URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Форум: vsluhforumID6
Нить номер: 23808

Исходное сообщение
"cisco 5505 ASA Version 8.4(3) site to site vpn"

Отправлено pvvking , 23-Май-12 09:16 
Есть 2 cisco 5505 ASA v.8.4(3), нужно понять VPN. Схема такая:

192.168.10.201 <-->192.168.10.1  192.168.1.2<--типа инет-->192.168.2.2  192.168.20.1<-->192.168.20.201
                                     |        cisco A             |                                 |        cisco B        |

c cisco A
ping 192.168.2.2 есть
ping 192.168.20.1 нет
ping 192.168.20.201 нет
c cisco B
ping 192.168.1.2 есть
ping 192.168.10.1 нет
ping 192.168.0.201 нет

Что может быть не так?
Конфиг одной из них (cisco A):

ciscoA(config)# show ru
: Saved
:
! Running configuration of "cisco A" (hostname ural): inside = 192.168.10.1/24,
! outside = 192.168.1.2/24, default route via 192.168.1.1, IPsec peer 192.168.2.2.
ASA Version 8.4(3)
!
hostname ural
enable password 8RXXXXXXXXXXXXXXX4 encrypted
passwd 2XXXXXXXXXXXXXXXXU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
!
boot system disk0:/asa843-k8.bin
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network GW
host 192.168.1.1
! NONATACL names the inside -> remote-LAN traffic that should bypass NAT, but no
! "nat" statement anywhere in this config references it (or anything else), so the
! ACL by itself has no effect. On 8.3+ NAT exemption is an identity twice-NAT rule
! between the two subnets, not "nat 0 access-list".
access-list NONATACL extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
! VPNACL = "interesting traffic" for the tunnel; referenced by crypto map SMAP 10 below.
access-list VPNACL extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! IKEv1 transform sets. DES, 3DES and MD5 variants are offered alongside the AES/SHA
! ones; only TSET (3DES/MD5) is actually referenced by a crypto map entry below.
! NOTE(review): once the tunnel is up, prefer an AES/SHA set and drop the DES ones.
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set TSET esp-3des esp-md5-hmac
! outside_map entry 1: has a peer and transform sets but no "match address", and
! outside_map is never bound to an interface, so this entry is inert (leftover).
crypto map outside_map 1 set peer 192.168.2.2
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
! SMAP 10 is the only complete entry: interesting traffic (VPNACL) + peer + transform set.
crypto map SMAP 10 match address VPNACL
crypto map SMAP 10 set peer 192.168.2.2
crypto map SMAP 10 set ikev1 transform-set TSET
! SMAP 20 carries only "set pfs" - no match address and no peer, so it is an
! incomplete entry; presumably pfs was meant for sequence 10 (and then the peer
! must enable PFS with the same group, otherwise phase 2 fails).
crypto map SMAP 20 set pfs
! Only one crypto map can be bound to an interface, and the one bound here is
! TEST, which has no entries in this config. SMAP is therefore never consulted,
! nothing ever triggers IKE, and the pings to 192.168.20.x above fail as a result.
! Expected: "crypto map SMAP interface outside" (and "no crypto map TEST interface outside").
! Also note: pings run from the ASA CLI are self-originated and generally do not
! match VPNACL unless explicitly sourced from inside (management-access); test the
! tunnel from a host behind inside such as 192.168.10.201 instead.
crypto map TEST interface outside
crypto ikev1 enable outside
! IKEv1 phase-1 policies 10..150, a default-style catalogue including DES/3DES/MD5 and
! "crack" authentication; the peer must share at least one. With PSK, policy 10
! (3des/md5/group 2) pairs with TSET. Policies 130-150 (DES) are weak and unneeded.
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
! SSH management is allowed from ANY source on the outside interface (0.0.0.0/0).
! Restrict this to the management hosts / peer addresses that actually need it.
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0

dhcpd auto_config outside
!
!
tls-proxy maximum-session 24
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
! L2L tunnel-group keyed by the peer address 192.168.2.2; the pre-shared key is
! masked by "show run" and must be identical on cisco B.
group-policy GroupPolicy_192.168.2.2 internal
group-policy GroupPolicy_192.168.2.2 attributes
vpn-tunnel-protocol ikev1
tunnel-group 192.168.2.2 type ipsec-l2l
tunnel-group 192.168.2.2 general-attributes
default-group-policy GroupPolicy_192.168.2.2
tunnel-group 192.168.2.2 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f7f7806933230a41918a3deadd132263
: end



Сообщения в этом обсуждении
"cisco 5505 ASA Version 8.4(3) site to site vpn"
Отправлено Huaweiboy , 23-Май-12 12:05 
> Есть 2 cisco 5505 ASA v.8.4(3) нужно понять vpn схема такая
> 192.168.10.201 <-->192.168.10.1  192.168.1.2<--типа инет-->192.168.2.2  192.168.20.1<-->192.168.20.201
>            
>            
>            

А где у тебя тут настройки NAT, чтобы он не натил трафик из диапазона IP, который заворачивается в туннель? У тебя, я так понял, это NONATACL. Чёрт его знает, может, в этом дело. У меня тоже ASA 5505. Конфиг для NAT такой:


/описание объектов - подсетей головного филиала
! Reply author's own ASA 5505: head-office subnets as network objects. Note the
! addressing differs from the thread's setup (192.168.10.0/24 <-> 192.168.20.0/24);
! the pattern, not the values, is what applies to cisco A.
object network 172.16.0.0-16
subnet 172.16.0.0 255.255.0.0
object network 172.17.0.0-16
subnet 172.17.0.0 255.255.0.0
object network 192.168.2.0-24
subnet 192.168.2.0 255.255.255.0
object network 192.168.3.0-24
subnet 192.168.3.0 255.255.255.0
object network 192.168.32.0-23
subnet 192.168.32.0 255.255.254.0
object network 192.168.1.0-24
subnet 192.168.1.0 255.255.255.0

/помещение всех объектов в один родительский
! One object-group for all remote subnets so a single NAT rule covers them.
object-group network GO-nets
network-object object 192.168.2.0-24
network-object object 192.168.3.0-24
network-object object 172.16.0.0-16
network-object object 172.17.0.0-16
network-object object 192.168.32.0-23
network-object object 192.168.1.0-24


! Local LAN behind "inside".
object network inside-net
subnet 192.168.222.0 255.255.255.240

! Identity twice-NAT (8.3+ replacement for "nat 0 access-list"): inside-net stays
! inside-net when the destination is any GO-nets subnet, so tunnel traffic keeps its
! real addresses and matches the crypto ACL. For cisco A the equivalent rule needs
! objects for 192.168.10.0/24 and 192.168.20.0/24, i.e. the same pair VPNACL permits.
nat (inside,outside) source static inside-net inside-net destination static GO-nets GO-nets description NoNAT