I am trying to set up a site-to-site VPN between a Cisco ASA and a Forcepoint Stonesoft NGFW. I am sure that all the settings on the Forcepoint NGFW side are correct, but I am running into a problem from the Cisco ASA side.
Here is my network map
My Cisco ASA has an internal IP of 192.168.4.12 and sits behind another Fortinet firewall, which connects to another ISP router that is connected to the internet. The Cisco ASA is the initiator of the VPN tunnel, so it does not have a static public IP, only a dynamic public IP.
CiscoFW# show run
: Saved
:
: Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
:
ASA Version 9.1(7)32
!
hostname CiscoFW
enable password REMOVED encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd removed encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.4.12 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.177.1.77 255.255.255.0
!
interface Ethernet0/2
shutdown
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa917-32-k8.bin
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NGFW-Internal
subnet 10.77.0.0 255.255.0.0
description NGFW-Internal
object network NETWORK_OBJ_10.177.1.0_24
subnet 10.177.1.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list 100 extended permit icmp any any
access-list outside_cryptomap_1 extended permit ip 10.177.1.0 255.255.255.0 object NGFW-Internal
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_10.177.1.0_24 NETWORK_OBJ_10.177.1.0_24 destination static NGFW-Internal NGFW-Internal no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 192.168.4.9 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.4.0 255.255.255.0 outside
http 10.177.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev2 ipsec-proposal NGFW-TSv2
protocol esp encryption 3des
protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map0 2 match address outside_cryptomap_1
crypto map outside_map0 2 set peer 90.90.10.10
crypto map outside_map0 2 set ikev1 phase1-mode aggressive group5
crypto map outside_map0 2 set ikev2 ipsec-proposal NGFW-TSv2
crypto map outside_map0 interface outside
crypto ca trustpool policy
crypto isakmp identity key-id itmanager@whatever.com
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 10.177.1.0 255.255.255.0 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy-Ngfw internal
group-policy GroupPolicy-Ngfw attributes
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol ikev2
username admin password REMOVED encrypted privilege 15
tunnel-group 90.90.10.10 type ipsec-l2l
tunnel-group 90.90.10.10 general-attributes
default-group-policy GroupPolicy-Ngfw
tunnel-group 90.90.10.10 ipsec-attributes
ikev2 remote-authentication pre-shared-key Cisco123
ikev2 local-authentication pre-shared-key Cisco123
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f9e367f14ff7742459421745f6228a1e
: end
Here is the Fortinet configuration file
Here is the Cisco ASA debug log
The tunnel does not come up
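The posted running-config negotiates IKEv1/IKEv2 with DES, 3DES, SHA-1 and DH groups 1, 2 and 5 enabled. The following script is an added example (not the poster's config and not part of the original thread) that parses an ASA `show run` crypto section and lists the legacy algorithm choices; the `SAMPLE_CONFIG` is a constructed excerpt of the configuration above, and the script only audits algorithm strength, it does not diagnose why the tunnel fails to come up.

```python
# Audit an ASA 'show run' crypto section for legacy IKE/IPsec algorithms
# (added example, not the poster's configuration).
import re
# Constructed excerpt of the running-config posted above.
SAMPLE_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal NGFW-TSv2
 protocol esp encryption 3des
 protocol esp integrity sha-1
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
ssh key-exchange group dh-group1-sha1
"""
# ASA keyword -> why it is flagged. A bare 'sha' means SHA-1 on the ASA.
WEAK = {"des": "single DES (56-bit key)", "3des": "3DES (64-bit block)",
        "md5": "MD5", "sha": "SHA-1", "sha-1": "SHA-1",
        "2": "DH group 2 (1024-bit MODP)", "5": "DH group 5 (1536-bit MODP)"}
BLOCK_RE = re.compile(r"^crypto (ikev[12] policy \d+|ipsec ikev2 ipsec-proposal \S+)$")
ALGO_KEYS = {"encryption", "integrity", "hash", "prf", "group"}

def audit_config(text):
    """Return (block, setting, reason) for every weak algorithm in an ASA config."""
    findings, block = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = BLOCK_RE.match(line)
        if m:
            block = m.group(1)          # entering a policy / proposal block
            continue
        if line.startswith("ssh key-exchange group dh-group1"):
            findings.append(("ssh", line, "DH group 1 (768-bit MODP)"))
            continue
        if not line or line.startswith("crypto ") or block is None:
            block = None                # another crypto command ends the block
            continue
        if line.startswith("protocol esp "):
            line = line[len("protocol esp "):]   # ipsec-proposal syntax
        key, *values = line.split()
        if key in ALGO_KEYS:
            for v in values:            # 'group 5 2' lists several DH groups
                if v in WEAK:
                    findings.append((block, f"{key} {v}", WEAK[v]))
    return findings
```

Run `audit_config(SAMPLE_CONFIG)` to get the list of findings; on the full running-config it will also report every `des`/`3des` policy and every `group 2` line.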