Hello, gentlemen. I have been given the task of building a spoke-to-spoke topology using the following equipment: PIX 515E (7.0), Cisco 2821 (12.4 ADVIPSERVICE) and ASA 5510 (8.0). Following the document http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/produc...
I tried to configure it.
However, the document has (IMHO) some mistakes: judging by the topology picture it is L2L everywhere, yet in the verify section the IPsec role is shown as RA in places. But that is not the main point. In short, I tried to configure it, and judging by show crypto ipsec sa everything should work, but it doesn't :-( That is, ping from a spoke to the hub works, but there is no ping between the spokes. It feels as if routing is to blame.
The topology looks like this:
cisco3650 (ip 192.168.200.2/24)
        |
pix515E (inside 192.168.200.1/24, outside 172.16.110.7)
       /                          \
asa                              2821 (out 172.16.110.81, in 192.168.201.1)
(out 172.16.110.179 / in 192.168.202.1)
  |
cisco3750 (192.168.202.2)
Here are the configs:
PIX515E-hub# show run
: Saved
:
PIX Version 7.0(1)
names
!
interface Ethernet0
nameif inside
security-level 100
ip address 192.168.200.1 255.255.255.0
!
interface Ethernet1
nameif outside
security-level 0
ip address 172.16.110.7 255.255.0.0
!
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX515E-hub
ftp mode passive
same-security-traffic permit intra-interface
access-list ipsec-ufa remark ======ufa======
access-list ipsec-ufa extended permit ip 192.168.200.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list ipsec-ufa extended permit ip 192.168.202.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list ipsec-novosib remark -==========Novosib
access-list ipsec-novosib extended permit ip 192.168.200.0 255.255.255.0 192.168.202.0 255.255.255.0
access-list ipsec-novosib extended permit ip 192.168.201.0 255.255.255.0 192.168.202.0 255.255.255.0
access-list nonat remark ======ufa=====
access-list nonat extended permit ip 192.168.200.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list nonat remark ======Novosib=====
access-list nonat extended permit ip 192.168.200.0 255.255.255.0 192.168.202.0 255.255.255.0
access-list nonat remark =======spoke-to-spoke=======
access-list nonat extended permit ip 192.168.202.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list nonat extended permit ip 192.168.201.0 255.255.255.0 192.168.202.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 10000
logging console debugging
logging buffered debugging
mtu outside 1500
mtu inside 1500
monitor-interface outside
monitor-interface inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.200.0 255.255.255.0
route outside 192.168.202.0 255.255.255.0 172.16.110.179 1
route outside 192.168.201.0 255.255.255.0 172.16.110.81 1
route outside 0.0.0.0 0.0.0.0 172.16.110.29 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
aaa authentication ssh console LOCAL
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 match address ipsec-ufa
crypto map mymap 10 set peer 172.16.110.81
crypto map mymap 10 set transform-set myset
crypto map mymap 20 match address ipsec-novosib
crypto map mymap 20 set peer 172.16.110.179
crypto map mymap 20 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
console timeout 0
tunnel-group 172.16.110.81 type ipsec-l2l
tunnel-group 172.16.110.81 ipsec-attributes
pre-shared-key *
tunnel-group 172.16.110.179 type ipsec-l2l
tunnel-group 172.16.110.179 ipsec-attributes
pre-shared-key *
!!
PIX515E-hub#
-------
ASA2-Novosib# sho run
: Saved
:
ASA Version 8.0(4)
!
hostname ASA2-Novosib
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.202.1 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 172.16.110.179 255.255.0.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list ipsec-hub remark ======to_hub======
access-list ipsec-hub extended permit ip 192.168.202.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list ipsec-hub extended permit ip 192.168.202.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list nonat remark ======to_hub=====
access-list nonat extended permit ip 192.168.202.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list nonat extended permit ip 192.168.202.0 255.255.255.0 192.168.201.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 10000
logging buffered debugging
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.200.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 172.16.110.29 1
route outside 192.168.200.0 255.255.255.0 172.16.110.7 1
route outside 192.168.201.0 255.255.255.0 172.16.110.7 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 10 match address ipsec-hub
crypto map mymap 10 set peer 172.16.110.7
crypto map mymap 10 set transform-set myset
crypto map mymap 10 set security-association lifetime seconds 28800
crypto map mymap 10 set security-association lifetime kilobytes 4608000
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group 172.16.110.7 type ipsec-l2l
tunnel-group 172.16.110.7 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
: end
ASA2-Novosib#
-------------------
C2821-UFA#sho run
Building configuration...
Current configuration : 2243 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname C2821-UFA
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable password cisco
!
aaa new-model
!
!
aaa authentication login default local
!
aaa session-id common
memory-size iomem 15
no network-clock-participate wic 1
!
!
ip cef
!
!
ip ssh version 2
ip inspect name MYFW tcp
ip inspect name MYFW udp
ip inspect name MYFW icmp
ip inspect name MYFW ftp
ip inspect name MYFW ipsec-msft
ip inspect name MYFW isakmp
!
!
voice-card 0
no dspfarm
!
!!
username cisco password 0 cisco
!!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key test address 172.16.110.7 no-xauth
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map mymap 1 ipsec-isakmp
set peer 172.16.110.7
set transform-set myset
match address myacl
!
!
!
!
interface GigabitEthernet0/0
ip address 192.168.201.1 255.255.255.0
duplex auto
speed auto
!
interface Service-Engine0/1
no ip address
shutdown
!
interface GigabitEthernet0/1
ip address 172.16.110.81 255.255.0.0
ip nat outside
ip inspect MYFW in
ip virtual-reassembly
duplex auto
speed auto
crypto map mymap
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
ip route 192.168.200.0 255.255.255.0 172.16.110.7
ip route 192.168.202.0 255.255.255.0 172.16.110.7
!
!
ip http server
no ip http secure-server
ip nat inside source list fornat interface GigabitEthernet0/1 overload
!
ip access-list extended fornat
deny ip 102.168.201.0 0.0.0.255 192.168.202.0 0.0.0.255
deny ip 192.168.201.0 0.0.0.255 192.168.200.0 0.0.0.255
permit ip 192.168.201.0 0.0.0.255 any
ip access-list extended myacl
permit ip 192.168.201.0 0.0.0.255 192.168.200.0 0.0.0.255
permit ip 192.168.201.0 0.0.0.255 192.168.202.0 0.0.0.255
!
!
!
control-plane
!
!!
line con 0
line aux 0
line 258
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
transport input all
line vty 5
!
scheduler allocate 20000 1000
!
end
C2821-UFA#
Thanks a lot, everyone.
Here is the command output:
PIX515E-hub# show cry isa sa
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: 172.16.110.179
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
2 IKE Peer: 172.16.110.81
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
PIX515E-hub#
PIX515E-hub# show cry ipsec sa
interface: outside
Crypto map tag: mymap, local addr: 172.16.110.7
local ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.201.0/255.255.255.0/0/0)
current_peer: 172.16.110.81
Crypto map tag: mymap, local addr: 172.16.110.7
local ident (addr/mask/prot/port): (192.168.202.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.201.0/255.255.255.0/0/0)
current_peer: 172.16.110.81
Crypto map tag: mymap, local addr: 172.16.110.7
local ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.202.0/255.255.255.0/0/0)
current_peer: 172.16.110.179
Crypto map tag: mymap, local addr: 172.16.110.7
local ident (addr/mask/prot/port): (192.168.201.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.202.0/255.255.255.0/0/0)
current_peer: 172.16.110.179
PIX515E-hub#
I don't know what causes it, but pings from the ASA side (i.e., from the 3750) reach the router and it answers them, but after that they apparently go nowhere....
Problem solved. I made a mistake in the access list: typed 102 instead of 192 :-)
Everything works )
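The root cause found above (a NAT-exemption entry typed as 102.168.201.0 instead of 192.168.201.0, so spoke-to-spoke traffic was translated instead of encrypted) is the kind of mismatch that is easy to check mechanically. The following Python script is an added example for this thread, not the poster's or Cisco's code: it parses the ACLs quoted in the thread (embedded as constructed sample input, in both IOS wildcard and PIX/ASA mask syntax), then cross-checks every crypto-map "interesting traffic" pair against the NAT ACL and reports pairs that would still be translated, plus exemption entries that match no crypto pair. It assumes the platform semantics stated in the comments: on IOS `ip nat inside source list` a `deny` means "do not translate", on PIX/ASA `nat (inside) 0 access-list` a `permit` means "do not translate".

```python
"""Cross-check crypto-map 'interesting traffic' ACLs against the NAT-exemption ACL.

Added example for this thread, not the poster's or Cisco's code. Traffic the crypto ACL
selects for encryption must be kept out of NAT; if the exemption entry is mistyped
(here 102.168.201.0 instead of 192.168.201.0) the packets fall through to the
'permit ip ... any' overload rule and leave unencrypted, so the far side never sees them.
"""
import ipaddress
import re

# Constructed sample: the spoke router's ACLs as posted (IOS wildcard-mask syntax).
IOS_SAMPLE = """\
ip access-list extended fornat
 deny ip 102.168.201.0 0.0.0.255 192.168.202.0 0.0.0.255
 deny ip 192.168.201.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 192.168.201.0 0.0.0.255 any
ip access-list extended myacl
 permit ip 192.168.201.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 192.168.201.0 0.0.0.255 192.168.202.0 0.0.0.255
"""

# Constructed sample: the hub's ACLs as posted (PIX/ASA syntax, regular subnet masks).
ASA_SAMPLE = """\
access-list ipsec-ufa remark ======ufa======
access-list ipsec-ufa extended permit ip 192.168.200.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list ipsec-ufa extended permit ip 192.168.202.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list ipsec-novosib extended permit ip 192.168.200.0 255.255.255.0 192.168.202.0 255.255.255.0
access-list ipsec-novosib extended permit ip 192.168.201.0 255.255.255.0 192.168.202.0 255.255.255.0
access-list nonat extended permit ip 192.168.200.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list nonat extended permit ip 192.168.200.0 255.255.255.0 192.168.202.0 255.255.255.0
access-list nonat extended permit ip 192.168.202.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list nonat extended permit ip 192.168.201.0 255.255.255.0 192.168.202.0 255.255.255.0
"""


def _endpoint(tokens, mask_style):
    """Consume one ACL endpoint (any | host A | A mask) and return an IPv4Network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    if mask_style == "wildcard":  # IOS wildcard bits are the inverse of the subnet mask
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.IPv4Network(f"{tok}/{mask}", strict=False)


def parse_acls(text, mask_style):
    """Return {acl_name: [(action, src_net, dst_net), ...]} for 'permit/deny ip' entries.

    mask_style is 'wildcard' for IOS named ACLs and 'mask' for PIX/ASA access-lists.
    Remarks, headers and non-IP entries are ignored.
    """
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        ios_hdr = re.match(r"ip access-list extended (\S+)$", line)
        if ios_hdr:
            current = ios_hdr.group(1)
            acls.setdefault(current, [])
            continue
        asa = re.match(r"access-list (\S+) extended (.*)$", line)
        if asa:  # PIX/ASA repeats the ACL name on every line
            current, line = asa.group(1), asa.group(2)
            acls.setdefault(current, [])
        entry = re.match(r"(permit|deny) ip (.*)$", line)
        if entry is None or current is None:
            continue
        tokens = entry.group(2).split()
        src = _endpoint(tokens, mask_style)
        dst = _endpoint(tokens, mask_style)
        acls[current].append((entry.group(1), src, dst))
    return acls


def _covers(entry_src, entry_dst, src, dst):
    return src.subnet_of(entry_src) and dst.subnet_of(entry_dst)


def check_nat_exemption(crypto_acl, nat_acl, exempt_action):
    """Return crypto-ACL (src, dst) pairs that the NAT ACL would still translate.

    exempt_action is the action meaning 'do not translate': 'deny' for IOS
    'ip nat inside source list ...', 'permit' for PIX/ASA 'nat (inside) 0 access-list ...'.
    First match wins; an ACL ends with an implicit deny when nothing matches.
    """
    leaks = []
    for action, src, dst in crypto_acl:
        if action != "permit":
            continue
        effective = "deny"
        for nat_action, nsrc, ndst in nat_acl:
            if _covers(nsrc, ndst, src, dst):
                effective = nat_action
                break
        if effective != exempt_action:
            leaks.append((str(src), str(dst)))
    return leaks


def unmatched_exemptions(crypto_acl, nat_acl, exempt_action):
    """Exemption entries that match no crypto-ACL pair: the usual footprint of a typo."""
    pairs = [(s, d) for a, s, d in crypto_acl if a == "permit"]
    return [(str(s), str(d)) for a, s, d in nat_acl
            if a == exempt_action and not any(_covers(s, d, ps, pd) for ps, pd in pairs)]


def main():
    ios = parse_acls(IOS_SAMPLE, "wildcard")
    print("spoke leaks:", check_nat_exemption(ios["myacl"], ios["fornat"], "deny"))
    print("spoke stray exemptions:", unmatched_exemptions(ios["myacl"], ios["fornat"], "deny"))
    asa = parse_acls(ASA_SAMPLE, "mask")
    hub_crypto = asa["ipsec-ufa"] + asa["ipsec-novosib"]
    print("hub leaks:", check_nat_exemption(hub_crypto, asa["nonat"], "permit"))


if __name__ == "__main__":
    main()
```

Run against the posted spoke config it reports the 192.168.201.0/24 to 192.168.202.0/24 pair as still translated and flags the 102.168.201.0/24 entry as matching nothing; with the typo corrected both lists are empty, and the hub's nonat list already covers all four crypto pairs. The same check is worth repeating whenever a new spoke pair is added, because every spoke-to-spoke pair needs a matching entry in the crypto ACL, the NAT exemption and the routing table on each device.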