URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Forum: vsluhforumID6
Thread number: 17793

Original message
"ASA VPN"

Posted by telsek, 10-Dec-08 15:28
Good afternoon!
ASA 5510 v 7.0
I created an L2L VPN

Then I enter the commands

sh crypto ipsec sa
There are no ipsec sas

sh isakmp sa
There are no isakmp sas

What would that mean?


Contents

Messages in this discussion
"ASA VPN"
Posted by sh_, 10-Dec-08 16:06
Apparently it doesn't work?

"ASA VPN"
Posted by telsek, 10-Dec-08 16:15
>Apparently it doesn't work?

Obviously it doesn't work :-)
The question is what's wrong, because even if something is misconfigured on the other side,
sh isakmp sa should output something like

Total     : 0
Embryonic : 0
        dst               src        state     pending     created


"ASA VPN"
Posted by sh_, 10-Dec-08 18:23
You could at least show the configs. How is anyone supposed to guess what you've cobbled together there?

"ASA VPN"
Posted by telsek, 11-Dec-08 11:49
>You could at least show the configs. How is anyone supposed to guess what you've cobbled together there?

: Saved
:
ASA Version 7.0(8)
!
hostname gw-asa
domain-name mail.ru
enable password xxxxx encrypted
passwd xxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.252
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 172.30.41.254 255.255.255.0
!
interface Ethernet0/3
nameif blades
security-level 100
ip address 172.30.40.254 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service mx tcp
port-object eq smtp
object-group service from_moscow tcp
port-object range 0 65535
object-group network admins
description Administrator Addresses
network-object host xx.xx.xx.xx
object-group network blade
network-object xx.xx.xx.xx 255.255.255.224
object-group service www tcp
port-object eq www
port-object eq https
object-group service ns1 udp
port-object eq domain
object-group service master tcp
port-object eq www
port-object eq https
port-object eq domain
port-object eq 465
port-object eq ftp
object-group network blade_real2
network-object 172.30.41.0 255.255.255.224
network-object 172.30.41.253 255.255.255.255
access-list inbound_outside extended permit icmp any any echo-reply
access-list inbound_outside extended permit icmp any any traceroute
access-list inbound_outside extended permit icmp any any unreachable
access-list inbound_outside extended permit icmp any any time-exceeded
access-list inbound_outside extended permit icmp any any echo
access-list inbound_outside extended permit tcp any host xx.xx.xx.xx object-group www
access-list inbound_outside extended permit tcp any host xx.xx.xx.xx object-group mx
access-list inbound_outside extended permit tcp object-group admins object-group blade object-group from_moscow
access-list inbound_outside extended permit udp any host xx.xx.xx.xx object-group ns1
access-list inbound_outside extended permit tcp any host xx.xx.xx.xx object-group master
access-list inbound_outside extended permit udp object-group admins object-group blade
access-list ipsec_acl extended permit ip 172.30.40.0 255.255.255.0 200.0.1.0 255.255.255.0
access-list ipsec_acl extended permit ip 200.0.1.0 255.255.255.0 172.30.40.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging trap errors
logging asdm informational
logging recipient-address admin@mail.ru level critical
logging host blades 172.30.40.5
mtu outside 1500
mtu inside 1500
mtu blades 1500
mtu management 1500
ip verify reverse-path interface outside
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (blades) 0 access-list ipsec_acl
static (inside,outside) xx.xx.xx.xx 172.30.41.253 netmask 255.255.255.255
access-group inbound_outside in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username xxxxx password xxxxxxxx encrypted privilege 15
username xxxxx password xxxxxxxx encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
snmp-server host outside xxxxxx poll community xxxxxxx version 2c
no snmp-server location
no snmp-server contact
snmp-server community xxxxxxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset1 esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map toMOSCOW 20 match address ipsec_acl
crypto map toMOSCOW 20 set pfs
crypto map toMOSCOW 20 set peer 10.10.10.10
crypto map toMOSCOW 20 set transform-set myset1
crypto map toMOSCOW 20 set security-association lifetime seconds 28800
crypto map toMOSCOW 20 set security-association lifetime kilobytes 4608000
crypto map toMOSCOW interface outside
isakmp identity address
isakmp enable outside
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 120 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 120 retry 2
tunnel-group 10.10.10.10 type ipsec-l2l
tunnel-group 10.10.10.10 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 120 retry 2
telnet timeout 5
ssh xx.xx.xx.xx 255.255.255.0 inside
ssh timeout 30
ssh version 2
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map download
match access-list download
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map download
description Limit Rate from download.mail.ru
class download
  police 1000000 1500
!
service-policy global_policy global
ntp server 216.244.192.3 source outside prefer
ntp server 172.30.40.5
tftp-server blades 172.30.40.5 asa
Cryptochecksum:67df0658cdc0a4ca2e03875948c7c60c
: end