Colleagues, please help me set up a site-to-site IPsec tunnel between two Cisco ASA 5505s.
The topology is: 10.10.10.0/24---(ASA1)---86.110....((Internet))---213.243....---(ASA2)---10.10.8.0/24
I brought the tunnel itself up quickly with the wizard in ASDM on both sides, with identical parameters. In Monitoring > VPN the session gets established, and if it is torn down (logout) it immediately comes back up.
The problem is that no traffic flows from the 10.10.10.0/24 network to 10.10.8.0/24. I run packet-tracer input LAN tcp 10.10.10.1 80 10.10.8.1 80 detailed
At phase 12 there is a constant DROP complaining about an implicit rule; no matter what I do, it doesn't get through. I have tried various ACLs.
Help me find where I'm tripping up.
Result of the command: "packet-tracer input LAN tcp 10.10.10.1 80 10.10.8.1 80 detailed"
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 WAN
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in LAN 255.255.255.0 LAN
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group LAN_access_in in interface LAN
access-list LAN_access_in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xdd37a290, priority=12, domain=permit, deny=false
hits=83387, user_data=0xd64ef650, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd8280ca0, priority=0, domain=inspect-ip-options, deny=true
hits=48901580, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map global-class
match default-inspection-traffic
policy-map global-policy
class global-class
inspect http
service-policy global-policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd83b1588, priority=70, domain=inspect-http, deny=false
hits=31887, user_data=0xd8321850, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map global-class
match default-inspection-traffic
policy-map global-policy
class global-class
inspect waas
service-policy global-policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd9fd7598, priority=70, domain=inspect-waas, deny=false
hits=81089, user_data=0xd82d1e50, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0,
dst ip=0.0.0.0, mask=0.0.0.0,
sport range<0> : 1-65535
Phase: 8
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
match ip LAN LAN 255.255.255.0 WAN NIK 255.255.255.0
NAT exempt
translate_hits = 48987, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd9d32f00, priority=6, domain=nat-exempt, deny=false
hits=48987, user_data=0xdd02f2d0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=LAN, mask=255.255.255.0, port=0
dst ip=NIK, mask=255.255.255.0, port=0, dscp=0x0
Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN) 0 0.0.0.0 0.0.0.0
nat-control
match ip LAN any WAN any
no translation group, implicit deny
policy_hits = 20864
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd82953f0, priority=0, domain=nat, deny=false
hits=21095, user_data=0xdb447c18, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (LAN) 0 0.0.0.0 0.0.0.0
nat-control
match ip LAN any WAN any
no translation group, implicit deny
policy_hits = 20864
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd82dcdd8, priority=0, domain=host, deny=false
hits=296, user_data=0xdb447c18, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xdcfa7958, priority=70, domain=encrypt, deny=false
hits=267, user_data=0xa2882c, cs_id=0xdc3f7070, reverse, flags=0x0, protocol=0
src ip=LAN, mask=255.255.255.0, port=0
dst ip=NIK, mask=255.255.255.0, port=0, dscp=0x0
Phase: 12
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd8404310, priority=11, domain=permit, deny=true
hits=385465, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: LAN
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Here is the ASA config at one end:
: Saved
:
ASA Version 8.2(2)
!
hostname asacher
domain-name alfa.fake
enable password ------- encrypted
passwd ------- encrypted
names
..............
dns-guard
!
interface Vlan1
shutdown
nameif M9
security-level 0
ip address .............
!
interface Vlan2
nameif WAN
security-level 0
ip address ...............
ospf cost 10
!
interface Vlan22
nameif LAN
security-level 100
ip address 10.10.10.10 255.255.255.0
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 32
!
interface Ethernet0/3
switchport access vlan 42
!
interface Ethernet0/4
switchport access vlan 42
!
interface Ethernet0/5
switchport access vlan 22
!
interface Ethernet0/6
switchport access vlan 22
!
interface Ethernet0/7
switchport access vlan 22
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone MSK/MSD 3
clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup LAN
dns server-group DefaultDNS
name-server gegel
name-server diogen
name-server sokrat
domain-name alfa.fake
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Internet_full_access
description Internet full access
network-object host atom
.................
object-group service WAN_TCP_Incoming tcp
port-object range 6129 6129
port-object eq domain
port-object eq www
port-object eq imap4
port-object eq pop3
port-object eq ssh
port-object eq smtp
port-object eq https
port-object eq pptp
port-object eq 5900
port-object eq 5901
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list WAN_1_cryptomap_1 extended permit ip LAN 255.255.255.0 NIK 255.255.255.0
access-list WAN_access_out extended permit ip interface WAN any
access-list WAN_access_out extended permit ip host ............. any
access-list WAN_access_out extended permit ip host ............. any
access-list WAN_access_in extended permit tcp any any object-group WAN_TCP_Incoming log alerts
access-list WAN_access_in extended permit icmp any any echo-reply
access-list WAN_cryptomap_1 extended permit icmp LAN 255.255.255.0 NIK 255.255.255.0
access-list LAN_nat_static extended permit tcp host gegel eq 6129 any
access-list LAN_nat_outbound extended permit ip object-group Internet_full_access any
access-list LAN_nat_static_1 extended permit tcp host sokrat eq smtp any
access-list LAN_nat0_outbound extended permit ip LAN 255.255.255.0 NIK 255.255.255.0
access-list WAN_cryptomap_2 extended permit tcp LAN 255.255.255.0 NIK 255.255.255.0
access-list LAN_nat_static_8 extended permit tcp host sokrat eq https any
access-list LAN_nat_static_4 extended permit tcp host muhanov eq 6130 any
access-list LAN_nat_static_3 extended permit tcp host muhanov eq 6129 any
access-list LAN_nat_static_5 extended permit tcp host muhanov eq 6129 any
access-list LAN_nat_static_6 extended permit tcp host sokrat eq https any
access-list WAN_nat_static extended permit tcp host sokrat eq https any
access-list LAN_nat_static_2 extended permit tcp host sokrat eq https any
access-list LAN_nat_static_7 extended permit tcp host sokrat eq https any
access-list LAN_nat_static_9 extended permit tcp host diogen eq https any
access-list LAN_nat_static_10 extended permit tcp host geraklit eq pptp any
access-list WAN_1_cryptomap extended permit ip LAN 255.255.255.0 NIK 255.255.255.0
access-list LAN_nat_static_13 extended permit tcp host gegel eq 6129 any
access-list M9_access_in extended permit tcp any any object-group WAN_TCP_Incoming
access-list M9_access_in extended permit icmp any any echo-reply
access-list M9_access_out extended permit ip host M9 any
access-list LAN_nat_static_14 extended permit tcp host sokrat eq smtp any
access-list LAN_nat_static_15 extended permit tcp host sokrat eq https any
access-list LAN_access_in extended permit ip any any
access-list LAN_nat_static_12 extended permit tcp host geraklit eq pptp any
access-list LAN_nat_static_11 extended permit tcp host diogen eq 6129 any
pager lines 24
logging enable
logging history informational
logging asdm informational
no logging message 106015
...................
flow-export destination LAN 10.10.10.106 9996
flow-export template timeout-rate 1
flow-export delay flow-create 10
mtu WAN 1500
mtu LAN 1500
mtu M9 1500
ip verify reverse-path interface WAN
ip verify reverse-path interface LAN
no failover
no monitor-interface WAN
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
nat-control
global (WAN) 1 interface
global (WAN) 4 ............ netmask 255.255.255.255
global (WAN) 5 ............ netmask 255.255.255.255
global (LAN) 3 interface
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 1 access-list LAN_nat_outbound
static (LAN,M9) tcp interface 6129 access-list LAN_nat_static_13
static (LAN,WAN) tcp interface 6129 access-list LAN_nat_static
static (LAN,M9) tcp interface https access-list LAN_nat_static_15
static (LAN,WAN) tcp interface https access-list LAN_nat_static_7
static (LAN,WAN) tcp ............. 6129 access-list LAN_nat_static_11
static (LAN,WAN) tcp ............. 6129 access-list LAN_nat_static_5
static (LAN,M9) tcp interface smtp access-list LAN_nat_static_14
static (LAN,WAN) tcp interface smtp access-list LAN_nat_static_1
static (LAN,M9) tcp interface pptp access-list LAN_nat_static_12
static (LAN,WAN) tcp interface pptp access-list LAN_nat_static_10
access-group WAN_access_in in interface WAN
access-group WAN_access_out out interface WAN
access-group LAN_access_in in interface LAN
access-group M9_access_in in interface M9
access-group M9_access_out out interface M9
route WAN 0.0.0.0 0.0.0.0 ............... 255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ALFA.FAKE protocol nt
aaa-server ALFA.FAKE (LAN) host gegel
nt-auth-domain-controller 10.10.10.4
aaa-server ALFA.FAKE (LAN) host sokrat
nt-auth-domain-controller diogen
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
http server enable
http server idle-timeout 30
http server session-timeout 30
http LAN 255.255.255.0 LAN
snmp-server group Authentication&Encryption v3 priv
snmp-server user snmp Authentication&Encryption v3 encrypted auth md5 03:a1:d1:0c:2f:6a:63:d4:fd:18:0a:b6:85:e6:c6:b7 priv 3des 03:a1:d1:0c:2f:6a:63:d4:fd:18:0a:b6:85:e6:c6:b7:65:e9:c7:bd:55:72:15:5a:db:d3:93:1c:34:e0:7f:e1
snmp-server host LAN 10.10.10.150 community ***** udp-port 161
snmp-server host LAN atom community ***** udp-port 161
snmp-server host LAN geraklit community ***** udp-port 161
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
auth-prompt prompt hi
auth-prompt accept welcome to hell
auth-prompt reject go away
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map WAN_map 1 match address WAN_1_cryptomap_1
crypto map WAN_map 1 set pfs group1
crypto map WAN_map 1 set peer NIK_Firewall
crypto map WAN_map 1 set transform-set ESP-3DES-SHA
crypto map WAN_map interface WAN
crypto isakmp enable WAN
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh LAN 255.255.255.0 LAN
ssh timeout 20
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address LAN 255.255.255.0
threat-detection scanning-threat shun except ip-address 10.10.5.0 255.255.255.0
threat-detection scanning-threat shun except ip-address NIK 255.255.255.0
threat-detection scanning-threat shun duration 3600
threat-detection statistics
threat-detection statistics host number-of-rate 3
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy DfltGrpPolicy attributes
username admin password ................ encrypted privilege 15
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group (LAN) ALFA.FAKE
tunnel-group ............. type ipsec-l2l
tunnel-group ............. ipsec-attributes
pre-shared-key *****
!
class-map global-class
match default-inspection-traffic
!
!
policy-map type inspect im Drop_Yahoo_&_MSN
parameters
match protocol msn-im yahoo-im
drop-connection log
policy-map global-policy
class global-class
inspect ctiqbe
..................
inspect xdmcp
!
service-policy global-policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a73e817d87207cbf2eef09955958c57b
: end
asdm image disk0:/asdm-621.bin
asdm location agrazhd 255.255.255.255 LAN
asdm location M9 255.255.255.255 LAN
asdm location NIK_Firewall 255.255.255.255 LAN
asdm history enable
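As an added example that is not part of the original post, here is a small Python parser for the ASA packet-tracer output format shown above: it splits the trace into phases and returns the first phase that reports DROP together with the Config lines it cites, whether the matched rule was evaluated on the ingress ("in") or egress ("out") side, and the Drop-reason from the summary block, so the blocking phase can be pulled out of a long trace mechanically. The embedded sample is a constructed, abridged excerpt of the trace posted above.

```python
import re

# Constructed, abridged excerpt of the packet-tracer output quoted in the post (phase 12 + summary).
SAMPLE_TRACE = """\
Phase: 12
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
out id=0xd8404310, priority=11, domain=permit, deny=true
Result:
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(trace):
    """Split packet-tracer output into phases: header fields, Config lines, matched rule."""
    phases, cur, section = [], None, None
    for raw in trace.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":", 1)[1]), "config": [], "rule": ""}
            phases.append(cur)
            section = None
        elif cur is None:
            continue
        elif line == "Result:":  # a bare 'Result:' opens the final summary block
            cur = None
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, val = line.split(":", 1)
            cur[key.lower()] = val.strip()
        elif line in ("Config:", "Additional Information:"):
            section = line
        elif section == "Config:":
            cur["config"].append(line)
        elif section == "Additional Information:" and re.match(r"(in|out) id=", line):
            cur["rule"] = line
    return phases

def first_drop(trace):
    """First DROP phase, plus which side ('in'/'out') matched and the Drop-reason."""
    reason = re.search(r"^Drop-reason: (.*)$", trace, re.M)
    for p in parse_phases(trace):
        if p.get("result") == "DROP":
            p["side"] = p["rule"].split(" ", 1)[0] if p["rule"] else None
            p["drop_reason"] = reason.group(1) if reason else None
            return p
    return None
```

Run it over the full trace from the post (pasted in place of SAMPLE_TRACE) and it reports phase 12, ACCESS-LIST, "Implicit Rule", side "out", which is the egress-side ACL check on the output interface named in the summary.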