitTunnelAcl standard permit any
access-list xxx_splitTunnelAcl_1 standard permit any
access-list inside-XXX_access_out extended permit ip any any
access-list xxx_splitTunnelAcl_2 standard permit 192.168.219.0 255.255.255.0
access-list xxx_splitTunnelAcl_7 standard permit any
access-list xxx_splitTunnelAcl_3 standard permit any
access-list xxx_splitTunnelAcl_8 standard permit 192.168.209.0 255.255.255.0
access-list xxx_splitTunnelAcl_8 standard permit 192.168.219.0 255.255.255.0
access-list xxx_splitTunnelAcl_8 standard permit X.Y.Z.W 255.255.255.128
access-list xxx_splitTunnelAcl_4 standard permit 192.168.219.0 255.255.255.0
access-list xxx_splitTunnelAcl_5 standard permit any
access-list xxx_splitTunnelAcl_6 standard permit any
access-list inside_nat0_outbound extended permit ip 192.168.209.0 255.255.255.0 192.168.61.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.219.0 255.255.255.0
access-list xxx_splitTunnelAcl_9 standard permit 192.168.61.0 255.255.255.0
access-list xxx_splitTunnelAcl_9 standard permit 192.168.209.0 255.255.255.0
access-list Local_LAN_Access standard permit host 0.0.0.0
access-list xxx_splitTunnelAcl_10 standard permit any
pager lines 24
logging enable
logging timestamp
logging console informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
ip local pool xxx 192.168.219.110-192.168.219.210 mask 255.255.255.0
ip audit name idsattack attack action alarm drop reset
ip audit name idsinfo info action alarm
ip audit interface outside idsinfo
ip audit interface outside idsattack
ip audit signature 2004 disable
no failover
monitor-interface inside
monitor-interface outside
monitor-interface management
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 0.0.0.0 0.0.0.0
access-group inside-XXX_access_in in interface inside
access-group inside-XXX_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group inside in interface management
access-group inside out interface management
route outside 0.0.0.0 0.0.0.0 X.Y.Z.W 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
filter none
url-list none
port-forward none
port-forward-name value Application Access
group-policy xxx internal
group-policy xxx attributes
split-tunnel-policy excludespecified
split-tunnel-network-list value Local_LAN_Access
webvpn
/*---------------------------------------------*/
crypto ipsec transform-set matiasvpn esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set pfs
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 160 set pfs
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 180 set pfs
crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 200 set pfs
crypto dynamic-map outside_dyn_map 200 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 220 set pfs
crypto dynamic-map outside_dyn_map 220 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 240 set pfs
crypto dynamic-map outside_dyn_map 240 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 260 set pfs
crypto dynamic-map outside_dyn_map 260 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 280 set pfs
crypto dynamic-map outside_dyn_map 280 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 300 set pfs
crypto dynamic-map outside_dyn_map 300 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 320 set pfs
crypto dynamic-map outside_dyn_map 320 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 340 set pfs
crypto dynamic-map outside_dyn_map 340 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 360 set pfs
crypto dynamic-map outside_dyn_map 360 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 380 set pfs
crypto dynamic-map outside_dyn_map 380 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 400 set pfs
crypto dynamic-map outside_dyn_map 400 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 420 set pfs
crypto dynamic-map outside_dyn_map 420 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 440 set pfs
crypto dynamic-map outside_dyn_map 440 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmapmatias 119 set pfs
crypto dynamic-map dynmapmatias 119 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmapmatias 139 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmapmatias 159 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmapmatias 179 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmapmatias 199 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map matiasmap 99 ipsec-isakmp dynamic dynmapmatias
crypto map matiasmap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
/*-----------------------------------*/
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:
: end