День добрый всем, Сломал голову...
Схема:
.... --- 2811 --- inside ASA outside ---- Inet------ 1841 --- branch
Между ASA и бранчевым 1841 IPSEC поверх которого лежит GRE и OSPF. В сторону от бранча все ОК - хелло на бранче попадают в туннель и далее по туннелю до АСЫ и 2811, где появляется OSPF neighbor соотв. бранча в состоянии INIT. А вот в обратку проблема - хелло попадает в GRE (192.168.37.5 --- 192.168.37.249), пакеты доходят до АСА (капчуром их вижу). Далее в логах сообщение "No route to 192.168.37.249 ...." (хотя прописана статика!!! вторая точка с 2811 тоже есть в табл. маршрутизации) и 0 в счетчиках ipsec encaps
Конфиг:
ASA Version 7.2(1)
!
hostname asa-gogol
domain-name hahaha.ru
! NOTE(review): the "encrypted" credential strings in this listing were posted publicly;
! treat them as exposed and rotate the enable and login passwords.
enable password Q83ANgfjCMHDKkGf encrypted
names
!
! outside: 95.61.165.158/30 — the only other host on this link is 95.61.165.157,
! which is the next hop of the default route below.
interface Ethernet0/0
nameif outside
security-level 0
ip address 95.61.165.158 255.255.255.252
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
! inside is a subinterface (vlan 30); 192.168.24.0/24 is also the only network
! advertised into OSPF by this ASA (see router ospf 1 below).
interface Ethernet0/1.30
vlan 30
nameif inside
security-level 100
ip address 192.168.24.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 17.6.236.129 255.255.255.240
!
interface Management0/0
nameif management
security-level 100
no ip address
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa721-k8.bin
ftp mode passive
clock timezone RU 4
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.3.2
domain-name hahaha.ru
same-security-traffic permit intra-interface
object-group service INET_SERV tcp
port-object eq https
port-object eq www
port-object eq smtp
port-object eq ftp
object-group network HTTP_PROXY_NETS
access-list nat *******
access-list SPLIT *******
access-list NO_NAT *******
! NAT exemption (nat 0) for the GRE tunnel endpoints. The same host is also
! identity-translated by "static (inside,outside) 192.168.37.5 192.168.37.5" below,
! so the exemption and the static overlap for this flow.
access-list NO_NAT extended permit gre host 192.168.37.5 host 192.168.37.249 log
! OUTSIDE_IN admits ESP/ISAKMP from 17.70.213.107 and 182.200.63.138 only; the
! branch peer 87.117.38.179 used by crypto map entry 60000 is not listed here.
! IKE/ESP terminated on the ASA itself is to-the-box traffic and is not filtered
! by the interface ACL, so this is informational — confirm which peers these
! entries are meant for.
access-list OUTSIDE_IN extended permit esp host 17.70.213.107 any
access-list OUTSIDE_IN extended permit udp host 17.70.213.107 any eq isakmp
access-list OUTSIDE_IN extended permit esp host 182.200.63.138 any
access-list OUTSIDE_IN extended permit udp host 182.200.63.138 any eq isakmp
! Crypto ACL for the branch tunnel: only GRE between the two tunnel endpoints is
! protected; per the problem description OSPF rides inside that GRE.
access-list tunnel_rostov extended permit gre host 192.168.37.5 host 192.168.37.249 log
pager lines 24
logging enable
logging timestamp
logging buffer-size 800000
logging monitor debugging
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool VPN_POOL 192.168.29.2-192.168.29.254 mask 255.255.255.0
icmp permit any traceroute outside
icmp permit any echo outside
icmp permit any inside
icmp permit any dmz
icmp permit any traceroute dmz
icmp permit any echo dmz
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list NO_NAT
nat (inside) 1 access-list nat
static (dmz,outside) 17.6.236.130 217.106.236.130 netmask 255.255.255.255
static (inside,dmz) 192.168.21.0 192.168.21.0 netmask 255.255.255.0
static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (inside,outside) 192.168.35.254 192.168.35.254 netmask 255.255.255.255
static (inside,outside) 192.168.37.254 192.168.37.254 netmask 255.255.255.255
! Identity NAT for the local GRE endpoint (the 2811's Loopback61) toward outside.
static (inside,outside) 192.168.37.5 192.168.37.5 netmask 255.255.255.255
access-group OUTSIDE_IN in interface outside
! DMZ_IN is referenced here but its entries are not in this listing.
access-group DMZ_IN in interface dmz
!
