URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Forum: vsluhforumID6
Thread number: 22256

Original message
"Cisco ASA IPsec"

Posted by pevman, 18-Feb-11 17:43
Good day.
I need to connect a SOHO office to the internal network of the central office.
I am doing it according to the documentation at http://www.cisco.com/en/US/products/ps6120/products_configur...
The central office configuration is hidden. The central office gave me a key, an external IP and an encryption algorithm.
The SOHO side has a Cisco ASA 5505 running 8.4(1) with 3DES.
The tunnel comes up...
show crypto isakmp sa and show crypto ipsec sa say the tunnel is up.
debug crypto isakmp 7 and debug crypto ipsec sa 7 show the same information while the tunnel comes up as the documentation does.
But from the SOHO internal network, packets only get as far as the internal address of the router in the central office.
192.168.0.0/24 - internal network of the central office
192.168.20.0/25 - internal network of the SOHO office
192.168.0.1 - internal IP address of the router in the central office
192.168.0.2 - PC on the central office internal network
192.168.20.3 - PC on the SOHO office internal network

Output of debug icmp trace
ping 192.168.0.1
ICMP echo request from inside:192.168.20.3 to outside:192.168.0.1 ID=1 seq=1627 len=32
ICMP echo reply from outside:192.168.0.1 to inside:192.168.20.3 ID=1 seq=1627 len=32
ICMP echo request from inside:192.168.20.3 to outside:192.168.0.1 ID=1 seq=1628 len=32
ICMP echo reply from outside:192.168.0.1 to inside:192.168.20.3 ID=1 seq=1628 len=32

ping 192.168.0.2
ICMP echo request from inside:192.168.20.3 to outside:192.168.0.2 ID=1 seq=1631 len=32
ICMP echo request from inside:192.168.20.3 to outside:192.168.0.2 ID=1 seq=1632 len=32
ICMP echo request from inside:192.168.20.3 to outside:192.168.0.2 ID=1 seq=1633 len=32
ICMP echo request from inside:192.168.20.3 to outside:192.168.0.2 ID=1 seq=1634 len=32

Please help me localize the error and understand what is wrong.
Configuration.

hostname ciscoasa
domain-name soho.ru
enable password <password> encrypted
passwd <password> encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.128
!
interface Vlan2
nameif outside
security-level 0
ip address <soho_external_ip> 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone YEKST 3
clock summer-time YEKDT recurring last Sun Mar 2:00 last Sun Oct 3:00
access-list inside_access_in extended permit ip any any
access-list cryptomap_10 extended permit ip 192.168.20.0 255.255.255.128 192.168.0.0 255.255.255.0 log
access-list nonat extended permit ip 192.168.20.0 255.255.255.128 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging monitor errors
logging buffered errors
logging trap notifications
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside control-plane
route outside 0.0.0.0 0.0.0.0 <soho_external_ip> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
aaa local authentication attempts max-fail 3
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set soho2center esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address cryptomap_10
crypto map outside_map 20 set peer <central_office_ip>
crypto map outside_map 20 set transform-set soho2center
crypto map outside_map 20 set reverse-route
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
ssh 192.168.20.0 255.255.255.128 inside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username <username> password <password> encrypted privilege 15
tunnel-group <central_office_ip> type ipsec-l2l
tunnel-group <central_office_ip> ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect esmtp
  inspect dns preset_dns_map
  inspect sqlnet
  inspect tftp
  inspect xdmcp
  inspect snmp
  inspect netbios
  inspect icmp
!
service-policy global_policy global
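
An added example (editor's code, not from the post or from Cisco) that does mechanically what the debug icmp trace in the post is read for by eye: it pairs each ICMP echo request in the trace with the reply carrying the same ICMP ID and sequence number in the reverse direction, and reports destinations that requests reached but that never answered. The sample input is the trace from the post embedded as a constant; the function names are the example's own.

```python
"""Correlate echo requests with replies in Cisco ASA 'debug icmp trace' output.

Added example for this thread; not code from the post or from Cisco.
The ASA prints one line per ICMP packet it forwards, so a request with no
matching reply means the packet left this box and nothing came back.
"""
import re
from collections import defaultdict

# Matches 'ICMP echo request from inside:A to outside:B ID=1 seq=7 len=32'
# and the corresponding 'ICMP echo reply from outside:B to inside:A ...'.
LINE_RE = re.compile(
    r"ICMP echo (?P<kind>request|reply) from "
    r"(?P<src_if>\w+):(?P<src>[\d.]+) to (?P<dst_if>\w+):(?P<dst>[\d.]+) "
    r"ID=(?P<id>\d+) seq=(?P<seq>\d+) len=(?P<len>\d+)"
)

# Sample input: the debug icmp trace lines from the post, embedded verbatim.
SAMPLE_TRACE = """\
ICMP echo request from inside:192.168.20.3 to outside:192.168.0.1 ID=1 seq=1627 len=32
ICMP echo reply from outside:192.168.0.1 to inside:192.168.20.3 ID=1 seq=1627 len=32
ICMP echo request from inside:192.168.20.3 to outside:192.168.0.1 ID=1 seq=1628 len=32
ICMP echo reply from outside:192.168.0.1 to inside:192.168.20.3 ID=1 seq=1628 len=32
ICMP echo request from inside:192.168.20.3 to outside:192.168.0.2 ID=1 seq=1631 len=32
ICMP echo request from inside:192.168.20.3 to outside:192.168.0.2 ID=1 seq=1632 len=32
ICMP echo request from inside:192.168.20.3 to outside:192.168.0.2 ID=1 seq=1633 len=32
ICMP echo request from inside:192.168.20.3 to outside:192.168.0.2 ID=1 seq=1634 len=32
"""


def parse_trace(text):
    """Yield one dict per recognised trace line; other debug lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def correlate(text):
    """Return {(src, dst): {"sent": n, "answered": n, "lost_seq": [seq, ...]}}.

    A reply is matched to the request with the same ICMP ID and sequence
    number whose endpoints are the reverse of the reply's own.
    """
    pending = {}  # (src, dst, id, seq) of requests still waiting for a reply
    stats = defaultdict(lambda: {"sent": 0, "answered": 0, "lost_seq": []})
    for rec in parse_trace(text):
        if rec["kind"] == "request":
            pending[(rec["src"], rec["dst"], rec["id"], rec["seq"])] = True
            stats[(rec["src"], rec["dst"])]["sent"] += 1
        else:
            # the reply's src/dst are the original request's dst/src
            key = (rec["dst"], rec["src"], rec["id"], rec["seq"])
            if pending.pop(key, None):
                stats[(rec["dst"], rec["src"])]["answered"] += 1
            # a reply with no recorded request is ignored
    for (src, dst, _id, seq) in pending:
        stats[(src, dst)]["lost_seq"].append(int(seq))
    return dict(stats)


def unanswered_destinations(text):
    """Destinations that received at least one request and never replied."""
    return sorted(dst for (_src, dst), s in correlate(text).items()
                  if s["sent"] and s["answered"] == 0)


if __name__ == "__main__":
    for (src, dst), s in correlate(SAMPLE_TRACE).items():
        print(f"{src} -> {dst}: sent={s['sent']} answered={s['answered']} "
              f"lost_seq={s['lost_seq']}")
    print("no reply at all from:", unanswered_destinations(SAMPLE_TRACE))
```

Run stand-alone it reports 192.168.0.1 as answered 2 of 2 and 192.168.0.2 as answered 0 of 4 with sequence numbers 1631 to 1634 outstanding. A request the ASA logs as leaving inside for outside with no reply only tells you this box forwarded it; to see whether it actually went into the tunnel, watch the #pkts encaps and #pkts decaps counters in show crypto ipsec sa while pinging: encaps rising with decaps flat points at the far side (nothing is being returned), both rising while the host still sees no reply points at the local ASA or the SOHO LAN.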


  


"Cisco ASA IPsec"
Posted by pevman, 21-Feb-11 08:25
ciscoasa# packet-tracer input inside icmp 192.168.20.4 0 0 192.168.0.104 de$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcabe73a8, priority=0, domain=inspect-ip-options, deny=true
        hits=44957, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 3
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb5ce658, priority=70, domain=inspect-icmp, deny=false
        hits=154, user_data=0xcb5ce450, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb5cfe60, priority=70, domain=inspect-icmp-error, deny=false
        hits=154, user_data=0xcb5cfc58, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 5
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb824a60, priority=13, domain=debug-icmp-trace, deny=false
        hits=131, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static prm_net prm_net destination static njc_net njc_net
Additional Information:
Static translate 192.168.20.4/0 to 192.168.20.4/0
Forward Flow based lookup yields rule:
in  id=0xcb407b00, priority=6, domain=nat, deny=false
        hits=70, user_data=0xcb408860, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=192.168.20.0, mask=255.255.255.128, port=0
        dst ip/id=192.168.0.0, mask=255.255.255.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcac56cd8, priority=0, domain=host-limit, deny=false
        hits=45116, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcb527ae8, priority=70, domain=encrypt, deny=false
        hits=8, user_data=0x98bd4, cs_id=0xcb2d9548, reverse, flags=0x0, protocol=0
        src ip/id=192.168.20.0, mask=255.255.255.128, port=0
        dst ip/id=192.168.0.0, mask=255.255.255.0, port=0, dscp=0x0
        input_ifc=any, output_ifc=outside

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 45487, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_dbg_icmp
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
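
An added example (editor's code, not from the post or from Cisco) that reduces a packet-tracer transcript like the one above to the facts worth reading first: the ordered phases with their results, the NAT rule that matched, whether a VPN/encrypt phase passed, and, when the packet is dropped, which phase dropped it and the Drop-reason. Two inputs are embedded: a condensed copy of the ALLOW trace from the reply (phases 1, 6 and 8, summary block shortened) and a constructed DROP trace showing the shape of the output when an interface ACL denies the packet; the deny rule in that sample is invented for the illustration, while the "(acl-drop) Flow is denied by configured rule" text is the ASA's standard wording for that case.

```python
"""Summarise Cisco ASA 'packet-tracer' output: phases, NAT rule, encrypt, drop.

Added example for this thread; not code from the post or from Cisco. Each
'Phase:' block is one processing module; a bare 'Result:' opens the final
summary carrying 'Action:' and, on a drop, 'Drop-reason:'.
"""
import re

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
FIELD_RE = re.compile(r"^(Type|Subtype|Result):\s*(.*)$")
ACTION_RE = re.compile(r"^Action:\s*(\w+)")
DROP_RE = re.compile(r"^Drop-reason:\s*(.*)$")

# Condensed copy of the ALLOW trace from the reply above.
SAMPLE_ALLOW = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static prm_net prm_net destination static njc_net njc_net
Additional Information:
Static translate 192.168.20.4/0 to 192.168.20.4/0

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: allow
"""

# Constructed DROP trace: an interface ACL denying the packet (rule invented).
SAMPLE_DROP = """\
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended deny ip any 192.168.0.0 255.255.255.0
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Return (phases, action, drop_reason); each phase is a dict with
    number, type, subtype, result, config (lines) and info (lines)."""
    phases, action, drop_reason, cur, section = [], None, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := PHASE_RE.match(line)):
            cur = {"number": int(m.group(1)), "type": "", "subtype": "",
                   "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":      # bare 'Result:' starts the summary block
            cur = None
        elif (m := ACTION_RE.match(line)):
            action = m.group(1)
        elif (m := DROP_RE.match(line)):
            drop_reason = m.group(1)
        elif cur is None:            # summary lines such as input-interface:
            continue
        elif (m := FIELD_RE.match(line)):
            cur[m.group(1).lower()] = m.group(2).strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section and line:
            cur[section].append(line)
    return phases, action, drop_reason


def summarize(text):
    """Reduce a trace to the facts worth reading first."""
    phases, action, drop_reason = parse_packet_tracer(text)
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    return {
        "action": action,
        "phases": [(p["type"], p["subtype"], p["result"]) for p in phases],
        # ALLOW in a VPN/encrypt phase means this ASA put the packet in the tunnel
        "encrypted": any(p["type"] == "VPN" and p["subtype"] == "encrypt"
                         and p["result"] == "ALLOW" for p in phases),
        "nat_rule": next((c for p in phases if p["type"] == "NAT"
                          for c in p["config"] if c.startswith("nat ")), None),
        "drop_phase": None if drop is None else (drop["number"], drop["type"]),
        "drop_reason": drop_reason,
    }
```

Applied to the posted trace every phase is ALLOW and Phase 8 (VPN/encrypt) matched the crypto map for 192.168.20.0/25 to 192.168.0.0/24, so this ASA encrypted the packet toward the peer; whatever stops traffic to hosts behind 192.168.0.1 is past this box (the peer's return route for 192.168.20.0/25, a crypto ACL on the peer that does not mirror the SOHO one, or a host firewall on the target), and the trace alone cannot tell which. Note also that the NAT phase shows the 8.3+ twice-NAT identity rule (nat (inside,outside) source static ... destination static ...), which is the form the pre-8.3 "nat (inside) 0 access-list nonat" exemption from the first post takes on 8.4(1).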