Cisco 5506-X dynamic site-to-site tunnel not working

network-engineering cisco-asa ipsec tunnel ike
2022-02-28 21:31:14

I followed the ASA to ASA dynamic-to-static IKEv1/IPsec configuration example step by step. At the moment I am using IP address 10.0.0.1 for the static peer and 10.0.0.2 for the dynamic peer, but the tunnel does not seem to be working:

Topology

ASA1(config)# sh cry ipsec sa 

There are no ipsec sas

ASA1(config)# sh cry isakmp sa 

There are no IKEv1 SAs

There are no IKEv2 SAs

ASA2(config)# sh cry ipsec sa 

There are no ipsec sas

ASA2(config)# sh cry isakmp sa 

There are no IKEv1 SAs

There are no IKEv2 SAs

Configuration of ASA1:

hostname ASA1  
names  

!  
interface GigabitEthernet1/1  
 nameif outside  
 security-level 0  
 ip address 10.0.0.1 255.255.255.0  
 no shutdown  
!  
interface GigabitEthernet1/2  
 nameif inside  
 security-level 100  
 ip address 192.168.0.1 255.255.255.0  
 no shutdown  
!  
interface GigabitEthernet1/3  
 shutdown  
 no nameif      
 no security-level  
 no ip address  
!  
interface GigabitEthernet1/4  
 shutdown  
 no nameif  
 no security-level  
 no ip address  
!  
interface GigabitEthernet1/5  
 shutdown  
 no nameif  
 no security-level  
 no ip address  
!  
interface GigabitEthernet1/6  
 shutdown  
 no nameif  
 no security-level  
 no ip address  
!  
interface GigabitEthernet1/7  
 shutdown  
 no nameif      
 no security-level  
 no ip address  
!  
interface GigabitEthernet1/8  
 shutdown  
 no nameif  
 no security-level  
 no ip address  
!  
interface Management1/1  
 management-only  
 shutdown  
 no nameif  
 no security-level  
 no ip address  
!  
ftp mode passive  
same-security-traffic permit inter-interface  
object network 192.168.2.0-remote_network  
 subnet 192.168.2.0 255.255.255.0  
object network 192.168.0.0-inside_network  
 subnet 192.168.0.0 255.255.255.0  
object network obj_any  
 subnet 0.0.0.0 0.0.0.0  
access-list outside_access_in extended permit ip any any   
access-list outside_cryptomap extended permit ip object 192.168.0.0-inside_network object 192.168.2.0-remote_network   
access-list outside_cryptomap extended permit icmp object 192.168.0.0-inside_network object 192.168.2.0-remote_network   
access-list internet_access extended permit ip object 192.168.0.0-inside_network any   
pager lines 24  
mtu outside 1500  
mtu inside 1500  
icmp unreachable rate-limit 1 burst-size 1  
no asdm history enable  
arp timeout 14400  
no arp permit-nonconnected  
arp rate-limit 16384  
nat (inside,outside) source static 192.168.0.0-inside_network 192.168.0.0-inside_network destination static 192.168.2.0-remote_network 192.168.2.0-remote_network no-proxy-arp route-lookup  
!  
object network obj_any  
 nat (any,outside) dynamic interface  
!  
nat (inside,outside) after-auto source dynamic any interface  
access-group outside_access_in in interface outside  
timeout xlate 3:00:00  
timeout pat-xlate 0:00:30  
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02  
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00  
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00  
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute  
timeout tcp-proxy-reassembly 0:01:00  
timeout floating-conn 0:00:00  
timeout conn-holddown 0:00:15  
timeout igp stale-route 0:01:10  
user-identity default-domain LOCAL  
aaa authentication login-history  
no snmp-server location  
no snmp-server contact  
service sw-reset-button  
crypto ipsec ikev1 transform-set tset esp-aes-256 esp-sha-hmac   
crypto ipsec security-association pmtu-aging infinite  
crypto dynamic-map outside_dyn_map 1 set ikev1 transform-set tset  
crypto dynamic-map outside_dyn_map 1 set reverse-route  
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map  
crypto map outside_map interface outside  
crypto ca trustpool policy  
crypto ikev1 enable outside  
crypto ikev1 policy 10  
 authentication pre-share  
 encryption aes-256  
 hash sha  
 group 2  
 lifetime 86400  
telnet timeout 5  
ssh stricthostkeycheck  
ssh timeout 5  
ssh key-exchange group dh-group1-sha1  
console timeout 0  

threat-detection basic-threat  
threat-detection statistics access-list  
no threat-detection statistics tcp-intercept  
dynamic-access-policy-record DfltAccessPolicy  
tunnel-group DefaultL2LGroup ipsec-attributes  
 ikev1 pre-shared-key cisco123  
!  
class-map inspection_default  
 match default-inspection-traffic  
!  
!  
policy-map type inspect dns preset_dns_map  
 parameters  
  message-length maximum client auto  
  message-length maximum 512  
  no tcp-inspection  
policy-map global_policy  
 class inspection_default  
  inspect dns preset_dns_map   
  inspect ftp   
  inspect h323 h225   
  inspect h323 ras   
  inspect rsh   
  inspect rtsp   
  inspect esmtp   
  inspect sqlnet   
  inspect skinny    
  inspect sunrpc   
  inspect xdmcp   
  inspect sip    
  inspect netbios   
  inspect tftp   
  inspect ip-options   
!  
service-policy global_policy global  
prompt hostname context   
no call-home reporting anonymous   

Configuration of ASA2:

hostname ASA2  
names  

!  
interface GigabitEthernet1/1  
 nameif outside  
 security-level 0  
 ip address 10.0.0.2 255.255.255.0  
 no shutdown  
!  
interface GigabitEthernet1/2  
 nameif inside  
 security-level 100  
 ip address 192.168.2.1 255.255.255.0  
 no shutdown  
!  
interface GigabitEthernet1/3  
 shutdown  
 no nameif      
 no security-level  
 no ip address  
!  
interface GigabitEthernet1/4  
 shutdown  
 no nameif  
 no security-level  
 no ip address  
!  
interface GigabitEthernet1/5  
 shutdown  
 no nameif  
 no security-level  
 no ip address  
!  
interface GigabitEthernet1/6  
 shutdown  
 no nameif  
 no security-level  
 no ip address  
!  
interface GigabitEthernet1/7  
 shutdown  
 no nameif      
 no security-level  
 no ip address  
!  
interface GigabitEthernet1/8  
 shutdown  
 no nameif  
 no security-level  
 no ip address  
!  
interface Management1/1  
 management-only  
 shutdown  
 no nameif  
 no security-level  
 no ip address  
!  
ftp mode passive  
object network 192.168.2.0-inside_network  
 subnet 192.168.2.0 255.255.255.0  
object network 192.168.0.0-remote_network  
 subnet 192.168.0.0 255.255.255.0  
object network obj_any  
 subnet 0.0.0.0 0.0.0.0  
access-list outside_cryptomap extended permit ip object 192.168.2.0-inside_network object 192.168.0.0-remote_network      
pager lines 24  
mtu outside 1500  
mtu inside 1500  
icmp unreachable rate-limit 1 burst-size 1  
no asdm history enable  
arp timeout 14400  
no arp permit-nonconnected  
arp rate-limit 16384  
nat (inside,outside) source static 192.168.2.0-inside_network 192.168.2.0-inside_network destination static 192.168.0.0-remote_network 192.168.0.0-remote_network no-proxy-arp route-lookup  
!  
object network obj_any  
 nat (any,outside) dynamic interface  
!  
nat (inside,outside) after-auto source dynamic any interface  
timeout xlate 3:00:00  
timeout pat-xlate 0:00:30  
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02  
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00  
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00  
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute  
timeout tcp-proxy-reassembly 0:01:00  
timeout floating-conn 0:00:00  
timeout conn-holddown 0:00:15  
timeout igp stale-route 0:01:10  
user-identity default-domain LOCAL  
aaa authentication login-history  
no snmp-server location  
no snmp-server contact  
service sw-reset-button  
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac   
crypto ipsec security-association pmtu-aging infinite  
crypto map outside_map 1 match address outside_cryptomap  
crypto map outside_map 1 set peer 10.0.0.1   
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA  
crypto map outside_map interface outside  
crypto ca trustpool policy  
crypto ikev1 enable outside  
crypto ikev1 policy 10  
 authentication pre-share  
 encryption aes-256  
 hash sha  
 group 2  
 lifetime 86400  
telnet timeout 5  
ssh stricthostkeycheck  
ssh timeout 5  
ssh key-exchange group dh-group1-sha1  
console timeout 0  

threat-detection basic-threat  
threat-detection statistics access-list  
no threat-detection statistics tcp-intercept  
dynamic-access-policy-record DfltAccessPolicy  
tunnel-group 10.0.0.1 type ipsec-l2l  
tunnel-group 10.0.0.1 ipsec-attributes  
 ikev1 pre-shared-key cisco123  
!  
class-map inspection_default  
 match default-inspection-traffic  
!  
!  
policy-map type inspect dns preset_dns_map  
 parameters  
  message-length maximum client auto  
  message-length maximum 512  
  no tcp-inspection  
policy-map global_policy  
 class inspection_default  
  inspect dns preset_dns_map   
  inspect ftp   
  inspect h323 h225   
  inspect h323 ras   
  inspect rsh   
  inspect rtsp   
  inspect esmtp   
  inspect sqlnet   
  inspect skinny    
  inspect sunrpc   
  inspect xdmcp   
  inspect sip    
  inspect netbios   
  inspect tftp   
  inspect ip-options   
!  
service-policy global_policy global  
prompt hostname context   

Any ideas?

Packet-tracer result:

ASA2(config)# packet-tracer input inside tcp 192.168.2.100 56789 192.168.0.100 443

Result:
input-interface: inside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

1 Answer

On ASA2 (the dynamic peer), you do not have the peer in crypto map outside_map 1.

Please try the following on ASA2:

  • Remove crypto map outside_map 1 set pfs
  • Add crypto map outside_map 1 set peer 10.0.0.1

Also, on ASA2 you may need to create an interface access list on the inside interface so that traffic from ASA2's inside network can reach the ASA1 network/subnet on the other side of the VPN tunnel.

With a dynamic site-to-site IPsec VPN, you can only initiate traffic from the dynamic site. So you need to generate traffic from ASA2 to bring the tunnel up.

If it still does not work, run the following packet-tracer command on ASA2 (from the CLI) and update your question with the output. I will check and update my answer accordingly:

  • packet-tracer input inside tcp 192.168.2.100 56789 192.168.0.100 443

Updated answer:

The packet-tracer output tells us that ASA2 does not know how to route/forward traffic to the network behind ASA1 (192.168.0.100 in 192.168.0.0/24), because there is nothing in its routing table.

For this particular setup/lab, please add the following for testing purposes and then try packet-tracer (and ping) a few more times:

  • On ASA2: route outside 0.0.0.0 0.0.0.0 10.0.0.1
  • On ASA1: route outside 0.0.0.0 0.0.0.0 10.0.0.2

In this setup/lab, ASA2 is not a real dynamic peer, because you configured a static IP address on its outside interface. So you need a static default route on ASA2, and on ASA1 as well.

In a real-world scenario, when ASA2 is a dynamic peer (dynamic IP address on the outside interface), ASA2 will/should have its own default route thanks to the command ip address dhcp setroute or ip address pppoe setroute.


我希望它是有帮助的,你可以解决这个问题。
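A small configuration lint, added here as an example that is not part of the question or the answer, which checks the ASA2 side for the items the answer walks through: a `set peer` entry, no stray `set pfs`, a matching `ipsec-l2l` tunnel-group, a defined transform-set, the crypto map bound to an interface, and the default route whose absence produced the `(no-route)` drop. The embedded config is a constructed excerpt of the ASA2 configuration from the question; the function names are my own.

```python
import re

# Constructed excerpt of the ASA2 configuration from the question (crypto and
# tunnel-group lines only). It deliberately has no default route, which is
# what the packet-tracer "(no-route) No route to host" drop points at.
ASA2_CONFIG = """\
hostname ASA2
interface GigabitEthernet1/1
 nameif outside
 ip address 10.0.0.2 255.255.255.0
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 10.0.0.1
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
tunnel-group 10.0.0.1 type ipsec-l2l
tunnel-group 10.0.0.1 ipsec-attributes
 ikev1 pre-shared-key cisco123
"""


def check_static_map_side(config: str) -> list:
    """Lint the ASA that carries the static crypto map (ASA2 in the question).

    Returns human-readable findings; an empty list means every item the
    answer asks for is present.
    """
    lines = [line.rstrip() for line in config.splitlines()]
    findings = []
    peers = re.findall(r"^crypto map (\S+) (\d+) set peer (\S+)", config, re.M)
    if not peers:
        findings.append("no 'crypto map <name> <seq> set peer <ip>' entry")
    for cmap, seq, peer in peers:
        if f"crypto map {cmap} {seq} set pfs" in lines:
            findings.append(f"{cmap} {seq}: remove 'set pfs' (first step of the answer)")
        if f"tunnel-group {peer} type ipsec-l2l" not in lines:
            findings.append(f"{cmap} {seq}: no ipsec-l2l tunnel-group for peer {peer}")
        ts = re.search(rf"^crypto map {cmap} {seq} set ikev1 transform-set (\S+)", config, re.M)
        if ts and f"crypto ipsec ikev1 transform-set {ts.group(1)} " not in config:
            findings.append(f"{cmap} {seq}: transform-set {ts.group(1)} is not defined")
        if not any(line.startswith(f"crypto map {cmap} interface ") for line in lines):
            findings.append(f"{cmap}: not applied to any interface")
    # The answer's key point: without a route, traffic never reaches the crypto map.
    if not re.search(r"^route \S+ 0\.0\.0\.0 0\.0\.0\.0 \S+", config, re.M):
        findings.append("no default route: packet-tracer reports (no-route) No route to host")
    return findings


if __name__ == "__main__":
    for finding in check_static_map_side(ASA2_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the excerpt it reports only the missing default route; appending `route outside 0.0.0.0 0.0.0.0 10.0.0.1` (the answer's fix) clears it.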