!
route outside 0.0.0.0 0.0.0.0 95.61.165.157 1
! NOTE(review): next hop 195.161.165.157 is not on the outside subnet
! 95.61.165.158/30, while the default route above uses 95.61.165.157 — this looks
! like a typo (195 vs 95). A host route whose next hop is unreachable would
! explain the "No route to 192.168.37.249" log and the zero ipsec encaps counters:
! the packet is dropped before it ever reaches the crypto map. Verify with
! "show route" and correct the next hop.
route outside 192.168.37.249 255.255.255.255 195.161.165.157 10
!
router ospf 1
network 192.168.24.0 255.255.255.0 area 0
log-adj-changes
! Static routes (including the 192.168.37.249/32 host route above) are
! redistributed toward the 2811, which also carries its own static for that host.
redistribute static metric 30 subnets
default-information originate metric 20
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
crypto ipsec transform-set CISCO_VPN esp-aes-256 esp-sha-hmac
crypto ipsec transform-set taganka esp-3des esp-sha-hmac
crypto ipsec transform-set branch esp-3des esp-sha-hmac
crypto dynamic-map cisco_vpn 10 set transform-set CISCO_VPN
crypto dynamic-map cisco_vpn 10 set reverse-route
! L2L entry for the branch peer. "answer-only" means this ASA only responds to
! IKE from 87.117.38.179 and never initiates; the branch must bring the tunnel up.
! Note the dynamic map cisco_vpn is defined above but not attached to OUTSIDE_MAP
! in this listing.
crypto map OUTSIDE_MAP 60000 match address tunnel_rostov
crypto map OUTSIDE_MAP 60000 set connection-type answer-only
crypto map OUTSIDE_MAP 60000 set peer 87.117.38.179
crypto map OUTSIDE_MAP 60000 set transform-set branch
crypto map OUTSIDE_MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
! Policy 20 (3des/sha/group 2) matches the "branch" transform-set used for the L2L peer.
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 30 retry 5
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 30 retry 5
tunnel-group 87.117.38.179 type ipsec-l2l
tunnel-group 87.117.38.179 ipsec-attributes
pre-shared-key *
!
service-policy global_policy global
ntp server 192.168.3.2
ntp server 192.168.24.2
prompt hostname context
Cryptochecksum:8089d75f3e2a7d46e74ee692e919cf8d
: end
Конфиг роутера 2811:
sho run
Building configuration...
Current configuration : 10363 bytes
!
! Last configuration change at 09:18:30 RU Tue Nov 20 2007 by @@@
! NVRAM config last updated at 18:11:00 RU Tue Nov 20 2007
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 2811_нана
!
boot-start-marker
boot-end-marker
!
logging buffered 5000000 debugging
enable secret 5 $1$LJb2$6rqemr2oyvYCa2z3qeQNs/
! NOTE(review): "enable password 7" is a reversible encoding, not a hash, and is
! ignored for enable when "enable secret" is also set. The same type-7 string is
! reused on "line vty 0 4" below, so the vty login password is effectively
! published with this listing — remove the enable password line and rotate the
! affected credentials.
enable password 7 104F135A41040A
!
no aaa new-model
!
monitor session 1 source interface Fa0/0/1
monitor session 1 destination interface Fa0/0/2
!
resource policy
!
clock timezone RU 4
no ip subnet-zero
!
!
ip cef
!
!
ip domain name haha.ru
ip ssh version 2
!
!
!
!
username ****** privilege 15 secret 5 $1$nC6p$DMmMrfMLI4pb7cv96nyTJ/
!
