ASA VPN tunnel NAT problem

network-engineering cisco-asa nat ipsec
2022-02-06 04:32:50

I have been trying to hop across two tunnels. A customer has a cloud solution that we need to access. Since we already have a site-to-site VPN tunnel to the customer, we can already reach his LAN. What we are now trying to do is extend the tunnel to the cloud provider using our internal IP subnet, so that the customer's ASA pushes the traffic on to the cloud provider.

Everything has been set up and I expected it to just work.

What makes this a bit harder is that we need to NAT a few of the subnets, because other customers already have the same subnets configured on our hardware.

So the configuration currently looks like this:

access-list outside_cryptomap_3; 5 elements; name hash: 0x4c48cff2
access-list outside_cryptomap_3 line 1 extended permit ip <CUSTOMER_LAN_SUBNET> 255.255.255.0 <OUR_SUBNET> 255.255.255.192 (hitcnt=474) 
access-list outside_cryptomap_3 line 2 extended permit ip <CUSTOMER_CLOUD1_SUBNET> 255.255.255.0 <OUR_SUBNET> 255.255.255.192 (hitcnt=464) 
access-list outside_cryptomap_3 line 3 extended permit ip <CUSTOMER_CLOUD2_NAT_SUBNET> 255.255.255.0 <OUR_SUBNET> 255.255.255.192 (hitcnt=463)
access-list outside_cryptomap_3 line 4 extended permit ip <CUSTOMER_CLOUD3_NAT_SUBNET> 255.255.255.0 <OUR_SUBNET> 255.255.255.192 (hitcnt=464) 
access-list outside_cryptomap_3 line 5 extended permit ip <CUSTOMER_CLOUD4_NAT_SUBNET> 255.255.255.0 <OUR_SUBNET> 255.255.255.192 (hitcnt=464)

crypto map outside_map 3 match address outside_cryptomap_3
crypto map outside_map 3 set pfs group5
crypto map outside_map 3 set peer <OUR_PUBLIC_IP>
crypto map outside_map 3 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 3 set reverse-route

nat (inside,outside) source static NONAT_NETWORKS NONAT_NETWORKS destination static Txxxxx_Remote_Network Txxxxx_Remote_Network no-proxy-arp route-lookup
nat (inside,outside) source static CLOUD_DMZ CLOUD_NAT_DMZ destination static Txxxxx_Remote_Network Txxxxx_Remote_Network no-proxy-arp
nat (inside,outside) source static CLOUD_MGMT CLOUD_NAT_MGMT destination static Txxxxx_Remote_Network Txxxxx_Remote_Network no-proxy-arp
nat (outside,inside) source static Txxxxx_Remote_Network Txxxxx_Remote_Network destination static CLOUD_NAT_DMZ CLOUD_DMZ no-proxy-arp
nat (inside,outside) source static CLOUD_LST CLOUD_NAT_LST destination static Txxxxx_Remote_Network Txxxxx_Remote_Network no-proxy-arp
nat (outside,inside) source static Txxxxx_Remote_Network Txxxxx_Remote_Network destination static CLOUD_NAT_LST CLOUD_LST no-proxy-arp
nat (outside,inside) source static Txxxxx_Remote_Network Txxxxx_Remote_Network destination static CLOUD_NAT_MGMT CLOUD_MGMT no-proxy-arp

object-group network NONAT_NETWORKS
 network-object <CUSTOMER_LAN_SUBNET> 255.255.255.0
 network-object <CUSTOMER_CLOUD1_SUBNET> 255.255.255.0

object network Txxxxx_Remote_Network
 subnet <OUR_SUBNET> 255.255.255.192

object network CLOUD_DMZ
 subnet <CUSTOMER_CLOUD3_SUBNET> 255.255.255.0

object network CLOUD_NAT_DMZ
 subnet <CUSTOMER_CLOUD3_NAT_SUBNET> 255.255.255.0

object network CLOUD_MGMT
 subnet <CUSTOMER_CLOUD4_SUBNET> 255.255.255.0

object network CLOUD_NAT_MGMT
 subnet <CUSTOMER_CLOUD4_NAT_SUBNET> 255.255.255.0

object network CLOUD_LST
 subnet <CUSTOMER_CLOUD2_SUBNET> 255.255.255.0

object network CLOUD_NAT_LST
 subnet <CUSTOMER_CLOUD2_NAT_SUBNET> 255.255.255.0

The problem now is the following:

 Routing failed to locate next hop for ICMP from outside:<OUR_NETWORK>/1 to inside:<cloud_mgmt_ip>/0

Can anyone help? What am I missing?

Many thanks in advance :)

1 Answer

Silly me. As @Eddie pointed out, it is a routing problem. The route in question is of course the route to the cloud subnet through the second tunnel, which is not on inside but on outside. So the nat statements should be nat (outside,outside).

Case closed.

Sorry for my poor formatting. I was trying to anonymize the data. Using dummy data would have been smarter.

Lesson learned. People, don't work 10 hours straight.
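For readers who land here with the same "Routing failed to locate next hop" message, below is what the fix described in the answer looks like written out. This is an added example, not the poster's configuration: the object names are the poster's placeholders, and the `same-security-traffic` line and the `packet-tracer` check are my additions. Because both tunnels terminate on the outside interface, traffic from our subnet to the cloud subnets enters and leaves the ASA through the same interface (hairpinning), which the ASA only allows when intra-interface traffic is explicitly permitted, and the NAT rule has to name that interface pair so the NAT egress interface matches where the route actually points.

```cisco
! Both tunnels terminate on "outside": traffic arrives from the first tunnel
! and must leave via the second one on the same interface. The ASA drops such
! hairpinned traffic unless intra-interface forwarding is permitted.
same-security-traffic permit intra-interface

! The cloud subnets are reached through the second tunnel on "outside", not
! on "inside", so the interface pair is (outside,outside). One static twice-NAT
! rule is bidirectional, so no separate (outside,inside) mirror rule is needed.
! Object names are the poster's placeholders from the question.
nat (outside,outside) source static CLOUD_DMZ CLOUD_NAT_DMZ destination static Txxxxx_Remote_Network Txxxxx_Remote_Network no-proxy-arp
nat (outside,outside) source static CLOUD_MGMT CLOUD_NAT_MGMT destination static Txxxxx_Remote_Network Txxxxx_Remote_Network no-proxy-arp
nat (outside,outside) source static CLOUD_LST CLOUD_NAT_LST destination static Txxxxx_Remote_Network Txxxxx_Remote_Network no-proxy-arp

! Check the result before testing from a host: simulate an ICMP echo request
! (type 8, code 0) arriving on outside from a host in our subnet and addressed
! to a host in the translated cloud management range. The output shows the
! NAT rule hit, the untranslated destination, and the egress interface chosen;
! it should be "outside" with an ALLOW result, not a ROUTE-LOOKUP drop.
! <OUR_HOST_IP> and <CUSTOMER_CLOUD4_NAT_IP> are placeholders.
packet-tracer input outside icmp <OUR_HOST_IP> 8 0 <CUSTOMER_CLOUD4_NAT_IP> detailed
```

The original (inside,outside) rules were not wrong in themselves; they simply told the ASA to look for the cloud subnets behind the inside interface, which is exactly what the log line reports as a failed next-hop lookup. Changing the interface pair to match the real path is the whole fix; the crypto ACL entries for the translated cloud subnets stay as they were.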