!
class-map match-all best-effort
match dscp default cs1 af11 af21
! "rael-time" looks like a misspelling of "real-time"; it is not referenced by
! either policy-map below.
class-map match-all rael-time
match dscp af41 ef
class-map match-all real-time
match dscp cs4 af41 cs5 ef
class-map match-all mission-critical
match dscp cs2 cs3 25 af31 cs6
!
!
policy-map to_****
class real-time
priority percent 50
class mission-critical
bandwidth remaining percent 50
class class-default
fair-queue
random-detect
policy-map to_mpls
class real-time
priority percent 50
class mission-critical
bandwidth percent 20
random-detect
!
!
!
!
!
!
interface Tunnel61
ip address 61.61.61.1 255.255.255.0
tunnel source 192.168.21.1
tunnel destination ****
!
interface Tunnel66
no ip address
ip helper-address 192.168.3.2
!
! GRE tunnel to the branch: source Loopback61 (192.168.37.5), destination
! 192.168.37.249 — the same endpoint pair the ASA's crypto ACL and NAT exemption
! match on. qos pre-classify lets the policy-maps classify on the inner header.
interface Tunnel611
bandwidth 1000
ip address 61.61.161.1 255.255.255.0
ip helper-address 192.168.3.*
ip helper-address 192.168.3.*
ip helper-address 192.168.0.*
ip flow ingress
ip flow egress
qos pre-classify
tunnel source Loopback61
tunnel destination 192.168.37.249
!
! Local GRE endpoint; 192.168.37.5/30 covers .4–.7.
interface Loopback61
ip address 192.168.37.5 255.255.255.252
!
interface FastEthernet0/0
description "MPLS cloude"
bandwidth 10000
ip address 10.*.0.2 255.255.255.252
ip flow ingress
ip flow egress
! access-group 700 is referenced here but not present in this listing.
rate-limit input access-group 700 10000000 5000 5000 conform-action transmit exceed-action drop
load-interval 30
duplex auto
speed auto
no cdp enable
service-policy output to_mpls
!
!
interface FastEthernet0/1
ip address 192.168.*.2 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
duplex full
speed 100
no mop enabled
!
interface FastEthernet0/0/1
switchport trunk native vlan 99
switchport trunk allowed vlan 1,30,1002-1005
switchport mode trunk
!
!
! Vlan30 (192.168.24.2/24) faces the ASA inside interface 192.168.24.1.
interface Vlan30
ip address 192.168.24.2 255.255.255.0
ip helper-address 192.168.3.2
ip helper-address 192.168.0.52
ip helper-address 192.168.3.4
ip flow ingress
ip flow egress
load-interval 30
!
router ospf 1
log-adjacency-changes
area 0 range 192.168.0.0 255.255.240.0
area 0 range 192.168.16.0 255.255.248.0
area 54 stub
area 55 stub
area 61 stub
area 78 stub
redistribute static subnets
network 54.54.0.0 0.0.0.255 area 54
network 61.61.61.0 0.0.0.255 area 61
network 61.61.161.0 0.0.0.255 area 61
! NOTE(review): 192.168.37.248/30 covers .248–.251, which is the remote tunnel
! endpoint's side; it does not cover Loopback61 (192.168.37.4/30), and no local
! interface in this listing falls in that range — confirm this statement is intended.
network 192.168.37.248 0.0.0.3 area 61
network 192.168.37.254 0.0.0.0 area 55
network 192.168.0.0 0.0.255.255 area 0
default-information originate
!
! ip default-gateway is only consulted when IP routing is disabled; with "ip cef"
! and routing active it is presumably inert here — confirm.
ip default-gateway 192.168.23.1
ip classless
! Host route for the remote GRE endpoint points at the ASA inside address,
! so GRE toward the branch is handed to the ASA for IPsec encapsulation.
ip route 192.168.37.249 255.255.255.255 192.168.24.1
!
no ip http server
no ip http secure-server
!
!
control-plane
!
!
alias exec r show run
!
line con 0
login local
line aux 0
! access-class 100 is referenced here but ACL 100 is not present in this listing.
! telnet is still accepted alongside ssh (plaintext management); "ip ssh version 2"
! is already configured, so "transport input ssh" would suffice.
line vty 0 4
access-class 100 in
password 7 104F135A41040A
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end